Internetwork Design 3.0
Microsoft Protocols were
designed for flat networks where all the clients and servers are sharing
the same media. There are different remedies and methods of encapsulation
for handling these problems. Most noteworthy is NetBEUI, which must be
bridged and cannot be routed unless encapsulated in another protocol such
as NWLINK (NetBIOS over IPX) or NBT (NetBIOS over TCP/IP).
broadcast-based; it does not have logical addressing functionality and
operates primarily at the Session Layer.
broadcast-based; it does not have logical addressing functionality and
operates at the Transport and Network Layers of the OSI Model.
include Phase 1 (antiquated; does not scale well) and Phase 2 (the current
version). Phase 2 allows a greater number of hosts per segment (253) and
supports Token Ring, Ethernet and FDDI.
IPX (Internetwork Packet eXchange)
is a routable protocol and has different encapsulations.
Encapsulations must match to see other machines on the network, or,
although it is not recommended, you can run two different encapsulation
methods on the same router interface. Use the ipx route-cache same-interface
command. You can also run different encapsulations using
subinterfaces, but the two networks cannot see each other. The default for
Novell 3.X protocol support is Raw Ethernet or ETHERNET_802.3
(Novell-Ether). For Novell 4.X protocol support, the default is ETHERNET_802.2.
(ETHERNET_802.3) is similar to the IEEE 802.3 frame with no Logical Link
Control and FFFF in the DSAP (Destination Service Access Point) and SSAP
(Source Service Access Point).
Control Protocol/Internet Protocol)
is a widely used routable
protocol, and its biggest challenge is proper management with addressing,
security and broadcast management.
the usual address prefixes are 10, 172 and 192. Used for private networks
not openly exposed to the Internet (inside a firewall).
assigned by an ISP and not recommended for private networks. Private to
public network communication can be accomplished by NAT through a PIX or
other firewall. Options also include VPN (Virtual Private Networks) or
extranets secured through PPTP (Point-to-Point Tunneling Protocol) and/or
L2TP (Layer 2 Tunneling Protocol).
using address schemes where the different network numbers
determine whether a destination is local or remote. Longer subnet masks
are used at the access layer. The network prefix gets smaller as you move
up the network hierarchy.
is how a router forwards packets. The router uses the network number for
the addressing scheme commonly used where the subnet mask reflects the
number of bits used to calculate the default gateway. (e.g. Class A
10.0.0.0 Mask 255.X.0.0, Class B 18.104.22.168 255.255.0.0, Class C 192.0.0.0
VLSM (Variable Length
- classless addressing allows using, for example, a Class
B address with a Class C subnet mask. Usually summarized in this fashion
22.214.171.124/30 (30) or 255.255.255.252 specifies the number of bits used
to calculate the network portion. This allows effective use of your IP
addresses and should only be used with routing protocols that support VLSM
like EIGRP and OSPF.
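As an added example (not from the original notes), the arithmetic behind the /30 and 255.255.255.252 notation above, and the local-versus-remote decision the routing paragraph describes: the prefix length is the number of leading mask bits that select the network portion. All addresses used are constructed.

```python
# Added example (not part of the original notes): classless addressing
# arithmetic. A prefix length such as /30 and a dotted mask such as
# 255.255.255.252 say the same thing: how many leading bits identify the
# network portion. A host or router compares the network portion of the
# destination with its own to decide whether the destination is local
# (same subnet) or remote (hand it to the default gateway).

def ip_to_int(addr):
    """Convert dotted-quad text to a 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet in {addr}")
        value = (value << 8) | n
    return value


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/30 -> 255.255.255.252: set the top `prefix` bits of a 32-bit word."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_ip(mask)


def mask_to_prefix(mask):
    """255.255.255.252 -> 30. Rejects non-contiguous masks such as 255.0.255.0,
    which classless routing protocols do not accept."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def network_of(addr, prefix):
    """Network portion in CIDR form, e.g. ("10.1.2.3", 24) -> "10.1.2.0/24"."""
    mask = ip_to_int(prefix_to_mask(prefix))
    return f"{int_to_ip(ip_to_int(addr) & mask)}/{prefix}"


def usable_hosts(prefix):
    """Hosts per subnet excluding the network and broadcast addresses
    (0 for /31 and /32)."""
    size = 1 << (32 - prefix)
    return max(size - 2, 0)


def is_local(src, dst, prefix):
    """True when src and dst share the network portion, so no gateway is needed."""
    return network_of(src, prefix) == network_of(dst, prefix)


if __name__ == "__main__":
    # Constructed addresses: a /30 point-to-point link and a /24 access subnet.
    print(prefix_to_mask(30), usable_hosts(30))       # 255.255.255.252 2
    print(mask_to_prefix("255.255.0.0"))              # 16
    print(network_of("10.1.2.3", 24))                 # 10.1.2.0/24
    print(is_local("10.1.2.3", "10.1.2.200", 24))     # True
    print(is_local("10.1.2.3", "10.1.3.4", 24))       # False
```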
Is assigning a second IP gateway address for the same interface on a
router. This is not recommended and should be used only when you have
- is an encapsulation standard used over asynchronous serial,
synchronous serial and ISDN.
SLIP (Serial Line
only supports TCP/IP, and information is passed
in plain text.
NCP (NetWare Core
- is a layer protocol of PPP and encapsulates multiple
protocols. It has built-in security features.
LCP (Link Control
- another component of PPP and is responsible for
authentication, multilink, callback and compression.
or PAP: CHAP is encrypted; with PAP, login and password information are
sent in plain text.
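An added example (not from the original notes) of the CHAP/PAP difference just described: CHAP (RFC 1994) answers a random challenge with MD5 over the identifier, the shared secret and the challenge, so the secret never crosses the link, while PAP (RFC 1334) carries the password itself. Names and secrets are constructed, and both exchanges are simulated in-process.

```python
# Added example (not part of the original notes): CHAP keeps the secret off
# the wire, PAP does not. CHAP (RFC 1994) answers the authenticator's random
# challenge with MD5(Identifier || secret || Challenge); only the hash travels.
# PAP (RFC 1334) sends the peer-id and password as-is. The exchanges below are
# simulated in-process with constructed names and secrets.
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the one-octet Identifier, the shared
    secret and the challenge bytes, in that order."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, stored_secret, challenge, response):
    """Authenticator side: recompute from its own copy of the secret and
    compare in constant time."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret, server_secret, peer_name, rng=os.urandom):
    """Simulate one Challenge/Response round. Returns (frames_on_wire, accepted).
    peer_secret is what the dial-in peer knows; server_secret is what the
    authenticator has stored for peer_name."""
    identifier = 1
    challenge = rng(16)   # fresh per attempt, so a captured response is useless later
    wire = [b"CHAP-Challenge:" + bytes([identifier]) + challenge]          # server -> peer
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(b"CHAP-Response:" + bytes([identifier]) + response + peer_name)  # peer -> server
    return wire, chap_verify(identifier, server_secret, challenge, response)


def pap_exchange(peer_id, password, stored_password):
    """Simulate a PAP Authenticate-Request: the password itself is the frame
    payload, so anyone on the path can read it."""
    wire = [b"PAP-Authenticate-Request:" + peer_id + b":" + password]
    return wire, hmac.compare_digest(password, stored_password)


def secret_on_wire(wire, secret):
    """True if the raw secret appears in any frame that crossed the link."""
    return any(secret in frame for frame in wire)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    chap_wire, ok = chap_exchange(SECRET, SECRET, b"branch-router")
    print("CHAP accepted:", ok, "secret visible:", secret_on_wire(chap_wire, SECRET))
    pap_wire, ok = pap_exchange(b"branch-router", SECRET, SECRET)
    print("PAP accepted:", ok, "secret visible:", secret_on_wire(pap_wire, SECRET))
```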
referred to as MP; allows additional calls or channels to connect to a
host for additional bandwidth. In order to use Multilink with Brand X
routers the routers must comply with RFC1990. Multilink is configured on
LCP controls Multilink
Works on Cisco 700 series routers.
Works on routers running Cisco
RFC 1990 allows for vendor
Allows packet fragmentation across
Sequences packets and performs load
calculation on lines or channels.
4-Byte field in header allows for
dial-in ISDN channels can be split to different access servers
(a.k.a. stackgroup) or routers. The access servers (stackgroup) or routers
intake the data packets and forward them to a high-end MMP process server.
A process server uses SGBP (Stackgroup Bidding Protocol) to do all the
packet reassembly. The advantages are that the stackgroup is very
scalable and less overhead is required from the access servers.
is used for
serial lines and this version is proprietary for Cisco. Do not use if
connecting to a non-Cisco router or with the AutoInstall feature. This is
a connectionless datagram protocol.
used often in
SNA environments, it supports full and half duplex and can be used in
packet or circuit switched environment.
unreliable links and X.25. Connection-oriented with ordering and error
used to tunnel
SNA over WAN links. ACKs and LLC2 frames are sent over the WAN.
- used to tunnel SNA over WAN links. It supports local ACK
used with SDLC on congested WAN links.
used to tunnel IP packets securely over the
used primarily in the backbone. Can be used
to tunnel IPX or AppleTalk. Fast switching supported.
encapsulate NetBIOS over IPX. Requires type 20 packets to operate
properly. Use the ipx type-20-propagation command on the
encapsulate NetBIOS over TCP/IP.
AURP (AppleTalk Update
encapsulated in TCP/IP over WAN links. Sends
updates only, like EIGRP.
server-side software used with PPP to connect servers or clients over a
dial-up connection. It is responsible for establishing a routing metric
once the connection is made. It is dynamic and no configuration is
Design principles are shaped
around the type and numbers of connections that need to be made. The
applications and requirements will depend on the type of users that will
be connecting to the network. Users usually fit into these categories:
not connected all the time. Short connections and low bandwidth
requirements, usually analog.
Full Time Telecommuters
usually require faster connections. Longer connect times with higher
bandwidth requirements. Use ISDN to run other devices or connections.
Home or Small Office
requires fast and long connection time. Multi-interface router needed to
support LAN and multiple WAN connections.
limited access and limited functionality. It can be used only to get email
or access an application.
common access method. It is like dialing into a security server, RAS
server, modem bank or access server stackgroup. This is the preferred
method since it is very flexible and scales well in the Enterprise. Less
overhead and PC appears as if directly connected to the LAN.
when a PC dials in and takes control of another PC on the LAN. The user has
full use of network services. This requires the most overhead due to
the fact that an extra PC, analog line and modem are required. A good
example of this is PCAnywhere.
Remote Access Support Equipment
small - <20, 3600 to 4000
larger - >20, higher
density, use a PRI on 7500 to 7200 Router
AS5300 Access servers are
recommended because they can combine analog and ISDN and can support
higher densities. External modems are no longer recommended since they do
not scale well.
- can be configured from medium to heavy port density and can
support analog and ISDN lines. It is very scalable and servers can use MPP
Security for Remote Access
TACACS+ on Unix or NT
It is important to
distinguish between routed and routing protocols. Routing protocols use
metrics, hop counts, ticks, etc. to make a routing decision. Since routers
do not forward broadcasts, routers separate networks into different
broadcast domains. Switches and bridges separate media into separate
collision domains. Routers are responsible for:
Bandwidth, delay MTU, load
Must use IP and
Classful IP addresses. Can load balance.
Bandwidth, delay MTU, load
multi-protocol; sends updates only on the WAN. Scales well. Converges
More robust than RIP
sends subnet info so it can support VLSM
Max Hop count is 15,
is chatty and does not scale well
Uses LSAs to check
on links. Backbone is area 0. Supports VLSM and discontiguous
Used to connect
Link State Interior
Used to connect
autonomous areas, can be used as an interior
Very chatty not
recommended for WAN traffic or slow links
Link state for IPX.
Robust and scales well. Used in large IPX networks <400 per
Tunnelled by IP over
WAN links. Sends updates over the WAN and full updates on
IPX on the WAN
Use NLSP (NetWare Link State
Protocol) for faster convergence over IPX/RIP and reducing of routing
traffic. It uses cost as calculation metric and is more CPU intensive.
NLSP redistributes RIP, but retains a 15-hop limit. NLSP supports up to
1023 hops and areas of <400 routers.
EIGRP for IPX
Increases bandwidth by only
sending updates over the WAN and full updates over the LAN. When a route
goes from IPX/RIP to EIGRP, it increases the hop count by two. From EIGRP
to IPX/RIP, the route tick count is unchanged.
LSA1 Router Links LSA
Sends information about the routers links.
LSA2 Network Link LSA
Sent by the DR to all routers in the AS. A list of routers in the
LSA3 Summary Link LSA
Sent by ABRs list of networks available outside the area.
LSA4 Summary Link LSA
Sent by ASBRs list of networks available outside the area.
LSA5 External Link LSA
Sent by ASBRs list of external network routes.
OSPF recalculates a new
table when a route goes down, so if you have a link flapping you may want
to increase the amount of time to wait; use spf holdtime
command, if not, it could overload the CPU and cause performance
to stay away from meshing the backbone. Use LAN backbone design and keep
everything to one hop. Use as few routers as possible to keep the diameter
used only for
IP. The entire routing table is sent every 90 seconds, and updates are
triggered on link failures. Flapping links can be detected with a protocol
analyzer, as updates are sent when the link state changes. It does not
support VLSM or summarization. Primary metric is bandwidth and delay.
Complete updates can be changed from 90 seconds. Stay with the defaults
unless a fast network requires faster convergence.
version of a routing protocol. It is very similar to RIP; broadcasts
entire table in 10 seconds. Max Hop count is still 15, uses split
EIGRP for routing AppleTalk
bandwidth because only updates are sent. Fast convergence.
AURP (AppleTalk Update
Apple's attempt to create a better WAN-friendly
routing protocol than RTMP. RTMP is encapsulated in IP over an AURP Tunnel
on WAN links. Reduces WAN traffic because only updates are sent over the
wire. Use in an IP only WAN environment.
Network Services and Gateways
Windows computers use LMHOSTS
files, broadcasts, WINS, DNS and HOSTS files to locate services. By
default they elect a default browser.
DHCP (Dynamic Host
a BOOTP server used to assign IP addresses
to requesting clients. Can be configured to specify node type, WINS, DNS
and other information such as subnet mask and default gateway.
There are several options
for DHCP configuration. Cisco offers IOS features to forward DHCP packets.
The ip helper-address command forwards broadcasts to DHCP
servers like an NT server.
CNR (Cisco Network
a Cisco solution that automates network services and
provides a fully scalable solution for DHCP and DNS. Noted for being able
to integrate network infrastructure software and applications.
similar to CNR, not as robust and will be cancelled
Internet Name Service)
is a static-addressed server that performs
NetBIOS name to IP address resolution, which takes away the need to ARP
(broadcast) to resolve network names. Acts as a register for Windows
machines. After booting and obtaining a DHCP IP address, the client sends
a unicast packet to the WINS server requesting it to register its NetBIOS
name. DNS servers and WINS servers (sometimes on the same server) work
together to resolve name lookup.
DNS (Domain Name
- Application server that provides Internet-name to
IP-address conversion. A Windows DNS server can be directed to query a
WINS server for NetBIOS names.
RAS (Remote Access
uses PPP and CHAP or PAP to encapsulate the client's dial-in
multi-protocol support, usually an NT Server. For a larger scalable
solution an AS5X00 is recommended.
A client and server solution for accessing the Internet in an IPX network.
Primarily used by IPX clients to access the Internet. The gateway server
must run both IPX and TCP/IP. Clients run the client software and servers
are usually dual homed to act as a gateway. The server only needs one IP
address to serve several IPX clients.
resources are defined as Workgroups. The presence of an NT server
classifies it as a domain. Domains make the administration of resources
Single Domain Model
services controlled by one PDC for clients.
Master Domain Model
is a collection of domains trusting a single master PDC for centralized
administration. Simplifies management of resources.
Multiple Master Domain
resource domains trusting multiple master domain PDCs.
Complete Trust Domain
(a.k.a. Cluster Trust) all domains trust all other domains and
resources can be administered and shared across these domains.
one-to-many services. Class D multicast address needed. Router must be
configured correctly for multicast, or it will forward out all of its
ports. IGMP, CGMP and PIM are often used (PIM scales well in the
the preferred Cisco solution. It is advisable to turn off all ports, and
then enable ports for only certain services to specific hosts. Protect
yourself from IP spoofing from the Internet: configure your outside router to
deny packets shown to have an inside IP address. Do not configure your
routers for rsh or rlogin.
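An added example (not from the original notes) of the ingress rule just described: packets arriving from the Internet whose source claims an inside address are denied at the outside router. It goes slightly beyond the text by also denying RFC 1918 private sources, and renders the same policy as Cisco IOS extended-ACL lines. The inside prefixes and the packet log are constructed.

```python
# Added example (not part of the original notes): the ingress anti-spoofing
# rule described above, simulated in Python. A packet arriving on the
# Internet-facing interface whose source address is one of our inside
# prefixes (or any RFC 1918 private range) cannot be legitimate, so the
# outside router denies it. INSIDE_PREFIXES and the packet log are constructed.
import ipaddress

# Constructed: address space this site uses internally (one public block and
# one private block).
INSIDE_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "10.0.0.0/8")]
# RFC 1918 space is never a valid source on an Internet-facing interface.
PRIVATE_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def deny_prefixes():
    """Inside plus private prefixes, duplicates removed, order preserved."""
    merged = []
    for net in INSIDE_PREFIXES + PRIVATE_PREFIXES:
        if net not in merged:
            merged.append(net)
    return merged


def spoofed_inbound(src):
    """True when a packet on the outside interface claims an inside/private source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in deny_prefixes())


def filter_inbound(packets):
    """packets: iterable of (src, dst) strings seen on the outside interface.
    Returns (permitted, denied); each denied entry carries the reason, which is
    what you would log and alert on."""
    permitted, denied = [], []
    for src, dst in packets:
        if spoofed_inbound(src):
            denied.append((src, dst, "inside/private source on outside interface"))
        else:
            permitted.append((src, dst))
    return permitted, denied


def ios_style_acl(number=101):
    """Render the same policy as Cisco IOS extended-ACL lines: one deny per
    prefix (wildcard mask = inverted subnet mask), then permit the rest.
    Apply it inbound on the outside interface."""
    lines = []
    for net in deny_prefixes():
        lines.append(f"access-list {number} deny ip "
                     f"{str(net.network_address)} {str(net.hostmask)} any")
    lines.append(f"access-list {number} permit ip any any")
    return lines


# Constructed packet log: (source, destination) as seen arriving from the ISP.
PACKETS = [
    ("203.0.113.7", "192.0.2.10"),    # ordinary Internet host: permit
    ("10.1.1.5", "192.0.2.10"),       # claims an inside private address: deny
    ("192.0.2.44", "192.0.2.10"),     # claims our own public block: deny
    ("198.51.100.9", "192.0.2.25"),   # ordinary Internet host: permit
]

if __name__ == "__main__":
    ok, bad = filter_inbound(PACKETS)
    print(len(ok), "permitted,", len(bad), "denied")
    for entry in bad:
        print("DENY", entry)
    print("\n".join(ios_style_acl()))
```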
Common campus issues are
Media, Protocols and Transport. Media issues are caused by high network
loads and media contention. Use LAN switching to solve this problem.
Another protocol problem is that some do not scale well and are prone to
excessive broadcasts. To solve this problem, use routers to segment your
network. Transport problems occur when there is not enough bandwidth to
support high bandwidth applications. Use ATM, Gigabit Ethernet and/or QoS
IOS features to solve these problems.
a packet is forwarded once the destination is read. No CRC check.
Store and Forward
the entire packet is processed, the CRC checked and then
forwarded out the appropriate interface.
802.1Q is a
VLAN standard. VLANS help separate broadcast domains, since a router is
required for communication between VLANS. Switching separate collision
Each floor or building would be isolated by its own router and switch.
This setup is more expensive and often requires costly upgrades to
all floors are wired into a single switch and router. More cost effective,
but creates a single point of failure.
- are designed for scalability, and this model is easier to troubleshoot.
like Frame Relay and X.25, it uses PVCs and SVCs to
establish connectivity. Used for high-speed data, video and voice. It
transports information in 53-byte cells. ATM Features:
5 bytes for header, 48 for data
QOS is effective for managing ATM
Flexible multiplexing and switching
Low latency due to small cells and
high speed media
Supports high performance
Uses SNAP encapsulation to multiplex
SVC are disconnected once
transmission is complete
Operates primarily at the Data Link
Layer of the OSI model
AAL (ATM Adaptation
operates at the Data Link Layer, and its primary function is
to hide what it is doing to the frames from the higher OSI Layers.
Abstraction is right.
establishes connections and passes cells through the ATM network.
manages the physical transmission of the cells. Does the bit to cell
AAL1 Used for
AAL3/4 Used for SMDS
AAL5 used for data,
non-SMDS data
connection-oriented; needs time sequencing from source to destination and
connectionless; used to transfer SMDS. It loses some payload
capacity due to added CRC, MIDs (Message Identifier) and the sequence
number. There is a slightly increased delay attributed to the SAR
(Sequence Assembly Reassembly). Requires the use of a SDSU for SAR.
and connectionless. Used for data transport. Uses SEAL for SAR.
ATM uses prefix routing
in private networks.
PNNI (Private Network
hierarchical routing protocol used for ATM routing.
It is dynamic and requires little configuration. Scalable, but
Inter-Switch Signaling Protocol)
is a static routing on ATM network.
Uses SVCs when routes go down.
LANE (LAN Emulation)
emulation of a LAN over an ATM network.
LEC (LAN Emulation
sends its MAC address to the LECS server. It can be a
workstation or a router. It is responsible for endpoint functions, address
resolution and data forwarding.
LES (LAN Emulation
pseudo-WINS server for ATM. Acts as a register to store the
multicast or unicast MAC address information of the LE clients. It accepts
LE-ARP requests for destination MAC addresses.
LECS (LAN Emulation
serves multiple ELANS and maintains a database
of all the LECs' MAC addresses. The LECS responds to LEC requests by sending
the appropriate ELAN information (identifier). Used like DHCP to assign
LECs to certain ELANS. This is a one-per-ATM switch.
BUS (Broadcast and
- multicast and broadcast server. Sends traffic to
clients of the ELAN it is responsible for.
X.25 is a packet-switched
Layer 2 protocol that operates at the Data Link Layer of the OSI model.
This protocol works by encapsulating the layer 3 protocols. X.25 was
engineered for strong error checking and flow control at layers 2 and 3.
X.25 uses LAPB and it is very reliable. It also uses sliding windows (much
like TCP/IP) for flow control. Suffers from lower throughput and higher
latency than Frame Relay. X.25 uses SVCs (Switched Virtual Circuits) and
PVCs (Permanent Virtual Circuits). PVCs are always connected. X.25 treats
connection as a reliable data link; Frame Relay does not.
Subinterfaces solve the
problem of split horizon and forwarding updates on NBMA.
X.25 is highly available and used worldwide.
- can also be a router. It collects the data
transmissions from the terminals and gathers them into a X.25 data stream
and vice versa. PAD acts like a multiplexer for the terminals. During
configuration of the X.25 you specify whether the interface will act as a
DCE or DTE. When configured as a DCE the router behaves as an X.25
- is the
addressing standard. Static mappings must be made manually. X.25 does not
support ARP. The addressing standard is a 4-digit country code. The
following 8 to 11 digits are assigned by the X.25 service provider.
Options for X.25
windows and packet sizes must match on both sides of the connection. Use
the x25 ips command for incoming packet size and x25
ops for outgoing packet size. Window size uses a counter for when
to send an acknowledgement. The x25 win and x25
wout commands are used. The modulo controls the size of the window;
8 or 128 are used to specify the number of packets.
Satellites use X.25 as well.
To increase performance, they use modulo 128 which sets the window size
Window Parameters #
window sends ack
after 7 packets inbound or out
Interfaces - Frame Relay requires the use of a CSU/DSU. Like X.25,
Frame Relay uses SVCs and PVCs. PVCs are used for frequent and long
connection times. SVCs are for sporadic, infrequent traffic.
Frame Relay Bandwidth
- maximum throughput is up to T3 speed. Frame Relay is a layer 2 protocol.
It uses the upper layer for error correction and is faster than X.25.
- is the standard for signaling. There are 3
Cisco is the default. The
service provider will specify the LMI in use.
LMIs control data keep-alives and
verify the dataflow.
Use multicast mechanism to provide
network server the DLCI.
Use multicast addressing so DLCI
has global significance.
Verifies the DLCIs in use and status
to the local Frame-Relay switch.
router with IOS 11.2 and newer does not need to be configured for the LMI.
The newer routers will send a signal to the FR switch to determine the LMI
DLCI (Data Link
- verifies the logical circuits in use and the
status from the CPE to the Frame Relay switch.
are Cisco and IETF. Cisco is the default. If the router is a non-Cisco
router, use IETF. This designation can be made per DLCI. Even if all the
routers are Cisco, you can communicate with a location with a non-Cisco
router. Specify the IETF encapsulation and DLCI. You can use this with the
map command. In short, encapsulation can be set to per interface or per
Split Horizon and Routing
- since routing updates should not be sent out from the same
interface you receive the update from (as this causes routing loops), the
solution to fixing this problem is creating subinterfaces with different
Each subinterface has its
own DLCI-enabled multipoint connection. Routing updates will now work
Frame Relay Map
command is used to configure the next hop address on an interface.
care of all the mappings for you. It builds a Frame-Relay map by querying
the Frame-Relay switch during the LMI exchange. It sends an Inverse ARP
request for the protocols that are specified on the interface. The
downside for the automatic set up is troubleshooting can be a pain.
NBMA Model (Non-Broadcast
mesh between peer routers. Routers are
configured as a simulated LAN and are configured as one logical subnet.
The downside is processor overhead: each broadcast packet must be
Broadcasts are sent out each
Performance degradation on
To control the amount of
bandwidth used on an interface use the frame-relay
Uses subinterfaces to conquer the split horizon issues. This
simulates several point-to-point links.
Icons from Cisco ConfigMaker.
NBMA Full Mesh,
Subinterfaces with Full Mesh, Hub and Spoke. X.25 and Frame Relay
interfaces can be backed up with an option called a floating static map
using an analog or ISDN line.
- can be used to merge two large networks without having
to re-address the whole network. Another function of NAT is overloading
inside global addresses. This process contains several inside addresses
using a single IP address. NAT can also use a pool of addresses or
multiple interfaces. NAT is supported by IOS 11.2 and higher. (Easily
remembered by meet me at 11 toNAT instead of tonight. 11.2 toNAT, it is
corny but effective!)
Description and Interfaces
TE1- has an ISDN
Interface. DS0=64Kbps=Digital Signal Level 0
- does not have
an ISDN interface; requires a TA (Terminal Adapter). The TA is typically
an ISDN Modem. The TA converts the signal to ISDN standards.
ISDN PRI US T1
requires different connectors. Uses DB15 and RJ48 connections.
DS1=1.54Mbps contains 24 DS0s considered in band.
ISDN PRI EUROPE E1
requires four connections DB15 before the CSU/DSU, and four RJ45 and/or
DB15 connections to the switch. 30 X DS0 is considered out of band.
In Europe, the ISDN service
provider provides the NT1. In the US, the customer supplies the NT1. In
the USA, the T1's D channel is in band. In Europe, it is considered
RSTUV-Logical Reference Points
Rate Reference Point-
located between the Non-ISDN router interface and the Terminal Adapter
System Reference Point
- is the reference point between the router with an ISDN Interface and
the NT2 or TA and NT2. Non-U.S. demarcation.
- the reference point between the TE1 and NT1 and/or TA. If
there is an NT2 (Customer Switching Equipment), the reference point is
included to the NT1 as well. This point is Non-U.S. demarcation.
User Reference Point-
This reference point is a U.S. demarcation. It references the point
between the NT1 and the LT.
V Reference Point -
Located between the LT and the ET. Also referred to as the Local
SNA is a hierarchical network
structure. There are several components and possible configurations for
configuring an SNA network.
all devices that can communicate in an SNA
LU Logical Unit
the software end unit. Software that provides the interaction for the
PU Physical Unit
controls resources on the node. Loads software and provides the
communication with the SSCP.
SSCP System Services
software for the mainframe that is responsible for
establishing the lines of communication and controlling resources.
handling direct communication with the mainframe for a dumb terminal or PC
would be quite rough without a gateway.
uses polling to communicate. Sending polling traffic over the LAN may
convince you to establish a gateway. LU gateways are good because the
Mainframe has a SSCP session to PU session to the LU gateway. The clients
only connect to the LU gateway through NetBIOS, so the Mainframe maintains
larger amount of overhead and administrative burden. The PCs attached to
the PU have to be manually configured on the VTAM.
Downstream PU is a Cisco router acting as a PU 2.0 device. To
PCs it looks like the mainframe and is very robust.
Connecting and Routing with SNA
DLSW Data Link
recommended as a scalable solution for traffic over a WAN
link. It is compatible with other vendors. Responsible for multiplexing
LLC connections over the WAN link. They are encapsulated in TCP/IP.
RSRB Remote Source
older method of SNA tunneling. Prone to timeouts over
slow WAN links. Tends to be chatty. Local ACK is used to solve this
problem. It is much like IPX Spoofing and prevents time outs.
- older method of SNA tunneling. Prone to timeouts over slow
WAN links. It performs very well over serial lines and supports direct
serial connections. Has fewer options than RSRB but is more robust.
Supports local ACK and is routable.
VPN Design Fundamentals
VPN stands for Virtual
VPN is any network built
upon a public network and partitioned for use by individual customers.
A VPN will allow you or your
company to use a public media such as the Internet to provide end-to-end
connection. This allows you to design a cost effective solution for your
clients but you must be aware of all the major design considerations that
follow. Your main issue of course will be Security and Encryption. VPNs
use encryption and tunneling to establish secure connections.
There are three different
corporate or business uses of VPNs
Basic VPN Design
Remote Access VPN Design
Remote Access VPNs provide
remote access to mobile or remote site users.
A Remote Access VPN solution
will allow a connection to a corporate Intranet or extranet over a public
Access VPNs enable mobile or
remote users to access resources at company headquarters locations.
Access VPNs encompass many
Intranet VPN Design
Intranet VPNs provide a link
over a shared infrastructure using mostly dedicated connections.
An Intranet will connect
entities together and most of them are trusted entities. When you let your
doors open to un-trusted or less trusted entities, you begin to create a
Extranet based VPN.
Extranet VPN Design
Extranet VPNs provide a link
to a corporate Intranet over a shared infrastructure using mostly
Now external customers can
take part in your Intranet solution. This would be a typical design if you
wanted to have an external business partner take part in some of your web
server transactions or access a database. This of course puts a new twist
into your design where you need to start thinking about intrusion
detection systems or ways to monitor access.
Notice that in the above
scenario you are allowing access to your Intranet over the VPN
For more Documentation on
VPN Strategies from Cisco, visit these links
Read VPN: Your Guide to the New World Opportunity
Read VPN Overview By Cisco (Design Examples)
Factors to Consider When Designing Your VPN Solution
What are the advantages of
having a VPN strategy as part of your network design?
When designing and implementing a
VPN you can sell the fact that organizations no longer have to use
expensive leased or frame relay lines to provide end to end connectivity
in every situation. Now, remote users can connect to their corporate
networks via a local ISP.
Calculate your savings with Cisco's
Remote Access VPN Savings Calculator.
VPNs can provide a high level of
security using advanced encryption techniques and authentication
Some of these protocols are
PPTP and L2TP which are Tunneling Protocols that provide
VPNs give flexibility to companies
to have a remote access infrastructure (some cannot afford expensive
Corporations are able to add a
virtually unlimited amount of capacity without adding significant
infrastructure. You must remember that the following should be taken
into your design: although it will scale, you will not get a dedicated
rate of bandwidth nor will you be able to fully rely on its
VPNs allow mobile workers,
telecommuters and day extenders to take advantage of high-speed,
broadband connectivity, such as DSL and Cable, when gaining access to
their corporate networks. This provides workers with significant
flexibility and efficiency.
Note that this is also a security
problem. Design your VPNs with security taking a high priority.
what you pay for. If you are designing a network for a client, you will
need to take into account that although you are saving money, you may not
be able to provide the most redundancy or offer a guarantee of bandwidth.
A VPN solution should be implemented into an infrastructure with much
thought and planning.
Security and Encryption
Three Phases of Securing a Network
Setting up a security policy that
will define the security goals of an enterprise
Using a Defense in Depth approach
in your design. This entails implementing network security with a
multi-layered design so that the enterprise does not fully depend or
rely on one type of technology or one layer of defense to solve all
security related issues
Consistent auditing of the network
to make sure that the security policy is being enforced. You can use the
results of the audits to modify the security policy and the technology
implementation as you develop your design. The CiscoSecure ACS (TACACS+)
does a fantastic job of performing router login auditing amongst other
things. This would be a product that you could incorporate into your
design as a Layer one defense
Cisco Network Security Solutions
Note: Know how to leverage
these products in your network design.
network traffic crossing in either direction is
Is an add-on module
to Cisco IOS software. It provides advanced firewall capabilities,
security technology such as intrusion detection and
activity on the network, responds to it, and send alarms back to the
Is software that
scans networks to find security vulnerabilities and provides
recommendations to correct them (Cisco's Port/Vulnerability
of network policies on the network and centrally manages policies on
PIX firewalls, VPNs, and Cisco Secure IDS systems
security posture assessments by highly experienced teams of Cisco
Network Security Engineers
Has been developed
as a central warehouse of security knowledge to provide Cisco
security professionals with an interactive database of security
authentication, authorization, and accounting services for both
small and large access environments
Is a program
designed to deliver comprehensive, interoperable security solutions
for Cisco networks to its customers and its associates
Five Key Elements of Network Security
Five Key Elements
Defined as the accurate and positive
identification of network users, hosts, applications, services, and
Technologies used to perform solid
Authentication protocols such as
RADIUS and TACACS+
Kerberos (and a TGS -Ticket
New technologies are beginning to
emerge which perform increasingly important roles in identification
Perimeter security provides a means
to control access to critical resources such as network applications,
data, and services
The goal is to control access so
only legitimate users and information can traverse your network
Routers and switches with ACLs
(access control lists) provide this control by filtering by IP / Port
Other tools that perform Perimeter
Effective data privacy can be
provided by several methods including:
GRE (generic routing encapsulation)
or L2TP (Layer 2 Tunneling Protocol) provide data separation and
Other implementations use
protocols such as IPSec for encryption
This added protection is
especially important when designing VPNs
How do you know your design worked?
Any good designer must review and test the design at regular
intervals to ENSURE that it works. You have to test
your design and monitor it.
Network vulnerability scanners
(Cisco Secure Scanner) can denote weak areas
Intrusion detection systems (Cisco
Secure IDS) can monitor and respond to security events in
As you continue to design and grow
your network, how do you manage it?
You can use Cisco Security Policy
Management tools to provide such management
Know how to implement overall
management products into a design especially for large enterprise size
Basic Three Part Firewall Design
the External Network is the Unknown Network.
Designing for Security
Before looking at this
overview, download and read SUN Network Security Policy Design.
Network assets can include
Network hosts (including the hosts'
operating systems, applications, and data)
Internetworking devices (such as
routers and switches)
Network data that traverses the
The company's reputation
Note: Protecting these
assets is the intent of network security design measures.
Analyzing Security Design
When analyzing the design you need
to achieve a balance between certain factors. These factors include:
Security adds to the overall
workload by adding responsibility for maintaining user login IDs,
passwords, and audit logs
Designing and implementing network
security will affect network performance.
Packet filters and data encryption
will take a toll on CPU power and memory.
Encryption can use more than 15
percent of available CPU power.
Even if you design the network with a
dedicated device to do the encryption, it still adds latency, because
every packet still has to be encrypted or decrypted and that takes time.
Availability is affected when you create a choke point that forces
all your data traffic through one point (the device doing the
encrypting and decrypting).
This also creates one point of
Cisco recommends that, to
maximize performance and minimize security complexity, a router that is
running encryption probably should not offer load balancing. Instead,
implement load balancing on the routers between the pair of devices
offering encryption. This advice should be taken into consideration
when planning your design.
Load balance scenario
View this Case study
Provided by Cisco: Cisco AAA Implementation Case Study.
Identifies who is requesting
services on the network.
Most security policies state that
to access a network and its services a user must enter a name and
password that are authenticated by a security server.
One Time Passwords:
Enhance security greatly because
once the password is used it is changed
Make the password nearly impossible to guess
and not susceptible to a well-focused dictionary attack
Are often accomplished through a
Can also be implemented with a
security card (resembles a credit card). With this, a user enters a
PIN (personal identification number) that enables him to use the
software unlocked by the card
The passwords are synchronized
with a centralized security server
Authentication controls who
can access network resources.
Authorization controls what
they can do when they have access.
Authorization grants privileges to
processes and users.
Authorization lets a security
administrator control parts of a network such as directories and files
Collecting data for accountability
is called accounting and is better known as auditing.
If you have designed a strict
security policy, you will probably be auditing all attempts to
achieve authentication and authorization by any person. (If you have
used the CiscoSecure ACS product you can set this up on routers so that
any attempt to access the router is audited and logged.) This is highly
recommended in any Network Security design.
It is most important to log
"anonymous" or "guest" access to public servers.
Even better to implement
in your design is a Honey Pot, a trap you can set so that an intruder's
activity is drawn to it and recorded. Its design follows.
Basic Attack and how to
The CiscoSecure ACS
application allows you to set up a login on a router so you can both
audit and fully monitor activity on your routers and what changes take
When you set up users and
groups you can audit activity with your routers and switches.
Encryption is enabled to protect
data from being read by anyone except who you intended to receive and
An encryption device encrypts data
before placing it on a network.
A decryption device decrypts the
data before passing it to an application.
An encryption or decryption device
can be a router, server, end system, or dedicated device.
Encrypted data is sometimes called
Data that is not encrypted is called
plain text or clear text.
You may want to encrypt data for
many reasons. One main reason, which you can explain to your clients when
you go over your design, is why encryption is needed in the first
place: Telnet and SNMP send passwords, community strings,
and any other form of authentication in clear text. If you telnet to a
router and an attacker plays man in the middle, you could be jeopardizing
your security. Instead, incorporate encryption into your design so that
even if the attacker does capture your data, they probably will not be able
to crack the encryption and use your data against you.
Another reason for including
encryption in your design is that VPN (the transport of data over a
public medium) uses encryption-based protocols.
PIX Firewall Products
Cisco Secure PIX Firewall Overview, Firewalls
Note: Be familiar with the
PIX product and how to leverage it into your designs.
Last Tips for Advanced Design
Please visit and use Cisco's
site, paying particular attention to the following links. Good Luck!
External Security with NT
This document deals with external security design for
NT-based products.
This excellent document will help
you get a feel for how to implement servers into your design when
dealing with Bastion hosts, the DMZ, and many other factors that you
SHOULD incorporate into your design.
You are expected to be familiar with
this technology when you implement and plan an advanced design for your