FVNET9712 S08 S11 Notes

Enterprise Computer Network Design Course


Lesson 8: Network Module Design - Part One

Instructor: Reza Ganji
MSc in Information Technology (IT) Engineering

Network Module Design

Designing a Secure Network

Key Threats in Campus


• Service disruption
- E.g. Malicious code, DoS, DDoS
• Unauthorized access
- E.g. Intrusions, privilege escalations
• Disclosure and modification of data
- E.g. Packet sniffing, Man-In-The-Middle attacks
• Network abuse
- E.g. Peer-to-peer abuse, IM abuse
• Data leak
• Identity theft and fraud
- E.g. Phishing, SPAM

Security Goals

• Service availability and resiliency


• Prevent unauthorized access, network abuse, intrusions, data leak, and fraud
• Ensure data confidentiality, integrity, and availability
• Ensure user segmentation
• Protect the endpoints
• Protect the infrastructure


Securing the Perimeter

• Ensure physical security


- Protect against physical access and environmental threats.
• Ensure operating system security
- Update device software and allocate enough resources.
• Device hardening
- Consider using AAA.
- Consider both Out-of-band and In-Band management.
- Implement reporting.


Introduction to Firewalls

• Firewalls prevent undesirable traffic from entering prescribed areas within a network,
therefore they should:
- Be resistant to attacks.
- Be the only point of transit.
- Enforce the company's access control policy.


Flavors of Firewalls

• Traditional flavors include:


- Packet filtering firewall
- Stateful firewall
- Application level gateway
• Other types
- Host-based firewall
- Transparent firewall
- Hybrid firewall
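To make the difference between the first two traditional flavors concrete, here is an added Python model (not part of the course slides) of a packet-filtering firewall beside a stateful one, both enforcing the same policy: inside hosts may open HTTPS to the outside, nothing else. The inside prefix 10.0.0.0/24 and every address used are constructed for the example.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed inside network for the example: 10.0.0.0/24
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True for the TCP segment that opens a connection


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Packet-filtering firewall: decides on header fields alone.
    To let the replies to outbound HTTPS back in, the filter must permit any
    inbound packet from source port 443 to a high port, and it cannot tell a
    genuine reply from an unsolicited probe shaped the same way."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return pkt.dport == 443                 # outbound: HTTPS only
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return pkt.sport == 443 and pkt.dport >= 1024   # "replies"
    return False                                # closed model: deny the rest


class StatefulFilter:
    """Stateful firewall: same policy, but inbound packets are admitted only
    when they belong to a connection that an inside host opened."""

    def __init__(self) -> None:
        # Connection table: (inside_ip, inside_port, outside_ip, outside_port)
        self.table: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.dport != 443:
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.table.add(key)             # new outbound connection
                return True
            return key in self.table            # later segments of a known flow
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return key in self.table            # only replies to tracked flows
        return False                            # closed model: deny the rest
```

The stateless filter passes the probe from 198.51.100.7 because it looks like a reply; the stateful filter passes the real reply only because it recorded the SYN that opened the connection, and a reply with no matching entry is dropped.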


Flavors of Firewalls (Cont.)

Next Generation Firewalls combine traditional firewall technologies with:


• Application filtering using deep packet inspection
- Investigating payload of a packet and comparing it to application signature database,
instead of relying on header information.
• Intrusion prevention system
• URL filtering
• Antivirus and antimalware inspection
• Decryption of encrypted traffic
• User identification

Firewall Recommended Practices


• Position them at key network boundaries.
• The firewall should be the primary, but not the only, security device on the network:
- For high availability, deploy firewalls in pairs.
- Use intrusion prevention systems, email security appliances, etc.
• A closed security model (deny by default, permit only what the policy requires) is preferred over an open security model (permit by default, block only what is known to be bad).
• Firewall features should be leveraged as needed.
• Ensure physical and management access controls.
• Continuously monitor firewall logs.
• Practice change management.

IPS/IDS Fundamentals

• Can firewalls stop malicious traffic, malware, or zero-day attacks?
- Not on their own; networks must be able to recognize and mitigate these threats.
• Two systems have evolved that both look into the packet payload and compare it to an application signature database:
- Intrusion Detection System: Investigates a copy of the traffic offline and sends alerts or logs when malicious traffic is detected.
- Intrusion Prevention System: Investigates traffic in-line and stops malicious traffic from entering the network.


IPS/IDS Fundamentals (Cont.)

• IDS:
- No network performance impact.
- No network downtime on failure.
- Trigger packets cannot be stopped.
- Vulnerable to network evasion.
• IPS:
- Trigger packets can be stopped.
- Stream normalization can be used.
- Network performance is impacted.
- Network downtime may be experienced in case of failure.


IPS/IDS Recommended Practices

• Ensure proper capacity planning.


• Do not place the IPS in front of the firewall; let the firewall drop unwanted traffic first, so the IPS inspects only what the policy already permits.
• Tune the default signatures.
• Create an update schedule.
• Monitor generated events.


Network Access Control

• Access control mechanisms fall into the following categories:


Network Access Control (Cont.)


Security Implications of Client Access Methods


• There is little reason to differentiate clients that use different access methods. Users should have access to the same corporate resources, regardless of the access method.


Summary

• The network should be protected against a vast variety of network threats.


• Implement a security policy that protects the infrastructure, its services, and its users.
• Place firewalls at key network boundaries to protect the network.
• IPS devices provide higher levels of protection; they should be properly sized and placed behind the firewall.
• Client access to the network should be controlled.
• Clients should not be differentiated based on access methods.

Network Module Design

Designing the Network Edge Layer

Edge Overview

• Securely connecting the enterprise network to the Internet and other administrative
domains


Edge Overview (Cont.)


Edge Overview (Cont.)


Typical Applications:
• Internet access: IPv4 & IPv6:
- Outbound for users
- Inbound for public services
• Remote access VPN: SSL or IPsec
• Site-to-site VPN: IPsec
• IP Telephony
• Video conferencing
• Security services:
- Web firewall
- E-mail firewall

Edge Overview (Cont.)

Typical requirements:
• Security: Security appliances and technologies
• Availability: Redundant devices, connectivity, and redundancy protocols
• Performance: Adequate processing capacity, bandwidth, clustering
• Scalability: Modularity of devices and technologies
• Manageability: Ease of service management
• Standards and regulations: Industry standards and their requirements
• Cost: Optimized cost based on business requirements, technical requirements, and
risk assessment

DMZ Overview

• Primary function: Host one or multiple services.
• Secondary function: Provide isolation and access control to services through segmentation.
• Services inside DMZs are hosted in two forms:
- Physical appliances
- Virtual appliances located in the data center


DMZ Segmentation

• Primary segmentation is done with a network firewall.


• Other segmentation technologies:
- Layer 2: VLANs
- Layer 3: IPsec, SSL, MPLS VPNs
- Devices: Server virtualization, virtual device contexts


DMZ Segmentation (Cont.)

E.g. public DMZ:


• Public service hosting
• Strict access control between security domains


DMZ Segmentation (Cont.)

• Identify required DMZ services.


• Identify the required security/segmentation mechanisms and devices based on risk
assessment.
• Optionally, use virtual context to logically segment the firewall itself (Cisco ASA).


DMZ Service Placing

• Per-Service DMZs:
- Best isolation
- All inter-server traffic goes through the firewall (better security control, but there is a performance impact)
• Shared DMZs:
- Easier management
- Inter-server traffic is locally switched (no performance impact on the firewall, but also no firewall inspection between servers in the same DMZ)

Internet Connectivity


Internet Connectivity (Cont.)


Internet Edge with High Availability

• Two independent ISPs


• Public AS number
• Provider-independent address space

VPN Design

VPN Design (Cont.)

SSL VPN for Remote Access:


• Cisco ASA design options:
- Availability options are single device, failover (active/standby), load balancing
- Integration with external user authentication systems
• Client design options (enforced by ASA):
- Full tunnel or split tunnel
- Local LAN access
- Web browser and/or AnyConnect client
- Certificate and/or one-time-password authentication
- Endpoint assessment


Site-to-Site VPN Use Cases

Site-to-site use cases:


• Branch WAN backup
• Primary branch access method
• Extranet
• Secure integration with cloud-based services
Technologies:
• IPsec for data confidentiality, integrity, and authenticity
• GRE to provide for any type of payload and simplify routing designs


Site-to-Site VPN Use Cases (Cont.)

• Example: Using a site-to-site tunnel over the Internet as the backup connection to
branch office


Site-to-Site VPN Use Cases (Cont.)

Example: Using a site-to-site tunnel to connect to extranet:


• Use a dedicated DMZ to tightly control extranet connectivity.
• Use firewalls and dedicated extranet servers to integrate business processes with
partners.


Overview of Remote Access Flavors


Security Services Design

• Network firewall (Cisco ASA) is the primary network security function used to build
DMZs.
• Extra security functions can be implemented to further strengthen the environment:
- In dedicated security service DMZs
- In the Edge Distribution module
• Sample security services:
- Intrusion Prevention System (IPS), such as Cisco ASA with FirePOWER module.
- Web firewall such as Cisco Web Security Appliance (Cisco WSA).
- Email firewall such as Cisco Email Security Appliance (Cisco ESA).

Security Services Design (Cont.)

• Example: FirePOWER IPS


Security Services Design (Cont.)

• Example: Cisco Email Security Appliance


Security Services Design (Cont.)

• Example: Cisco Email Security Appliance


Edge Device Selection


Design choices:
• Dedicated appliance per service
• Multipurpose appliance
Types of appliances:
• Physical appliance (e.g. Cisco ASA 5xxx)
• Virtual appliance (e.g. Cisco ASAv)
• Cloud service
Carefully consider how your design choices influence the following:
• Security characteristics
• Performance characteristics
• Potential risks to the business

Edge Device Selection (Cont.)


Edge Device Selection (Cont.)

Physical Appliances:
• Known performance characteristics.
• Performance upgrades require purchase and installation of new hardware and optionally licensing.
• Require rack space, power, and cooling.

Virtual Appliances:
• Performance characteristics depend on underlying server capabilities and configuration.
• Performance upgrades are software and license based.
• Redundancy can be implemented at the virtualization layer.
• Smaller energy footprint, though it may be larger per bps.
• Not all functionalities may be available.


Edge Device Selection (Cont.)

Cisco Routers:
• VRFs
• Isolation at the routing layer
• Extend segmentation across Layer 3 hops (like VLANs in Layer 2)

Cisco ASA:
• Virtual Contexts
• Isolation at the system layer
• Use one ASA and logically have multiple ASAs
• Not all functionality is available in context mode

NAT Placement

NAT Placement (Cont.)


Summary

• Use risk management to guide the design choices in order to achieve adequate levels of:
- Reliability
- Security
- Performance
- Scalability
- Cost
• Consider hybrid implementations:
- Use of virtual appliances
- Use of cloud services (e.g. security appliances hosted on premises of a service provider, but managed by the
enterprise)
- Reevaluate risk management practices when introducing cloud services

Network Module Design

WAN Design

WAN Topologies

Star, or Hub-and-Spoke, Topology:


• Benefits: Network simplicity, low number of circuits
• Drawbacks: Suboptimal traffic flow, no redundancy

Fully Meshed Topology:


• Benefits: Any-to-any connectivity, high level of redundancy
• Drawbacks: Configuration complexity, number of circuits

Partially Meshed Topology:


• A compromise between star and fully meshed


How Should I Connect Remote Sites?


WAN Considerations

• Service-level agreement (SLA)
• Cost of investment and usage
• Support for growth
• Level of security
• End-to-End QoS
• Multicast
• Redundancy
• Etc.


Provider-Managed VPNs: Layer 2 vs. Layer 3

• L2 VPN: customer routers exchange routes directly.


• Some applications need L2 connectivity to work.
• E.g. VPLS and VPWS.


Provider-Managed VPNs: Layer 2 vs. Layer 3 (Cont.)

• L3 VPN: customer routers exchange routes with SP routers.
• Most scalable solution.
• Usually cheaper than L2 VPN.
• E.g. MPLS L3 VPN.


MPLS Overview

• MPLS is a forwarding mechanism in which packets are forwarded based on labels.


MPLS Overview (Cont.)

• Within the SP network traffic is forwarded solely based on labels (P-routers do not
need to lookup IP routing information).


Layer 3 VPN: MPLS/VPN

• Builds VPNs over MPLS. PE routers carry separate set of routes for each customer
(customers can use overlapping addresses).


Layer 3 VPN: MPLS/VPN (Cont.)

• From customer perspective PE routers are core routers that are connected via BGP
backbone (P-routers are hidden from customer).


Layer 3 VPN: MPLS/VPN Considerations

Which services are available:


• Routing protocol choice might be limited.
• Can service provider offer QoS services? What kind of QoS?
• What kind of SLA can the provider offer you?
• Is multicast supported?


Layer 3 VPN: MPLS/VPN Considerations (Cont.)

Your dependence on the service provider is heavy:
• End-to-end Layer 3 convergence time depends mostly on the SP.
- Reliability of the network depends on the service provider.
• Significant lock-in.
- It is hard to change provider when it is operating your WAN network.


Layer 2 VPN: VPWS

• From the customer's perspective, VPWS is a technology that makes the entire provider network seem like an Ethernet link between any two customer sites.


L2 VPN: VPWS Considerations

Ask the service provider:


• Are QoS mechanisms available?
• What is the maximum MTU size?
• Is service totally transparent?
• Is link loss signaling propagated?


Layer 2 VPN: VPLS

• From the customer's perspective, VPLS is a technique that makes the entire provider network seem like a giant switch between a number of customer sites.


Layer 2 VPN: VPLS Considerations

• Almost no lock-in.
• You control routing convergence.
• Possible issues:
- Scalability
- Multicast
- STP loops
- Load balancing


Provider-Managed VPNs: Making Choices

• First consider your business needs.


• What type of services are available for your sites.
- L2 or L3 VPN might not even be an option for all your sites.
- You might be forced to combine multiple services in your network.
• Try before you buy (if possible).
• If it is your first time, get help from an expert.


Introducing Enterprise-Managed VPNs

• Build point-to-point or multipoint links across third-party IP infrastructure.


- Cheap, but weak QoS support, questionable SLA, and security concerns.
• Connect sites with private IP addressing.
• (Optional) Encrypt traffic.


Deploying Enterprise-Managed VPN over Provider-Managed VPN

• Why provider-based VPN instead of Internet?


- SLAs and better convergence.
• Why tunnel over provider-based Layer 3 MPLS/VPN?
- Lack of features (routing, QoS) or trust issues with service provider.


IPsec Overview

• IPsec is a framework of open security standards.


• IPsec provides four main functions:
- Confidentiality
- Data integrity
- Authentication
- Antireplay protection
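Of the four functions, anti-replay protection is the one that can be shown compactly in code. Below is an added Python example (not from the slides) of the ESP sliding-window check described in RFC 4303 Appendix A, with 32-bit sequence numbers and no extended sequence numbers. The window size of 64 and the replayed sequence numbers are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check in the style of ESP (RFC 4303,
    Appendix A).  Each sequence number is accepted at most once; numbers that
    have fallen behind the window are rejected.  In a real implementation
    check() runs after integrity verification and commit() is called only for
    packets that authenticated correctly, so a forged packet cannot advance
    the window."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("window must hold at least 32 entries")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) was seen

    def check(self, seq: int) -> bool:
        if seq == 0:
            return False    # 0 is never a valid ESP sequence number
        if seq > self.top:
            return True     # newer than anything seen: cannot be a replay
        diff = self.top - seq
        if diff >= self.size:
            return False    # older than the window: treated as a replay
        return not (self.bitmap >> diff) & 1

    def commit(self, seq: int) -> None:
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int) -> bool:
        """Return True if the packet is accepted (and record it)."""
        ok = self.check(seq)
        if ok:
            self.commit(seq)
        return ok


def replay_capture(stream, replayed):
    """Feed a legitimate stream, then an attacker's replay of packets captured
    from it.  Returns (accepted_from_stream, accepted_from_replay)."""
    w = AntiReplayWindow()
    good = sum(w.receive(s) for s in stream)
    bad = sum(w.receive(s) for s in replayed)
    return good, bad
```

Late packets that are still inside the window are accepted once (reordering is tolerated), a second copy of any accepted number is dropped, and anything older than the window is dropped without consulting the bitmap.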


Enterprise-Managed VPN: IPsec Tunnel Mode

• IPsec allows tunnel establishment between sites.


• Straightforward implementation and vendor independent solution.
• Multicast is not possible.
- So multicast-based dynamic routing is not possible.


Enterprise-Managed VPNs: GRE over IPsec


• Addition of GRE to IPsec enables routing and multicast.
• The entire GRE-encapsulated packet is encrypted and carried inside an IPsec header:
- Everything is encrypted, including routing updates.
• Scalability is problematic:
- More peers, more configuration (one point-to-point tunnel per peer).
- Routing peers limit scalability.


Enterprise-Managed VPNs: DMVPN


DMVPN provides a scalable GRE over IPsec solution:
• Simple hub-and-spoke configuration.
• Zero-touch configuration for new spokes.
• Uses mGRE, NHRP, and IPsec.
• However, it is Cisco proprietary and can get complex (especially QoS configuration).


Enterprise-Managed VPNs: DMVPN (Cont.)

• An important characteristic of the DMVPN solution is scalability, which is enabled by deploying mGRE.


Enterprise-Managed VPNs: DMVPN (Cont.)

Next Hop Resolution Protocol provides a mechanism to dynamically learn IP addresses of the spokes:
• The hub acts as the server and the spokes as clients.
• The hub maintains a database of all physical and tunnel addresses of the spokes.
• Each spoke registers its addresses when it boots.


Enterprise-Managed VPNs: DMVPN (Cont.)

mGRE uses NHRP to create dynamic tunnels.


• The hub learns the spoke addresses in order to create
GRE tunnels to them.
• Spokes query the server to resolve external addresses of
other spokes and create dynamic GRE tunnels to them.


Enterprise-Managed VPNs: IPsec VTI

• IPsec VTI = simplified IPsec tunnel mode configuration.


• Natively supports features that previously required GRE (e.g. routing, multicast).
• Cisco proprietary.
• Two types: static and dynamic.


Enterprise-Managed VPNs: GETVPN


• Large-scale deployment with any-to-any IP connectivity using group IPsec security.
• Takes advantage of underlying IP VPN routing infrastructure.
- No need for overlay routing plane like with GRE over IPsec.
- Native multicast support.
• However, it is Cisco proprietary!


Enterprise-Managed VPNs: GETVPN (Cont.)

• Typical usage: encrypt MPLS/VPN or VPLS traffic to meet regulatory requirements.


Enterprise-Managed VPNs: Making Choices


Enterprise-Managed VPNs: Making Choices (Cont.)

Scalable VPN design depends on:


• Number of branch offices.
• Connection speeds and packets per second.
• IGP routing peers.
• High availability.
• Supported applications.


Summary
General WAN options for your Enterprise network:
• Leased lines
• Provider-managed VPN:
- Layer 3 MPLS/VPN: Affordable, but you will need to adapt to the provider (and trust it).
- VPLS: Scalability and reliability can be an issue, but there are few adaptations to be made to the SP.
- VPWS: Only for special use cases (e.g. DC interconnect).
• Enterprise-managed VPN options
- Standard IPsec: OK for small networks and if you do not need dynamic routing or multicast.
- GRE over IPsec: Adds routing and multicast capabilities. Not scalable.
- DMVPN: Scalable version of GRE over IPsec.
- IPsec VTI: IPsec with native support for dynamic routing and multicast.
- GETVPN: Large-scale IPsec, not suitable for the Internet.
Network Module Design

Branch Design

Branch Putting Pressure on the WAN


Common Branch Connectivity Options


Branch Redundancy Options


Single-Carrier WANs vs. Dual-Carrier WANs

Single Provider Benefits:
• Common QoS support model
• Only one vendor to "manage"
• Overall simpler design

Single Provider Drawbacks:
• Carrier failure could be catastrophic
• Transitioning to a new carrier is complicated

Dual Providers Benefits:
• More fault domains
• More transport offerings to business
• Second vendor option

Dual Providers Drawbacks:
• Increased cost of two carriers
• Increased overall design complexity

Single-Carrier MPLS/VPN Site Types

• Dual-homed:
- Single or dual CE routers
- EBGP to service provider, IBGP between CEs
- Redistribute routes into IGP
- Only advertise local prefixes
• Single-homed:
- Advertise local prefixes to provider
- Redistribute into IGP or use default route


Dual-Carrier MPLS/VPN WAN


• EIGRP:
- Routes are redistributed from BGP into EIGRP.
- BGP routes are treated as EIGRP external.
• BGP:
- No IBGP is required between the HQ-W1 and HQ-W2 CE routers.
- Routes are redistributed from EIGRP into BGP, except those tagged as originally sourced from BGP (otherwise a prefix learned from one carrier would be re-advertised to the other).


Hybrid WAN: Layer 3 Provider VPN and IPSec VPN


• HQ WAN:
- HQ-W1 learns branch route via EBGP.
- HQ-W2 learns branch route via EIGRP.
• HQ core:
- HQ-W1 redistributes EBGP into EIGRP-seen as EIGRP external routes.
- HQ-W2 does not require redistribution- seen as EIGRP internal routes.
- Core installs branch routes via HQ-W2 because internal routes are preferred.


Hybrid WAN: Layer 3 Provider VPN and IPSec VPN

• Branch:
- BR-W1 learns HQ routes via EBGP.
- BR-W2 learns HQ routes via EIGRP.
- Redistribution is not configured.
- HSRP primary is on BR-W1.
• MPLS/VPN is the preferred path because EBGP (AD 20) has a lower administrative distance than EIGRP (AD 90).


Hybrid WAN: Layer 3 Provider VPN and IPSec VPN

• Running the same EIGRP AS for the campus and the Internet VPN results in the VPN being preferred over MPLS/VPN: the VPN route is EIGRP internal (AD 90), while the MPLS/VPN route redistributed from EBGP is EIGRP external (AD 170).
• Solution: Run multiple EIGRP ASes:
- EIGRP 100 is used in the Campus, EIGRP 200 over the Internet VPN.
- EIGRP 200 routes that are redistributed into EIGRP 100 appear as external routes (AD = 170).
- Routes from both sources now have the same AD and are thus equal cost. If you want to prefer the MPLS/VPN path, modify the EIGRP delay metric.
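To trace the route preferences described on the Dual-Carrier MPLS/VPN WAN slide and on the three Hybrid WAN slides above, here is an added Python model (not from the course) of a RIB choosing by administrative distance and then metric, with each redistribution step written as a function. The router names follow the slides (HQ-W1, HQ-W2, BR-W1, BR-W2); the prefixes, metric values and the route-tag value 65000 are constructed for the example, and the administrative distances are the Cisco IOS defaults.

```python
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS default administrative distances (lower is preferred)
AD = {"ebgp": 20, "eigrp": 90, "eigrp_external": 170}

# Constructed tag value: marks routes that originally came from BGP
BGP_ORIGIN_TAG = 65000


@dataclass
class Route:
    prefix: str
    source: str                 # protocol the route was learned from
    via: str                    # router (or provider) the route points to
    metric: int = 0             # EIGRP metric; a delay-dominated stand-in here
    tag: Optional[int] = None   # route tag carried through redistribution

    @property
    def ad(self) -> int:
        return AD[self.source]


def best_routes(candidates: List[Route]) -> List[Route]:
    """RIB selection: lowest AD wins; ties go to the lowest metric; a full
    tie yields equal-cost paths, so all of them are returned."""
    best_ad = min(r.ad for r in candidates)
    same_ad = [r for r in candidates if r.ad == best_ad]
    best_metric = min(r.metric for r in same_ad)
    return [r for r in same_ad if r.metric == best_metric]


def bgp_into_eigrp(route: Route, via: str, metric: int) -> Route:
    """eBGP -> EIGRP: the result is EIGRP external (AD 170) and is tagged."""
    return Route(route.prefix, "eigrp_external", via, metric, BGP_ORIGIN_TAG)


def eigrp200_into_eigrp100(route: Route, via: str, metric: int) -> Route:
    """EIGRP 200 -> EIGRP 100: crossing the AS boundary also makes it external."""
    return Route(route.prefix, "eigrp_external", via, metric, route.tag)


def eigrp_into_bgp(routes: List[Route]) -> List[Route]:
    """EIGRP -> BGP at the second CE: drop routes tagged as BGP-sourced, so a
    prefix learned from carrier A is never re-advertised to carrier B."""
    return [r for r in routes if r.tag != BGP_ORIGIN_TAG]


def branch_choice() -> List[str]:
    """Branch: eBGP from the MPLS/VPN (AD 20) beats EIGRP over the Internet
    VPN (AD 90) with no tuning at all."""
    mpls = Route("10.0.0.0/16", "ebgp", "BR-W1")
    vpn = Route("10.0.0.0/16", "eigrp", "BR-W2", 3000)
    return [r.via for r in best_routes([mpls, vpn])]


def hq_core_single_as() -> List[str]:
    """HQ core, one EIGRP AS: the Internet VPN route is EIGRP internal (AD 90)
    and beats the redistributed MPLS/VPN route (external, AD 170)."""
    mpls = bgp_into_eigrp(Route("10.1.0.0/16", "ebgp", "SP-A"), "HQ-W1", 2000)
    vpn = Route("10.1.0.0/16", "eigrp", "HQ-W2", 3000)
    return [r.via for r in best_routes([mpls, vpn])]


def hq_core_two_as(mpls_metric: int = 2000, vpn_metric: int = 3000) -> List[str]:
    """HQ core, EIGRP 100 in the campus and EIGRP 200 over the Internet VPN:
    both candidates are external (AD 170), so the delay metric decides."""
    mpls = bgp_into_eigrp(Route("10.1.0.0/16", "ebgp", "SP-A"), "HQ-W1", mpls_metric)
    vpn = eigrp200_into_eigrp100(Route("10.1.0.0/16", "eigrp", "HQ-W2"), "HQ-W2", vpn_metric)
    return [r.via for r in best_routes([mpls, vpn])]


def dual_carrier_export() -> List[str]:
    """Dual-carrier HQ: prefixes HQ-W2 advertises to carrier B after
    EIGRP -> BGP redistribution.  Carrier A's prefix carries the tag and is
    filtered out; only the campus prefix is exported."""
    from_carrier_a = bgp_into_eigrp(Route("10.2.0.0/16", "ebgp", "SP-A"), "HQ-W1", 2000)
    campus = Route("10.0.0.0/16", "eigrp", "core", 1000)
    return [r.prefix for r in eigrp_into_bgp([from_carrier_a, campus])]


if __name__ == "__main__":
    print("branch prefers:", branch_choice())
    print("HQ core, single EIGRP AS:", hq_core_single_as())
    print("HQ core, two EIGRP ASes, lower MPLS delay:", hq_core_two_as())
    print("HQ core, two EIGRP ASes, equal delay:", hq_core_two_as(3000, 3000))
    print("exported to carrier B:", dual_carrier_export())
```

With equal delay the two-AS design installs both paths as equal cost, which is the load-balancing outcome the Layer 2 hybrid slide warns about; lowering the delay on the MPLS/VPN side is what makes the premium path win.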


Hybrid WAN: Layer 2 Provider VPN and IPSec VPN

• Direct adjacencies over provider-based Layer 2 VPN and enterprise-based VPN over the Internet.
• If you want for traffic to prefer the premium path (Layer 2 VPN ), you will need to modify the EIGRP
delay metric.
- Otherwise, equal-cost load balancing will occur.


Branch Internet Access-Centralized or Local?

Centralized Internet Access:


• Simplified management and easier control of traffic
• May be required per your security policy
• More bandwidth is required for WAN connection,
which means higher costs


Branch Internet Access-Centralized or Local?

Local Internet Access:


• Also called "split tunneling".
• Only traffic that is not Internet-bound traverses the WAN links.
- In the example: MPLS/VPN for Branch1 and VPN over Internet for Branch2.
• Default route to the Internet: web traffic does not traverse the Branch1 WAN.


Remote-Site LAN: Flat Layer 2

Single-router:
• Access switch (or switch port on the router) usually configured with two VLANs: one for data, one for voice.
• If a router and a switch are used, the connection between the two needs to be configured as a trunk.


Remote-Site LAN: Flat Layer 2 (Cont.)

Dual-router:
• IGP needed between routers.
• Gateway redundancy is provided by an FHRP (e.g. HSRP).


Remote-Site LAN: Collapsed Core

• Bigger branches require LAN design that is similar to LANs at the main campus.
Dual-WAN and dual-router design offers better resiliency.


Summary

• Provider-managed and enterprise-managed VPNs can be used in different combinations:


- Non-redundant (cheapest, but least reliable)
- Redundant links
- Redundant links and redundant routers (most expensive, but most reliable)
• When you design a dual-carrier MPLS/VPN connectivity, be careful not to introduce routing
loops with redistribution.
• When you want to use VPN over Internet as secondary connection to provider-managed
VPN, make sure that the premium connection will be preferred.
• If your security policy allows it, consider offloading Internet traffic at the branch through a local exit.
Network Module Design

Connecting Data Centers

Data Center Architecture


Data Center Ethernet Infrastructure


Data Center Storage Integration

Traditional approach to storage:
• LAN and SAN infrastructures are parallel.
• Inefficient use of infrastructure and space.
• More possible points of failure.
• Complex management.
• Solution: Consolidation of network and storage.


Data Center Storage Integration (Cont.)

Unified approach to storage:


• LAN and SAN consolidated in one single network
• Lower total cost of ownership.


Data Center Storage Integration (Cont.)

• Unified Port allows a physical port to be configured to support either native Fibre Channel or Ethernet.
• FCoE allows encapsulation and transport of Fibre Channel traffic over a shared Ethernet network.
- From the FC perspective, Ethernet is just a different physical medium.
- From the Ethernet perspective, FC is just another upper-layer protocol.


Data Center Reference Architecture

3-tier hierarchy:
• Scalable and resilient.
• Makes maintenance easier


Data Center Reference Architecture

2-tier hierarchy:
• Reduced DC hierarchy.
• Fewer management points.


Server Virtualization and Virtual Switch

• Hypervisor-based virtualization solutions run multiple VMs inside a physical server.
• Each VM has a virtual NIC that connects to a virtual switch.
- Traffic between VMs within a server is now switched within the physical host.
• Virtual machines can be moved between physical hosts.


Resilient Data Center Core Options

Traditional design with spanning tree:


• STP blocks links in order to prevent looping.
• Only half of uplinks are actively forwarding traffic.


Resilient Data Center Core Options (Cont.)

vPC design:
• vPC- virtual Port Channel.
• Allows links that are physically connected to two different
switches to appear to a downstream device to be coming from
a single device, as part of a single port channel.
- All uplinks are active.
• Similar technology as the Multichassis EtherChannel- MEC,
that is part of VSS in LAN. However, vPC does not merge
devices into one logical device


Resilient Data Center Core Options (Cont.)

Fabric extender design:


• Fabric extension allows you to group physical switch
ports.
• All configuration is done on data center switches;
fabric extender acts as a line card on the DC switch.


Data Center Security

• Deploy firewall inline to protect data resources.


• Proper data center design enables creation of multiple networks to host services that
require separation.
- E.g. Separating customer relationship management application from other applications.


Need to Connect Data Centers

• Disaster recovery:
- Activate the secondary data center after disaster.
• Active/active data center:
- Two data centers active at the same time.


Data Center Interconnect Options


Extending Layer 2 Between Data Centers


• If possible, do not extend Layer 2 between data centers.
• Sometimes Layer 2 needs to be extended because:
- IP renumbering can be complex and costly.
- Some applications can be difficult to re-address.
- Layer 2 adjacency is sometimes required to maintain business continuity.
- Synchronization of software modules of virtual machines.
- Cluster communication requirements (heartbeat).


Supporting Server Scalability

Scale-up:
• Buy a bigger box.
• Buy more memory.
• Etc.

Scale-out:
• Add servers.


Supporting Server Scalability

Scale-up:
• Rigid and disruptive.
• Costly in case of physical servers.
• Easy to implement.

Scale-out:
• Elastic and non-disruptive.
• Requires a load balancing implementation:
- Application-level
- Network-level


Application-Level Load Balancing

• Load balancing between tiers in the application stack.
• Not possible with all applications.
- If it is not possible, you will have to implement network-level load balancing.
• E.g. decoupled web and application tiers.


Network-Level Load Balancing

Network-level load balancing can be divided into three categories:


• DNS-based
• Anycast
• Layer 4-7 load balancers


Network-Level Load Balancing (Cont.)


Example: DNS-based load balancing
• The DNS server keeps track of which servers are available.
• When a client tries to access the service, the DNS response contains a list of servers.
• If a server becomes unavailable, the DNS server removes it from the list.
• Works well only if the application is DNS-aware and re-resolves when the TTL expires; web browsers typically are not, and keep using the address they first resolved.
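As an added example (not from the slides), the following Python model plays out the last bullet: a DNS balancer that rotates the healthy servers in its answers, one client that re-resolves when the TTL expires, and one that pins the first address it received. Server names, the 30-second TTL and the timings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsAnswer:
    addresses: List[str]     # A records, in the order returned
    ttl: int                 # seconds the answer may be cached


class DnsLoadBalancer:
    """Authoritative DNS that answers with the pool members it currently
    believes are healthy, rotating the order on every query so clients that
    take the first address spread across the pool."""

    def __init__(self, pool: List[str], ttl: int = 30) -> None:
        self.pool = list(pool)
        self.healthy = set(pool)
        self.ttl = ttl
        self._rotation = 0

    def mark_down(self, server: str) -> None:
        self.healthy.discard(server)     # health check failed: stop answering with it

    def mark_up(self, server: str) -> None:
        self.healthy.add(server)

    def query(self) -> DnsAnswer:
        live = [s for s in self.pool if s in self.healthy]
        if not live:
            return DnsAnswer([], self.ttl)
        start = self._rotation % len(live)
        self._rotation += 1
        return DnsAnswer(live[start:] + live[:start], self.ttl)


class Client:
    """Resolver plus application.  honor_ttl=True re-queries once the cached
    answer expires; honor_ttl=False models an application that keeps using
    the first address it resolved (the browser case on the slide)."""

    def __init__(self, dns: DnsLoadBalancer, honor_ttl: bool = True) -> None:
        self.dns = dns
        self.honor_ttl = honor_ttl
        self._cache: Optional[Tuple[DnsAnswer, float]] = None

    def resolve(self, now: float) -> Optional[str]:
        if self._cache is not None:
            answer, expires_at = self._cache
            if not self.honor_ttl or now < expires_at:
                return answer.addresses[0] if answer.addresses else None
        answer = self.dns.query()
        self._cache = (answer, now + answer.ttl)
        return answer.addresses[0] if answer.addresses else None


def failover_scenario() -> Dict[str, Optional[str]]:
    """Constructed scenario: both clients resolve at t=0, then the server the
    pinning client received (srv1) fails.  Shows where each client sends
    traffic inside the TTL and after it has expired."""
    dns = DnsLoadBalancer(["srv1", "srv2", "srv3"], ttl=30)
    pinned = Client(dns, honor_ttl=False)
    honoring = Client(dns, honor_ttl=True)
    result: Dict[str, Optional[str]] = {
        "pinned_before": pinned.resolve(now=0),       # srv1
        "honoring_before": honoring.resolve(now=0),   # srv2 (rotated answer)
    }
    dns.mark_down("srv1")                              # srv1 fails shortly after
    result["honoring_within_ttl"] = honoring.resolve(now=10)   # still cached
    result["pinned_after"] = pinned.resolve(now=45)            # still srv1: dead
    result["honoring_after"] = honoring.resolve(now=45)        # re-resolved
    return result
```

Even the well-behaved client keeps using its cached answer until the TTL runs out, so DNS-based balancing never fails over faster than the TTL; the pinning client never fails over at all, which is why the slide says the approach works only for DNS-aware applications.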


Network-Level Load Balancing (Cont.)

Example: Local anycast load balancing


• Servers share the same IP.
- This common IP is advertised to the first-hop router.
• Useful only for UDP traffic: the router may forward consecutive packets to different servers, which breaks the connection state a TCP session depends on.
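As an added example (not from the slides), this Python snippet shows why the UDP-only restriction exists: under per-packet load sharing on the first-hop router, the segments of one TCP session land on different servers, while single-packet UDP request/response exchanges do not care. It also shows, going one step beyond the slide, that per-flow sharing (a hash of the 5-tuple, as ECMP on routers does) keeps a session on one server; the session is still lost if the hash result changes after a topology change. The anycast address 192.0.2.53 and the traffic are constructed.

```python
import hashlib
import itertools
from typing import Callable, Iterable, List, Set, Tuple

Packet = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


def hash_per_flow(n_servers: int) -> Callable[[Packet], int]:
    """ECMP-style selection: hash the 5-tuple, so every packet of one flow
    reaches the same anycast instance."""
    def choose(pkt: Packet) -> int:
        digest = hashlib.sha256(repr(pkt).encode()).digest()
        return int.from_bytes(digest[:4], "big") % n_servers
    return choose


def round_robin_per_packet(n_servers: int) -> Callable[[Packet], int]:
    """Per-packet load sharing: consecutive packets go to different instances
    regardless of the flow they belong to."""
    counter = itertools.count()
    return lambda pkt: next(counter) % n_servers


def instances_hit(packets: Iterable[Packet], choose: Callable[[Packet], int]) -> Set[int]:
    return {choose(p) for p in packets}


def tcp_session_survives(packets: List[Packet], choose: Callable[[Packet], int]) -> bool:
    """A TCP session works only if every segment reaches the same instance,
    because only that instance holds the connection state."""
    return len(instances_hit(packets, choose)) == 1


# Constructed traffic: one TCP session of 10 segments towards the anycast
# address, and 200 independent UDP requests from different source ports.
ANYCAST_IP = "192.0.2.53"
TCP_SESSION: List[Packet] = [("10.0.0.5", 40000, ANYCAST_IP, 443, "tcp")] * 10
UDP_REQUESTS: List[Packet] = [("10.0.0.5", 50000 + i, ANYCAST_IP, 53, "udp") for i in range(200)]

if __name__ == "__main__":
    for name, chooser in (("per-flow hash", hash_per_flow(3)), ("per-packet", round_robin_per_packet(3))):
        print(name, "TCP session survives:", tcp_session_survives(TCP_SESSION, chooser),
              "UDP requests spread over:", sorted(instances_hit(UDP_REQUESTS, chooser)))
```

Both schemes spread the independent UDP requests over all three instances; only the per-flow scheme keeps the TCP session intact.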


Network-Level Load Balancing (Cont.)


Example: L4-L7 load balancing
• Dedicated load balancing appliance constantly checks the state of all servers.
• Application (service) is associated with a pool of addresses.
• Clients make a request to the virtual IP address of the load balancer and the load balancer maps the
request to the best server in the pool.


Summary

• Storage and LAN have become integrated.


- Fewer cables, fewer possible failure points, less complex management, and lower costs in the long term.
• Build a resilient DC core:
- vPC is similar to MEC in Campus switches, just for data center switches.
- Fabric extension groups physical switch ports and all configuration is done on the DC
switch.
• Deploy firewall in line to protect data resources.
• Avoid extending Layer 2 between data centers.
These slides are based on the material covered in the Faradars course "Enterprise Computer Network Design".

For more information about this course, see the link below.

faradars.org/fvnet9712