Friday, March 01, 2024



Cisco Internetwork Design 3.0



Desktop Protocols

Microsoft protocols were designed for flat networks where all clients and servers share the same media. Different encapsulation methods exist to carry them across a routed network. Most noteworthy is NetBEUI, which must be bridged and cannot be routed unless encapsulated in another protocol such as NWLink (NetBIOS over IPX) or NBT (NetBIOS over TCP/IP).

NetBIOS – broadcast-based; it does not have logical addressing functionality and operates primarily at the Session Layer.














NetBEUI – broadcast-based; it does not have logical addressing functionality and operates at the Transport and Network Layers of the OSI Model.

AppleTalk – versions include Phase 1 (antiquated, does not scale well) and Phase 2 (current version). Phase 2 allows more hosts per segment (253 nodes per network number, with a cable range of several network numbers per segment) and supports Token Ring, Ethernet and FDDI.

IPX (Internetwork Packet eXchange) – is a routable protocol with several frame encapsulations. Encapsulations must match for machines to see each other on the network. Although it is not recommended, two encapsulations can share one router interface (each on its own IPX network number); to let packets be fast-switched back out the interface they arrived on, use the ipx route-cache same-interface command. Different encapsulations can also be placed on subinterfaces, but the two networks then cannot see each other without being routed. The default frame type for NetWare 3.x is Raw Ethernet, ETHERNET_802.3 (Cisco keyword novell-ether); for NetWare 4.x it is ETHERNET_802.2 (Cisco keyword sap).

Raw Ethernet (ETHERNET_802.3) is an IEEE 802.3 frame with no Logical Link Control header; the IPX checksum field FFFF sits where the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) bytes would be.











IPX encapsulation names (Cisco keyword / Novell frame type / framing):

  novell-ether   ETHERNET_802.3   raw 802.3, no LLC header
  sap            ETHERNET_802.2   802.3 with 802.2 LLC (SAP E0)
  arpa           ETHERNET_II      Ethernet II, type 8137
  snap           ETHERNET_SNAP    802.2 SNAP, type 8137

TCP/IP (Transmission Control Protocol/Internet Protocol) – is a widely used routable protocol, and its biggest challenge is proper management with addressing, security and broadcast management.

Private Addressing – the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Used for private networks not openly exposed to the Internet (inside a firewall); these addresses are not routed on the Internet, so reaching it requires NAT.

Public Addressing – assigned by an ISP and not recommended for private networks. Private-to-public communication can be accomplished by NAT through a PIX or other firewall. Options also include VPNs (Virtual Private Networks) or extranets tunneled with PPTP (Point-to-Point Tunneling Protocol) and/or L2TP (Layer 2 Tunneling Protocol).

Hierarchical Addressing – address schemes in which the network number itself tells whether a destination is local or remote. Longer subnet masks are used at the access layer; as you move up the hierarchy the prefixes get shorter, so each layer can be advertised upward as a single summary route.

Prefix Routing – how a router forwards packets: it uses the network prefix for the routing decision, and when several entries match a destination the longest (most specific) prefix wins.

Classful Addressing – the traditional scheme where the subnet mask is implied by the address class and reflects the number of bits in the network portion: Class A 255.0.0.0, Class B 255.255.0.0, Class C 255.255.255.0.

VLSM (Variable Length Subnet Mask) – classless addressing allows, for example, a Class B address to be subnetted with a Class C (255.255.255.0) or longer mask. Usually written as a prefix length (e.g. /30), the number of bits that make up the network portion. This makes effective use of your IP addresses and should only be used with routing protocols that carry the mask in their updates, such as EIGRP, OSPF and RIP v2.

Secondary Addressing – Is assigning a second IP gateway address for the same interface on a router. This is not recommended and should be used only when you have to.
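The three ideas above (VLSM, hierarchical summarization and longest-prefix routing) fit together in one worked example. The script below is an added illustration, not code from the page: it carves a constructed 172.16.0.0/22 block into access-layer subnets sized to each segment's host count, derives the single summary the distribution layer would advertise upward, and then forwards sample destinations the way a router does, by longest matching prefix. The segment names, host counts and next-hop labels are made up for the example.

```python
import ipaddress


def vlsm_allocate(summary, host_counts):
    """Carve variable-length subnets for each named segment out of one summary
    block. Requirements are served largest-first so that every later (smaller)
    request still finds an aligned free block: the pool only ever holds pieces
    at least as large as the next request."""
    pool = [ipaddress.ip_network(summary)]
    plan = {}
    for name, hosts in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        # need hosts + network + broadcast: 2**(32-prefix) - 2 >= hosts
        prefix = 32
        while (1 << (32 - prefix)) - 2 < hosts:
            prefix -= 1
        # longest prefix first = smallest free block that is still big enough
        pool.sort(key=lambda net: net.prefixlen, reverse=True)
        block = next((b for b in pool if b.prefixlen <= prefix), None)
        if block is None:
            raise ValueError("summary %s has no room for %s" % (summary, name))
        pool.remove(block)
        pieces = list(block.subnets(new_prefix=prefix))
        plan[name] = pieces[0]
        pool.extend(pieces[1:])        # leftover equal-sized pieces stay free
    return plan


def summary_route(networks):
    """Shortest prefix covering every allocated subnet: what the distribution
    layer advertises upward instead of the individual /24../30 routes."""
    agg = ipaddress.ip_network(networks[0])
    while not all(ipaddress.ip_network(n).subnet_of(agg) for n in networks):
        agg = agg.supernet()
    return agg


def lookup(routing_table, destination):
    """Prefix routing as a router does it: among all entries whose prefix
    contains the destination, the longest one wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Constructed example: one /22 from the distribution layer, four access segments.
REQUIREMENTS = {"hq_lan": 200, "branch": 60, "dmz": 12, "wan_link": 2}
PLAN = vlsm_allocate("172.16.0.0/22", REQUIREMENTS)
SUMMARY = summary_route([str(n) for n in PLAN.values()])

# Hypothetical routing table: the summary from the core, two more specific
# routes learned locally, and a default toward the Internet.
ROUTING_TABLE = [
    (str(SUMMARY), "core"),
    (str(PLAN["branch"]), "branch_router"),
    (str(PLAN["dmz"]), "firewall"),
    ("0.0.0.0/0", "internet"),
]

if __name__ == "__main__":
    for name, net in PLAN.items():
        print(f"{name:9s} {net}  ({net.num_addresses - 2} usable hosts)")
    print("summary:", SUMMARY)
    for dst in ("172.16.1.70", "172.16.1.5", "172.16.0.9", "8.8.8.8"):
        print(dst, "->", lookup(ROUTING_TABLE, dst))
```

Serving the largest requirement first is what keeps every allocation aligned on its own boundary; allocating small subnets first fragments the block and can leave no room for the /24 even though enough addresses remain in total.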

Encapsulation Protocols

PPP (Point-to-Point Protocol)
- is an encapsulation standard used over Asynch Serial, Synch Serial and ISDN.

SLIP (Serial Line Internet Protocol)
– only supports TCP/IP, and information is passed in plain text.

NCP (Network Control Protocol)
- the layer of PPP that negotiates each network-layer protocol carried over the link (IPCP for IP, IPXCP for IPX, and so on), which is how one PPP link encapsulates multiple protocols. Authentication and the other link-level options are negotiated by LCP, not by NCP.






LCP (Link Control Protocol)
- another component of PPP and is responsible for authentication, multilink, callback and compression.







Authentication - CHAP or PAP: with PAP, login and password are sent in plain text. CHAP never sends the password; the peer returns an MD5 hash of a random challenge and the shared secret, so a capture of the link does not yield a reusable credential. (CHAP is not encryption: the data traffic that follows is still in the clear, and a weak secret can be guessed offline from a captured challenge/response pair.)
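To make the PAP/CHAP difference concrete, here is an added example (not from the page) that builds the PAP Authenticate-Request payload of RFC 1334 and runs the CHAP three-way handshake of RFC 1994 in plain Python. The shared secret, peer name and password are constructed values; the point is what an eavesdropper on the serial line sees in each case, and why a captured CHAP response cannot simply be replayed.

```python
import hashlib
import hmac
import os

# Shared secret configured on both PPP peers (constructed for this example).
SECRET = b"s3cret-ppp-key"


# ---- PAP (RFC 1334): two-way handshake, credentials travel in the clear ----
def pap_authenticate_request(peer_id, password):
    """Authenticate-Request payload: peer-id length, peer-id, password length, password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def pap_check(payload, accounts):
    """Authenticator side: parse the request and compare against its account table."""
    n = payload[0]
    peer_id = payload[1:1 + n]
    m = payload[1 + n]
    password = payload[2 + n:2 + n + m]
    return hmac.compare_digest(accounts.get(peer_id, b""), password)


# ---- CHAP (RFC 1994): three-way handshake, only a hash of the secret travels ----
def chap_challenge():
    """Authenticator sends a fresh random challenge value in each Challenge packet."""
    return os.urandom(16)


def chap_response(identifier, challenge, secret):
    """Peer answers MD5(identifier || secret || challenge); the secret never leaves the box."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, challenge, response, secret):
    """Authenticator recomputes the hash from its own copy of the secret."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret_on_peer):
    """Run one full handshake and return (accepted, challenge, response), i.e.
    the verdict plus everything an eavesdropper on the link would capture."""
    identifier = 1
    challenge = chap_challenge()                                      # Challenge: authenticator -> peer
    response = chap_response(identifier, challenge, secret_on_peer)   # Response:  peer -> authenticator
    accepted = chap_verify(identifier, challenge, response, SECRET)   # Success / Failure
    return accepted, challenge, response


if __name__ == "__main__":
    frame = pap_authenticate_request(b"branch-rtr", b"pass1234")
    print("PAP payload on the wire:", frame)          # password readable in the capture
    ok, chal, resp = chap_exchange(SECRET)
    print("CHAP accepted:", ok, "secret visible in capture:", SECRET in chal + resp)
```

The replay check in the test is the property that matters for dial-in security: because the authenticator picks a new random challenge every time, a response sniffed from one session is useless against the next. What CHAP does not protect against is a weak secret, since the captured (challenge, response) pair can be brute-forced offline.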

Multilink PPP – also referred to as MP; bundles additional calls or channels to one host for more bandwidth. To use Multilink with non-Cisco routers, both ends must comply with RFC 1990. Multilink is configured on the interface.

LCP controls Multilink

  • Works on Cisco 700 series routers.

  • Works on routers running Cisco IOS.

  • RFC 1990 allows for vendor compatibility.

  • Allows packet fragmentation across channels.

  • Sequences packets and performs load calculation on lines or channels.

  • 4-Byte field in header allows for proper sequencing.

Multilink Multichassis PPP (MMP) - the dial-in ISDN channels of one bundle can land on different access servers (a stack group) or routers. The members use SGBP (Stack Group Bidding Protocol) to bid for ownership of the bundle; the winner, which can be a dedicated high-end offload server, does all the packet reassembly. The advantages are that the stack group is very scalable and less overhead is required from the access servers.

HDLC – used on serial lines; Cisco's version is proprietary, so do not use it when connecting to a non-Cisco router (use PPP instead). This is a connectionless datagram protocol.

SDLC – used often in SNA environments; it supports full and half duplex and can be used in packet- or circuit-switched environments.

LAPB – used over unreliable links and for X.25. Connection-oriented with sequencing and error checking.

RSRB (Remote Source-Route Bridging) – used to tunnel SNA over WAN links. Without local acknowledgment, the LLC2 ACK frames are sent across the WAN.

STUN (Serial Tunneling) - used to tunnel SNA over WAN links. It supports local ACK used with SDLC on congested WAN links.

PPTP (Point-to-Point Tunneling Protocol) – used to tunnel PPP frames (and thus IP packets) in GRE across the Internet. By itself PPTP provides no encryption; confidentiality comes from MPPE keyed from MS-CHAP, which is considered weak today, so prefer L2TP over IPsec or native IPsec for new designs.

GRE (Generic Routing Encapsulation) – used primarily in the backbone. Can be used to tunnel IPX or AppleTalk. Fast switching supported.

NWLink – used to encapsulate NetBIOS over IPX. Requires IPX type 20 packets to cross the router; use the ipx type-20-propagation command on the interface.

NBT – used to encapsulate NetBIOS over TCP/IP.

AURP (AppleTalk Update-based Routing Protocol) – AppleTalk encapsulated in IP over WAN links. Sends updates only, like EIGRP.

IPXWAN – client- and server-side software used with PPP to connect servers or clients over a dial-up connection. It is responsible for establishing a routing metric once the connection is made. It is dynamic and no configuration is required.

Remote Access

Design principles are shaped around the type and number of connections that need to be made. The applications and requirements depend on the type of users that will be connecting to the network. Users usually fit into these categories:

  • Mobile Users/Telecommuters - not connected all the time. Short connections and low bandwidth requirements, usually analog.

  • Full Time Telecommuters - usually require faster connections. Longer connect times with higher bandwidth requirements. Use ISDN to run other devices or connections.

  • Home or Small Office - requires fast and long connection time. Multi-interface router needed to support LAN and multiple WAN connections.


Access Methods

Remote Gateway - limited access and limited functionality. It can be used only to get email or access an application.

Remote Node - most common access method. It is like dialing into a security server, RAS server, modem bank or access server stackgroup. This is the preferred method since it is very flexible and scales well in the Enterprise. Less overhead and PC appears as if directly connected to the LAN.

Remote Control - a PC dials in and takes control of another PC on the LAN. The user has full use of network services. This requires the most overhead, because an extra PC, analog line and modem are needed per user. A good example is pcAnywhere.

Remote Access Support Equipment

Small - fewer than 20 connections: 3600 to 4000 series routers.

Larger - more than 20 connections, higher density: use a PRI on a 7200 or 7500 series router.

AS5300 Access servers are recommended because they can combine analog and ISDN and can support higher densities. External modems are no longer recommended since they do not scale well.

Enterprise (AS5x00 servers) - can be configured from medium to heavy port density and support analog and ISDN lines. Very scalable; the servers can use MMP in stack groups.

Security for Remote Access


  • TACACS+ on Unix or NT

  • CiscoSecure

  • PIX Firewalls

  • VPN

Routing Protocols

It is important to distinguish between routed and routing protocols. Routed protocols (IP, IPX, AppleTalk) are the traffic being forwarded; routing protocols use metrics (hop counts, ticks, bandwidth, etc.) to make the routing decision. Since routers do not forward broadcasts, routers separate networks into different broadcast domains. Switches and bridges separate media into separate collision domains. Routers are responsible for:

  • Switching and or Relaying packets

  • Path determination




Routing protocol comparison (rebuilt from the page's flattened table; two rows lost their protocol names in extraction and are marked as such):

Protocol | Algorithm | Updates | Metric | VLSM | IP summarization | Notes
IGRP (Cisco proprietary) | Distance vector | Every 90 sec | Bandwidth, delay, MTU, load, reliability | No | No (classful) | IP only, classful addressing. Can load balance.
EIGRP (Cisco proprietary) | Enhanced distance vector (DUAL) | Triggered, changes only | Bandwidth, delay, MTU, load, reliability | Yes | Manual or automatic | Multiprotocol (IP, IPX, AppleTalk); sends updates only over the WAN; scales well; converges quickly.
RIP v2 (open standard) | Distance vector | Every 30 sec | Hop count | Yes | Automatic at classful boundaries | More robust than RIP v1: carries the subnet mask, so it supports VLSM.
RIP v1 (open standard) | Distance vector | Every 30 sec | Hop count | No | No (classful) | Max hop count is 15; chatty; does not scale well.
OSPF (open standard) | Link state | Triggered LSAs | Cost | Yes | Manual at ABR/ASBR | Uses LSAs to track links; backbone is area 0; supports VLSM and discontiguous subnets.
(name lost in extraction) | Exterior (page lists it as link state) | - | - | - | - | Used to connect autonomous systems.
(name lost in extraction) | Interior and exterior (page lists it as link state) | - | - | - | - | Used to connect autonomous systems; can also be used as an interior protocol.
RTMP (AppleTalk) | Distance vector | Every 10 sec | Hop count | n/a | none | Very chatty; not recommended for WAN traffic or slow links.
NLSP (IPX) | Link state | Triggered | Cost | n/a | none | Link state for IPX; robust and scales well; used in large IPX networks, fewer than 400 routers per area.
AURP (AppleTalk) | Update-based (extends RTMP) | Changes only over the WAN | Hop count | n/a | none | Tunneled in IP over WAN links; sends only changes over the WAN and full RTMP updates on the LAN.

IPX on the WAN

Use NLSP (NetWare Link Services Protocol) for faster convergence than IPX RIP and reduced routing traffic. It uses cost as its metric and is more CPU intensive. NLSP redistributes RIP, but routes that came from RIP keep RIP's 15-hop limit; an NLSP area should stay under roughly 400 routers.


IPX EIGRP – saves bandwidth by sending only updates over the WAN and full updates over the LAN. When a route goes from IPX RIP to EIGRP the hop count is increased by two; from EIGRP to IPX RIP, the tick count is unchanged.


OSPF LSA types

LSA 1 – Router LSA – each router's description of its own links, flooded within the area.

LSA 2 – Network LSA – sent by the DR of a multi-access segment, listing the routers attached to it; flooded within the area.

LSA 3 – Summary LSA – sent by ABRs, listing networks reachable in other areas.

LSA 4 – ASBR Summary LSA – sent by ABRs, telling other areas how to reach an ASBR.

LSA 5 – External LSA – sent by ASBRs, listing routes redistributed from outside the OSPF domain.

OSPF recomputes the routing table whenever a link changes, so a flapping link can overload the CPU and cause performance issues. Increase the SPF delay and hold time with the timers spf command to dampen the recalculations.

OSPF Backbone – try to stay away from meshing the backbone. Use LAN backbone design and keep everything to one hop. Use as few routers as possible to keep the diameter small.

IGRP – used only for IP. The entire routing table is sent every 90 seconds, and updates are triggered on link failures, so flapping links show up on a protocol analyzer as bursts of updates. It does not support VLSM or manual summarization. The primary metric is bandwidth and delay. The update interval can be changed; stay with the defaults unless a fast network requires faster convergence.


RTMP (Routing Table Maintenance Protocol) – AppleTalk's routing protocol. It is very similar to RIP: it broadcasts the entire table every 10 seconds, the max hop count is 15, and it uses split horizon.

Design Rule – Use EIGRP for routing AppleTalk.

EIGRP – Saves bandwidth because only updates are sent. Fast convergence.

AURP (AppleTalk Update Routing Protocol) – Apple’s attempt to create a better WAN-friendly routing protocol than RTMP. RTMP is encapsulated in IP over an AURP Tunnel on WAN links. Reduces WAN traffic because only updates are sent over the wire. Use in an IP only WAN environment.

Network Services and Gateways

Windows computers use LMHOSTS files, broadcasts, WINS, DNS and HOSTS files to locate services. By default they elect a master browser on each segment to keep the list of available machines.

DHCP (Dynamic Host Configuration Protocol) – an extension of BOOTP used to assign IP addresses to requesting clients. Can be configured to hand out the NetBIOS node type, WINS and DNS servers, and other information such as subnet mask and default gateway.

Since DHCP discovery is a broadcast, Cisco IOS provides the ip helper-address command to relay those broadcasts as unicasts to a DHCP server on another segment, such as an NT server.

CNR (Cisco Network Registrar)
– a Cisco solution that automates network services and provides a fully scalable solution for DHCP and DNS. Noted for being able to integrate network infrastructure software and applications.

Cisco DNS/DHCP Manager
– similar to CNR, not as robust, and will be discontinued.

WINS (Windows Internet Name Service) – a statically addressed server that performs NetBIOS name to IP address resolution, removing the need to broadcast NetBIOS name queries on the segment. It acts as a registry for Windows machines: after booting and obtaining a DHCP address, the client sends a unicast packet to the WINS server to register its NetBIOS name. DNS and WINS servers (sometimes on the same machine) work together to resolve names.

DNS (Domain Name Services)
- Application server that provides Internet-name to IP-address conversion. A Windows DNS server can be directed to query a WINS server for NetBIOS names.

RAS (Remote Access Server)
– terminates dial-in clients over PPP with CHAP or PAP authentication and multiprotocol support; usually an NT server. For a larger, scalable solution an AS5x00 is recommended.

IPeXchange Gateway
– A client and server solution for accessing the Internet in an IPX network. Primarily used by IPX clients to access the Internet. The gateway server must run both IPX and TCP/IP. Clients run the client software and servers are usually dual homed to act as a gateway. The server only needs one IP address to serve several IPX clients.

Workstations sharing resources are defined as Workgroups. The presence of an NT server classifies it as a domain. Domains make the administration of resources easier.

Single Domain Model – services controlled by one PDC for clients.

Master Domain Model – is a collection of domains trusting a single master PDC for centralized administration. Simplifies management of resources.

Multiple Master Domain Model – resource domains trusting multiple master domain PDCs.

Complete Trust Domain Model – (a.k.a. Cluster Trust) all domains trust all other domains and resources can be administered and shared across these domains.

Multicast Issues – one-to-many services using Class D addresses. Routers do not forward multicast unless multicast routing is configured, and switches flood it out all ports unless CGMP (or IGMP snooping) limits it. IGMP, CGMP and PIM are used (PIM scales well in the Enterprise).

Firewalls – PIX is the preferred Cisco solution. Deny everything by default, then permit only the specific services to the specific hosts that need them. Protect yourself from IP spoofing from the Internet: configure your outside router to deny inbound packets whose source is an inside address (and, in the other direction, outbound packets whose source is not). Do not configure your routers for rsh or rlogin.
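The anti-spoofing rule above is easy to state and easy to get backwards, so here is an added example (not from the page) that evaluates it on constructed packets. It models the outside router's two source-address checks: inbound from the Internet, drop anything claiming an inside or RFC 1918/bogon source; outbound, permit only our own prefix (the BCP 38 / RFC 2827 practice). The inside prefix 198.51.100.0/24 and the sample packets are made up for the example.

```python
import ipaddress

# Sources that must never arrive from the Internet: RFC 1918 private space,
# loopback and the "this network" block.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


class BorderFilter:
    """Source-address filter for the Internet-facing interface of the outside router."""

    def __init__(self, inside_prefixes):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]

    def _is_inside(self, addr):
        return any(addr in net for net in self.inside)

    def ingress(self, src):
        """Packet arriving from the Internet: deny if it claims an inside or bogon source."""
        addr = ipaddress.ip_address(src)
        if self._is_inside(addr):
            return "deny: spoofed inside source"
        if any(addr in net for net in BOGON_SOURCES):
            return "deny: bogon source"
        return "permit"

    def egress(self, src):
        """Packet leaving toward the Internet: only our own prefixes may be the source,
        so a compromised inside host cannot launch spoofed floods at others."""
        addr = ipaddress.ip_address(src)
        return "permit" if self._is_inside(addr) else "deny: not an inside source"


# Constructed packets (direction, source, destination) as seen on the outside interface.
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "198.51.100.10"),
    ("in", "198.51.100.44", "198.51.100.10"),   # our own address arriving from outside
    ("in", "10.3.4.5", "198.51.100.10"),        # RFC 1918 source from the Internet
    ("out", "198.51.100.10", "203.0.113.7"),
    ("out", "172.16.9.9", "203.0.113.7"),       # private source leaking out or spoofed
]


def evaluate(filt, packets):
    """Apply the right check for each direction; returns (direction, source, verdict)."""
    return [(d, s, filt.ingress(s) if d == "in" else filt.egress(s)) for d, s, _ in packets]


if __name__ == "__main__":
    border = BorderFilter(["198.51.100.0/24"])
    for direction, src, verdict in evaluate(border, SAMPLE_PACKETS):
        print(f"{direction:3s} {src:16s} {verdict}")
```

The inside-prefix check runs before the bogon check on purpose: when the inside network itself uses RFC 1918 space behind NAT, both rules deny the packet, but the log reason "spoofed inside source" is the one an analyst wants to see.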

Campus Design

Common campus issues are media, protocols and transport. Media issues are caused by high network loads and media contention; use LAN switching to solve them. Some protocols do not scale well and are prone to excessive broadcasts; use routers to segment your network. Transport problems occur when there is not enough bandwidth for high-bandwidth applications; use ATM, Gigabit Ethernet and/or IOS QoS features to solve them.

Cut-through Switching – a packet is forwarded once the destination is read. No CRC check.

Store and Forward Switching – the entire packet is processed, the CRC checked and then forwarded out the appropriate interface.
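The trade-off between the two switching modes is what happens to a damaged frame. The added example below (not from the page) builds an Ethernet II frame with a CRC-32 FCS, flips one payload bit, and runs both forwarding decisions over it: the cut-through switch has already chosen an output port after reading the 6-byte destination MAC, so the corrupted frame is forwarded; store-and-forward recomputes the FCS first and drops it. The MAC table and port names are constructed.

```python
import zlib


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Ethernet II frame: header + payload + 32-bit FCS (zlib's CRC-32 uses the
    same polynomial as the 802.3 FCS; the FCS is transmitted little-endian)."""
    body = dst_mac + src_mac + ethertype.to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def cut_through(frame, mac_table):
    """Forwarding decision as soon as the destination MAC has been read: the rest
    of the frame, including the FCS, has not arrived yet, so it cannot be checked."""
    return mac_table.get(frame[:6], "flood")


def store_and_forward(frame, mac_table):
    """Whole frame buffered, FCS verified, then forwarded out the looked-up port."""
    body, fcs = frame[:-4], frame[-4:]
    if zlib.crc32(body).to_bytes(4, "little") != fcs:
        return "drop: bad FCS"
    return mac_table.get(frame[:6], "flood")


def corrupt(frame, offset):
    """Simulate a single-bit error on the wire at the given byte offset."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)


# Constructed MAC address table: MAC -> egress port.
MAC_TABLE = {
    bytes.fromhex("0000000000aa"): "Fa0/1",
    bytes.fromhex("0000000000bb"): "Fa0/2",
}

GOOD_FRAME = build_frame(bytes.fromhex("0000000000bb"),
                         bytes.fromhex("0000000000aa"), 0x0800, b"payload")
BAD_FRAME = corrupt(GOOD_FRAME, 20)      # last payload byte, header untouched

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("corrupted", BAD_FRAME)):
        print(name, "cut-through:", cut_through(frame, MAC_TABLE),
              "store-and-forward:", store_and_forward(frame, MAC_TABLE))
```

The bit flip is placed in the payload so the destination lookup still succeeds; that is exactly the case where cut-through propagates garbage across the campus and store-and-forward contains it at the first switch.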

VLANs – 802.1Q is the VLAN standard. VLANs separate broadcast domains, since a router is required for communication between VLANs. Switches separate collision domains.

Distributed Backbone – Each floor or building would be isolated by its own router and switch. This setup is more expensive and often requires costly upgrades to scale.

Collapsed Backbone – all floors are wired into a single switch and router. More cost effective, but creates a single point of failure.

Hierarchical Networks - are designed for scalability, and this model is easier to troubleshoot.


ATM (Asynchronous Transfer Mode) – like Frame Relay and X.25, it uses PVCs and SVCs to establish connectivity. Used for high-speed data, video and voice. It uses cells to transport information in 53 byte cells. ATM Features:

  • 5 bytes for header, 48 for data

  • QOS is effective for managing ATM

  • Flexible multiplexing and switching technology

  • Low latency due to small cells and high speed media

  • Supports high performance applications

  • Uses SNAP encapsulation to multiplex several protocols

  • SVC are disconnected once transmission is complete

  • Operates primarily at the Data Link Layer of the OSI model

ATM protocol stack (mapped to the OSI model):

  AAL 1 / AAL 3,4 / AAL 5   Data Link
  ATM layer                 Data Link
  ATM physical              Physical


AAL (ATM Adaptation Layer)
– operates at the Data Link Layer; it segments higher-layer frames into cells and reassembles them, hiding the cell structure from the upper OSI layers.

ATM Layer – establishes connections and passes cells through the ATM network.

ATM Physical – manages the physical transmission of the cells. Does the bit to cell conversion.

  AAL1     voice/video applications (constant bit rate)
  AAL3/4   SMDS applications; adds message identifier, sequence number and CRC
  AAL5     data other than SMDS


AAL1 – connection-oriented; carries constant-bit-rate traffic and needs timing recovery between source and destination and vice versa.

AAL3/4 – connectionless; used to transfer SMDS. It loses some payload capacity to the added CRC, MID (Message Identifier) and sequence number, and adds a little delay in SAR (Segmentation and Reassembly). Requires an SMDS DSU for SAR.

AAL5 – supports connection-oriented and connectionless traffic. Used for data transport; uses SEAL (Simple and Efficient Adaptation Layer) for SAR.

ATM uses prefix routing in private networks.

PNNI (Private Network Node Interface)
– hierarchical routing protocol used for ATM routing. It is dynamic and requires little configuration. Scalable, but complex.

IISP (Interim Inter-Switch Signaling Protocol) – is a static routing on ATM network. Uses SVCs when routes go down.

LANE (LAN Emulation) – emulation of a LAN over an ATM network.

LEC (LAN Emulation Client) – a workstation or router that joins an ELAN: it asks the LECS which LES to use, then registers its MAC address with that LES. It is responsible for endpoint functions, address resolution and data forwarding.

LES (LAN Emulation Server) – pseudo-WINS server for ATM. Acts as a register to store the multicast or unicast MAC address information of the LE clients. It accepts LE-ARP requests for destination MAC addresses.

LECS (LAN Emulation Configuration Server) – serves multiple ELANs and holds the configuration database that maps each LEC to its ELAN and LES. The LECS answers a LEC's request with the ELAN identifier and LES address, much as DHCP hands a client its configuration. One LECS serves the whole ATM network.

BUS (Broadcast and Unknown Server) - multicast and broadcast server. Forwards broadcast, multicast and unknown-destination traffic to all clients of the ELAN it is responsible for.


X.25 is a packet-switched WAN protocol: its packet layer runs at Layer 3 over LAPB at the Data Link Layer, and it encapsulates the layer 3 protocols of the attached networks. X.25 was engineered for strong error checking and flow control at layers 2 and 3, so it is very reliable. It uses sliding windows (much like TCP) for flow control, and suffers from lower throughput and higher latency than Frame Relay. X.25 uses SVCs (Switched Virtual Circuits) and PVCs (Permanent Virtual Circuits); PVCs are always connected. X.25 treats the connection as a reliable data link; Frame Relay does not.

Subinterfaces solve the problem of split horizon and forwarding updates on NBMA.


Network Function - X.25 is highly available and used worldwide.

PAD (Packet Assembler Disassembler) - can also be a router. It collects the data transmissions from the terminals and gathers them into a X.25 data stream and vice versa. PAD acts like a multiplexer for the terminals. During configuration of the X.25 you specify whether the interface will act as a DCE or DTE. When configured as a DCE the router behaves as an X.25 switch.

X.121 - is the addressing standard. Static mappings must be made manually; X.25 does not support ARP. An X.121 address starts with a 4-digit DNIC (a 3-digit country code plus a network digit), followed by a network terminal number assigned by the X.25 service provider, for up to 14 digits in total.


Options for X.25 - window and packet sizes must match on both sides of the connection. Use the x25 ips command for the incoming packet size and x25 ops for the outgoing packet size. The window size is the number of packets that may be outstanding before an acknowledgement is required; x25 win and x25 wout set it. The modulo (8 or 128) sets the packet numbering space and therefore the maximum window.

Satellite links use X.25 as well. To compensate for their long delay, they use modulo 128, which allows a larger window.


Packet size (bytes, inbound and outbound):

  (config-if)# x25 ips 256
  (config-if)# x25 ops 256

Window parameters (packets sent before an acknowledgement is required, inbound and outbound):

  (config-if)# x25 win 7
  (config-if)# x25 wout 7

Packet numbering modulus (8 or 128; determines the maximum window size):

  (config-if)# x25 modulo 8

Frame Relay

Frame Relay Interfaces - Frame Relay requires the use of a CSU/DSU. Like X.25, Frame Relay uses SVCs and PVCs. PVCs are used for frequent and long connection times. SVCs are for sporadic, infrequent traffic.

Frame Relay Bandwidth - maximum throughput is up to T3 speed. Frame Relay is a layer 2 protocol. It uses the upper layer for error correction and is faster than x.25.

LMI (Local Management Interface) - is the signaling standard between the router (DTE) and the Frame Relay switch. There are 3 types:

  • cisco (the default)

  • ansi (Annex D)

  • q933a (ITU Annex A)

Cisco is the default; the service provider will specify the LMI in use.

  • LMI keepalives verify that the link and the switch are alive and that data can flow.

  • LMI provides a multicast mechanism (reserved DLCIs) for the switch to reach attached devices.

  • LMI can give DLCIs global significance across the network.

  • Reports the DLCIs in use and their status from the local Frame Relay switch.

LMI Autoconfigure - a router with IOS 11.2 and newer does not need to be configured for the LMI. The newer routers will send a signal to the FR switch to determine the LMI in use.

DLCI (Data Link Connection Identifier) - verifies the logical circuits in use and the status from the CPE to the Frame Relay switch.

Encapsulation Types - are Cisco and IETF. Cisco is the default; if the far-end router is non-Cisco, use IETF. This can be set per DLCI, so even if most routers are Cisco you can still talk to one location with a non-Cisco router: specify the IETF encapsulation on that DLCI with the frame-relay map command. In short, encapsulation can be set per interface or per destination.

Split Horizon and Routing Updates - routing updates are not sent back out the interface they were received on (doing so causes routing loops). On a multipoint Frame Relay interface this means a hub will not pass one spoke's routes to the other spokes. The fix is point-to-point subinterfaces, one per DLCI: each subinterface counts as its own interface for split horizon, so routing updates flow correctly.

Frame Relay Map – command is used to configure the next hop address on an interface.

Inverse ARP – takes care of all the mappings for you. It builds a Frame-Relay map by querying the Frame-Relay switch during the LMI exchange. It sends an Inverse ARP request for the protocols that are specified on the interface. The downside for the automatic set up is troubleshooting can be a pain.


Frame Relay Topologies

NBMA Model (Non-Broadcast Multi-Access Model) – a mesh between peer routers configured as a simulated LAN on one logical subnet. The downside is processor overhead:

  • Each broadcast packet must be replicated and sent out every virtual circuit.

  • Performance degrades on the link.

To limit the bandwidth broadcasts may use on an interface, use the frame-relay broadcast-queue command.


Virtual Circuit Routing – uses subinterfaces to overcome the split horizon issue. This simulates several point-to-point links.
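The split horizon problem on a Frame Relay hub, and the subinterface fix described above and under "Split Horizon and Routing Updates", can be reproduced in a few lines. The added example below (not from the page) models a distance-vector hub that remembers the interface each route was learned on and applies the split horizon rule when building an update. Run once with both PVCs on one multipoint Serial0 and once with point-to-point subinterfaces; the prefixes and DLCI numbers are constructed.

```python
class Router:
    """Minimal distance-vector router: for each prefix, remember which interface
    it was learned on (or 'local' style interfaces for its own LANs)."""

    def __init__(self, name):
        self.name = name
        self.routes = {}            # prefix -> interface the route arrived on

    def learn(self, prefix, interface):
        self.routes[prefix] = interface

    def update_for(self, interface):
        """Routes advertised out `interface` under split horizon: never send a
        route back out the interface it was learned on."""
        return sorted(p for p, via in self.routes.items() if via != interface)


def hub_and_spoke(subinterfaces):
    """Hub learns spoke A's LAN over PVC DLCI 101 and spoke B's over DLCI 102,
    then we ask what update spoke B receives. With one multipoint physical
    interface both PVCs share 'Serial0'; with point-to-point subinterfaces
    each PVC has its own, so A's route is no longer 'from the same interface'."""
    hub = Router("hub")
    hub.learn("10.0.0.0/24", "Ethernet0")                 # hub's own LAN
    if_a = "Serial0.1" if subinterfaces else "Serial0"    # DLCI 101 to spoke A
    if_b = "Serial0.2" if subinterfaces else "Serial0"    # DLCI 102 to spoke B
    hub.learn("10.1.0.0/24", if_a)                        # learned from spoke A
    hub.learn("10.2.0.0/24", if_b)                        # learned from spoke B
    return hub.update_for(if_b)                           # what spoke B hears


if __name__ == "__main__":
    print("multipoint Serial0, update to spoke B:", hub_and_spoke(False))
    print("point-to-point subinterfaces, update to spoke B:", hub_and_spoke(True))
```

With the multipoint interface the only route spoke B ever hears is the hub's own LAN, so spoke-to-spoke traffic is unreachable even though the hub knows both prefixes; the subinterface model carries A's prefix to B without disabling split horizon (which would reopen the loop risk the rule exists to prevent).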


Topology options: NBMA full mesh, subinterfaces with full mesh, hub and spoke. X.25 and Frame Relay links can be backed up over an analog or ISDN line with a floating static route (a static route with a high administrative distance that takes over only when the dynamic route disappears).



Network Address Translation - can be used to merge two large networks without re-addressing either one. Another function of NAT is overloading inside global addresses (PAT): many inside local addresses share a single inside global IP address, distinguished by translated source port. NAT can also use a pool of addresses or multiple interfaces. NAT is supported by IOS 11.2 and higher. (Easily remembered by “meet me at 11 toNAT” instead of tonight. 11.2 toNAT, it is corny but effective!)
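The overload case is the one worth seeing in action, because it is also what gives a NAT its incidental firewall behaviour. The added example below (not from the page) keeps a PAT translation table: two inside hosts using the same source port both go out as the one inside global address with distinct ports, replies are mapped back through the table, and an inbound packet with no matching translation is dropped. Addresses and ports are constructed.

```python
import itertools


class PatTranslator:
    """NAT overload: many inside local addresses share one inside global
    address, distinguished by the translated (inside global) source port."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.ports = itertools.count(first_port)
        self.table = {}       # (inside_local, local_port, dst, dport) -> global_port
        self.reverse = {}     # global_port -> (inside_local, local_port)

    def outbound(self, src, sport, dst, dport):
        """Inside -> outside: rewrite the source to inside_global:global_port,
        creating a translation entry the first time this flow is seen."""
        key = (src, sport, dst, dport)
        if key not in self.table:
            gport = next(self.ports)
            self.table[key] = gport
            self.reverse[gport] = (src, sport)
        return (self.inside_global, self.table[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Outside -> inside: only packets that match an existing translation are
        rewritten back to the inside host; anything unsolicited is dropped (None)."""
        if dst != self.inside_global or dport not in self.reverse:
            return None
        inside_local, local_port = self.reverse[dport]
        return (src, sport, inside_local, local_port)


if __name__ == "__main__":
    pat = PatTranslator("198.51.100.1")
    # Two inside hosts happen to pick the same source port for the same web server.
    print(pat.outbound("10.0.0.5", 3000, "203.0.113.80", 80))
    print(pat.outbound("10.0.0.6", 3000, "203.0.113.80", 80))
    print(pat.inbound("203.0.113.80", 80, "198.51.100.1", 1025))   # reply to host .6
    print(pat.inbound("203.0.113.80", 80, "198.51.100.1", 9999))   # unsolicited: None
```

Note the limit this exposes: the translation table is the only state that lets replies find their way in, so inbound connections to an inside host need a static entry, and a real router ages dynamic entries out so the port space is reused.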

Description and Interfaces

TE1 - has an ISDN interface. DS0 = 64 kbps = Digital Signal Level 0.

TE2 - does not have an ISDN interface; requires a TA (Terminal Adapter). The TA is typically an ISDN Modem. The TA converts the signal to ISDN standards. DS0=64Kbps

ISDN PRI US T1 - requires different connectors: DB15 and RJ48. DS1 = 1.544 Mbps, containing 24 DS0s; the D channel is one of the 24 (23B+D), which is why US signaling is considered in band.

ISDN PRI Europe E1 - DB15 connections before the CSU/DSU, and RJ45 and/or DB15 connections to the switch. 2.048 Mbps: 30 B channels plus a D channel on its own timeslot (30B+D), which is why European signaling is considered out of band.

In Europe, the ISDN service provider provides the NT1. In the US, the customer supplies the NT1. In the USA, T1’s D channel is in band. In Europe, it is considered out-of-band signaling.

Logical Interfaces

RSTUV-Logical Reference Points

Rate Reference Point
- located between the Non-ISDN router interface and the Terminal Adapter (TA).

System Reference Point - is the reference point between the router with an ISDN Interface and the NT2 or TA and NT2. Non-U.S. demarcation.

Terminal Reference Point - the reference point between the TE1 and NT1 and/or TA. If there is an NT2 (Customer Switching Equipment), the reference point is included to the NT1 as well. This point is Non-U.S. demarcation.

User Reference Point- This reference point is a U.S. demarcation. It references the point between the NT1 and the LT.

V Reference Point - Located between the LT and the ET. Also referred to as the Local Exchange.



SNA is a hierarchical network structure. There are several components and possible configurations for an SNA network.

NAUs – Network Addressable Units – all devices that can communicate in an SNA network.

LU – Logical Unit – the software end unit. Software that provides the interaction for the users.

PU – Physical Unit – controls resources on the node. Loads software and provides the communication with the SSCP.

SSCP – System Services Control Point – software for the mainframe that is responsible for establishing the lines of communication and controlling resources.

SNA Gateways – handling direct communication with the mainframe for a dumb terminal or PC would be quite rough without a gateway.

LU Gateway – SDLC uses polling to communicate. Sending polling traffic over the LAN may convince you to establish a gateway. LU gateways are good because the Mainframe has a SSCP session to PU session to the LU gateway. The clients only connect to the LU gateway though NetBIOS, so the Mainframe maintains fewer connections.

PU Gateways – have a larger amount of overhead and administrative burden. The PCs attached to the PU have to be manually configured on the VTAM.



DSPU – Downstream PU – is a Cisco router acting as a PU 2.0 device. To PCs it looks like the mainframe and is very robust.

Connecting and Routing with SNA

DLSW – Data Link Switching
– recommended as a scalable solution for traffic over a WAN link. It is compatible with other vendors. Responsible for multiplexing LLC connections over the WAN link. They are encapsulated in TCP/IP.

RSRB – Remote Source-Route Bridging – older method of SNA tunneling. Prone to timeouts over slow WAN links and tends to be chatty. Local ACK solves this: much like IPX spoofing, it answers LLC2 acknowledgments locally and prevents session timeouts.

STUN – Serial Tunneling - older method of SNA tunneling, also prone to timeouts over slow WAN links. It performs very well over serial lines and supports direct serial connections. Has fewer options than RSRB but is more robust; supports local ACK and is routable (encapsulated in TCP/IP).

VPN Design Fundamentals

VPN stands for Virtual Private Network.

VPN is “any network built upon a public network and partitioned for use by individual customers”.

A VPN will allow you or your company to use a public media such as the Internet to provide end-to-end connection. This allows you to design a cost effective solution for your clients but you must be aware of all the major design considerations that follow. Your main issue of course will be Security and Encryption. VPNs use encryption and tunneling to establish secure connections.

There are three different corporate or business uses of VPNs

  • Remote Access

  • Intranet

  • Extranet

Basic VPN Design

Remote Access VPN Design

Remote Access VPNs provide remote access to mobile or remote site users.

A Remote Access VPN solution will allow a connection to a corporate Intranet or extranet over a public infrastructure.

Access VPNs enable mobile or remote users to access resources at company headquarters locations.

Access VPNs encompass many technologies including:

  • Analog

  • Dial up

  • ISDN,

  • Digital Subscriber Line (DSL),

  • Mobile IP

  • Cable technologies

Intranet VPN Design

Intranet VPNs provide a link over a shared infrastructure using mostly dedicated connections.

They connect

  • Corporate headquarters

  • Remote offices

  • Branch offices

An Intranet VPN connects entities that are mostly trusted. When you open the doors to untrusted or less trusted entities, you begin to create an Extranet VPN.

Extranet VPN Design

Extranet VPNs provide a link to a corporate Intranet over a shared infrastructure using mostly dedicated connections.

They connect

  • Customers

  • Suppliers

  • Partners

  • Other communities of interest

Now external customers can take part in your Intranet solution. This would be a typical design if you wanted to have an external business partner take part in some of your web server transactions or access a database. This of course puts a new twist into your design where you need to start thinking about intrusion detection systems or ways to monitor access.

Notice that in the above scenario you are allowing access to your Intranet over the VPN Solution




Factors to Consider When Designing Your VPN Solution

What are the advantages of having a VPN strategy as part of your network design?

Cost Savings

  • When designing and implementing a VPN you can sell the fact that organizations no longer have to pay for expensive leased or Frame Relay lines to provide end-to-end connectivity in every situation. Remote users can instead connect to the corporate network through a local ISP.

  • Calculate your savings with Cisco's Remote Access VPN Savings Calculator.


Security

  • VPNs can provide a high level of security using strong encryption techniques and authentication protocols

  • PPTP and L2TP are tunneling protocols, not encryption protocols: PPTP relies on MPPE for encryption, and L2TP carries no encryption of its own, so it is normally run over IPSec (L2TP/IPSec). Specify IPSec wherever confidentiality matters


Scalability

  • VPNs give companies the flexibility to build a remote access infrastructure (some cannot afford dedicated lines)

  • Corporations can add a virtually unlimited amount of capacity without adding significant infrastructure. Remember in your design that although a VPN scales, the public network gives you neither a guaranteed rate of bandwidth nor the dependability of a dedicated circuit.


Compatibility with Broadband Technology

  • VPNs allow mobile workers, telecommuters and day extenders to take advantage of high-speed, broadband connectivity, such as DSL and Cable, when gaining access to their corporate networks. This provides workers with significant flexibility and efficiency.

  • Note that this is also a security exposure: an always-on broadband host is reachable from the Internet around the clock, so a compromised home PC becomes a path into the corporate network once its tunnel is up. Design your VPNs with security as a high priority.


Remember: You get what you pay for. If you are designing a network for a client, you will need to take into account that although you are saving money, you may not be able to provide the most redundancy or offer a guarantee of bandwidth. A VPN solution should be implemented into an infrastructure with much thought and planning.


Security and Encryption

Three Phases of Securing a Network

  1. Setting up a security policy that will define the security goals of an enterprise

  2. Using a "Defense in Depth" approach in your design. This means implementing network security as a multi-layered design so that the enterprise does not depend on one technology or one layer of defense to solve every security issue


  3. Consistent auditing of the network to make sure that the security policy is being enforced. Use the audit results to modify the security policy and the technology implementation as you develop your design. CiscoSecure ACS (TACACS+) does a fine job of auditing router logins, amongst other things, and is a product you could incorporate into your design as one of those layers of defense


Cisco Network Security Solutions

Note: Know how to leverage these products in your network design.

  • PIX Firewall – determines whether network traffic crossing in either direction is authorized

  • Cisco IOS Firewall feature set – an add-on module to Cisco IOS software that provides advanced firewall capabilities and security technology such as intrusion detection and authentication

  • Cisco Secure IDS – detects unauthorized activity on the network, responds to it, and sends alarms back to the management console

  • Cisco Secure Scanner – software that scans networks to find security vulnerabilities and provides recommendations to correct them (Cisco's port/vulnerability scanner)

  • Cisco Security Policy Management (Cisco Secure Policy Manager) – enables deployment of network policies and centrally manages policies on PIX firewalls, VPNs, and Cisco Secure IDS systems

  • Security consulting services – comprehensive security posture assessments by experienced teams of Cisco network security engineers

  • Security vulnerability database – a central warehouse of security knowledge that gives Cisco security professionals an interactive database of security vulnerability information

  • CiscoSecure ACS – delivers easy-to-use authentication, authorization, and accounting services for both small and large access environments

  • Partner program – designed to deliver comprehensive, interoperable security solutions for Cisco networks to Cisco's customers and its associates' customers


Five Key Elements of Network Security

  1. Identity

  2. Perimeter Security

  3. Data Privacy

  4. Security Monitoring

  5. Policy Management

Identity

  • Defined as the accurate and positive identification of network users, hosts, applications, services, and resources

  • Technologies used to perform solid identification are:

    1. Authentication protocols such as RADIUS and TACACS+

    2. Kerberos (with a TGS, the Ticket Granting Server)

    3. One-time password tools

  • New technologies are beginning to emerge which perform increasingly important roles in identification solutions

    1. Digital certificates

    2. Smart cards

    3. Directory services

Perimeter Security

  • Perimeter security provides a means to control access to critical resources such as network applications, data, and services

  • The goal is to control access so only legitimate users and information can traverse your network

  • Routers and switches with ACLs (access control lists) provide this control by filtering on IP address and port

  • Other tools that perform Perimeter Security

    1. Firewalls

    2. Virus scanners

    3. Content filters
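
As an added example (written for this page, not Cisco's code or output from any product), here is what the IP/port filtering of a router ACL amounts to: a Python parser for IOS-style extended access-list lines and a first-match evaluator with the implicit deny that IOS applies at the end of every list. The ACL text, the addresses and the sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed IOS-style extended ACL for the example (not from the page).
# Uses wildcard masks, "host", "any" and "eq <port>" as IOS writes them.
ACL_TEXT = """
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.20 eq 22
access-list 101 deny ip any any
"""


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; "tcp"/"udp" only their own
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec starting at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # "<address> <wildcard>": wildcard bits are the bits IOS ignores, so the
    # netmask is the bitwise complement (0.0.0.255 -> 255.255.255.0).
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    # Non-contiguous wildcards are legal in IOS but rejected here (ValueError).
    return ipaddress.IPv4Network((tok[i], netmask), strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        # access-list <number> <action> <protocol> <source> <destination> [eq <port>]
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First match wins, top to bottom; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed flows: (protocol, source, destination, destination port)
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.7", "192.0.2.10", 80),   # public web: permit (line 1)
    ("tcp", "198.51.100.7", "192.0.2.20", 22),   # SSH from outside the partner net: deny (line 4)
    ("tcp", "203.0.113.44", "192.0.2.20", 22),   # SSH from the partner net: permit (line 3)
    ("udp", "198.51.100.7", "192.0.2.10", 53),   # nothing permits UDP: deny (line 4)
]


def check_flows(acl_text: str = ACL_TEXT) -> List[str]:
    rules = parse_acl(acl_text)
    return [evaluate(rules, *flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, check_flows()):
        print(f"{verdict:<6} {flow}")
```

Two things the example makes visible that the bullet does not: order matters (the first matching line wins, so a broad permit placed above a narrow deny silently defeats the deny), and the filter is stateless and looks only at addresses and ports, so it cannot tell a legitimate HTTP request from an attack carried inside one. That is why the page pairs ACLs with firewalls, content filters and intrusion detection rather than relying on them alone.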

Data Privacy

  • Effective data privacy can be provided by several methods including:

    1. Tunneling

    2. Data separation

  • GRE (Generic Routing Encapsulation) and L2TP (Layer 2 Tunneling Protocol) provide tunneling and data separation: traffic is carried inside its own tunnel, but neither protocol encrypts it

  • Confidentiality comes from protocols such as IPSec, which encrypts the tunneled data; L2TP is therefore normally run over IPSec when the path crosses untrusted networks

  • This added protection is especially important when designing VPNs

Security Monitoring

  • How do you know your design worked? Any good designer must look at and test their design regularly at periodic intervals to ENSURE that the design works. You have to test your design and monitor it

  • Network vulnerability scanners (Cisco Secure Scanner) can denote weak areas

  • Intrusion detection systems (Cisco Secure IDS) can monitor and respond to security events in real-time

Policy Management

  • As you continue to design and grow your network, how do you manage it?

  • You can use Cisco Security Policy Management tools to provide such management

  • Know how to implement overall management products into a design especially for large enterprise size companies


Basic Three Part Firewall Design

Note: Connecting to the External Network is the “Unknown” Network.


Designing for Security

Before looking at this overview, download and read the Sun Network Security Policy Design document.


Network assets can include

  • Network hosts (including the hosts' operating systems, applications, and data)

  • Internetworking devices (such as routers and switches)

  • Network data that traverses the network

  • Intellectual property

  • Trade secrets

  • The company’s reputation

Note: Protecting these assets is the intent of network security design measures.


Analyzing Security Design Decisions

  • When analyzing the design you need to achieve a balance between certain factors. These factors include:

    1. Affordability

    2. Usability

    3. Performance

    4. Availability

  • Security adds to the administrative workload: someone must maintain user login IDs, passwords, and audit logs


Security Design Considerations

  • Designing and implementing network security will affect network performance.

  • Packet filters and data encryption will take a toll on CPU power and memory.

  • Encryption can use more than 15 percent of available CPU power.

  • If you design a network with a dedicated device to do the encryption it will still add latency because packets still have to be encrypted or decrypted and this adds delay.

  • Availability is affected when you create a choke point that forces all your data traffic through one device (the one doing the encrypting and decrypting).

  • That device is also a single point of failure.

  • Cisco recommends that “to maximize performance and minimize security complexity, a router that is running encryption probably should not offer load balancing. So instead, implement load balancing on the routers between the pair of devices offering encryption” This advice should be taken into consideration when planning your design.


Load balance scenario


View this Case study Provided by Cisco: Cisco AAA Implementation Case Study.


Authentication

  • Identifies who is requesting services on the network.

  • Most security policies state that “to access a network and its services a user must enter a name and password that are authenticated by a security server”.

  • One Time Passwords:

    1. Enhance security greatly because each password is valid once; a captured password cannot be replayed

    2. Make the password nearly impossible to guess and useless to a well-focused dictionary attack, since the next value is not a word and cannot be derived from the last one without the secret

    3. Are often generated by a software application

    4. Can also be implemented with a security card (resembling a credit card). The user enters a PIN (personal identification number) that unlocks the card's software

    5. The passwords are synchronized with a centralized security server
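
An added example, written in Python for this page (not the code of any Cisco product or token vendor): the one-time-password scheme the list describes, implemented as the HOTP algorithm of RFC 4226 with a central server that keeps each user's counter, resynchronizes a token that has drifted ahead, refuses replays, and records every attempt. The user name, the look-ahead window of three and the lockout threshold of five failures are assumptions of the example; the secret is the RFC 4226 test-vector secret.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit number reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """The centralized security server: holds each user's secret, the counter
    the token is synchronized to, a failure count, and an accounting trail."""

    def __init__(self, look_ahead: int = 3, max_failures: int = 5):
        self.users: Dict[str, dict] = {}
        self.look_ahead = look_ahead      # how far the token may be ahead (unused button presses)
        self.max_failures = max_failures  # consecutive failures before lockout (assumed policy)
        self.audit: List[Tuple] = []      # one record per attempt, success or failure

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "failures": 0, "locked": False}

    def authenticate(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            self.audit.append((user, "unknown-user"))
            return False
        if rec["locked"]:
            self.audit.append((user, "locked"))
            return False
        # Accept the next expected counter or a few beyond it (the token drifted
        # ahead); never anything at or below the last counter used, so a captured
        # code cannot be replayed.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1        # resynchronize and burn this code
                rec["failures"] = 0
                self.audit.append((user, "ok", c))
                return True
        rec["failures"] += 1
        if rec["failures"] >= self.max_failures:
            rec["locked"] = True              # 6 digits is only a million guesses; stop guessing
        self.audit.append((user, "fail"))
        return False


def demo() -> List[bool]:
    srv = OtpServer()
    secret = b"12345678901234567890"          # RFC 4226 test secret
    srv.enroll("alice", secret)
    results = [
        srv.authenticate("alice", hotp(secret, 0)),   # first use of counter 0: True
        srv.authenticate("alice", hotp(secret, 0)),   # replay of a captured code: False
        srv.authenticate("alice", hotp(secret, 3)),   # token pressed twice unused: True, resynced
        srv.authenticate("alice", hotp(secret, 2)),   # counter already passed: False
        srv.authenticate("alice", hotp(secret, 9)),   # beyond the look-ahead window: False
    ]
    for _ in range(5):                               # a guessing attack
        srv.authenticate("alice", "000000")
    results.append(srv.authenticate("alice", hotp(secret, 4)))  # account now locked: False
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout closes the guessing hole the list mentions but opens a denial of service (anyone can lock a user out with five bad guesses), so a production server rate-limits per source and alerts rather than locking forever. The `audit` list is the accounting record the page calls for below: it is what lets you show who authenticated, when, and how many attempts it took.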


Authorization

  • Authentication controls “who” can access network resources.

  • Authorization controls “what” they can do when they have access.

  • Authorization grants privileges to processes and users.

  • Authorization lets a security administrator control parts of a network such as directories and files on servers.


Accounting

  • Collecting data for accountability is called accounting, better known as auditing.

  • If you have designed a strict security policy, you will probably be auditing all attempts to achieve authentication and authorization by any person. (If you have used the CiscoSecure ACS product you can set this up on routers so that any attempt to access the router is audited and logged.) This is highly recommended in any Network Security design.

  • It is most important to log "anonymous" or "guest" access to public servers.

  • Even better is to build a honeypot into your design: a decoy host placed where an attacker will find it, so that any activity on it is by definition unauthorized and can be logged and studied in full. Its design follows.


Basic Attack and how to get accountability


CiscoSecure ACS

The CiscoSecure ACS application lets you set up authenticated logins to your routers so you can audit and fully monitor who logs in and what changes they make.

When you set up users and groups you can audit activity with your routers and switches.


Data Encryption

  • Encryption protects data from being read by anyone except the party you intended to receive and view it.

  • An encryption device encrypts data before placing it on a network.

  • A decryption device decrypts the data before passing it to an application.

  • An encryption or decryption device can be a router, server, end system, or dedicated device.

  • Encrypted data is called ciphertext.

  • Data that is not encrypted is called plaintext or cleartext.

  • You may want to encrypt data for many reasons. One main reason that you can explain to your clients when you go over your design is the need for encryption in the first place: Telnet and SNMP send passwords, community strings and every other form of authentication in clear text. If you telnet to a router while an attacker sits in the middle of the path or simply sniffs the segment, your router login is theirs. Instead, incorporate encryption into your design so that if the attacker does capture your traffic, they cannot read it or use it against you.

  • Another reason for including encryption in your design is that VPN (the transport of data over a public medium) uses encryption-based protocols.
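
An added example, written in Python for this page (not Cisco's code or any product's), that ties the Data Privacy bullets earlier on the page to this section: a constructed Telnet login is carried first inside a GRE header, which is tunneling only, and then inside an ESP-style packet that encrypts and authenticates it. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, standing in for the AES and HMAC transforms a real IPSec SA negotiates; the keys, the sample login text and the "sniffer" are all assumptions of the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed sample of what a Telnet login to a router looks like on the wire.
TELNET_LOGIN = b"login: admin\r\nPassword: Summer2001\r\n"
GRE_PROTO_IPV4 = 0x0800


def gre_encapsulate(payload: bytes) -> bytes:
    """Minimal GRE header (RFC 2784): flags/version = 0, protocol type = IPv4.
    Tunneling only: the payload goes in verbatim."""
    return struct.pack("!HH", 0, GRE_PROTO_IPV4) + payload


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (an assumption of the
    example; a real ESP SA would use AES). Never reuse an IV under one key."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def esp_like_encrypt(enc_key: bytes, mac_key: bytes, payload: bytes,
                     iv: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC, the shape of ESP with confidentiality plus integrity.
    Output: 16-byte IV || ciphertext || 16-byte truncated HMAC tag."""
    iv = os.urandom(16) if iv is None else iv
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, iv, len(payload))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()[:16]
    return iv + ct + tag


def esp_like_decrypt(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on tampering."""
    iv, ct, tag = packet[:16], packet[16:-16], packet[-16:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def sniffer_sees_password(packet: bytes) -> bool:
    """A man in the middle with a capture file: search for the password prompt."""
    return b"Password:" in packet


def tamper_is_detected(enc_key: bytes, mac_key: bytes, packet: bytes) -> bool:
    """Flip one ciphertext bit, as an active attacker would, and see if it is caught."""
    modified = bytearray(packet)
    modified[20] ^= 0x01
    try:
        esp_like_decrypt(enc_key, mac_key, bytes(modified))
        return False
    except ValueError:
        return True


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # assumed SA keys
    gre = gre_encapsulate(TELNET_LOGIN)
    esp = esp_like_encrypt(enc_key, mac_key, TELNET_LOGIN)
    return {
        "gre_password_visible": sniffer_sees_password(gre),   # True: tunnel, no privacy
        "esp_password_visible": sniffer_sees_password(esp),   # False: encrypted
        "esp_roundtrip_ok": esp_like_decrypt(enc_key, mac_key, esp) == TELNET_LOGIN,
        "esp_tamper_detected": tamper_is_detected(enc_key, mac_key, esp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a design: GRE or L2TP decide where a packet goes and keep one customer's traffic apart from another's, but a capture on any hop still shows the login; an ESP transform in the same tunnel hides it and, because the receiver checks the tag before it touches the ciphertext, also rejects a packet an attacker has altered in flight. That is why L2TP is paired with IPSec in practice, and why the page lists IPSec, not the tunneling protocols, under encryption.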


PIX Firewall Products

Cisco Secure PIX Firewall Overview, Firewalls Overview

Note: Be familiar with the PIX product and how to leverage it into your designs.


Last Tips for Advanced Design

Please visit and use Cisco’s site, paying particular attention to the following links. Good Luck!


External Security with NT

  • This Document deals with NT-based products external security design.

  • This excellent document will help you get a feel for how to implement servers into your design when dealing with Bastion hosts, the DMZ, and many other factors that you SHOULD incorporate into your design.

  • You are expected to be familiar with this technology when you implement and plan an advanced design for your clients.

©2000-2001 All rights reserved "DD Web Vision Private Limited"