Presentation is loading. Please wait.

Presentation is loading. Please wait.

P ART 2 L OGICAL N ETWORK D ESIGN 1  Network Topology  Addressing and Naming  Switching and Routing Protocols  Network Security Strategies  Management.

Similar presentations

Presentation on theme: "P ART 2 L OGICAL N ETWORK D ESIGN 1  Network Topology  Addressing and Naming  Switching and Routing Protocols  Network Security Strategies  Management."— Presentation transcript:

1 P ART 2 L OGICAL N ETWORK D ESIGN 1  Network Topology  Addressing and Naming  Switching and Routing Protocols  Network Security Strategies  Management Strategies

2 C HAPTER F IVE D ESIGNING A N ETWORK T OPOLOGY Copyright 2010 Cisco Press & Priscilla Oppenheimer 2

3 N ETWORK T OPOLOGY D ESIGN T HEMES Hierarchy ( opposite to flat or mesh network ) Core layer Distribution layer Access layers Redundancy Modularity Well-defined entries and exits Protected areas 3

4 W HY U SE A H IERARCHICAL M ODEL ? Reduces workload on network devices Avoids devices having to communicate with too many other devices (reduces “CPU adjacencies”) Constrains broadcast domains Minimize costs. Only buy appropriate devices for each layer Facilitates changes easy and cheap Good for modularity and scalability 4

5 5

6 H IERARCHICAL N ETWORK D ESIGN Enterprise WAN Backbone Campus ACampus B Campus C Building C-1Building C-2 Campus C Backbone Core Layer Distribution Layer Access Layer 6

7 C ISCO ’ S H IERARCHICAL D ESIGN M ODEL A core layer of high-end routers and switches that are optimized for availability and speed A distribution layer of routers and switches that implement policies and segment traffic An access layer that connects users via hubs, switches, and other devices 7

8 U TILIZE THE H IERARCHICAL D ESIGN M ODEL TO D EVELOP A C OST -E FFECTIVE N ETWORK D ESIGN Access Layer requirements : Connectivity for existing devices and new devices VLANs to separate voice, security, wireless, and normal data services Redundancy QoS

9 U TILIZE THE H IERARCHICAL D ESIGN M ODEL TO D EVELOP A C OST -E FFECTIVE N ETWORK D ESIGN Distribution layer requirements: Redundant components and links High-density routing Traffic filtering QoS implementation High-bandwidth connectivity Fast convergence Route summarization

10 U TILIZE THE H IERARCHICAL D ESIGN M ODEL TO D EVELOP A C OST -E FFECTIVE N ETWORK D ESIGN Core Layer requirements : High-speed connectivity Routed interconnections High-speed redundant links

11 F LAT V ERSUS H IERARCHY Flat Loop Topology Headquarters in Medford Grants Pass Branch Office Ashland Branch Office Klamath Falls Branch Office Headquarters in Medford Ashland Branch Office Klamath Falls Branch Office Grants Pass Branch Office White City Branch Office Hierarchical Redundant Topology 11

12 M ESH D ESIGNS Partial-Mesh Topology Full-Mesh Topology 12

13 A P ARTIAL -M ESH H IERARCHICAL D ESIGN Headquarters (Core Layer) Branch Offices (Access Layer) Regional Offices (Distribution Layer) 13

14 A H UB - AND -S POKE H IERARCHICAL T OPOLOGY FOR SMALL COMPANY Corporate Headquarters Branch Office Home Office 14

15 A VOID C HAINS AND B ACKDOORS Core Layer Distribution Layer Access Layer Chain Backdoor Chain: extra layer Back door: connection between devices in the same layer, makes unexpected routing and switching problems. 15

16 C AMPUS T OPOLOGY D ESIGN Use a hierarchical, modular approach Minimize the size of bandwidth domains Minimize the size of broadcast domains Provide redundancy 16

17 A S IMPLE C AMPUS R EDUNDANT D ESIGN Host A Host B LAN X LAN Y Switch 1Switch 2 17


19 VLAN S VERSUS R EAL LAN S Switch A Station A1Station A2Station A3 Network A Switch B Station B1Station B2Station B3 Network B V IRTUAL LAN S (VLAN S ) 19 Two switches that are not connected to each other in any way. When Station A1 sends a broadcast, Station A2 and Station A3 receive the broadcast, but none of the stations in Network B receive the broadcast

20 A S WITCH WITH VLAN S Station A1Station A2Station A3 VLAN A Station B1Station B2Station B3 VLAN B 20 Through the configuration of the switch there are now two virtual LANs implemented in a single switch. The broadcast, multicast, and unknown-destination traffic originating with any member of VLAN A is forwarded to all other members of VLAN A, and not to a member of VLAN B. VLAN A has the same properties as a physically separate LAN bounded by routers.

21 VLAN S S PAN S WITCHES Switch A Station B1Station B2Station B3 Switch B Station B4 Station B5Station B6 Station A1Station A2Station A3Station A4Station A5Station A6 VLAN B VLAN A VLAN B VLAN A 21 VLANs can span multiple switches.

22 I NCORPORATE W IRELESS C ONNECTIVITY INTO THE LAN D ESIGN Factors influencing availability in a wireless network: Location of the AP Signal strength of the AP Number of users Dynamic reconfiguration Centralization

23 WLAN S AND VLAN S A wireless LAN (WLAN) is often implemented as a VLAN WLAN should be a separate subnet Clients roaming but Users remain in the same VLAN and IP subnet as they roam, so there’s no need to change addressing information Also makes it easier to set up filters ACL(Access Control Lists) to protect the wired network from wireless users. 23

24 S ECURITY T OPOLOGIES Enterprise Network DMZ Web, File, DNS, Mail Servers Internet 24

25 DMZ 25 DMZ: demilitarized zone: is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. In a computer network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as , web and Domain Name System (DNS) servers.

26 S ECURITY T OPOLOGIES Internet Enterprise Network DMZ Web, File, DNS, Mail Servers Firewall Firewall: boundary between two or more networks 26

27 F IREWALL A firewall can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set. 27

28 S UMMARY Use a systematic, top-down approach Plan the logical design before the physical design Topology design should feature hierarchy, redundancy, modularity, and security 28

29 R EVIEW Q UESTIONS Why are hierarchy and modularity important for network designs? What are the three layers of Cisco’s hierarchical network design? What are the major components of Cisco’s enterprise composite network model? What are the advantages and disadvantages of the various options for multihoming an Internet connection? 29

30 C HAPTER S IX D ESIGNING M ODELS FOR A DDRESSING AND N AMING Copyright 2010 Cisco Press & Priscilla Oppenheimer 30

31 G UIDELINES FOR A DDRESSING AND N AMING Use a structured model for addressing and naming Assign addresses and names hierarchically Decide in advance 31

32 A DVANTAGES OF S TRUCTURED M ODELS FOR A DDRESSING & N AMING It makes it easier to Read network maps Operate network management software Recognize devices in protocol analyzer traces Meet goals for usability Design filters on firewalls and routers Implement route summarization 32

33 P UBLIC IP A DDRESSES Managed by the Internet Assigned Numbers Authority (IANA)IANA Users are assigned IP addresses by Internet Service Providers (ISPs). ISPs obtain allocations of IP addresses from their appropriate Regional Internet Registry (RIR) Public address is essential for web server or other servers that external users access. But not necessary for all internal hosts and networks. Private address is ok. Addressing for internal host that need access to outside services can be handled by NAT (Network Address Translation) gateway. 33

34 R EGIONAL I NTERNET R EGISTRIES (RIR) American Registry for Internet Numbers (ARIN) American Registry for Internet Numbers (ARIN) serves North America and parts of the Caribbean. RIPE Network Coordination Centre (RIPE NCC) RIPE Network Coordination Centre (RIPE NCC) serves Europe, the Middle East, and Central Asia. Asia-Pacific Network Information Centre (APNIC) Asia-Pacific Network Information Centre (APNIC) serves Asia and the Pacific region. Latin American and Caribbean Internet Addresses Registry (LACNIC) Latin American and Caribbean Internet Addresses Registry (LACNIC) serves Latin America and parts of the Caribbean. African Network Information Centre (AfriNIC) African Network Information Centre (AfriNIC) serves Africa. 34

35 P RIVATE A DDRESSING – – – An enterprise network administrator assigns to internal networks and hosts without any coordination from an ISP or RIRs. Advantages:  Security. Private network numbers are not advertised.  Flexibility. Easy to change to new ISP.  Save IP address resources. 35

36 T HE T WO P ARTS OF AN IP A DDRESS PrefixHost 32 Bits Prefix Length 36

37 D ESIGNING N ETWORKS WITH S UBNETS Determining subnet size Computing subnet mask Computing IP addresses 37

38 38 S UBNETS Subnetting is the process to divide a network into several smaller networks. Within a subnet, all the hosts have the same network ID in their IP addresses. With subnets, a physical network can be divided into logical units. The hosts in each unit can directly communicate with each other and use the same router to communicate with the hosts in the other subnets. Local broadcasting is limited within a subnet.

39 39 R EASONS FOR U SING S UBNETS To efficiently use IP addresses To reduce the number of collisions To reduce broadcasting traffic To strengthen network security control To implement the network structure at the site, building, department, and office levels To reduce the cost of paying the ISP for public IP addresses

40 40 S UBNET M ASKS A subnet mask is a string of 32-bit binary code used to determine which part of an IP address is used as the network ID. Binary Subnet MaskDecimal Subnet Mask The leftmost bits in a subnet mask are a sequence of consecutive 1s and rightmost bits must be consecutive 0s. Invalid masks are listed below. BinaryDecimal

41 A DDRESSES TO A VOID W HEN S UBNETTING A node address of all ones (broadcast) A node address of all zeros (network) A subnet address of all ones (all subnets) A subnet address of all zeros (confusing) 41

42 C LASSFUL IP A DDRESSING ClassFirst First BytePrefixIntent Few BitsLength A01-126*8Very large networks B Large networks C Small networks D NAIP multicast E NAExperimental *Addresses starting with 127 are reserved for IP traffic local to a host. 42

43 ClassPrefixNumber of Addresses Lengthper Network A = 16,777,214 B = 65,534 C = 254 D IVISION OF THE C LASSFUL A DDRESS S PACE 43

44 C LASSFUL IP IS W ASTEFUL Class A uses 50% of address space Class B uses 25% of address space Class C uses 12.5% of address space Class D and E use 12.5% of address space 44

45 C LASSLESS A DDRESSING Prefix/host boundary can be anywhere Less wasteful Supports route summarization ( Aggregation ) Also known as Aggregation Supernetting Classless routing Classless inter-domain routing (CIDR) Prefix routing 45

46 S UPERNETTING Move prefix boundary to the left Branch office advertises / Branch-Office Networks Enterprise Core Network Branch-Office Router 46

47 G UIDELINES FOR A SSIGNING N AMES Names should be Short Meaningful Clear Distinct Case insensitive Avoid names with unusual characters Hyphens, underscores, asterisks, and so on 47

48 D OMAIN N AME S YSTEM (DNS) Maps names to IP addresses Supports hierarchical naming example: A DNS server has a database of resource records (RRs) that maps names to addresses in the server’s “zone of authority” Client queries server Uses UDP port 53 for name queries and replies Uses TCP port 53 for zone transfers 48

49 D ESCRIBE IP V 6 I MPLEMENTATIONS AND IP V 6 TO IP V 4 I NTERACTIONS Enhancements available with IPv6: Mobility and security Simpler header Address formatting

50 S UMMARY Use a systematic, structured, top-down approach to addressing and naming Assign addresses in a hierarchical fashion Distribute authority for addressing and naming where appropriate IPv6 looms in our future 50

51 R EVIEW Q UESTIONS Why is it important to use a structured model for addressing and naming? When is it appropriate to use IP private addressing versus public addressing? When is it appropriate to use static versus dynamic addressing? What are some approaches to upgrading to IPv6? 51

52 C HAPTER S EVEN S ELECTING S WITCHING AND R OUTING P ROTOCOLS Copyright 2010 Cisco Press & Priscilla Oppenheimer 52

53 S WITCHING AND R OUTING C HOICES Switching Layer 2 transparent bridging (switching) Multilayer switching Spanning Tree Protocol enhancements VLAN technologies Routing Static or dynamic Distance-vector and link-state protocols Interior and exterior Etc. 53

54 S ELECTION C RITERIA FOR S WITCHING AND R OUTING P ROTOCOLS Network traffic characteristics Bandwidth, memory, and CPU usage The number of peers supported The capability to adapt to changes quickly Support for authentication 54


56 T RANSPARENT B RIDGING (S WITCHING ) T ASKS Forward frames transparently Learn location of devices by source address in each frame Bridge develops a switch/bridge table, or MAC address table, or Content Address Memory (CAM) table. Floods unknown or broadcast frames Layer 1 and 2 device (physical address), don’t look at IP address. Store-and-forward device. Receive a complete frame, determines outgoing port, calculates CRC then transmits the frame when the port is free 56


58 P ROTOCOLS FOR T RANSPORTING VLAN I NFORMATION Switches need a method to make sure intra- VLAN traffic goes to the correct interfaces. IEEE 802.1Q VLAN Trunk Protocol (VTP) VLAN management protocol 58 Switch A Station B1Station B2Station B3 Switch B Station B4 Station B5Station B6 Station A1Station A2Station A3Station A4Station A5Station A6 VLAN B VLAN A VLAN B VLAN A

59 Routing vs. Bridging and Switching Routing is operating at the Network Layer of the OSI Model. Bridging and switching occur on the Data Link Layer. 59

60 S ELECTING R OUTING P ROTOCOLS They all have the same general goal: To share network reachability information among routers They differ in many ways: Interior versus exterior Metrics supported Dynamic versus static and default Distance-vector versus link-sate Classful versus classless Scalability 60 A routing protocol lets a router dynamically learn how to reach other networks and exchange this information with other routers.

61 I NTERIOR V ERSUS E XTERIOR R OUTING P ROTOCOLS Interior routing protocols are used within one organization. The current lead Interior Routing Protocol is OSPF. Other Interior Protocols include IS-IS, RIP, and EIGRP. Exterior routing protocols are used between organizations. The current lead Exterior Gateway Protocol is BGP. The current revision of BGP is BGP4. There are no other Exterior Gateway Routing protocols in current competition with BGP4. 61

62 R OUTING P ROTOCOL M ETRICS Metric: the determining factor used by a routing algorithm to decide which route to a network is better than another Examples of metrics: Bandwidth - capacity Delay - time Load - amount of network traffic Reliability - error rate Hop count - number of routers that a packet must travel through before reaching the destination network Cost - arbitrary value defined by the protocol or administrator 62

63 R OUTING A LGORITHMS Static routing Calculated beforehand, offline Default routing “If I don’t recognize the destination, just send the packet to Router X” Cisco’s On-Demand Routing Routing for stub networks Uses Cisco Discovery Protocol (CDP) Dynamic routing protocol Distance-vector algorithms Link-state algorithms 63

64 D ISTANCE -V ECTOR V S. L INK -S TATE Distance-vector algorithms keep a list of networks, with next hop and distance (metric) information Link-state algorithms keep a database of routers and links between them Link-state algorithms think of the internetwork as a graph instead of a list When changes occur, link-state algorithms apply Dijkstra’s shortest-path algorithm to find the shortest path between any two nodes Dijkstra’s shortest-path algorithm 64

65 C HOOSING B ETWEEN D ISTANCE - V ECTOR AND L INK -S TATE Choose Distance- Vector Simple, flat topology Hub-and-spoke topology Junior network administrators Convergence time not a big concern Choose Link-State Hierarchical topology More senior network administrators Fast convergence is critical 65

66 D YNAMIC IP R OUTING P ROTOCOLS Distance-Vector Routing Information Protocol (RIP) Version 1 and 2 Interior Gateway Routing Protocol (IGRP) Enhanced IGRP Border Gateway Protocol (BGP) Link-State Open Shortest Path First (OSPF) Intermediate System-to- Intermediate System (IS-IS) 66

67 67

68 S UMMARY The selection of switching and routing protocols should be based on an analysis of Goals Scalability and performance characteristics of the protocols Transparent bridging is used on modern switches But other choices involve enhancements to STP and protocols for transporting VLAN information There are many types of routing protocols and many choices within each type 68

69 R EVIEW Q UESTIONS What are some options for enhancing the Spanning Tree Protocol? What factors will help you decide whether distance-vector or link-state routing is best for your design customer? What factors will help you select a specific routing protocol? Why do static and default routing still play a role in many modern network designs? 69

70 C HAPTER E IGHT D EVELOPING N ETWORK S ECURITY S TRATEGIES Copyright 2010 Cisco Press & Priscilla Oppenheimer 70

71 N ETWORK S ECURITY D ESIGN T HE 12 S TEP P ROGRAM 1. Identify network assets 2. Analyze security risks 3. Analyze security requirements and tradeoffs 4. Develop a security plan 5. Define a security policy 6. Develop procedures for applying security policies 71 ch2 ch8

72 T HE 12 S TEP P ROGRAM ( CONTINUED ) 7. Develop a technical implementation strategy 8. Achieve buy-in from users, managers, and technical staff 9. Train users, managers, and technical staff 10. Implement the technical strategy and security procedures 11. Test the security and update it if any problems are found 12. Maintain security 72 out ch12 ch8

73 N ETWORK A SSETS Hardware Software Applications Data Intellectual property Trade secrets Company’s reputation 73

74 S ECURITY R ISKS Hacked network devices Data can be intercepted, analyzed, altered, or deleted User passwords can be compromised Device configurations can be changed Reconnaissance attacks ( gather information ) Denial-of-service attacks ( make a computer resource unavailable to its intended users ) 74

75 S ECURITY T RADEOFFS Tradeoffs must be made between security goals and other goals: Affordability Usability Performance Availability Manageability 75 Security adds to management work (user ID, passwords ), and affects network performance. Encryption consume upto 15% of CPU power on a router or network throughput.

76 A S ECURITY P LAN High-level document that proposes what an organization is going to do to meet security requirements Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy 76

77 A S ECURITY P OLICY A security policy is a “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” The policy should address Access, accountability, authentication, privacy, and computer technology purchasing guidelines 77

78 S ECURITY M ECHANISMS Physical security Authentication Authorization Accounting (Auditing) Data encryption Packet filters Firewalls Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) 78

79 M ODULARIZING S ECURITY D ESIGN Security defense in depth Network security should be multilayered with many different techniques used to protect the network Belt-and-suspenders approach Don’t get caught with your pants down 79

80 M ODULARIZING S ECURITY D ESIGN Secure all components of a modular design: Internet connections Public servers and e-commerce servers Remote access networks and VPNs Network services and network management Server farms User services Wireless networks 80

81 S ECURING I NTERNET C ONNECTIONS Physical security Firewalls and packet filters Audit logs, authentication, authorization Well-defined exit and entry points Routing protocols that support authentication 81

82 S ECURING P UBLIC S ERVERS Place servers in a DMZ that is protected via firewalls Run a firewall on the server itself Enable DoS protection Limit the number of connections per timeframe Use reliable operating systems with the latest security patches Maintain modularity Front-end Web server doesn’t also run other services ( FTP services not run on the same server as Web services, e-commerce database should not be on the web server.) 82

83 S ECURING R EMOTE -A CCESS AND V IRTUAL P RIVATE N ETWORKS (VPN) Physical security Firewalls Authentication, authorization, and auditing Encryption One-time passwords Security protocols CHAP RADIUS IPSec 83

84 S ECURING N ETWORK S ERVICES Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions Require login IDs and passwords for accessing devices Require extra authorization for risky configuration commands Use SSH rather than Telnet Change the welcome banner to be less welcoming 84

85 S ECURING S ERVER F ARMS Deploy network and host IDSs to monitor server subnets and individual servers Configure filters that limit connectivity from the server in case the server is compromised Fix known security bugs in server operating systems Require authentication and authorization for server access and management Limit root password to a few people Avoid guest accounts 85

86 S ECURING U SER S ERVICES Specify which applications are allowed to run on networked PCs in the security policy Require personal firewalls and antivirus software on networked PCs Implement written procedures that specify how the software is installed and kept current Encourage users to log out when leaving their desks Consider using 802.1X port-based security on switches 86

87 S ECURING W IRELESS N ETWORKS Place wireless LANs (WLANs) in their own subnet or VLAN Simplifies addressing and makes it easier to configure packet filters Require all wireless (and wired) laptops to run personal firewall and antivirus software Disable beacons that broadcast the SSID, and require MAC address authentication Except in cases where the WLAN is used by visitors 87

88 WLAN S ECURITY O PTIONS Wired Equivalent Privacy (WEP) (danger) IEEE i Wi-Fi Protected Access (WPA) IEEE 802.1X Extensible Authentication Protocol (EAP) Lightweight EAP or LEAP (Cisco) Protected EAP (PEAP) Virtual Private Networks (VPNs) Any other acronyms we can think of? :-) 88

89 W IRED E QUIVALENT P RIVACY (WEP) Defined by IEEE Users must possess the appropriate WEP key that is also configured on the access point 64 or 128-bit key (or passphrase) WEP encrypts the data using the RC4 stream cipher method Infamous for being crackable (within 30 minutes by normal laptop) 89

90 WEP A LTERNATIVES Vendor enhancements to WEP Temporal Key Integrity Protocol (TKIP) Every frame has a new and unique WEP key Advanced Encryption Standard (AES) IEEE i Wi-Fi Protected Access (WPA) from the Wi- Fi Alliance 90

91 E XTENSIBLE A UTHENTICATION P ROTOCOL (EAP) With 802.1X and EAP, devices take on one of three roles: The supplicant resides on the wireless LAN client The authenticator resides on the access point An authentication server resides on a RADIUS server 91

92 EAP (C ONTINUED ) An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password The credentials are passed by the authenticator to the server and a session key is developed Periodically the client must reauthenticate to maintain network connectivity Reauthentication generates a new, dynamic WEP key 92

93 VPN S OFTWARE ON W IRELESS C LIENTS Safest way to do wireless networking for corporations Wireless client requires VPN software Connects to VPN concentrator at HQ Creates a tunnel for sending all traffic VPN security provides: User authentication Strong encryption of data Data integrity 93

94 S UMMARY Use a top-down approach Chapter 2 talks about identifying assets and risks and developing security requirements Chapter 5 talks about logical design for security (secure topologies) Chapter 8 talks about the security plan, policy, and procedures Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design 94

95 R EVIEW Q UESTIONS How does a security plan differ from a security policy? Why is it important to achieve buy-in from users, managers, and technical staff for the security policy? What are some methods for keeping hackers from viewing and changing router and switch configuration information? How can a network manager secure a wireless network? 95

96 C HAPTER N INE D EVELOPING N ETWORK M ANAGEMENT S TRATEGIES Copyright 2010 Cisco Press & Priscilla Oppenheimer 96

97 N ETWORK M ANAGEMENT Helps an organization achieve availability, performance, and security goals Helps an organization measure how well design goals are being met and adjust network parameters if they are not being met Facilitates scalability Helps an organization analyze current network behavior, apply upgrades appropriately, and troubleshoot any problems with upgrades 97

98 N ETWORK M ANAGEMENT D ESIGN Consider scalability, traffic patterns, data formats, cost/benefit tradeoffs Determine which resources should be monitored Determine metrics for measuring performance Determine which and how much data to collect 98

99 P ROACTIVE N ETWORK M ANAGEMENT Plan to check the health of the network during normal operation, not just when there are problems Recognize potential problems as they develop Optimize performance Plan upgrades appropriately 99

100 N ETWORK M ANAGEMENT P ROCESSES A CCORDING TO THE ISO Fault management Configuration management Accounting management Performance management Security management 100

101 F AULT M ANAGEMENT Detect, isolate, diagnose, and correct problems Report status to end users and managers Track trends related to problems 101

102 C ONFIGURATION M ANAGEMENT Keep track of network devices and their configurations Maintain an inventory of network assets Log versions of operating systems and applications 102

103 A CCOUNTING M ANAGEMENT Keep track of network usage by departments or individuals Facilitate usage-based billing Find abusers who use more resources than they should 103

104 P ERFORMANCE M ANAGEMENT Monitor end-to-end performance Also monitor component performance (individual links and devices) Test reachability Measure response times Measure traffic flow and volume Record route changes 104

105 S ECURITY M ANAGEMENT Maintain and distribute user names and passwords Generate, distribute, and store encryption keys Analyze router, switch, and server configurations for compliance with security policies and procedures Collect, store, and examine security audit logs 105

106 N ETWORK M ANAGEMENT C OMPONENTS A managed device is a network node that collects and stores management information An agent is network-management software that resides in a managed device A network-management system (NMS) runs applications to display management data, monitor and control managed devices, and communicate with agents 106

107 N ETWORK M ANAGEMENT A RCHITECTURE NMS Management Database Agent Management Database Agent Management Database Agent Managed Devices 107

108 A RCHITECTURE C ONCERNS In-band versus out-of-band monitoring In-band control passes control data on the same connection as main data. Out-of-band control passes control data on a separate connection from main data. In-band is easier to develop, but results in management data being impacted by network problems Centralized versus distributed monitoring Centralized management is simpler to develop and maintain, but may require huge amounts of information to travel back to a centralized network operations center (NOC) 108

109 S IMPLE N ETWORK M ANAGEMENT P ROTOCOL (SNMP) Most popular network management protocol SNMPv3 should gradually supplant versions 1 and 2 because it offers better authentication SNMP works with Management Information Bases (MIBs) 109

110 R EMOTE M ONITORING (RMON) Developed by the IETF in the early 1990s to address shortcomings in standard MIBs Provides information on data link and physical layer parameters Nine groups of data for Ethernet The statistics group tracks packets, octets, packet-size distribution, broadcasts, collisions, dropped packets, fragments, CRC and alignment errors, jabbers, and undersized and oversized packets 110

111 C ISCO T OOLS Cisco Discovery Protocol With the show cdp neighbors detail command, you can display detailed information about neighboring routers and switches, including which protocols are enabled, network addresses for enabled protocols, the number and types of interfaces, the type of platform and its capabilities, and the version of Cisco IOS Software running on the neighbor. NetFlow Accounting An integral part of Cisco IOS Software that collects and measures data as it enters router or switch interfaces 111

112 S UMMARY Determine which resources to monitor, which data about these resources to collect, and how to interpret that data Develop processes that address performance, fault, configuration, security, and accounting management Develop a network management architecture Select management protocols and tools 112

113 R EVIEW Q UESTIONS Why is network management design important? Define the five types of network management processes according to the ISO. What are some advantages and disadvantages of using in-band network management versus out-of-band network management? What are some advantages and disadvantages of using centralized network management versus distributed network management? 113

114 114

Download ppt "P ART 2 L OGICAL N ETWORK D ESIGN 1  Network Topology  Addressing and Naming  Switching and Routing Protocols  Network Security Strategies  Management."

Similar presentations

Ads by Google