Massimiliano Sbaraglia

Similar documents
Building Cisco Multilayer Switched Networks (BCMSN)

Cisco Certified Network Associate ( )

CCNA Routing and Switching (NI )

CCNP SWITCH (22 Hours)

Implementing Cisco IP Switched Networks (SWITCH)

TEXTBOOK MAPPING CISCO COMPANION GUIDES

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

Building A Resilient Campus: Fundamentals and Best Practices

Exam Topics Cross Reference

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

Cisco Certified Network Professional (CCNP)

CCNP (Routing & Switching and T.SHOOT)

NETLOGIC TRAINING CENTER

Number: Passing Score: 800 Time Limit: 120 min File Version: 9.0. Cisco Questions & Answers

Implementing Cisco IP Routing ( )

Syllabus. Cisco Certified Design Professional. Implementing Cisco IP Routing

PrepKing. PrepKing

SWITCH Implementing Cisco IP Switched Networks

CERTIFICATE CCENT + CCNA ROUTING AND SWITCHING INSTRUCTOR: FRANK D WOUTERS JR. CETSR, CSM, MIT, CA

Catalyst 4500 Series IOS Commands

CCNA Routing & Switching

Question No : 1 Which three options are basic design principles of the Cisco Nexus 7000 Series for data center virtualization? (Choose three.

ASM Educational Center (ASM) Est. 1992

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets?

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Switched Networks. Version: Demo

Interconnecting Cisco Networking Devices Part 2 (ICND2) Course Overview

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

CCNP Switch Questions/Answers Cisco Enterprise Campus Architecture

Symbols. Numerics INDEX

MS425 SERIES. 40G fiber aggregation switches designed for large enterprise and campus networks. Datasheet MS425 Series

CCIE Route & Switch Written (CCIERSW) 1.0

Q&As Implementing Cisco IP Switched Networks (SWITCH v2.0)

Implementing Cisco IP Switched Networks (SWITCH) v2.0

Configuring Private VLANs

CCNA. The knowledge and skills that a learner must have before attending this course are as follows:

Implementing Cisco IP Routing Volume 1

ActualTest v by-VA

Cisco Configuring Cisco Nexus 7000 Switches v3.1 (DCNX7K)

"Charting the Course... Implementing Cisco Data Center Infrastructure (DCII) Course Summary

Authorized CCNP. Student. LabManual SWITCH.

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

Catalyst 4500 Series IOS Commands

CUDN PoP Switch Changes 2018

Enterprise Multilayer and Routed Access Campus Design. Yaman Hakmi Systems Engineer

VSS-Enabled Campus Design

SEVENMENTOR TRAINING PVT.LTD

Troubleshooting and Maintaining Cisco IP Networks v2 ( )

examcollection.premium.exam.157q. Exam code: Exam name: Implementing Cisco IP Switched Networks. Version 15.0

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

actualtests.cisco.ccnp switch by.passforu

: Building Cisco Multilayer Switched Networks

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs

Configuring StackWise Virtual

Integrated Switch Technology

Cisco ME 6524 Ethernet Switch

Question No: 1 What is the maximum number of switches that can be stacked using Cisco StackWise?

Cisco Exam Bundle

Cisco.Braindumps v by.Toni.259q. Exam Code: Exam Name: Cisco implementing cisco switched networks

Cisco Exam Bundle

Module 5: Cisco Nexus 7000 Series Switch Administration, Management and Troubleshooting

Cisco Systems Korea Cisco Systems, Inc. All rights reserved. 1

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

Implementing Cisco Data Center Infrastructure v6.0 (DCII)

Overview. Features CHAPTER

Configuring Cisco Nexus 7000 Series Switches

Cisco Exam Bundle

Cisco ME 6524 Ethernet Switch

Pass-Through Technology

Product features. Applications

Network-Level High Availability

Network+ Guide to Networks 7 th Edition

CCNA Practice test. 2. Which protocol can cause high CPU usage? A. NTP B. WCCP C. Telnet D. SNMP Answer: D

CCNA 3 (v v6.0) Chapter 3 Exam Answers % Full

Cisco EXAM Cisco ADVDESIGN. Buy Full Product.

Configuring Private VLANs

MS355 SERIES. Multi-Gigabit access switches with 40G uplinks, designed for high performance enterprise and campus networks

Designing Cisco Data Center Unified Computing

CCNA Semester 3 labs. Part 1 of 1 Labs for chapters 1 8

Vendor: HP. Exam Code: HP0-Y37. Exam Name: Migrating &Troubleshooting Enterprise Networks. Version: Demo

Lab 1-2Connecting to a Cisco Router or Switch via Console. Lab 1-6Basic Graphic Network Simulator v3 Configuration

Cisco CCNP Exam

Cisco CISCO Data Center Networking Infrastructure Design Specialist. Practice Test. Version

TSHOOT v2.0 Troubleshooting and Maintaining Cisco IP Networks 5 days, Instructor-led

48-Port 10/100/1000BASE-T + 4-Port 100/1000BASE-X SFP Gigabit Managed Switch GS T4S

Design of High-Availability Resilient Converged Enterprise Networks. (C) Petr Grygárek

"Charting the Course... TSHOOT Troubleshooting and Maintaining Cisco IP Networks Course Summary

Cisco CCNA (ICND1, ICND2) Bootcamp

Transparent or Routed Firewall Mode

Implementing Cisco IP Switched Networks (SWITCH) Technical Edition

Specialist Level Certification JNCIS-ENT; 5 Days; Instructor-led

MS225 SERIES. Stackable access switches with 10G SFP+ uplinks, designed for the branch and campus. Datasheet MS225 Series Switches

School Site Design. Large School Modular Switch Design CHAPTER

H3C S1850 Gigabit WEB Managed Switch Series

cisco. Number: Passing Score: 800 Time Limit: 120 min.

Top-Down Network Design

About the HP A7500 Configuration Guides

About the H3C S5130-HI configuration guides

Interconnecting Cisco Networking Devices: Accelerated

Chapter 1: Enterprise Campus Architecture. Course v6 Chapter # , Cisco Systems, Inc. All rights reserved. Cisco Public

CISCO CCNP Cisco Certified Network Professional v2.0

Transcription:

Massimiliano Sbaraglia

Printer Layer 2 access connections to End-Point Layer 2 connections trunk or layer 3 p2p to pair distribution switch PC CSA PVST+ or MST (Spanning Tree Protocol) VLANs LapTop VoIP Phone CSA Software Security End-Point: CSA (Cisco Security Agent) for safe host-based intrusion prevention system (HIPS) Security Access Network: DHCP, ARP, IP Spoofing, NFP (Network Foundaton Protection) and CISF (Catalyst Integrated Security Feature) LWAPP Access Point WIFI ACCESS

Security Infrastructure Level Implement OOB (Out Of Band) interface to devices network management Limit the accessible port devices and restrict the permitted communications Legal Notification Authenticate and Authorize access using AAA Log and Account for all access Protect sensitive data such as local-password Security Routing Level (for layer 3 access routing) Authentication router neighbors Use default passive interface Log neighbor changes Implement stub-routing when possible

Security Device Level Disable unnecessary services Filter and rate-limit control-plane traffic Redundancy Security Network Telemetry NTP (Network Time Protocol) to synchronize time to all network domain Monitor interface statistics to all devices Monitor system status information such as CPU, memory and process Log all system status, traffic analysis, access device informations Security Policy Enforcement: Implement management and infrastructure ACL (i-acl) Protect against IP spoofing with urpf on routed edge interface and with IP source guard on access port

Security Switching Level Restrict broadcast domain Implement Spanning Tree Protocol against loops (RSTP, RPVST+) and BPDU guard, STP root guard DHCP snooping enable on access vlans against dhcp starvation and rogue dhcp servers attacks IP spoofing protecton with IP source guard enable on access port ARP spoofing protection with dynamic ARP inspection (DAI) enable on access vlans MAC flooding protection with port security enable on access port Broadcast and Multicast protection with storm control enable on access port Security i-acl level A carefully planned addressing scheme Ping and traceroute allowed Block access to address assigned to the infrastructure devices Block access to address assigned to the network management devices Permit client transit traffic

Security Vlans Level Restrict vlans on single switch Configure separate vlans to voice and data Disable vlans dynamic trunk negotiation trunking on access port (DTP off) Configure explicity trunk mode on infrastructure ports rather autonegotiation Use VTP mode transparent on switches Disable unused ports (shutdown) Do not use vlan 1 for anything Use all tagged mode for native vlan on trunks port

IBNS ( Identity-Based Networking Services) 802.1x MAB (MAC Authentication Bypass) NAC Appliance Implemented on in-band or out-of-band NAC servers and NAC manager placement Access switch vlans requirements Client redirection to NAC server NAC agent Client authentication

Service requirement Discovery and Configuration Type of Service 802.1AF (Authenticated Key Agreement MACsec) ; CDP ; LLDP ; LLDP-MED Security Services INBS (802.1x) ; CISF (Catalyst Integrated Security Feature) ; port security ; DHCP snooping ;DAI (Dynamic Arp Inspection) ; IPSG (IP source guard) Network Identity and Access Application Recognition 802.1x ; MAB (Mac Authentication Bypass) ; Web-Auth QoS marking, policing, queueing ; NBAR (Network Based Application Recognition) Intelligent Network Service Control PVST+ ; Rapid PVST+ ; EIGRP ; OSPF ; DTP ; LACP or PAgP ; Flexlink ; port-fast ; uplink-fast ; backbone-fast ; loop-guard ; BPDU-guard ; port-security ; rootguard Physical Infrastructure PoE (Power of Ethernet)

CORE DISTRIBUTION ACCESS NOT GOOD ACCEPTABLE GOOD

Core Level Core Level MSFC SVI HSRP active MSFC SVI HSRP standby MSFC SVI HSRP active MSFC SVI HSRP standby L3 L2 DISTRIBUTION L3 L2 STP root primary uplink active link Uplinks active state STP root secondary uplink active link STP root primary uplink active link Uplinks active state STP root secondary uplink active link vlans vlans ACCESS vlans vlans Loop Free type U Loop Free type Inverted-U

Core Level Core Level HSRP active HSRP standby HSRP active HSRP standby L3 L3 STP root primary L2 DISTRIBUTION L2 uplink active link blocked link uplink active link STP root secondary blocked link STP root primary uplink active link Square STP root secondary uplink active link vlans vlans ACCESS vlans blocked link vlans Loop type Triangle Loop type Square

Core Level DISTRIBUTION vlans HSRP active primary link HSRP standby L3 L2 primary link backup link ACCESS backup link vlans vlans Flex-Link model

Loop guard enable DISTRIBUTION GLBP provide for active-active FHRP ACCESS Loop guard enable Root guard enable STP domain edge port edge port Flex-link an alernative to STP BPDU guard enable Root guard enable BPDU guard enable Root guard enable

Catalyst-1 Catalyst-2 VSS switch logico DISTRIBUTION VSS active VSL VSS standby STP active link MEC STP standby link = trunk ACCESS physical view logical view STAR model

Core Level DISTRIBUTION L3 p2p L3 p2p L3 p2p ACCESS SVI gateway voice vlan x data vlan y other vlan z L3 p2p voice vlan a data vlan b other vlan c SVI gateway Layer 3 Layer 2

Intrusion Prevention NAC Access control Netflow urpf Distribution module work between access and core levels Distribution switch are implemented on pair for redundancy reasons Protecting End-Point with network-based intrusion prevention system Protecting Infrastructure with NFP best practice DISTRIBUTION Access Level Core Level

Security IPS Level Provide filtering of know network worm and virus, DoS traffic attacks, hacking attacks IPS is placed in traffic path (inline mode with bridged traffic) or in promiscuous mode via SPAN, RSPAN, VACL Multiple IPS sensor may offer scalability and availability with load-balancing using ether-channel (ECLB) IPS sensor may be used to see traffic on both directions (traffic symmetry) Security Infrastructure Level Implement OOB (Out Of Band) interface to devices network management Limit the accessible port devices and restrict the permitted communications Legal Notification Authenticate and Authorize access using AAA Log and Account for all access Protect sensitive data such as local-password

Security Routing Level Authentication router neighbor Use default passive interface Log neighbor changes Implement stub-routing when possible Note: Route filtering and stub routing in the distribution layer are only recommended for a multi-tier or VSS design where the routed edge interface is on the distribution switches. In a routed access design, these features are used in the access layer. Security Device Level Disable unnecessary services Filter and rate-limit control-plane traffic Redundancy

Security Network Telemetry NTP (Network Time Protocol) to synchronize time to all network domain Monitor interface statistics to all devices Monitor system status information such as CPU, memory and process) Log all system status, traffic analysis, access device information Enable Netflow Security Policy Enforcement: Implement management and infrastructure ACL (i-acl) Protect against IP spoofing with urpf on routed edge interface Note: urpf is only applicable in the distribution layer of a multi-tier design where the routed edge interface is on the distribution switches. In a routed access design, this is enabled in the access layer.

Security Switching Level Restrict broadcast domain Implement Spanning Tree Protocol against loops (RSTP, RPVST+) and BPDU guard, STP root guard Implement vlans best practice Note: VLAN and spanning tree best practices are only applicable in the distribution layer of a multi-tier design where Layer 2 extends to the distribution layer switches.

Protocol Multi-Tier Access Routed Access Virtual Switch Access distribution control-plane PVST+ ; Rapid PVST+ ; MST EIGRP ; OSPF PaGP ; LACP Spanning Tree Required for redundancy and to prevent L2 loops Network Recovery STP and FHRP (HSRP ; GLPB ; VRRP) EIGRP ; OSPF MEC (multichassis eth) VLAN spanning wiring closets YES (required L2 STP loops) NO YES Layer 2 / Layer 3 demarcation Distribution level Access level Distribution level First Hop Redundancy Protocol HSRP ; GLPB ; VRRP NO NO NO NO Access to Distribution per-flow load-balancing Convergence Change control NO YES (ECMP) YES (MEC) 900 msec to 50 sec (depend on tuning STP and FHRP topology) Dual distribution switch design requires manual configurationsynchronization but allows for independent code upgrades and changes 50 to 600 msec 50 to 600 msec The same like multitier access Single virtual switch auto-syncs the configuration between redundant hardware but does not currently allow independent code upgrades for individual member switches

DHCP Server DNS Server FTP Server Cisco Call Manager Centralized LWAPP wireless Controller IPv6 ISATAP tunnel termination Local Internet Edge Cisco Unified Communication services WLAN Controller Policy Gateways NAC Access Control Service Block Core Level

Distribution Edge High Availability and always-on operate It is the backbone and connect all distribution block on Enterprices campus L3 Appropriate redundancy level to ensure any kind of failure (switch, supervisor, line-card, cabling) Upgrade hardware and software without any disruption of network application CORE L3 Distribution Building Access Building

PSTN INTERNET WAN MPLS Metro-E E-Commerce INTERNET Service Provider Edge Router WAN Router with PIX Firewall Router with Firewall VPN Concentrator SSL Terminator Remote Access Layer 3 Layer 3 Layer 3 Edge distribution Enterprice Edge Layer 3 Layer 3 Layer 3 Layer 3 Core Level L3 Layer 3 Enterprice Campus Building distribution Nexus VDC Firewall Vdom Balancer Server Farm Layer 2 Data Center Access Level (end-user )

untrusted Access Distribution Core WAN/VPN PE Service Provider trusted CSA trusted Marking QoS in hardware DSCP PHB

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback