Designing Cisco Network Service Architectures - Free Books

More documents

Recommendations

Info

The roles are as stated in Case Study 2:— The following roles or VLANs are needed at each Layer 3 switch: guest, user,system administrators, developer, financial system administrators, voice VLAN,plus a few more for growth.— Each role subnet must allow for up to 254 users, since ordinary users, developers, orsystem administrators might be grouped near each other. That is, you cannot safelyassume the users will be evenly distributed among roles.The CP Hotels network team has decided that the following role to VLAN mapping will beused:VLAN Purpose1 Default for unassigned ports: don’t use2 Native VLAN on trunks, no other use3 Guest4 User5 Sys admin6 Developer7 Financial sys admin8 Voice VLAN9-16 Reserved for future expansion of rolesCP Hotels Design TasksComplete these steps:Step 1 Complete a design for the new CP Hotels VPN. Your design should include thefollowing components:— Your recommendation as to what type of IPsec VPN CP Hotels should use, why yourecommend that approach, and its pros and cons.— An explanation of how each hotel will connect in your design.— An explanation of how your design routes to each hotel, including how failoverworks. Also explain how routing will allow packets to reach the other IPsec tunnelendpoint (i.e. how the IPsec packets would be routed).— Details of routing protocol implementation, e.g. OSPF areas, and EIGRP or OSPFsummarization.— Your description of how your design controls routing impact of any instability inlocal or regional ISPs.— Detailed addressing and routing plan, implementing the summarization (and, ifrelevant, areas) of the previous step.Page 32 WHAT IS MY NAME? (ARCH) v2.0 © 2007 Cisco Systems, Inc.
Step 2 Review the CP Hotels design concerning overall security. Your report shouldinclude at least the following:— Your observations of any security problems in the present design. Also note ways inwhich packet and control plane security might be improved.— A check that all external connections are properly secured with firewalls. (Since allthe details have not been specified, indicate what you want the design to look like ateach external connection.)— Your recommendations for where CP Hotels should deploy IPS systems, and howthey should be deployed, also where to deploy Cisco MARS.— Your evaluation of the risks concerning the Call Centers, and how best to mitigatethose risks. The CP Hotel.com site and the Call Centers are crucial to revenueproduction at CP Hotels. The collocation facility redesign secured the e-commercesite. Now it is time to ensure the Call Centers are secure.Step 3 Assume that NAC Appliance is to be deployed in HQ3, with 3000 users, and 15Layer 3 access switches connected to two building switches that connect back to thedata centers. The specific requirement is role-based control over who can accesswhich servers. While the formal policy has yet to be determined, you will need todevelop a preliminary design, answering the following questions at a high level:— How many and where to deploy NAC Appliances?— In-band or out-of-band deployment? Other info about deployment mode (virtual /real gateway, etc.)?— Either way, describe how it impacts addressing and VLAN definitions, performance,and manageability. If additional VLANs will be needed, describe what they shouldbe and why they are needed. Do not do any detailed IP addressing design, all that isdesired here is a high-level description of any addressing impact of your proposeddesign.— Describe where your design allows traffic to be controlled (building access layer,building aggregation layer, data center core, data center module core-facing edge),and for what filtering purpose each possible location might be used.— Also describe what traffic your design approach will not be able to control, if any.Activity VerificationYour group has completed this activity when you have completed answers to the abovequestions, and selected a presenter for the group.The presenter should be prepared to explain and defend your answers to the class. The topicsfor discussion include the following:• Your recommendation as to what type of IPsec VPN CP Hotels should use, pros, cons, andjustification. Your detailed design plan for the hotel IPsec VPN, including overall hotelrouting with failover, how IPsec reaches the other tunnel endpoint, and detailed IPaddressing plan.• Your critical review of and recommendations to improve security at CP Hotels, includingthe specific items listed above.• Your NAC Appliance design, including coverage of the specific items listed above.© 2007 Cisco Systems, Inc. Lab Guide 33
Page 1 and 2: ARCHDesigning Cisco NetworkService
Page 3 and 4: Table of ContentsLab Guide 1Overvie
Page 5 and 6: ARCHLab GuideOverviewThis guide pre
Page 7: MegaCorp Campus Case Study Scenario
Page 10: MegaCorp Campus Design TasksComplet
Page 13 and 14: Case Study 2: CP Hotels Addressing
Page 15 and 16: The following diagram illustrates t
Page 17 and 18: Note128 x 256 Kbps is approximately
Page 19 and 20: The routing design uses external Bo
Page 21 and 22: Addressing at CP HotelsHQ buildings
Page 23 and 24: CP Hotels Design TasksComplete thes
Page 25 and 26: Case Study 3: CP Hotels Network Ini
Page 27 and 28: Series switches use HSRP and EIGRP
Page 29 and 30: Step 3 (E-Commerce Redesign Stateme
Page 31 and 32: Case Study 4: CP Hotels Security an
Page 33 and 34: The following diagram indicates the
Page 35: The data centers will be connected
Page 39 and 40: Case Study 5: DS Medical Research I
Page 41 and 42: DS-MRI Design TasksComplete these s
Page 43 and 44: Activity VerificationYour group has
Page 45 and 46: Answer KeyThe recommended solutions
Page 47 and 48: uplinks, since the speeds on the up
Page 49 and 50: Case Study 2 Answer Key: CP Hotels
Page 51 and 52: Another option uses 3 bits for desi
Page 53 and 54: Case Study 3 Answers: CP Hotels Net
Page 55 and 56: Step 3 E-Commerce Refresh• For th
Page 57 and 58: Case Study 4 Answer Key: CP Hotels
Page 59 and 60: Step 2 CP Hotels Security• The to
Page 61 and 62: Case Study 5 Answer Key: DS Medical
Page 63 and 64: Step 5 High Level Storage Design•
Page 65 and 66: • DS-MRI would also need to ident

Designing Cisco Network Service Architectures - Free Books

Create successful ePaper yourself

Delete template?

Save as template?