cisco design!!
1 plan:
- design
- assessment
- strategy & analysis for solution
2 build
- validation
- deployment
- migration
as minimally disruptive as possible!
** achieve business goals. -> minimize operational downtime of network infrastructure.
3 manage
- product support
- solution support
- optimization
- operations management
==========================
in the plan phase there will be a lot of:
HLD / HIGH LEVEL DESIGN
LLD / LOW LEVEL DESIGN
BOM / BILL OF MATERIALS
=========================
- Network life cycle model
PPDIOO
prepare
plan
design
^ these 3 fall into the plan category
implement
^ build
operate
optimize
^ these 2 fall into the manage category
top to bottom, then back to the top again.
====================
PPDIOO part 2
1 prepare phase. ( high level )
proposing solution.
financial justification.
identify particular technology that suit organization.
2 plan
make more details!
characterizing the existing network. putting particular goals in the baseline.
3 Design
before implementation.
make sure business and technical goal fit in.
creating design
each solution scalable.
perform at spec
high available?
^ these 3 metrics are the most important
4 Implement
least disruptive to the existing infra.
5 Operate
6 Optimize
day to day check and optimize!
====================
characterize existing network
- network maps
- network addressing and naming
- wiring and media
- architecture / environment constraints
- network health :
prepare a checklist to make sure the network is healthy!
cisco provides us with a nice starting point for analyzing the health of our existing network as we plan to redesign.
- ethernet segments should not feature a sustained utilization of 40% or higher.
- all ethernet segments should be switched -- no shared segments ( hub-based )
- no WAN link should feature a sustained utilization of 70% or higher
- response time should generally be less than 100ms
- LAN response time should generally be 2ms
- no segment should have more than 1 CRC error per million bytes of data
- no segment should have more than 20% multicast / broadcast traffic
- for ethernet segments, there should be less than 0.1 percent collisions over 5 min intervals.
- CPU utilization should not exceed 75%
- number of output queue drops should not exceed 100 in an hour
- number of input queue drops should not exceed 50 in an hour
- number of buffer misses should not exceed 25 in an hour
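The checklist above turned into an automated audit, as an added example (not from the original notes): each rule becomes a threshold check over counters you would pull from show commands or SNMP. The Segment / device field names are my own; the sample values in the test are constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    name: str
    kind: str                   # "ethernet" or "wan"
    util_pct: float             # sustained utilization
    resp_ms: float              # measured response time
    hub_based: bool = False     # shared (hub) rather than switched
    bytes_total: int = 0
    crc_errors: int = 0
    packets_total: int = 0
    bcast_mcast_packets: int = 0
    collision_pct: float = 0.0  # collisions over a 5-minute interval

# Per-device counters for one hour, with the checklist's ceiling for each.
DEVICE_LIMITS = {"cpu_pct": 75, "output_drops": 100, "input_drops": 50, "buffer_misses": 25}

def check_segment(s: Segment) -> list[str]:
    """One finding per checklist rule the segment violates."""
    f = []
    if s.kind == "ethernet":
        if s.util_pct >= 40:
            f.append(f"{s.name}: sustained utilization {s.util_pct}% >= 40%")
        if s.hub_based:
            f.append(f"{s.name}: hub-based segment, should be switched")
        if s.resp_ms > 2:
            f.append(f"{s.name}: LAN response {s.resp_ms} ms > 2 ms")
        if s.collision_pct >= 0.1:
            f.append(f"{s.name}: collisions {s.collision_pct}% >= 0.1%")
    else:
        if s.util_pct >= 70:
            f.append(f"{s.name}: WAN utilization {s.util_pct}% >= 70%")
        if s.resp_ms >= 100:
            f.append(f"{s.name}: response {s.resp_ms} ms >= 100 ms")
    if s.bytes_total and s.crc_errors * 1_000_000 / s.bytes_total > 1:
        f.append(f"{s.name}: more than 1 CRC error per million bytes")
    if s.packets_total and 100 * s.bcast_mcast_packets / s.packets_total > 20:
        f.append(f"{s.name}: broadcast/multicast share above 20%")
    return f

def check_device(name: str, counters: dict) -> list[str]:
    """counters: {"cpu_pct": ..., "output_drops": ..., ...} for one hour."""
    return [f"{name}: {k} = {counters[k]} exceeds {lim}"
            for k, lim in DEVICE_LIMITS.items() if counters.get(k, 0) > lim]
```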
==========================
identify
network audit
analyze
=========================
existing documentation
existing management software
additional auditing tools
=======================
can be done via the CLI: show commands.
or use tools like Cisco Prime Infrastructure / SolarWinds
polling graphs / resources via SNMP.
======================
MIB = database of variables. accessed by the NMS for data analysis.
SNMP 1
SNMP 2c
SNMP 3 -> ++ authentication, integrity, encryption
=====================
CDP -> cisco prop
LLDP -> vendor neutral ( link layer discovery protocol )
Netflow -> built in within cisco router
====================
netflow components:
- monitor / traffic monitoring
- exporter / gathering information and sending it to a device ( the collector )
- collector
exporter:
# flow exporter NF_EXPORTER1 !! give it a name
# destination 12.12.12.100 !! IP of the collector
# transport udp 9996 !! choose the port number
# source serial0/0 !! select the source interface if there are many interfaces
# exit
monitor:
# flow monitor NF_MON1
# exporter NF_EXPORTER1 !! must match the exporter name defined above
# record netflow-original
!! assign the monitor to an interface
# int serial 0/0
# ip flow monitor NF_MON1 input !! direction
# end
!! test
# show flow monitor name NF_MON1 cache
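The collector side of the setup above, as an added example (not from the original notes): decoding what arrives on UDP 9996 and summarizing bytes per source. It assumes the exporter is set to `export-protocol netflow-v5` (Flexible NetFlow defaults to v9, which has a different, template-based layout); the datagram built by build_sample_datagram() is constructed, not captured.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 layouts, network byte order: 24-byte header, then 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
FIELDS = ("srcaddr dstaddr nexthop input output d_pkts d_octets first last "
          "srcport dstport pad1 tcp_flags prot tos src_as dst_as src_mask dst_mask pad2").split()

def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Decode the flow records carried in one exported NetFlow v5 UDP datagram."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram shorter than the header's record count implies")
    flows = []
    for i in range(count):
        raw = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))   # 4 raw bytes -> dotted quad
        flows.append(rec)
    return flows

def top_talkers(flows: list[dict]) -> list[tuple[str, int]]:
    """Bytes per source address, largest first: the collector's most basic report."""
    totals: dict[str, int] = {}
    for f in flows:
        totals[f["srcaddr"]] = totals.get(f["srcaddr"], 0) + f["d_octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def build_sample_datagram() -> bytes:
    """Constructed sample: two flows as a router exporting v5 on Serial0/0 might send them."""
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                           1, 2, pkts, octets, 1000, 2000, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    records = (rec("10.1.1.10", "10.2.2.2", 51000, 443, 6, 40, 52000)
               + rec("10.1.1.20", "10.2.2.2", 5000, 53, 17, 2, 180))
    header = HEADER.pack(5, 2, 123456, 1700000000, 0, 0, 0, 0, 0)
    return header + records
```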
===================
IP SLA.
testing the network delay using UDP packet based jitter!
^ important for VoIP
R1------------R2
!! create the responder on R2 ( udp-jitter uses the IP SLA control protocol, so the generic responder is enough )
R2(config)# ip sla responder
!! generate traffic from R1
R1(config)# ip sla 1
# udp-jitter 12.12.12.2 16384 codec g711alaw
# frequency 30 !! change default 60s to 30s
!! schedule the ip sla test
R1(config)# ip sla schedule 1 start-time now life forever
!! check on r2 and r1
R2# show ip sla responder
R1# show ip sla statistics 1
==================
!! design network.
OSI model --> design from top or bottom??
APP first?
cabling first?
design from bottom up cons:
- fast
- based on prev experience
- org reg
- failure problem -> high probability
^ need VOIP? buy cabling first, router, Gigabit ethernet, xyz
design top down :
- big picture
- time consuming
^ requirement of technology / application
^ need validation design.
2 methods:
prototyping -> construct in a lab environment
pilot -> use a small portion of production.
use small data. actual users, actual actions.
connected to the production network
=================
!! building modular network
core
distribution
access
modular --> quick troubleshooting
MTTR = mean time to repair.
break the network into smaller convergence domains!
ospf area 0 -> split into many areas
1 convergence domain
2 scalability
3 resiliency -- network can take more overall faults.
=================
campus network:
- campus infrastructure
- datacenter
edge network:
- e-commerce
- internet connectivity
- remote access
- WAN connectivity
ISP:
-ISP1
-ISP2
-WAN
remote network:
- teleworker
- enterprise branch
- enterprise datacenter
======================
!! applying modularity
think hierarchical
- hub and spoke
- core, dist, access
core layer: speed,speed,speed // usually the links between core layer switches are aggregated / etherchannel.
dist layer: aggregate, summarize, security policy ( usually multilayer switches, high speed ports )
access layer: wired, wireless. ( mac based, not routing )
- collapsed core ( 2 tier topology )
^ core and distribution combined into 1 device ( saving cost )
^ the access layer still exists.
^ but not suitable for a large campus with many buildings.
- multilayer
===================
!! virtualization
physical vs logical : VLAN
segregation : VSAN
desegregation : connecting 2 datacenters over long distance virtualization -> OTV / OVERLAY TRANSPORT VIRTUALIZATION.
^ SO IT'S AS IF THEY ARE CONNECTED AT L2 EVEN THOUGH IN DIFFERENT LOCATIONS.
density / resource workload = how much ram / cpu per server. ( utilization )
High availability
==========================
VSS = virtual switching system.
^ multiple virtual switch connected!
=======================
!! consequence
1 fate sharing
^ a failure in 1 physical device will affect several virtual ones
2 suboptimal pathing
^ asymmetric routing
3 overuse virtualization
=====================
nexus -> creating VDC / virtual device context
========================
!! campus design
end to end vs localized vlan approach
* best = localized ( simple, scalable )
end to end = differentiate sales vlan, hr vlan.
!! geographical
1st floor = vlan_1
2nd floor = vlan_2
====================
HSRP = CISCO PROP
VRRP = IETF
GLBP = GATEWAY LOAD BALANCING // using virtual mac.
!! best practice vlan
vlan default 1 => change.
^ when a new switch is added, don't use the default vlan. improved security
================
802.1D = legacy stp
802.1W = RAPID SPANNING TREE PROTOCOL
802.1S = MSTP
================
!!stp protocol
BPDU GUARD = put on access ports facing servers / workstations.
ROOT GUARD = protects against a new switch becoming the root bridge
LOOP GUARD
================
vss = virtual switching system. ties multiple switches into 1 ( logical )
cisco stackwise = using stacking cable
==================
!! designing enterprise security
defense in depth concept. -> layer of security.
attacker -> 1 layer then next layer -> tighten !
!! physical
^ use password security on the console port of the device.
!! os security
^ device hardening
ex: auto secure on cisco
# auto secure
^ function : disables unused services on interfaces ( scripting )
setting enable secret password
editing login banner
configuring local user database
setting blocking period ( how many seconds to block after login failures )
setting maximum login failure attempts
configuring ssh
configuring CBAC firewall
===================
firewall security
packet -> ACL
stateful firewall -
Application layer gateway -> proxy
Next Generation -> look deep inside application traffic, apply IPS, Malware guard.
===================
cisco ASA ( adaptive security appliance ) -> NG Firewall
!! define inside network
!! define outside network
!! allow all from inside, allow only the appropriate responses from the outside network.
# show nameif !! check interface name in ASA, security level
^ 0 = untrusted, 100 = completely trusted
# show run int gi0/1 !! check config interface
==================
Security firewall
!! Intrusion detection system
IDS -> has a database of attack signatures, recognizes most forms of attack ( informs the user there is an attack!!! )
!! Intrusion prevention system
IPS -> drops known attacks
cisco asa can be fitted with a FirePOWER module
^ to upgrade it with IPS features
^ ++ URL Filtering, Application inspection, anti malware.
FW ++ IPS ++ NAC + AAA
NAC = must meet a defined posture! correct patches, OS before entering the network
multi factor authentication!
=================