
Real world network implementations

KB0010
Level 1

Hello everyone,

Let me start by saying that I'm a beginner network admin and new at my company. In addition, I'm 100% remote, and that's where all my struggles come from (it is hard to build relationships to ask networking design questions). I'm not interested in how to configure XYZ because I can find the answer in the configuration docs. Most certifications and online training materials are about configuring protocols such as STP, NAT, VRRP, OSPF, etc. (learning materials focus on the history of the protocol, what problem it solves, how it works, and how to troubleshoot it); however, what I'm trying to understand is:

  • Where do you place a firewall, and why? Do you place it in front of your router or behind it (why would you choose one over another)?
  • How do network engineers implement NAT in their networks? Do they just write a single ACL "permit any" since all the internal subnets will use the Internet (I'm referring to basic NATing allowing users to access the Internet)?
  • How do you access your routers/switches remotely? Do you configure access to a single router remotely (via SSH), and from that single router, you connect to the rest of the routers/switches, or do you configure remote access on all of your devices?
  • Why are some companies still running MPLS where they can achieve the same results using VPNs (forgive me here because I might be missing other benefits of MPLS)?

I know this is a loaded question, but I would like some insights or pointers on how to gain these types of knowledge, and I would appreciate your feedback.

Thank you,

 

2 Accepted Solutions

Hi @KB0010 

All questions are somehow generalized, and those are open debates for different requirements and different architectures. I hope different experts will explain answers from different angles. Check my views below, very briefly.

1. This totally depends on your requirement. Firewall placement is OK in front of the router or behind it. Placing it before the router can help to terminate public links like ILLs and configure VPNs or static NATs directly in the FW. But there are some requirements where you need a specific router to terminate links and pass traffic to the firewall (most commonly in branch VPNs maintained by the ISP using their MPLS/modem connections, etc.).

2. This depends on the device capabilities. In many firewalls you can do NAT in separate policies and configure separate NAT pools and customize them. There are some routers which can have only one NAT configuration per interface.

3. To this my suggestion is to use a separate management network to manage devices (for local access) and allow that via remote VPN (for remote users). Also use encrypted connections such as SSH or HTTPS (if available). Also, it's recommended in many cases to use a jump server to access devices (but always keep a backup connectivity method in case of emergency).

4. I didn't understand exactly what you mean by this. Normally MPLS is a newer technology when compared with old modem-connected networks, and has more capabilities compared to old methods. If you mean L2/L3 terminations between sites by the term 'VPN' here, that is also used in many requirements.

 

I hope these are not all; there are many other concerns. I guess some others will write more.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
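As an added illustration of points 2 and 3 above (this is not configuration from the thread, from Cisco, or from any CVD), here is an IOS-style fragment showing a NAT rule scoped to the internal user subnets by ACL instead of "permit any", plus a device-management setup that restricts SSH to a dedicated management subnet and a jump host, keeping the console as the out-of-band fallback. All addresses, interface names, ACL names and the username are placeholders constructed for the example.

```cisco
! Added example, not from the original thread. Addresses, interface names,
! ACL names and the username are placeholders chosen for illustration.

! ---- Basic PAT (overload) for Internet access ----------------------------
interface GigabitEthernet0/0
 description WAN uplink to ISP (constructed address)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN users (constructed address)
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
! Match only the prefixes that are meant to reach the Internet. A rule that
! matches "any" would also translate management or transit prefixes that
! should never leave the site, and makes it harder to see which sources are
! expected in the translation table.
ip access-list standard NAT-INSIDE
 remark internal user subnets allowed to use the Internet
 permit 10.10.0.0 0.0.255.255
 deny   any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! ---- Management plane: separate subnet, SSH only, restricted VTY ----------
interface GigabitEthernet0/2
 description Management network (constructed address)
 ip address 10.255.0.1 255.255.255.0
!
ip access-list standard MGMT-ACL
 remark local management subnet
 permit 10.255.0.0 0.0.0.255
 remark jump host reached by remote users over the remote-access VPN
 permit host 10.255.1.10
 remark everything else is refused and logged
 deny   any log
!
ip domain-name example.net
! rsa key generation is entered in global config mode and is not stored in
! the running-config; it is shown here because SSH will not start without it
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
! placeholder credential; use a per-admin account or AAA in practice
username netadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Console stays available as the emergency path independent of the network
line con 0
 login local
 exec-timeout 10 0
```

The same MGMT-ACL and VTY settings are applied to every router and switch, so each device is reachable directly from the management subnet or the jump host rather than by hopping through one device; only the jump host itself needs to be exposed to the remote-access VPN.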


Joseph W. Doherty
Hall of Fame

Real "real-world"?

Ever hear the saying about real-estate "location, location, location"?

Well, with real-world networks it's "cost, cost, cost", especially if the network is a cost-center for the enterprise (the usual case).

To your specific questions, real-world, as @Kasun Bandara already noted, is often "it depends".

For example, even for your initial questions about FW inside or outside your router, I have worked with both approaches, additionally router<>FW<>router (BTW, in the prior, the "inside" router is still considered somewhat "outside") and also designs where there's both an outside path via a FW and w/o a FW, concurrently.

To answer your 2nd posting, again like @Kasun Bandara, what often leads to doing anything well is knowledge, obtained by learning from "formal" education and/or experience.

"Formal" education is a huge time saver vs. experience, but experience often provides much deeper, but narrow scoped, knowledge.

 


7 Replies


Hi @Kasun Bandara

Thank you for your response; it made lots of sense. I understand there are many ways to deploy these technologies (it will differ from one company to another). However, I was wondering if network design books/certs/courses will help with these types of questions I posted, or is it something you gain with experience?

Thanks again for your feedback.

@KB0010 it's both experience and learning. Also, Cisco has verified CVDs for architectures. For the design side, Cisco introduced the CCDA and CCDP certs. Now it's going under 2 concentration exams (300-420 ENSLD and 300-425 ENWLSD).

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

@Kasun Bandara, thank you for mentioning the CVDs; they're very valuable!


@Joseph W. Doherty, thank you for your feedback; now I'm starting to see the big picture!

Hi,

Much obliged to you for your reaction; it checked out. I comprehend there are numerous ways of conveying these advancements (it will contrast starting with one organization then onto the next). Notwithstanding, I was contemplating whether organization configuration books/certs/courses will assist with these sorts of inquiries I posted, or is it something you gain with experience?

Much appreciated again for your input.
