cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
631
Views
10
Helpful
2
Replies
Highlighted
Beginner

CCDA design question

Hello,

Currently as a CCNA R/S, CCNA Sec holder I am attempting my CCDA and over my 700 pages of reading have culminated to the creation of an image. I was wondering if my image is correct as it relates to a potential CCDA network environment. If I have missed anything please let me know so I can grow in my design knowledge. See below for questions i'm looking for clarification on.

  • This represents the campus and enterprise modules, is the DMZ labeled correctly? If so why does the DMZ get an IPS, maybe this is a very budget less design, or traffic intense network? 
  • Are Distribution and Access layer protocols correctly placed? 
  • Are L2 protocols correctly listed and has anything been missed?
  • I also have a data center to consider not included in the image, the image in the book shows it connecting to the "Core" would this be considered the data centers core and theirs really a WAN circuit or VPN module in the Enterprise Edge connecting to back to the DC?
  • Am I missing anything?

Thanks again for your time, I appreciate it 

 network.png

 

 

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: CCDA design question

Hello

 

  • This represents the campus and enterprise modules, is the DMZ labeled correctly? If so why does the DMZ get an IPS, maybe this is a very budget less design, or traffic intense network? 
    The IPS/IDS appliances are supposed to be placed behind your firewall, so that the traffic analyzed would be filtered by rules in the firewall beforehand. The DMZ zone is an external-facing part of the network where you interact with other organizations/partners/businesses. It is typically composed of an Internal zone, commonly called iDMZ, and an External zone, called eDMZ.  Within the DMZ zone, iDMZ is a trusted domain within the DMZ, and eDMZ the untrusted domain. These deployments are commonly addressed with Virtual Firewalls providing segmentation between both parts of the DMZ. As the firewalls are filtering the traffic between zones, it would make sense to deploy an IPS/IDS system behind them. This certainly depends on your requirements and how specific they are. I have seen it in the iDMZ to protect your devices in the trusted zone you are placing within the DMZ. In the external DMZ, everything is simply denied unless otherwise.
  • Are Distribution and Access layer protocols correctly placed? 

I would add Port Security in the access layer to limit the amount of MAC addresses per port in user-facing ports.

  • Are L2 protocols correctly listed and has anything been missed?

read above :) - Although, Maybe MACSec :D but that would not be at the access layer.

 

  • I also have a data center to consider not included in the image, the image in the book shows it connecting to the "Core" would this be considered the data centers core and theirs really a WAN circuit or VPN module in the Enterprise Edge connecting to back to the DC?
    The DC can have its own edge module to manage external connectivity, or it can use the edge module placed in the enterprise design. It depends on its requirements, like a centralized model (traffic being delivered directly to the DC from external locations). Having its own edge module would be the safest option, as the failure domain would not be shared (edge module) and therefore its stability would not compromised.
  • Am I missing anything?

 

I dont think you are, please write your comments if you have more thoughts :D

 

Hope that helps

 

David

2 REPLIES 2

Re: CCDA design question

Hello

 

  • This represents the campus and enterprise modules, is the DMZ labeled correctly? If so why does the DMZ get an IPS, maybe this is a very budget less design, or traffic intense network? 
    The IPS/IDS appliances are supposed to be placed behind your firewall, so that the traffic analyzed would be filtered by rules in the firewall beforehand. The DMZ zone is an external-facing part of the network where you interact with other organizations/partners/businesses. It is typically composed of an Internal zone, commonly called iDMZ, and an External zone, called eDMZ.  Within the DMZ zone, iDMZ is a trusted domain within the DMZ, and eDMZ the untrusted domain. These deployments are commonly addressed with Virtual Firewalls providing segmentation between both parts of the DMZ. As the firewalls are filtering the traffic between zones, it would make sense to deploy an IPS/IDS system behind them. This certainly depends on your requirements and how specific they are. I have seen it in the iDMZ to protect your devices in the trusted zone you are placing within the DMZ. In the external DMZ, everything is simply denied unless otherwise.
  • Are Distribution and Access layer protocols correctly placed? 

I would add Port Security in the access layer to limit the amount of MAC addresses per port in user-facing ports.

  • Are L2 protocols correctly listed and has anything been missed?

read above :) - Although, Maybe MACSec :D but that would not be at the access layer.

 

  • I also have a data center to consider not included in the image, the image in the book shows it connecting to the "Core" would this be considered the data centers core and theirs really a WAN circuit or VPN module in the Enterprise Edge connecting to back to the DC?
    The DC can have its own edge module to manage external connectivity, or it can use the edge module placed in the enterprise design. It depends on its requirements, like a centralized model (traffic being delivered directly to the DC from external locations). Having its own edge module would be the safest option, as the failure domain would not be shared (edge module) and therefore its stability would not compromised.
  • Am I missing anything?

 

I dont think you are, please write your comments if you have more thoughts :D

 

Hope that helps

 

David

Beginner

Re: CCDA design question

The Cisco CCDA® certification is for network design engineers, technicians, and support engineers, who require a basic understanding of network design fundamentals. The CCDA curriculum focuses on but is not limited to designing basic campus, data center, security, voice, and wireless networks.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards