Campus LAN and Wireless LAN Solution Design Guide


BGP EVPN VXLAN network topology




 
Figure 19. BGP EVPN VXLAN network topology
For organizations looking for an open standards-based overlay solution for their campus designs, and not 
needing the full intent-based networking security solution along with integrated wireless, BGP EVPN VXLAN can 
be a viable alternative to traditional campus virtualization options. 


© 2020 Cisco and/or its affiliates. All rights reserved. 
Design Fundamentals: LAN Security Best Practices 
Any good network design must also focus on security. The tools below can help prevent attacks and
make the network more secure and reliable.
Note: These are a few fundamental tools for basic network security. See the Enterprise Security
Design Guide for a more in-depth look at campus security.
DHCP Snooping 
Rogue DHCP servers can be detrimental to the security and usability of the network if it is not properly
protected against them. A rogue DHCP server can attack the network by assigning unroutable IP addresses
to clients, causing them to lose connectivity. Rogue DHCP servers can also be used to hand out malicious
DNS servers. Users trying to reach real websites are then sent to fake copies of those sites, which are
used to steal credentials or information.
DHCP Snooping is a tool used to combat rogue DHCP servers. It works by designating one or more ports as
trusted, meaning these ports lead to legitimate DHCP servers. The switch then builds a database of the
untrusted hosts, recording each host's leased IP address, MAC address, switch port, and VLAN. Any DHCP
server messages in traffic sent from these untrusted hosts are filtered out, blocking any attempt to
operate a malicious DHCP server.
Dynamic ARP Inspection 
ARP cache poisoning is a malicious technique used to stage man-in-the-middle attacks. The attacker sends a
forged ARP packet that pairs the IP address of another device with the attacker's own MAC address,
poisoning the ARP caches of hosts. This means traffic destined for the legitimate device will instead be
sent to the attacker. The attacker can then forward the traffic to its intended destination, making it
look as if the traffic was never interrupted.
Dynamic ARP Inspection (DAI) is a tool that can be used to mitigate this threat. DAI uses the DHCP snooping
database for IP-to-MAC address bindings. It intercepts all ARP packets and drops any packet whose
IP-to-MAC address binding is not valid.
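
The following Python model is an added example, not code from the design guide or from Cisco. It shows how the DHCP snooping database described above is built and how DAI then uses it to judge ARP packets. The Switch class, port names, MAC addresses and IP addresses are hypothetical, and tying a lease to the port where the client's REQUEST was seen is a simplifying assumption.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP message types only a server sends

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int

class Switch:
    """Simplified model of one access switch (hypothetical class, not vendor code)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports that lead to legitimate DHCP servers
        self.pending = {}                  # client MAC -> (port, vlan) from its REQUEST
        self.bindings = {}                 # leased IP -> Binding (the snooping database)

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """DHCP snooping: return True to forward the message, False to drop it."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return False               # server message on an untrusted port
            if msg == "ACK" and client_mac in self.pending:
                cport, cvlan = self.pending.pop(client_mac)
                self.bindings[ip] = Binding(ip, client_mac, cport, cvlan)
            return True
        if msg == "REQUEST" and port not in self.trusted:
            self.pending[client_mac] = (port, vlan)
        return True

    def arp(self, sender_ip, sender_mac):
        """DAI: forward an ARP packet only if its IP-to-MAC pair matches a binding."""
        b = self.bindings.get(sender_ip)
        return b is not None and b.mac == sender_mac

def demo():
    """Replay constructed events; ports, MACs and IPs are made-up sample values."""
    sw = Switch(trusted_ports={"Gi1/0/48"})
    client, attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    return sw, [
        sw.dhcp("Gi1/0/5", 10, "REQUEST", client),              # client asks for a lease
        sw.dhcp("Gi1/0/7", 10, "OFFER", client, "192.0.2.50"),  # rogue server: dropped
        sw.dhcp("Gi1/0/48", 10, "ACK", client, "10.0.10.50"),   # real server: binding made
        sw.arp("10.0.10.50", client),                           # valid ARP: forwarded
        sw.arp("10.0.10.50", attacker),                         # forged ARP: dropped
        sw.arp("10.0.10.1", attacker),                          # no binding: dropped
    ]

if __name__ == "__main__":
    print(demo()[1])
```

In this model an ARP packet from an address with no lease is dropped, which is why statically addressed devices need separate handling when DAI is enabled.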
