To identify the key components of your network infrastructure, the Network Topology tree requires that you define a certain portion of your physical network topology. Therefore, the structure that you define matters. The tree's definition identifies the routes between the gateways, networks, and hosts that compose your network, as well as the location of those networks and specific hosts to which you want to limit or restrict access by network users. However, a tree construct has an inherent limitation when it comes to mapping your physical network topology: a tree cannot represent multiple paths between two network objects (for example, two paths between point A and point B). Cisco Secure Policy Manager provides a solution to this problem: Network Shortcuts.
The following sections explain how to represent basic network topologies and use Network Shortcuts effectively, and they provide guidelines for mapping between objects that reside on your network and objects that you can define within the Network Topology tree.
The layout of the Network Topology tree closely follows the logic behind the physical implementation of your network. For a basic setup, you only need to define each gateway object, such as a router, firewall, or switch, that is responsible for routing traffic across your network and identify the interfaces and networks attached to those gateway objects. You can use clouds to describe networks that reside behind gateways that are not actual Policy Enforcement Points, which are managed gateway objects. If you have a more complicated network topology, you can define additional hosts, authentication servers, and IP ranges.
When you describe the physical layout of your network, you want to define the different gateway objects on your network and the networks that are attached to those gateway objects. The Internet node is a special gateway object (a cloud) that represents the Internet to which all networks that you are defining are attached, directly or indirectly. Therefore, you should view your network from the connection to your Internet service provider (ISP) through the innermost gateway objects on your network.
Figure 2-1 depicts a simple example of when to use a cloud object. To use a cloud successfully in this example, three criteria must be satisfied:
1. The IOS Router node is the Policy Enforcement Point that exists on this network.
2. A single high-level policy can address the security concerns of each network depicted in the cloud.
3. An internal gateway object exists that can be used to reach, in some way, all networks depicted in the cloud.
Assuming these three criteria are true, we can define a single gateway address to reach all the networks within that cloud and to serve as the default gateway for those networks to reach the 172.16.1.0 network. Figure 2-2 shows how this topology would be represented in the Network Topology tree.
Assuming that you want to attach your local-area network (LAN) to a gateway object, such as your ISP, you can represent any of the three basic LAN topologies (bus, ring, and star) in the Network Topology tree of Cisco Secure Policy Manager.
The next three sections describe how to represent these topologies in the Network Topology tree.
To represent a simple bus topology, begin by defining a gateway object, presumably, a Policy Enforcement Point, that is attached to your ISP via a shared network or extended LAN interface. Next, define a single trusted network on the inside interface of the Policy Enforcement Point, which represents the simple bus network. In such a topology, you may need to explicitly define special hosts and IP ranges to ensure that you can define the requisite exceptional policies and appropriate Network Object Groups. Special hosts may include your administrative hosts so that you can test new services or the servers, such as your e-mail and web servers, that you want to be accessible to Internet-based users.
If you are using the Internet as your connection point to connect multiple bus topologies, simply repeat this structure, adding an additional interface to the Internet node for each unique ISP connection. This multi-bus topology is also known as a tree topology. A tree topology is a LAN topology similar to a bus topology, except that tree networks can contain branches with multiple nodes. Transmissions from a station propagate the length of the medium and are received by all other stations.
Another common tree topology includes one where a second trusted network is nested within, or upstream of, the first trusted network via a second gateway object.
Tips: You can use the Topology Wizard to define most of a bus topology. It helps you define the interface connection to the Internet node, your Policy Enforcement Point, and the internal network attached to the Policy Enforcement Point. To connect multiple bus topologies via the Internet, use the Topology Wizard to define another Policy Enforcement Point that is attached to the Internet node via a new interface.
While the ring topology sounds like a loop, you can represent it exactly the same way as a bus topology with one exception: you define the Policy Enforcement Point interface to be a Token Ring interface. As you would with the bus topology, you can use the tree topology to create multiple connected rings or connect them via the Internet node.
Note: Your specification of interface type is as important as any other setting that you define. For example, the way that Cisco Secure Policy Manager generates routing rules (and other command sets) for a high-speed serial interface is different from the way that it generates commands for a FastEthernet interface. Likewise, the commands that it generates for an unnumbered interface are different from those generated for an interface with an address assigned to it.
In addition, do not neglect to define core or access routers over which you do not have administrative control, or that you do not want to administer with Cisco Secure Policy Manager. Often, the definition of a downstream gateway object affects the rules generated for upstream objects, even if you are not controlling the downstream object.
The star topology, which is the most common topology in use today, is also easy to represent in the Network Topology tree. Following the bus and ring topology examples (except the star topology is not Token Ring), you simply specify additional internal interfaces and trusted networks on the Policy Enforcement Point(s) that are attached to the Internet node. To specify a simple extended star, you can follow the design of a tree topology and define additional interfaces and trusted networks that are attached to the second gateway object (upstream from the gateway object attached to the Internet node).
Some extended star topologies highlight a limitation with the tree construct that forms the basis of the Network Topology tree. The next section discusses this limitation in more detail and explains how Cisco Secure Policy Manager overcomes the limitation.
When you design certain extended star topologies, a tree structure alone cannot represent your physical network topology, namely when two gateway objects share a common upstream network. Figure 2-3 depicts the scenario where two gateway objects share a common upstream network (192.168.180.0).
In Cisco Secure Policy Manager, this issue is resolved using Network Shortcuts, which are references to networks that are defined elsewhere in the Network Topology tree. Network Shortcuts can only be defined using the Topology Wizard, which means that as you define a gateway object, such as a Policy Enforcement Point, you can specify that one of the interfaces on that gateway object is attached to a previously defined perimeter (originally defined during definition of the parent gateway object for that network). This reference to an existing perimeter creates a Network Shortcut, as depicted in Figure 2-4.
Like other shortcuts in the Microsoft Windows operating system, a Network Shortcut is a reference, or pointer, to an existing object, in this case a Network node. Using a Network Shortcut, you can define an upstream network that is common to multiple downstream gateway objects. In other words, you can represent multiple paths between any two network objects, overcoming the limitation of a tree structure.
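To make the pointer semantics concrete, here is an added Python model (not Cisco Secure Policy Manager code; the node kinds, the `add_shortcut`, `neighbors`, `all_paths` and `duplicate_networks` helpers, and the two-Policy-Enforcement-Point layout on 192.168.180.0 are constructed assumptions modelled on Figure 2-3). A shortcut is stored as a child that points to a Network node defined elsewhere, so path enumeration over the resolved topology finds both routes to the shared network, and a check flags the tree-only workaround of defining the same network twice:

```python
# Added example, not Cisco Secure Policy Manager code. Names and addresses are constructed.
# A Network Shortcut is modelled as a child node that points to an existing Network node.
from collections import Counter

class Node:
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent
        self.children, self.target, self.referrers = [], None, []
        if parent is not None:
            parent.children.append(self)

def add_shortcut(gateway, network):
    """Attach GATEWAY to a network defined elsewhere, as the Topology Wizard
    does. Only an existing Network node may be the target of a shortcut."""
    if network.kind != "network":
        raise ValueError(f"{network.name!r} is not a Network node")
    sc = Node(network.name, "shortcut", gateway)
    sc.target = network
    network.referrers.append(gateway)
    return sc

def neighbors(node):
    """Physical adjacency: a shortcut collapses into the node it points to."""
    out = [node.parent] if node.parent is not None else []
    out += [c.target if c.kind == "shortcut" else c for c in node.children]
    return out + node.referrers  # gateways that reach this network via a shortcut

def all_paths(src, dst, seen=()):
    """Every simple path between two nodes in the resolved topology."""
    if src is dst:
        return [[src.name]]
    seen = seen + (src,)
    return [[src.name] + rest for n in neighbors(src) if n not in seen
            for rest in all_paths(n, dst, seen)]

def duplicate_networks(root):
    """Flag the tree-only workaround of defining the same network twice."""
    def walk(n):
        yield n
        for c in n.children:
            yield from walk(c)
    counts = Counter(n.name for n in walk(root) if n.kind == "network")
    return sorted(a for a, k in counts.items() if k > 1)

# Constructed Figure 2-3 style layout: two Policy Enforcement Points on the
# Internet side, both with an inside interface on 192.168.180.0.
internet = Node("Internet", "internet")
pep1 = Node("PEP-1", "gateway", internet)
shared = Node("192.168.180.0", "network", pep1)  # perimeter defined under PEP-1
pep2 = Node("PEP-2", "gateway", internet)
add_shortcut(pep2, shared)                        # PEP-2 reuses it by reference
```

Calling `all_paths(internet, shared)` yields one path through each Policy Enforcement Point, which a plain tree could only express by defining 192.168.180.0 a second time.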
Table 2-1 maps common objects found on your network to the objects within Cisco Secure Policy Manager that can be used to represent them.
Tips: We encourage you to investigate the possible uses of Cloud nodes. Clouds are not included in the following table because, like IP ranges, they are logical grouping structures to accelerate the definition of the physical network topology.
| Object on Your Network | Maps to Network Object in Network Topology Tree | Node Icon |
|---|---|---|
| Access routers, default gateways, ISP connections, etc. | The Internet node. | |
| Cisco Secure Policy | You must define the parent network on which the host resides, and then create a new Host node under that network. If you have defined the network correctly, you will be prompted to install the specific host based on the Windows NT computer name. The following icons will appear if you have defined the host node correctly: | |
| Certificate authority servers, TACACS+ authentication servers, RADIUS authentication servers, and syslog servers | A Host node that runs the client/server product type matching the server's role in your network. | |
| E-mail servers, web servers, FTP servers, etc. | A Host node. | |
| Generic routers or gateways that Cisco Secure Policy | A Router node. Management options available under Feature Set in the General panel of the node: | |
| Cisco IOS Routers | An IOS Router node. Management options available under Feature Set in the General panel of the node: | |
| Cisco Secure PIX | A PIX Firewall node. Management options available under Feature Set in the General panel of the node: | |
Posted: Thu May 25 13:14:47 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.