Network Design & Security

CTS1305C Cable Run -- Week 4

Topologies | VLANs/ACLs | Firewalls | VPN | NAT/PAT

Slide 2 of 14

Network Topologies

Physical and Logical Network Layouts

Star

  • Central switch/hub
  • Most common today
  • Single point of failure at center

Mesh

  • Every node connects to every other
  • Maximum redundancy
  • Expensive, complex cabling

Ring / Bus / Hybrid

  • Ring: token passing, one break = down
  • Bus: single backbone cable (legacy)
  • Hybrid: combines two or more
Slide 3 of 14

Three-Tier Hierarchical Design

Core / Distribution / Access

[Diagram: Core Layer -> two Distribution switches -> four Access Switches -> End devices]

Core

  • High-speed backbone
  • Minimal processing
  • Redundant links
  • Connects distribution layers

Distribution

  • Policy enforcement
  • Routing between VLANs
  • ACL filtering
  • Aggregates access layer traffic

Access

  • Connects end devices
  • Port security
  • VLAN assignment
  • PoE for phones/APs
Slide 4 of 14

VLANs -- Virtual LANs

Logical Network Segmentation

What is a VLAN?

  • Logically segments a single physical switch into multiple broadcast domains
  • Devices in VLAN 10 cannot communicate with VLAN 20 without a router
  • Reduces broadcast traffic and improves security
  • VLANs can span multiple switches via trunk links

Common VLAN Design

VLAN | Name       | Purpose
1    | Default    | Management (change this!)
10   | Users      | Workstations
20   | VoIP       | IP phones
30   | Servers    | Server farm
99   | Management | Switch management

Trunk vs Access Ports

  • Access port: Assigned to one VLAN, connects end devices
  • Trunk port: Carries traffic for multiple VLANs between switches using 802.1Q tagging
  • 802.1Q adds a 4-byte tag to Ethernet frames identifying the VLAN

VLAN Hopping Attacks

  • Switch spoofing: Attacker negotiates trunk mode
  • Double tagging: Nested 802.1Q tags
  • Mitigate: disable DTP, set native VLAN, prune unused VLANs
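An added example (not from the slides) that builds and parses the 4-byte 802.1Q tag described above and, from a monitoring point of view, classifies a trunk frame as untagged, single-tagged, or double-tagged. All MACs, VLAN IDs and payloads are constructed test values.

```python
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100     # EtherType value that announces a 4-byte VLAN tag
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst: bytes, src: bytes, vlan_ids: List[int], payload: bytes) -> bytes:
    """Constructed test frame: MACs, zero or more 802.1Q tags (outer first), IPv4."""
    frame = dst + src
    for vid in vlan_ids:
        # Tag = 2-byte TPID + 2-byte TCI (3-bit PCP, 1-bit DEI, 12-bit VLAN ID)
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_tags(frame: bytes) -> Tuple[List[int], int]:
    """Walk the tag stack after the two MACs; return (vlan_ids, inner EtherType)."""
    offset = 12
    vlan_ids: List[int] = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            return vlan_ids, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)

def classify(frame: bytes, native_vlan: int) -> str:
    """Monitoring view of a trunk: one tag is normal; a stack whose outer tag
    equals the native VLAN is the double-tagging pattern, since the switch
    strips that outer tag and forwards the frame into the inner VLAN."""
    vlan_ids, _ = parse_tags(frame)
    if not vlan_ids:
        return "untagged"
    if len(vlan_ids) == 1:
        return f"tagged vlan {vlan_ids[0]}"
    if vlan_ids[0] == native_vlan:
        return f"double-tagged via native vlan {native_vlan} -> vlan {vlan_ids[1]}"
    return "stacked tags (QinQ)"
```

Setting the native VLAN to an unused ID, as the mitigation bullet says, is what makes the double-tagged case fail: the outer tag then never matches the native VLAN that the switch would strip.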
Slide 5 of 14

Access Control Lists (ACLs)

Traffic Filtering at the Network Layer

How ACLs Work

  • Ordered list of permit/deny rules applied to an interface
  • Processed top-down -- first match wins
  • Implicit deny at the end (if no rules match, traffic is dropped)
  • Applied inbound or outbound on router interfaces

ACL Types

  • Standard ACL (1-99): Filters by source IP only. Place close to destination.
  • Extended ACL (100-199): Filters by source/destination IP, port, protocol. Place close to source.

ACL Example

  ! Block HR subnet from accessing servers
  access-list 110 deny tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
  ! Allow everything else
  access-list 110 permit ip any any
  ! Apply to interface
  interface GigabitEthernet0/1
   ip access-group 110 in

Wildcard mask is the inverse of a subnet mask. 0.0.0.255 means "match the first three octets exactly, ignore the last."
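An added example (not from the slides) that evaluates the slide's access-list 110 the way a router does: top-down, first match wins, implicit deny when nothing matches, with Cisco wildcard-mask semantics. ACL_110 is a constructed copy of the slide's rules; "any" is written out as 0.0.0.0 with an all-ones wildcard.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed copy of the slide's access-list 110 as
# (action, protocol, src_net, src_wildcard, dst_net, dst_wildcard)
ACL_110: List[Tuple[str, str, str, str, str, str]] = [
    ("deny", "tcp", "10.0.20.0", "0.0.0.255", "10.0.30.0", "0.0.0.255"),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def evaluate(acl, proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match falls through to the implicit deny,
    reported with index None so a log can tell it apart from an explicit deny."""
    for idx, (action, rproto, snet, swc, dnet, dwc) in enumerate(acl):
        if rproto != "ip" and rproto != proto:   # 'ip' matches every protocol
            continue
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action, idx
    return "deny", None

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ netmask))
```

Running evaluate() on UDP traffic from the HR subnet shows a caveat of the slide's ACL: the deny line matches only TCP, so UDP to the server subnet is still admitted by the permit-any line.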

Slide 6 of 14

Firewalls

The First Line of Network Defense

Firewall Types

  • Packet filtering: Inspects headers (IP, port). Stateless.
  • Stateful inspection: Tracks connection state. Allows return traffic for established sessions.
  • Application layer (proxy): Inspects payload content. Deep packet inspection.
  • NGFW: Next-Gen Firewall -- combines stateful + IPS + application awareness + threat intelligence.

Firewall Deployment

  • Network-based: Hardware appliance at network perimeter
  • Host-based: Software on individual devices (Windows Firewall, iptables)
  • Cloud-based: WAF, DDoS protection (Cloudflare, AWS WAF)

Default Policies

  • Implicit deny: Block everything not explicitly allowed (recommended)
  • Implicit allow: Allow everything not explicitly blocked (risky)
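An added example (not from the slides) that runs the same constructed traffic through a stateless packet filter and a stateful firewall, both with an implicit-deny default, to show why tracking connection state matters. Addresses and ports are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed packet shape: (direction, proto, src_ip, src_port, dst_ip, dst_port)
Packet = Tuple[str, str, str, int, str, int]

def stateless_filter(pkt: Packet) -> str:
    """Packet filter: headers only, no memory. To let HTTPS replies back in it
    needs a standing rule 'inbound tcp from port 443', which also admits any
    unsolicited packet an outsider sends from port 443."""
    direction, proto, _, sport, _, dport = pkt
    if direction == "out" and proto == "tcp" and dport == 443:
        return "permit"
    if direction == "in" and proto == "tcp" and sport == 443:
        return "permit"
    return "deny"    # implicit deny: everything not explicitly allowed

class StatefulFirewall:
    """Remembers sessions opened from inside; inbound is permitted only when it
    is the mirror image of a tracked session (established traffic)."""
    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        direction, proto, src, sport, dst, dport = pkt
        if direction == "out" and proto == "tcp" and dport == 443:
            self.sessions.add((proto, src, sport, dst, dport))   # track the 5-tuple
            return "permit"
        if direction == "in" and (proto, dst, dport, src, sport) in self.sessions:
            return "permit"   # reply to a session an inside host initiated
        return "deny"        # implicit deny covers unsolicited inbound

def compare(packets: List[Packet]) -> Dict[str, List[str]]:
    """Run the same traffic through both designs."""
    fw = StatefulFirewall()
    return {"stateless": [stateless_filter(p) for p in packets],
            "stateful": [fw.filter(p) for p in packets]}

# Constructed traffic: one legitimate HTTPS session (SYN out, SYN/ACK back),
# then an unsolicited inbound packet that merely uses source port 443.
SAMPLE: List[Packet] = [
    ("out", "tcp", "10.0.10.5", 51000, "198.51.100.7", 443),
    ("in", "tcp", "198.51.100.7", 443, "10.0.10.5", 51000),
    ("in", "tcp", "198.51.100.9", 443, "10.0.10.5", 3389),
]
```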
Slide 7 of 14

DMZ -- Demilitarized Zone

Protecting Internal Networks From Public Services

[Diagram: Internet (Untrusted) -> Outer Firewall -> DMZ (Web, Mail, DNS) -> Inner Firewall -> Internal Trusted LAN]

DMZ Purpose

  • Hosts public-facing services (web, email, DNS)
  • Isolated from internal network by a second firewall
  • If a DMZ server is compromised, the inner firewall still blocks the attacker from reaching the internal LAN

Traffic Rules

  • Internet -> DMZ: allowed (specific ports only)
  • DMZ -> Internal: denied (blocked by inner firewall)
  • Internal -> DMZ: allowed (for management)
  • Internal -> Internet: allowed (via NAT)
Slide 8 of 14

NAT & PAT

Address Translation for Internet Access

NAT Types

  • Static NAT: One-to-one mapping. Private IP permanently maps to a public IP. Used for servers.
  • Dynamic NAT: Pool of public IPs assigned on demand. First come, first served.
  • PAT (Port Address Translation): Many-to-one. Multiple private IPs share one public IP, differentiated by port numbers. Most common (home routers).
[Diagram: Internal hosts 10.0.0.10:50000, 10.0.0.11:50001, 10.0.0.12:50002 -> PAT Router -> Internet as 203.0.113.5:* -- 3 private IPs -> 1 public IP, distinguished by source port]
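An added example (not from the slides) modelling the PAT translation table behind the diagram: inside hosts share 203.0.113.5 and replies are demultiplexed by the port the router assigned. Real implementations key on the full 5-tuple; this constructed model keys on the inside (ip, port) only, and the port pool starting at 1024 is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]   # (ip, port)

@dataclass
class PatRouter:
    """Constructed model of many-to-one PAT: every inside host leaves as
    public_ip, and the source port the router assigns is what lets it hand
    each reply back to the right inside host."""
    public_ip: str
    next_port: int = 1024
    outbound: Dict[Flow, int] = field(default_factory=dict)   # inside flow -> public port
    inbound: Dict[int, Flow] = field(default_factory=dict)    # public port -> inside flow

    def translate_out(self, src_ip: str, src_port: int) -> Flow:
        """Rewrite an outgoing packet's source; an existing flow keeps its port."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int) -> Optional[Flow]:
        """Map a reply to the inside host, or None when no flow exists: unsolicited
        inbound traffic has nowhere to go, which is why PAT also behaves like a
        crude inbound filter (but is not a substitute for a firewall)."""
        return self.inbound.get(dst_port)
```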
Slide 9 of 14

Wireless Security

Protecting the Air Interface

Wireless Security Standards

Standard | Encryption     | Status
WEP      | RC4 (broken)   | Deprecated -- never use
WPA      | TKIP           | Legacy -- avoid
WPA2     | AES-CCMP       | Current standard
WPA3     | AES-GCMP / SAE | Latest -- recommended

Enterprise vs Personal

  • Personal (PSK): Shared passphrase for all users. Simple but less secure.
  • Enterprise (802.1X): Individual credentials via RADIUS server. Per-user authentication.

Wireless Threats

  • Evil twin -- rogue AP with same SSID
  • Deauthentication attacks -- force disconnection
  • War driving -- scanning for open networks
  • Mitigate: WPA3, 802.1X, MAC filtering, disable SSID broadcast
Slide 10 of 14

Port Security

Controlling Physical Switch Access

What is Port Security?

  • Limits the number of MAC addresses allowed on a switch port
  • Prevents unauthorized devices from connecting
  • Mitigates MAC flooding and CAM table overflow attacks

Violation Modes

  • Protect: Drop frames from unknown MACs silently
  • Restrict: Drop frames + log violation + send SNMP trap
  • Shutdown: Disable port entirely (default, most secure)
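An added example (not from the slides) modelling a port-security-enabled switch port and the three violation modes above, fed with a run of distinct constructed MAC addresses of the kind a CAM-table overflow produces. The MAC format and the "err-disabled" wording are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class SecurePort:
    """Constructed model of a switch port with port security enabled."""
    max_macs: int = 1
    violation_mode: str = "shutdown"   # protect | restrict | shutdown
    learned: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Return the fate of a frame arriving from src_mac."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)       # dynamically learn an allowed MAC
            return "forwarded (learned)"
        # An unknown MAC beyond the limit is a violation; the mode decides the response
        self.violations += 1
        if self.violation_mode == "protect":
            return "dropped"                 # silent: no log, no trap
        if self.violation_mode == "restrict":
            self.log.append(f"violation from {src_mac}")   # syslog + SNMP trap
            return "dropped (logged)"
        self.err_disabled = True            # shutdown: port goes err-disabled
        self.log.append(f"port err-disabled by {src_mac}")
        return "dropped (port shut down)"

def feed_unknown_macs(port: SecurePort, count: int) -> List[str]:
    """Send frames from `count` distinct constructed MACs and collect the
    port's decision for each."""
    return [port.ingress(f"02:00:00:00:00:{i:02x}") for i in range(count)]
```

In shutdown mode the legitimately learned host also loses connectivity until an administrator re-enables the port, which is the availability cost behind "most secure"; restrict is the mode that keeps the port up while still giving the SOC a log line to alert on.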

802.1X Port-Based Authentication

  • Device must authenticate before getting network access
  • Supplicant: Client device requesting access
  • Authenticator: Switch that controls port state
  • Authentication server: RADIUS server that verifies credentials
  • Uses EAP (Extensible Authentication Protocol)
Slide 11 of 14

Virtual Private Networks (VPN)

Encrypted Tunnels Over Public Networks

VPN Types

  • Site-to-site: Connects two networks (branch office to HQ). Always-on tunnel between routers/firewalls.
  • Remote access: Individual user connects to corporate network from anywhere. Client software required.
  • SSL/TLS VPN: Browser-based, uses port 443. No special client needed for basic access.

VPN Protocols

Protocol   | Ports              | Notes
IPsec      | UDP 500, 4500      | Industry standard, strong encryption
OpenVPN    | UDP 1194 / TCP 443 | Open source, highly configurable
WireGuard  | UDP 51820          | Modern, fast, minimal code
L2TP/IPsec | UDP 1701           | Legacy, double encapsulation

Split Tunneling

  • Full tunnel: All traffic routes through VPN. Maximum security but slower internet.
  • Split tunnel: Only corporate traffic goes through VPN; internet traffic goes directly. Better performance but less control.
Slide 12 of 14

Network Documentation

The Map That Saves Hours of Troubleshooting

Essential Documents

  • Network diagram: Physical and logical topology maps
  • IP address plan: Subnet assignments, DHCP scopes, reservations
  • Cable management: Patch panel labels, cable runs, port maps
  • Configuration backups: Switch/router/firewall configs
  • Change log: What changed, when, who, why

Baseline Documentation

  • Record normal network performance metrics
  • Bandwidth utilization by time of day
  • CPU and memory usage on key devices
  • Compare against baseline when troubleshooting anomalies

Standard Operating Procedures

  • Step-by-step guides for routine tasks
  • Onboarding new devices
  • Backup and recovery procedures
  • Incident response playbooks
Slide 13 of 14

Network Security Best Practices

Defense in Depth

Perimeter

  • NGFW at network edge
  • IDS/IPS inline detection
  • DMZ for public services
  • DDoS mitigation

Internal

  • VLANs for segmentation
  • ACLs on routers/switches
  • 802.1X port authentication
  • Disable unused ports

Endpoint

  • Host-based firewall
  • Antivirus / EDR
  • Patch management
  • Least privilege access

Principle of Least Privilege

Every user and system should have only the minimum permissions necessary to perform their function. Reduces the blast radius of any compromise.

Slide 14 of 14

Week 4 Summary

Network Design & Security

Design

  • Topologies: star, mesh, ring, bus, hybrid
  • Three-tier: core/distribution/access
  • VLANs, trunk links, 802.1Q
  • Network documentation

Security

  • ACLs: standard and extended
  • Firewalls: stateful, NGFW, DMZ
  • NAT/PAT: address translation
  • Port security and 802.1X

Remote Access

  • VPN: site-to-site, remote access
  • IPsec, OpenVPN, WireGuard
  • Wireless: WPA2/WPA3, 802.1X
  • Defense in depth strategy

Up Next

Network Troubleshooting -- methodology, common issues, tools, and diagnostic techniques.