The "Foundation Summary" section of each chapter lists the most important facts from the chapter. While this section does not list every fact from the chapter that will be on your CCSP exam, a well-prepared CCSP candidate should, at a minimum, know all the details in each "Foundation Summary" before going to take the exam.
The SAFE Enterprise network consists of various modules organized into three primary layers:
- The enterprise campus
- The enterprise edge
- The service provider (SP) edge
The enterprise campus layer consists of the following modules:
- The Management module
- The Server module
- The Building module
- The Building Distribution module
- The Core module
- The Edge Distribution module
The enterprise edge layer is made up of the following modules:
- The E-Commerce module
- The VPN and Remote Access module
- The Corporate Internet module
- The WAN module
Table 18-17 shows the key devices in the Management module.
Key Device | Functions |
---|---|
Cisco IOS router/firewall | Provides encrypted network access to the end devices. Also filters traffic inbound to the Management module. |
OTP server | Authorizes OTP information relayed from the access-control server. |
Access-control server | Provides one-time, two-factor authentication services to the network devices. |
Syslog hosts | Aggregate log information for the firewall and the NIDS devices. |
Management host(s) | Provides for configuration, software, and content changes on network devices and IPS on other network-management hosts. |
NIDS Director | Provides alarm aggregation and analysis for all NIDS appliances throughout the Campus and Corporate Internet modules. |
Layer 2 switches | Include support for private VLANs. |
NIDS appliance | Provides deep packet inspection of traffic within the module. |
Terminal server | Provides access to the console port of other network devices. |
Network-monitoring host | Provides SNMP management and monitoring of network devices. |
Table 18-18 shows the key devices in the Building module.
Key Device | Functions |
---|---|
Layer 2 switches | Provide for Layer 2 connectivity to end-user systems and IP telephones. |
IP phones | Provide IP telephony services to end users. |
User workstations | Provide data services to users. |
Table 18-19 shows the key device in the Building Distribution module.
Key Device | Functions |
---|---|
Layer 3 switches | Provide for Layer 2 switch aggregation before the core, along with services such as filtering, routing, QoS, CAR, and VLAN definition. |
Table 18-20 shows the key device in the Core module.
Key Device | Functions |
---|---|
Layer 3 switches | Route and switch traffic from one network module to another. |
Table 18-21 shows the key devices in the Server module.
Key Device | Functions |
---|---|
Layer 3 switches | Provide Layer 3 services such as filters, QoS, VLANs, and private VLANs to the servers. Also provide for traffic inspection through the use of integrated NIDS. |
CallManager | Provides IP telephony services and call routing. |
Corporate and departmental servers | Provide services such as SMTP, WWW, POP, file and print services, and DNS to corporate users. |
Table 18-22 shows the key device in the Edge Distribution module.
Key Device | Functions |
---|---|
Layer 3 switches | Provide for traffic aggregation before the enterprise edge layer, along with advanced services. |
Table 18-23 shows the key devices in the E-Commerce module.
Key Device | Functions |
---|---|
Web server | Serves as the primary user interface for the e-commerce store. |
Application server | Provides application services required by the e-commerce design and communication with the database server. |
Database server | Stores transactions, customer information, and other business-critical data required by the e-commerce design. |
Firewalls | Provide network-level protection of resources through stateful filtering of traffic. Provide traffic negotiation and control among the various layers of the e-commerce design. |
NIDS appliance | Provides traffic monitoring and attack identification and mitigation. |
Layer 3 switch with IDS module | Provides stable traffic routing and control, along with up-front attack identification and mitigation. |
Table 18-24 shows the key devices in the VPN and Remote Access module.
Key Device | Functions |
---|---|
VPN concentrator | Authenticates remote-access users and terminates IPSec VPN tunnels. |
VPN router | Authenticates and terminates site-to-site GRE/IPSec VPN tunnels. |
Firewall | Provides network-level protection of resources through stateful filtering of traffic. Provides differentiation of traffic from remote users and sites. |
Dial-in server | Authenticates remote analog dial-in users using TACACS+/OTPs and terminates connections. |
NIDS appliance | Provides traffic monitoring, attack identification, and attack mitigation for traffic from remote users and sites. |
Table 18-25 shows the key devices in the Corporate Internet module.
Key Device | Functions |
---|---|
DNS server | Serves as the authoritative external DNS server; relays internal requests to the Internet. |
FTP server | Provides a public interface for file exchange between Internet users and the corporate network. Can be combined with the HTTP server to reduce cost. |
Firewall | Provides network-level protection of resources through stateful filtering of traffic. Can provide remote IPSec tunnel termination for users and remote sites. Also provides differentiated access for remote-access users. |
HTTP server | Provides public information about the enterprise or the organization. Can be combined with the FTP server to reduce cost. |
SMTP server | Provides e-mail service for the enterprise by relaying internal e-mail bound for external addresses; also can inspect content. |
Layer 2 switches | Provide for Layer 2 connectivity within the Corporate Internet module. Also provide support for private VLANs. |
NIDS appliance | Provides for deep packet inspection of traffic traversing various segments of the network. |
URL filtering server | Provides for URL-filtering services to the enterprise. |