The figure shows two internet clouds at the top. Each cloud connects to two routers, one on the left and one on the right. Below the routers are two Layer 3 switches within a box labelled core layer. Each router connects to each of the switches.
The switches also have multiple lines between them with a circle around the lines. Below these two switches are two more switches within a box labelled distribution layer. Each of the top switches connects to each of the two switches below them.
Below the distribution layer switches are three Layer 2 switches and two access points within a box labelled access layer. Each access layer switch has a connection to each of the distribution layer switches. Each access point connects to just one of the access layer switches.
Below the access layer box are two wireless tablets. Each wireless tablet connects wirelessly to a wireless AP. Also below the access layer box are four IP phones. Each phone has a PC attached. One phone connects to the left access layer switch, two phones connect to the middle access layer switch, and the last phone connects to the last access layer switch.
Hierarchical Design Model
The access layer provides endpoints and users direct access to the network. The distribution layer aggregates access layers and provides connectivity to services. Finally, the core layer provides connectivity between distribution layers for large LAN environments.
Typically, a firewall with two interfaces is configured as follows:
- Traffic originating from the private network is permitted and inspected as it travels toward the public network. Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
- Traffic originating from the public network and traveling to the private network is generally blocked.
A demilitarized zone (DMZ) is a firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network, and one DMZ interface, as shown in the figure.
- Traffic originating from the private network is inspected as it travels toward the public or DMZ network. This traffic is permitted with little or no restriction. Inspected traffic returning from the DMZ or public network to the private network is permitted.
- Traffic originating from the DMZ network and traveling to the private network is usually blocked.
- Traffic originating from the DMZ network and traveling to the public network is selectively permitted based on service requirements.
- Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected. This type of traffic is typically email, DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public network is dynamically permitted.
- Traffic originating from the public network and traveling to the private network is blocked.
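The two policies above (the two-interface firewall and the three-interface DMZ design) can be modelled as a small stateful zone policy. The following Python model is an added illustration, not Cisco configuration and not code from the original page: zone names (private, dmz, public), the published DMZ service list, the IP addresses and port numbers are all constructed sample values. It shows why "inspected" matters: return traffic is permitted only because a matching connection entry was created when the inside or public host initiated the flow, while an unsolicited packet claiming to be part of an established connection is dropped for lack of state. The two-interface case is the same engine with only the private and public zones in use.

```python
"""Toy stateful zone-based firewall model (added illustration, not vendor configuration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = True  # True for a new TCP connection attempt, False for a mid-stream packet


# Services the DMZ publishes to the public network (constructed sample list:
# email, DNS, HTTP, HTTPS as in the text).
DMZ_PUBLISHED_SERVICES = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}
# What DMZ hosts may initiate toward the public network (constructed: outbound SMTP and DNS).
DMZ_TO_PUBLIC_SERVICES = {("tcp", 25), ("tcp", 53), ("udp", 53)}


class ZoneFirewall:
    def __init__(self):
        # Connection table: 5-tuples of flows that were permitted at initiation.
        self.connections = set()

    def _policy_allows_new(self, p: Packet) -> bool:
        """Zone-pair policy for a packet that starts a new flow."""
        pair = (p.src_zone, p.dst_zone)
        svc = (p.proto, p.dst_port)
        if pair in {("private", "public"), ("private", "dmz")}:
            return True  # inside may initiate toward public or DMZ with little restriction
        if pair == ("public", "dmz"):
            return svc in DMZ_PUBLISHED_SERVICES  # selectively permitted
        if pair == ("dmz", "public"):
            return svc in DMZ_TO_PUBLIC_SERVICES  # selectively permitted by service need
        # dmz -> private, public -> private and anything unlisted: blocked
        return False

    def process(self, p: Packet) -> str:
        forward = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if forward in self.connections:
            return "permit-established"
        if reverse in self.connections:
            return "permit-return"  # dynamically permitted because the flow was inspected
        if p.proto == "tcp" and not p.syn:
            return "drop-no-state"  # claims to be mid-connection but no entry exists
        if self._policy_allows_new(p):
            self.connections.add(forward)
            return "permit-new"
        return "drop-policy"


def run_demo() -> list:
    """Feed constructed sample packets through the policy and return the decisions."""
    fw = ZoneFirewall()
    samples = [
        Packet("private", "public", "10.0.0.5", "203.0.113.10", "tcp", 40000, 443),
        Packet("public", "private", "203.0.113.10", "10.0.0.5", "tcp", 443, 40000, syn=False),
        Packet("public", "dmz", "198.51.100.7", "192.0.2.10", "tcp", 50000, 80),
        Packet("public", "dmz", "198.51.100.7", "192.0.2.10", "tcp", 50001, 22),
        Packet("public", "private", "198.51.100.7", "10.0.0.5", "tcp", 50002, 445),
        Packet("dmz", "private", "192.0.2.10", "10.0.0.5", "tcp", 51000, 3306),
        Packet("dmz", "public", "192.0.2.10", "203.0.113.20", "tcp", 51001, 25),
        Packet("private", "dmz", "10.0.0.5", "192.0.2.10", "tcp", 40001, 22),
        Packet("public", "private", "198.51.100.7", "10.0.0.5", "tcp", 50003, 40000, syn=False),
    ]
    return [fw.process(p) for p in samples]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The last sample packet is the instructive one: it is addressed to the same inside port that the first flow used, but it comes from a different public host with no connection entry, so the firewall drops it instead of treating it as return traffic.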