Cisco three-layer design model in practice - Question

Hi guys. I must tell you that I'm not new to networks! Actually I do have a lot of experience on this topic. I'm now preparing myself for the CCNP and a question came into my mind regarding the "three-layer design model". I really want to have a good in-depth understanding of it! I don't want to be limited by the Cisco explanation in their module.

Actually, what I want to know is how the information flows between those conceptual layers? From my understanding, it goes like Internet <---> Core <---> Distribution <---> Access? However, they do say that we should avoid ACLs, firewalls, etc. on the core layer! Now, in this case, at which layer is the firewall implemented? You might answer me that a firewall is built on the distribution layer! But then I have to ask ... Then we are excluding the core layer from our "natural" flow (it's something like Access <---> Distribution <---> Internet). Right?

Now, if we install a firewall at the core level to provide some security from the Internet, well ... we are breaking the rule now, right?

Can you get what my point/doubt is, guys?

Think of it this way, you have one Core layer in the center of the network.  You have a distribution and access layer in the "enterprise edge" and the campus network.  A firewall would actually connect at the access layer of the enterprise edge connecting to the ISP.  It would look like this:

Internet<--->firewall(access layer)<---->distribution<--->core<--->distribution<--->access layer(campus network).

Probably not the best explanation but not the easiest to explain in text.
I'll give it a shot...
Core layer - keep everything as simple and as fast as possible. The whole concept is to create a non-blocking routing layer 2/3 backbone that connects the distribution points as fast as possible
Distribution layer - distribute functions between L2 and L3
Access layer - closest to the end users. This is where you apply user access controls.

Internet connection is another form of access layer. Access to the Internet. Access is highly controlled.

Physically, yes the firewall is typically co-located with the core equipment, but that is a physical location, not functional.

JFrederick29 must have posted as I was typing.
At least we agree that your firewall/Internet is another form of access-layer point..
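The split described in this reply (user access controls at the access layer, nothing but fast forwarding at the core) is easy to state and easy to drift away from once configs grow. The following is an added example, not code from the thread or from Cisco: a small design-rule check that parses simplified IOS-style configs, collects the ACLs bound to each interface with `ip access-group`, and reports any such filtering on a device tagged as core. The two configs, the `! role:` comment the check relies on, and the hostnames and ACL names are all constructed for the example.

```python
"""Added example (not from the thread): lint simplified Cisco IOS-style configs
for the three-layer rule "no filtering at the core".

The configs below are constructed samples. The check expects a hypothetical
"! role: <core|distribution|access>" comment line in each config to learn the
device's layer; real inventories would carry that role elsewhere.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample configs keyed by hostname (not real devices).
SAMPLE_CONFIGS: Dict[str, str] = {
    "core-sw1": """\
! role: core
hostname core-sw1
interface TenGigabitEthernet1/1
 description uplink to dist-sw1
 ip address 10.0.1.1 255.255.255.252
!
interface TenGigabitEthernet1/2
 description uplink to edge-fw
 ip address 10.0.1.5 255.255.255.252
 ip access-group EDGE-IN in
!
""",
    "access-sw1": """\
! role: access
hostname access-sw1
ip access-list extended USER-IN
 deny ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/1
 description user port
 switchport access vlan 20
 ip access-group USER-IN in
!
""",
}

ROLE_RE = re.compile(r"^!\s*role:\s*(\S+)", re.MULTILINE)
ACL_RE = re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)\b")


def device_role(config: str) -> str:
    """Return the layer named in the '! role:' comment, or 'unknown'."""
    m = ROLE_RE.search(config)
    return m.group(1) if m else "unknown"


def interface_acls(config: str) -> Dict[str, List[str]]:
    """Map each interface to the ACL bindings ('NAME in|out') applied to it.

    Interface blocks start with 'interface X', hold indented lines, and end at
    a line beginning with '!'. Top-level 'ip access-list' definitions are not
    bindings and are ignored.
    """
    result: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result.setdefault(current, [])
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            m = ACL_RE.match(line)
            if m:
                result[current].append(f"{m.group(1)} {m.group(2)}")
    return result


def core_filtering_violations(configs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, interface, binding) for every ACL bound on a core device."""
    violations: List[Tuple[str, str, str]] = []
    for host, cfg in configs.items():
        if device_role(cfg) != "core":
            continue
        for iface, bindings in interface_acls(cfg).items():
            for binding in bindings:
                violations.append((host, iface, binding))
    return violations


if __name__ == "__main__":
    for host, iface, binding in core_filtering_violations(SAMPLE_CONFIGS):
        print(f"{host}: {iface} applies '{binding}' but role is core; "
              "move filtering to the distribution/access layer")
```

Run as a script, it flags `core-sw1` for the ACL on its uplink toward the edge firewall, while the ACL on the user port of `access-sw1` is exactly where this reply says it belongs and is not reported.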

rafael_accAuthor Commented:
"Physically, yes the firewall is typically co-located with the core equipment, but that is a physical location, not functional."

How can the Internet be located at the access layer while physically located in the core?!

rafael_accAuthor Commented:
Is this network model applied to Lan only?
Internet at the access layer???? I'm not doubting, but ... it's hard to believe, guys?! Protecting my network from the Internet bad guys, installing firewalls, etc. ... Is this done at the access layer???? It just doesn't go with the theory! Sorry!

I hope someone could give me a better explanation than this one.
rafael_accAuthor Commented:
For example, is a DMZ another access-layer?!
rafael_accAuthor Commented:
I do know it's not a simple question! But this is what this "place" is for, right?! :)
Thanks anyway for your kind reply and sorry for the multiple posts. I'm just pretty much excited about this "chapter" !

I do agree with Irmoore and Jfrederick29.  They could not have described it better in such a short explanation.

Let's see if I can expand on this a little:

According to Cisco's model (the 3 layers you are talking about), your enterprise network design is actually divided into modules.

There is an enterprise edge module (where the WAN, remote access and Internet access is located), did you notice I said "access"?
There is a campus infrastructure module
There is a network management module
and there is a server farm module

Each of these modules can be further broken down into more specific functional modules.  Doing this allows you to concentrate on smaller, more manageable pieces at a time and simplifies the design.  It also has the benefit of scaling better, and much more.

Anyway, back to your question: in those modules, you design according to the 3-layer model.  So, the enterprise edge can have a core, distribution and access.  Same for the campus.  And these connect to each other via their core (which is basically one core).  So, it certainly doesn't go against the rule to have an access layer at the edge and a different one in the campus.

If you want, check out any CCDA/CCDP certification materials.  This is exactly what they teach you, in much better detail.

Believe what you want, but the "real life" fact is that any connection to any 3rd party or connection outside your own network creates an access layer. This perimeter access layer typically connects to a firewall. This firewall can be considered your distribution layer, providing connectivity to multiple DMZs. The firewall would then connect to the core.
What I meant was that typically, the central data center where most of the servers reside, where the core network switches reside, is ALSO where your Internet access comes in. The internet access router and firewall may be in the same equipment rack as your core switches. This does not make them "core" equipment.
The DMZ -

In the enterprise edge module, you have several "sub-modules":

- Internet Connectivity module (it is via there that internal users connect to the Internet)
- E-commerce module (where you place your servers for www, ftp, etc.)
- VPN/Remote access module (where you have your VPN concentrators, etc.)
- WAN module (where you can connect remote sites)

So, the DMZ could be considered the first three... it just depends how you set it up.
rafael_accAuthor Commented:
About your last sentence ...
It's not a matter of what I want, rather of what I must do ... :)

Can you provide me with some links to those resources? Can you tell me in which ccnp module is this information located?
NB! I do have access to all CCNPx online modules.

And again: Guys! Please don't get me wrong! I'm not doubting about your knowledge! I'm just a critical spirit trying to understand networking concepts in-depth!

Thanks for being patient.
<<What I meant was that typically, the central data center where most of the servers reside, where the core network switches reside, is ALSO where your Internet access comes in. The internet access router and firewall may be in the same equipment rack as your core switches. This does not make them "core" equipment.>>

Right.  In smaller (or even larger) businesses, you don't always have separate physical devices for each layer.  You could for example set up your Catalyst 6500 series switches for core+distribution.  This definitely places the core+distribution layers in the same rack!

You just have to understand the logical model before you start the physical design.
rafael_accAuthor Commented:
ok, ok, ok guys! :)

So, it's pretty much obvious that I do have to accept that Internet connectivity, DMZ, VPNs ... are done at (create an additional) access layer.

I know the core layer has to provide fast connection points!!! What is the purpose of avoiding filtering at the core layer then?! Is it true that the purpose for avoiding filtering and other "don'ts" is because the core layer is where the interconnections between different subnets/LANs take place, inside the company?!

rafael_accAuthor Commented:
Plemieux72, I agree with you. I believe I've understood the logical model so far! Actually I don't have any doubt about that. I'm trying now to understand how this is related to the physical world.

Here is a good book:

There is also the official CCDA study guide... just search for the DESGN exam 640-861.

However, one of the things you can read right away online which explains the modules and layers is the Cisco SAFE (Secure Architecture for Enterprises) blueprint.
rafael_accAuthor Commented:
Well ... I'll have to split some points now ... ;)
Thanks for your help and take care ...