DESIGNING A NETWORK TOPOLOGY
TOPOLOGY
- A topology is a map of an internetwork that indicates network segments, interconnection points, and user communities.
- Designing the topology is the first step in logical design.
- Topics: hierarchical network design; scalable campus and enterprise networks; the layered, modular model.

HIERARCHICAL NETWORK DESIGN
- Develop the network in discrete layers, each with a specific function.
- A typical hierarchical topology has three layers:
  - Core layer: high-end routers and switches optimized for availability and performance.
  - Distribution layer: routers and switches that implement policy.
  - Access layer: connects users via hubs, switches, and other devices.

WHY USE A HIERARCHICAL NETWORK DESIGN
- A modular topology limits the number of routers that must exchange routing updates (CPU adjacencies) and the workload caused by broadcast packets.
- Minimizes cost: buy the internetworking device appropriate for each layer.
- Keeps each design element simple and easy to understand.
- Facilitates design changes and lets design elements be replicated.
- Today's routing protocols were designed for hierarchical topologies.
FLAT VERSUS HIERARCHICAL TOPOLOGIES
- A flat topology is adequate for very small networks.
- A flat topology is easy to design, implement, and maintain, as long as the network stays small.

FLAT WAN TOPOLOGIES
- A WAN for a small company can consist of a few sites connected in a loop; each site has a WAN router that connects to two adjacent sites via point-to-point links.
- Not recommended for networks with many sites: a loop can mean many hops between routers.
- If routers on opposite sides of the loop exchange a lot of traffic, use a hierarchical topology instead.
- High availability still requires redundant routers or switches.

MESH VERSUS HIERARCHICAL-MESH TOPOLOGIES
- Mesh topologies help meet availability requirements.
- Full mesh: every router or switch is connected to every other router or switch. Provides complete redundancy and good performance, because there is just a single-link delay between any two sites.
- Partial mesh: fewer connections; reaching another router or switch might require traversing intermediate links.

MESH TOPOLOGY (CONT'D)
- Disadvantages: expensive to deploy and maintain (a full mesh of n sites needs n(n-1)/2 links); hard to optimize, troubleshoot, and upgrade; lacks modularity, so upgrading just one part of the network is difficult.
- Scalability limits for groups of routers that broadcast routing updates or service advertisements: limit the number of adjacent routers that exchange routing tables and service advertisements.
- For small and medium-sized companies the hierarchical model is often implemented as a hub-and-spoke topology with little or no meshing.
THE CLASSIC THREE-LAYER HIERARCHICAL MODEL
- Permits traffic aggregation and filtering at three successive routing or switching levels.
- Scales to large international internetworks.
- Each layer has a specific role:
  - Core layer provides optimal transport between sites.
  - Distribution layer connects network services to the access layer and implements policies regarding security, traffic loading, and routing.
  - Access layer consists of routers at the edge that connect users to the network.

THE CORE LAYER
- The high-speed backbone of the internetwork.
- Design it with redundant components, because the core is critical for interconnectivity.
- Must be highly reliable and adaptable to change.
- Use routing features that optimize packet throughput; policy and filtering belong in the distribution layer.
- Keep the diameter limited and consistent, for predictable performance and easier troubleshooting.
- For connection to other enterprises via an extranet or the Internet, include one or more links to external networks.

THE DISTRIBUTION LAYER
- The demarcation point between the access and core layers of the network.
- Roles: controlling access to resources (security) and controlling the traffic that traverses the core (performance).
- Often the layer that delineates broadcast domains.
- Allows the core layer to connect diverse sites while maintaining high performance.
- Can redistribute between bandwidth-intensive access-layer routing protocols and optimized core routing protocols.
- Can summarize routes from the access layer.
- Can provide address translation.
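The route summarization that the distribution layer performs, as an added worked example (not code from the slides or the book they follow). It uses only Python's standard ipaddress module; the access-layer prefixes are constructed for illustration, with 10.1.3.0/24 deliberately left unassigned. summarize() computes the exact minimal summary; single_summary() computes the coarser single-supernet summary a designer often prefers and, as a check, reports the address space that summary advertises although no access-layer segment uses it. Traffic for such a hole is attracted to the summarizing router, which is why that router should also carry a discard (null) route for the summary rather than a default pointing back toward the core, or the packets loop between the two.

```python
import ipaddress

# Constructed sample: access-layer segments behind one distribution router.
# 10.1.3.0/24 is deliberately absent to show an over-summarisation hole.
ACCESS_PREFIXES = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]


def summarize(prefixes):
    """Exact summary: the fewest covering networks that contain no address
    outside the given prefixes (what a careful distribution router advertises)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_summary(prefixes):
    """Coarse summary: the one smallest supernet covering every prefix, plus
    the address space it advertises that no access-layer segment actually
    uses. Returns ("<summary>", ["<hole>", ...])."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    # Carve the real prefixes out of the summary; whatever remains is space
    # that will attract traffic although nothing lives there.
    holes = [summary]
    for n in nets:
        remaining = []
        for h in holes:
            if n.subnet_of(h):
                remaining.extend(h.address_exclude(n))  # yields nothing if n == h
            elif not h.subnet_of(n):
                remaining.append(h)
        holes = remaining
    return str(summary), sorted(str(h) for h in holes)


if __name__ == "__main__":
    print("exact  :", summarize(ACCESS_PREFIXES))
    print("single :", single_summary(ACCESS_PREFIXES))
```

With the three constructed prefixes the exact summary is two routes (10.1.0.0/23 and 10.1.2.0/24), while the single supernet 10.1.0.0/22 also claims 10.1.3.0/24; adding that fourth segment makes both methods agree on one /22.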
THE ACCESS LAYER
- Provides users on local segments access to the internetwork.
- Can include routers, switches, bridges, and shared-media hubs.
- Switches divide up bandwidth domains to meet the demands of applications that require a lot of bandwidth.
- In small networks the access layer can provide access into the corporate internetwork using wide-area technologies such as ISDN, Frame Relay, leased digital lines, and analog modem lines.

GUIDELINES FOR HIERARCHICAL NETWORK DESIGN
- Control the diameter of the hierarchical enterprise network topology; in most cases the three major layers are sufficient.
- A limited diameter provides low, predictable latency and makes troubleshooting and network documentation easier.
- Maintain strict control over the topology at the access layer.

GUIDELINES FOR HIERARCHICAL NETWORK DESIGN (CONT'D)
- Avoid the design mistake of adding a chain: a network hung off the access layer adds an unplanned extra layer.
- Avoid backdoors: a backdoor is a connection between devices in the same layer, such as an extra router, bridge, or switch added to connect two networks; it bypasses the policy enforced at the layer above.
- Design the access layer first, then the distribution layer, and finally the core layer. This lets you plan capacity requirements for the distribution and core layers more accurately and recognize the optimization techniques needed.

GUIDELINES FOR HIERARCHICAL NETWORK DESIGN (CONT'D)
- Design using modular and hierarchical techniques, then plan the interconnection between layers based on analysis of traffic load, flow, and behavior.
REDUNDANT NETWORK DESIGN TOPOLOGIES
- Lets you meet network availability goals by duplicating network links and interconnectivity devices.
- Eliminates single points of failure.
- Can be implemented in both campus and enterprise networks: campus goals concern users reaching local services, enterprise goals concern overall availability and performance.
- Analyze the customer's business and technical goals before adding redundancy, since it adds cost and complexity.

BACKUP PATHS
- A backup path consists of routers and switches and individual backup links that duplicate the devices and links on the primary path.
- Consider two aspects of a backup path: how much capacity it supports, and how quickly the network begins using it.
- A backup path commonly has less capacity than the primary path, often uses a different technology, and is expensive.

BACKUP PATHS (CONT'D)
- Failover can be manual or automatic. With manual reconfiguration users will notice the disruption, which is not acceptable for mission-critical systems.
- Use redundant, partial-mesh network designs to speed automatic recovery.
- Backup paths must be tested.
- Backup paths are sometimes used for load balancing as well.

LOAD BALANCING
- The primary goal of redundancy is availability; a secondary goal is to improve performance by load balancing across parallel links.
- Load balancing must be planned and, in some cases, configured.
- In ISDN environments, channel aggregation facilitates load balancing: a router automatically brings up multiple ISDN B channels as bandwidth requirements increase.

LOAD BALANCING (CONT'D)
- Most vendor implementations of IP routing protocols support load balancing across parallel links of equal cost.
- Some protocols base cost on the number of hops to a destination, which means they may balance over paths of unequal bandwidth.
- Load balancing is affected by the advanced switching (forwarding) mechanisms implemented in routers: these often cache the path to remote destinations for faster forwarding, and a per-destination cache keeps all traffic to one destination on one link, so balancing is coarser than per-packet.
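A hash-based load-balancing decision, as an added example (not from the slides): the link names, weights and traffic are constructed for illustration. Routers that balance per flow hash the packet's 5-tuple to pick a link, so every packet of one flow uses the same link and TCP never sees reordering; the price is that balance is only statistical. Expanding links into weighted buckets gives the unequal-bandwidth variant the slide mentions, where a link with three times the bandwidth gets about three times the flows.

```python
import hashlib

# Constructed links with relative weights: 1:1 for two equal-cost links,
# 1:3 for a T1 alongside a link with three times the bandwidth.
EQUAL_COST = {"link-a": 1, "link-b": 1}
UNEQUAL = {"t1": 1, "triple-t1": 3}


def flow_hash(flow):
    """Stable hash of a (src, dst, proto, sport, dport) tuple. sha256 rather
    than Python's hash() so the mapping is identical across interpreter runs."""
    key = "|".join(map(str, flow)).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def bucket_table(links):
    """Expand {link: weight} into a bucket list: a link with weight 3 owns
    three buckets and therefore receives about three times the flows."""
    return [name for name, weight in sorted(links.items()) for _ in range(weight)]


def choose_link(flow, table):
    """Per-flow selection: every packet of a flow hashes to the same bucket,
    so packets never arrive out of order, unlike per-packet round robin."""
    return table[flow_hash(flow) % len(table)]


def sample_flows(n):
    """Constructed traffic: n client flows from 10.1.1.0/24 to one server on tcp/443."""
    return [("10.1.1.%d" % (i % 250 + 1), "10.9.0.10", "tcp", 49152 + i, 443)
            for i in range(n)]


def distribute(flows, links):
    """Count how many flows land on each link."""
    table = bucket_table(links)
    counts = dict.fromkeys(links, 0)
    for flow in flows:
        counts[choose_link(flow, table)] += 1
    return counts


if __name__ == "__main__":
    print(distribute(sample_flows(1000), EQUAL_COST))
    print(distribute(sample_flows(1000), UNEQUAL))
```

Running it over 1000 constructed flows puts roughly half on each equal-cost link and roughly three quarters on the faster link in the unequal case; a single heavy flow still cannot exceed the bandwidth of the one link it hashes to, which is the limitation per-flow balancing trades for in-order delivery.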
DESIGNING A CAMPUS NETWORK DESIGN TOPOLOGY
- Should meet the customer's goals for availability and performance by featuring small broadcast domains, redundant distribution-layer segments, mirrored servers, and multiple ways for a workstation to reach a router for off-net communication.
- Designed using a hierarchical model for good performance, maintainability, and scalability.

VIRTUAL LANS
- A VLAN is an emulation of a standard LAN that allows data transfer to take place without the traditional physical constraints placed on a network.
- Based on logical rather than physical connections, so very flexible; members communicate as if they were on the same physical network.
- Lets a large flat network be divided into subnets to break up broadcast domains.
- Hard to manage and optimize: when a VLAN is dispersed across many physical networks, its traffic must flow to each of those networks.
- In the future fewer companies will implement large flat LANs, and the need for VLANs will be less.

REDUNDANT LAN SEGMENTS
- In campus LANs it is common to design redundant links between LAN switches.
- The spanning-tree algorithm is used to avoid bridging loops.
- Spanning tree is good at preventing loops but not necessarily at load balancing.
- When multiple bridges or switches exist in a spanning tree, one bridge becomes the root bridge, and traffic always travels toward the root bridge. Only one path to the root bridge is active; the other paths are disabled (placed in blocking state).
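Root election and the resulting active topology, as an added example written for this page (not code from the slides): a simplified 802.1D computation in Python over a constructed three-switch campus; the switch names, bridge IDs and link costs are assumptions. It shows why the direct SW2-SW3 link carries no traffic while the root is up, and the check the slide does not mention: the election is unauthenticated, so any device that sends BPDUs with a lower priority becomes root and pulls the campus traffic through itself, which is what root guard and BPDU guard on access ports exist to prevent.

```python
import heapq

# Constructed campus: SW1 is the intended root (low priority); all links
# 1 Gbit/s (802.1D-1998 path cost 4). Bridge ID = (priority, MAC); lowest wins.
BRIDGES = {
    "SW1": (4096, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 4)]


def elect_root(bridges):
    """The bridge with the numerically lowest (priority, MAC) becomes root."""
    return min(bridges, key=bridges.get)


def root_path_costs(bridges, links, root):
    """Shortest path from every bridge to the root (Dijkstra over link costs).
    Ties on cost go to the neighbour with the lower bridge ID, approximating
    802.1D's designated-bridge tie-break. Returns (cost, via)."""
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    cost = {root: 0}
    via = {root: None}
    heap = [(0, bridges[root], root)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj.get(u, []):
            nd = d + c
            better = (v not in cost or nd < cost[v]
                      or (nd == cost[v] and via[v] is not None
                          and bridges[u] < bridges[via[v]]))
            if better:
                cost[v] = nd
                via[v] = u
                heapq.heappush(heap, (nd, bridges[u], v))
    return cost, via


def blocked_links(links, via):
    """Every link that is on no bridge's root path ends up in blocking state."""
    tree = {frozenset((b, p)) for b, p in via.items() if p is not None}
    return [(a, b) for a, b, _ in links if frozenset((a, b)) not in tree]


def forwarding_path(via, src, dst):
    """Frames climb toward the root until the two branches meet, then descend;
    a direct but blocked link is never used."""
    def to_root(node):
        chain = [node]
        while via[chain[-1]] is not None:
            chain.append(via[chain[-1]])
        return chain
    up, down = to_root(src), to_root(dst)
    meet = next(n for n in up if n in down)
    return up[:up.index(meet)] + down[:down.index(meet) + 1][::-1]


def rogue_root_takeover(bridges, rogue="ROGUE", rogue_mac="de:ad:be:ef:00:00"):
    """A device that sends BPDUs with priority 0 wins the election outright."""
    return elect_root(dict(bridges, **{rogue: (0, rogue_mac)}))


if __name__ == "__main__":
    root = elect_root(BRIDGES)
    cost, via = root_path_costs(BRIDGES, LINKS, root)
    print("root:", root, "root path costs:", cost)
    print("blocked:", blocked_links(LINKS, via))
    print("SW2 -> SW3 goes:", forwarding_path(via, "SW2", "SW3"))
    print("after rogue BPDUs the root is:", rogue_root_takeover(BRIDGES))
```

In the constructed topology SW1 is root, the SW2-SW3 link is blocked, and a frame from SW2 to SW3 takes two hops through SW1 even though a direct link exists; the rogue switch with priority 0 displaces SW1 as root the moment its BPDUs are heard.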
SERVER REDUNDANCY
- File, Web, Dynamic Host Configuration Protocol (DHCP), name, database, configuration, and broadcast servers are all candidates for redundancy in a campus design.
- When a LAN is migrated to DHCP, the DHCP servers become critical; use redundant DHCP servers.
- DHCP servers can be at the access or distribution layer: in small networks often the distribution layer, in larger networks the access layer.
- In large campus networks the DHCP server is often placed on a different network segment than the end systems that use it, so the routers in between must relay the clients' DHCP broadcasts.

SERVER REDUNDANCY (CONT'D)
- Name servers are less critical than DHCP servers because users can reach services by address instead of name if the name server fails.
- If ATM is used, duplicate the ATM services used by clients running ATM LAN Emulation (LANE) software: the LAN Emulation Configuration Server (LECS), the LAN Emulation Server (LES), and the Broadcast and Unknown Server (BUS).

SERVER REDUNDANCY (CONT'D)
- Where the cost of downtime for file servers is a major concern, recommend mirrored file servers.
- If complete redundancy is not feasible, duplexing the file server hard drives is a good idea.
- Mirrored file servers also allow the workload to be shared between servers.
WORKSTATION-TO-ROUTER REDUNDANCY
- Workstation-to-router communication is critical in most designs for reaching remote services.
- There are many ways for a workstation to discover a router, depending on the protocol running and its implementation.

APPLETALK WORKSTATION-TO-ROUTER COMMUNICATION
- AppleTalk workstations remember the address of the router that sent the most recent RTMP packet.
- To minimize memory and processing requirements, a workstation remembers the address of only one router.

NOVELL NETWARE WORKSTATION-TO-ROUTER COMMUNICATION
- The workstation broadcasts a find-network-number request to find a route to the destination.
- Routers on the workstation's network respond.
- The workstation uses the first router that responds.

IP WORKSTATION-TO-ROUTER COMMUNICATION
- Implementations vary in how they handle workstation-to-router communication.
- Some send an Address Resolution Protocol (ARP) request to find a remote station; a router running proxy ARP responds to the request with its own data-link-layer address.
- Advantage of proxy ARP: a workstation does not have to be manually configured with the address of a router.
- Nothing authenticates the reply: any host on the segment can answer an ARP request, so the workstation trusts whoever replies first.

IP WORKSTATION-TO-ROUTER COMMUNICATION (CONT'D)
- Sometimes network administrators manually configure an IP workstation with a default router: the address of a router on the local segment that the workstation uses to reach remote services.
- Protocols are also used to identify routers, such as the ICMP Router Discovery Protocol (RDP, also written IRDP), which uses two Internet Control Message Protocol (ICMP) messages:
  - ICMP router advertisement packet
  - ICMP router solicitation packet
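The ICMP router advertisement that RDP relies on (RFC 1256), built and parsed in Python as an added example that is not part of the slides; the router addresses, preference values and lifetimes are constructed. The parser performs the checks a receiver must make (type, code, entry size, length, checksum), and preferred_router() shows what a host does after hearing several advertisements: it takes the highest preference, whoever sent it. There is no authentication, so any host on the segment can advertise itself with a higher preference and become everyone's default router; hosts that honour RDP belong only on segments where that is acceptable, otherwise configure the default router statically and disable router discovery.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9   # RFC 1256 message type
ADDR_ENTRY_SIZE = 2             # 32-bit words per (address, preference) entry


def inet_checksum(data):
    """Standard Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(routers, lifetime=1800):
    """routers: list of (ipv4_str, preference). Returns the ICMP message
    (type 9, code 0, checksum, num addrs, entry size, lifetime, then
    address/preference pairs) with the checksum filled in."""
    body = b"".join(ipaddress.IPv4Address(ip).packed + struct.pack("!i", pref)
                    for ip, pref in routers)
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                         len(routers), ADDR_ENTRY_SIZE, lifetime)
    csum = inet_checksum(header + body)
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, csum,
                         len(routers), ADDR_ENTRY_SIZE, lifetime)
    return header + body


def parse_router_advertisement(msg):
    """Validate and decode one advertisement. Returns (lifetime, entries) with
    entries sorted highest preference first, the order in which an RFC 1256
    host would pick its default router."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    mtype, code, _, num, size, lifetime = struct.unpack("!BBHBBH", msg[:8])
    if mtype != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if size != ADDR_ENTRY_SIZE:
        raise ValueError("unexpected address entry size")
    if len(msg) != 8 + num * 4 * size:
        raise ValueError("length does not match num addrs")
    if inet_checksum(msg) != 0:  # a valid message checksums to zero
        raise ValueError("bad checksum")
    entries = []
    for i in range(num):
        off = 8 + i * 8
        addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
        pref, = struct.unpack("!i", msg[off + 4:off + 8])
        entries.append((addr, pref))
    return lifetime, sorted(entries, key=lambda e: e[1], reverse=True)


def preferred_router(advertisements):
    """What a host ends up using after hearing several advertisements: the
    highest-preference address wins, regardless of who sent it."""
    heard = []
    for msg in advertisements:
        heard.extend(parse_router_advertisement(msg)[1])
    return max(heard, key=lambda e: e[1])[0]


if __name__ == "__main__":
    legit = build_router_advertisement([("192.168.1.1", 0)])
    print("legitimate:", parse_router_advertisement(legit))
    # Constructed rogue advertisement from an ordinary host on the same LAN.
    rogue = build_router_advertisement([("192.168.1.66", 100)], lifetime=9000)
    print("host now uses:", preferred_router([legit, rogue]))
```

The legitimate advertisement parses back to its single entry and passes the checksum; once the constructed rogue message with preference 100 is also heard, the host's default router becomes 192.168.1.66. Flipping any byte of a message makes the parser reject it, which is integrity against line noise, not against a sender who builds the message correctly.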
DESIGNING AN ENTERPRISE NETWORK DESIGN TOPOLOGY
- Should meet the customer's goals for availability and performance by featuring redundant LAN and WAN segments in the intranet, and multiple paths to extranets and the Internet.
- Virtual private networking (VPN) can be used.

REDUNDANT WAN SEGMENTS
- Because WAN links can be critical, redundant (backup) WAN links are often included in the enterprise topology.
- A full-mesh topology provides complete redundancy but is costly to implement, maintain, upgrade, and troubleshoot.

CIRCUIT DIVERSITY
- Learn as much as possible about the actual physical routing of the circuits.
- Some carriers use the same facilities, which means the backup path is susceptible to the same failure as the primary path.
- Circuit diversity refers to the optimum situation of circuits using different physical paths.
- It is becoming increasingly hard to guarantee circuit diversity because of carrier mergers.
- Analyze your local cabling in addition to the carrier's services: two "diverse" circuits that share one building entrance conduit fail together.

MULTIHOMING THE INTERNET CONNECTION
- Multihoming means providing more than one connection for a system to access and offer network services.
- A server is multihomed if it has more than one network-layer address.
- Increasingly used to refer to giving an enterprise network more than one entry into the Internet.
- Risk: the enterprise can become a transit network that provides interconnection for other networks, meaning routers on the Internet learn they can reach other routers through the enterprise network. Filter the routes announced to each provider so that only the enterprise's own prefixes are advertised.

VIRTUAL PRIVATE NETWORKING
- Enables a customer to use a public network to provide secure connections among sites on the organization's internetwork.
- Can also connect an enterprise intranet to an extranet to reach outside parties.
- Connects geographically dispersed offices via a service provider rather than a private network.
- Company data can be encrypted before it is routed across the public network.
- Firewalls and TCP/IP tunneling allow a customer to use a public network as a
SECURE NETWORK DESIGN TOPOLOGIES
- Planning for physical security
- Meeting security goals with firewall topologies

PLANNING FOR PHYSICAL SECURITY
- Install critical equipment in computer rooms that have physical protection.
- The logical design might have an impact on physical security.
- Planning should start early, to allow lead time to build or install security mechanisms.

MEETING SECURITY GOALS WITH FIREWALL TOPOLOGIES
- A firewall is a system or combination of systems that enforces a boundary between two or more networks. It can be a router with access control lists (ACLs), a dedicated hardware box, or software running on a PC or UNIX system.
- Place the firewall in the topology so that all traffic from outside the protected network must pass through it; a backdoor link around it defeats the policy.
- The security policy specifies which traffic is authorized to pass through the firewall.

MEETING SECURITY GOALS WITH FIREWALL TOPOLOGIES (CONT'D)
- Especially important at the boundary between the enterprise network and the Internet.
- For customers that need to publish public data and protect private data, the firewall topology can include a public LAN (a free-trade zone, today usually called a DMZ) that hosts the Web, FTP, DNS, and SMTP servers.
- Larger customers should use a dedicated firewall in addition to a router between the Internet and the enterprise network.

MEETING SECURITY GOALS WITH FIREWALL TOPOLOGIES (CONT'D)
- An alternative is to use two routers as the firewall and place the free-trade zone between them: the three-part firewall topology.
- The router configuration might be complex, consisting of many access control lists to control traffic in and out of the private network and the free-trade zone.
- Dedicated firewalls usually have a GUI that lets you specify a security policy in an intuitive fashion.
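The policy of a three-part firewall topology, expressed as an ordered rule list and evaluated in Python, as an added example that is not from the slides: the zone address ranges, the servers in the free-trade zone and the rule set are constructed for illustration. The rules encode the property the topology is for: the outside may reach only the published services in the zone, and a compromised zone host cannot pivot into the private network except along the one inward path the policy needs (the mail relay). An anti-spoofing check comes first, because without it an outside packet carrying an inside source address would match the permissive inside rules.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones: the outer router faces the Internet, the free-trade zone
# (DMZ) sits between the two routers, the inner router protects "inside".
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Ordered policy: (src zone, dst zone, proto, dst port, action). First match
# wins; anything unmatched hits the implicit deny. "any"/None are wildcards.
POLICY = [
    ("outside", "dmz", "tcp", 80, "permit"),   # public web
    ("outside", "dmz", "tcp", 443, "permit"),
    ("outside", "dmz", "udp", 53, "permit"),   # public DNS
    ("outside", "dmz", "tcp", 25, "permit"),   # inbound mail to the relay
    ("outside", "dmz", "tcp", 21, "permit"),   # public FTP
    ("dmz", "inside", "tcp", 25, "permit"),    # relay hands mail inward, nothing else
    ("dmz", "outside", "udp", 53, "permit"),   # DNS server resolves outward
    ("dmz", "outside", "tcp", 25, "permit"),   # relay sends mail outward
    ("inside", "dmz", "any", None, "permit"),
    ("inside", "outside", "any", None, "permit"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str  # zone of the interface the packet arrived on


def zone_of(ip):
    """Map an address to its zone; anything not inside or dmz is outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


def evaluate(pkt, policy=POLICY):
    """Return (action, reason). Anti-spoofing first: a packet whose source
    belongs to a zone other than the interface it arrived on is dropped, so
    an outside attacker cannot borrow an inside address to match an inside
    rule. Then the first matching rule decides; no match means deny."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone != pkt.ingress:
        return "deny", "anti-spoof"
    for rule in policy:
        sz, dz, proto, port, action = rule
        if ((sz, dz) == (src_zone, dst_zone)
                and proto in ("any", pkt.proto)
                and port in (None, pkt.dport)):
            return action, rule
    return "deny", "implicit deny"


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80, "outside"),   # web to DMZ
        Packet("203.0.113.5", "10.1.1.20", "tcp", 80, "outside"),    # web to inside
        Packet("192.0.2.10", "10.1.1.20", "tcp", 22, "dmz"),         # DMZ pivot attempt
        Packet("10.1.1.20", "192.0.2.10", "tcp", 22, "outside"),     # spoofed inside source
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

These rules cover new connections only. Return traffic for inside-to-outside sessions needs either the router ACL's "established" match (it accepts any TCP segment with ACK or RST set, which a sender can set at will) or a stateful firewall that tracks sessions; the slide's observation that dedicated firewalls simplify policy is largely this difference.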
SUMMARY
- Designing a network topology is the first step in logical design.
- Three models for network topologies: hierarchical, redundant, and secure.
  - Hierarchical: develop a network of many interrelated components in a layered, modular fashion.
  - Redundant: meet availability requirements by duplicating network components.
  - Secure: protect core routers, demarcation points, cabling, modems, and other equipment; adding firewalls at network boundaries protects against outside attackers.