CHAPTER 5-part 2

Presentation Transcript


  1. CHAPTER 5-part 2: Designing a campus network topology

  2. Campus network
    • The topologies for a campus network should meet the customer's goals for:
      • Availability
      • Performance
    • How to achieve this? Have small bandwidth domains, small broadcast domains, redundancy, and mirrored servers.

  3. Continue..
    • A campus network should be designed using a hierarchical, modular approach so that the network offers good performance, maintainability and scalability.

  4. Continue..
    • A campus consists of:
    • Campus access layer
      • End-user workstations and IP phones connect to switches or wireless access points.
      • Higher-end switches provide uplinks to the distribution layer.
      • Services offered: network access, broadcast control, protocol filtering and marking of packets for quality of service (QoS) features.

  5. Continue..
    • Campus distribution layer
      • The task of this layer is to aggregate wiring closets within a building and provide connectivity to the campus core via routers or switches with routing modules.
      • This module provides routing, QoS and access control methods for meeting security and performance requirements.
      • Redundancy and load balancing are recommended.

  6. Continue..
    • Campus core layer
      • Interconnects the access and distribution modules with the data center, network management and edge modules.
      • Provides redundant and fast-converging connectivity.
      • Routes and switches traffic as quickly as possible from one module to another.
      • Uses high-speed routers/switches with routing capability and provides QoS and security features.

  7. Spanning Tree Protocol
    • The topology of each module and submodule of a campus network design is partially determined by the Spanning Tree Protocol (STP).
    • STP is a protocol that ensures a loop-free topology for any bridged/switched Ethernet LAN.
    • The basic function of STP is to prevent bridge/switch loops and the broadcast radiation that results from them.
    • STP also allows a network to include spare (redundant) links that provide automatic backup paths if an active link fails, without the danger of bridge loops or the need to manually enable/disable these backup links. (wiki)

  8. Continue..
    • Have a redundant link between switch A and switch B.
    • This setup creates the possibility of a bridging loop, i.e. a broadcast/multicast packet transmitted from station M and destined for station N simply continues to circulate between both switches.
    • Run STP on both switches, then the link will look like this:
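The bridging-loop scenario from slide 8, as an added Python model that is not part of the original slides: the bridge IDs, link names and two-switch topology are constructed for the example, and the root election and loop-blocking are a simplified version of what 802.1D STP does, used to show why the broadcast stops circulating once one of the two parallel links is blocked.

```python
# Added example (not from the slides): STP's effect on the redundant link
# between switch A and switch B from slide 8. The bridge with the lowest
# (priority, MAC) ID becomes root; links that would close a loop are blocked.
from collections import deque

# Constructed topology: two switches joined by two parallel links (a loop).
BRIDGES = {"A": (32768, "00:00:00:00:00:0a"), "B": (32768, "00:00:00:00:00:0b")}
LINKS = [("A", "B", "link1"), ("A", "B", "link2")]

def elect_root(bridges):
    """Lowest (priority, MAC) wins, as in 802.1D root bridge election."""
    return min(bridges, key=lambda name: bridges[name])

def spanning_tree(bridges, links):
    """Return the link names left forwarding; every other link is blocked.
    Walking outward from the root, a link is kept only if it reaches a bridge
    not reached yet; a second link to an already-reached bridge is a loop."""
    root = elect_root(bridges)
    reached, forwarding, frontier = {root}, set(), deque([root])
    while frontier:
        cur = frontier.popleft()
        for a, b, name in links:
            if cur not in (a, b):
                continue
            other = b if cur == a else a
            if other not in reached:
                reached.add(other)
                forwarding.add(name)
                frontier.append(other)
    return forwarding

def flood(links, active, start, hop_limit=10):
    """Flood a broadcast out every active link except the one it arrived on.
    Returns the forward count; hitting hop_limit means the frame still circulates."""
    forwarded, pending = 0, deque([(start, None)])
    while pending and forwarded < hop_limit:
        bridge, came_from = pending.popleft()
        for a, b, name in links:
            if name not in active or bridge not in (a, b) or name == came_from:
                continue
            forwarded += 1
            pending.append((b if bridge == a else a, name))
    return forwarded

def demo():
    """Forward count without STP (both links active) and with STP."""
    no_stp = flood(LINKS, {"link1", "link2"}, "A")
    with_stp = flood(LINKS, spanning_tree(BRIDGES, LINKS), "A")
    return no_stp, with_stp
```

Without STP the broadcast from A keeps bouncing between the two links until the hop limit stops the simulation; with STP only link1 forwards and the frame is delivered once.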

  9. Virtual LANs
    • A campus network should be designed using small bandwidth domains and small broadcast domains.
    • A bandwidth domain is a set of devices that share bandwidth and compete for access to it.
    • A traditional bus topology or hub-based Ethernet is a single bandwidth domain.
    • A switch divides up the bandwidth domain and is often used to connect each device, so that the network consists of many extremely small bandwidth domains.
    • With a switch, the bandwidth domain consists of the switch port and the device that connects to it.
    • On networks that experience collisions (traditional Ethernet), a bandwidth domain is a collision domain.

  10. Continue..
    • By default, switches do not divide broadcast domains.
    • The campus access layer should use switches and provide broadcast control.
    • How? Use VLANs.

  11. VLANs..continue..
    • What is a VLAN?
    • A VLAN is an emulation of a standard LAN that allows data transfer to take place without the traditional physical restraints placed on the network.
    • It is a set of LAN devices that belong to an administrative group.
    • Group membership is based on configuration parameters and administrative policies rather than physical location.
    • Members of a VLAN communicate with each other as if they were on the same wire or hub, although they may actually be located on different physical LAN segments.
    • Since VLANs are based on logical instead of physical connections, they are extremely flexible.

  12. Continue..
    • In modern networks:
      • IP configuration uses DHCP.
      • VLANs have become a method to subdivide physical switch-based LANs into many logical LANs.
    • VLANs allow a large, flat, switch-based network to be divided into separate broadcast domains.
    • A VLAN-enabled switch floods a broadcast out only to the ports that are part of the same VLAN as the sending station.

  13. Fundamental VLAN Designs
    • Figure 5-8 shows two switches, A and B.
    • Switch A connects the A stations.
    • Switch B connects the B stations.
    • When station A1 sends a broadcast, stations A2 and A3 receive the broadcast.
    • None of the B stations receive the broadcast, since the two switches are not connected.

  14. Continue..
    • Figure 5-9 shows the same configuration using a single switch.
    • This allows two VLANs to be implemented in a single switch rather than two separate physical LANs.
    • Broadcast, multicast and unknown-destination traffic originating with any member of VLAN A is forwarded to all other members of VLAN A.
    • No packet is forwarded to VLAN B.
    • The protocol behavior is the same as in Figure 5-8.

  15. Continue..
    • VLANs can span multiple switches.
    • Figure 5-10 shows switches with VLAN A and VLAN B.
    • In this figure, all frames going from switch A to switch B take the same interconnection path.

  16. [Figure 5.10: VLANs Span Switches. Stations A1-A6 in VLAN A and stations B1-B6 in VLAN B are spread across switch A and switch B.] AAB-2013

  17. Continue..
    • How does a switch recognize the destination VLAN of a packet?
    • It uses a VLAN tag, a special header that contains a VLAN identifier specifying to which VLAN the frame belongs.
    • Since both switches have been configured to recognize VLAN A and VLAN B, they can exchange frames across the interconnection link.
    • The recipient switch can determine the VLAN into which those frames should be sent by examining the VLAN tag.
    • The link between the switches is called a trunk link, or a trunk.
    • A major design consideration is determining the scope of a VLAN and how many switches it should span.
    • Most designers keep the scope small, since a VLAN is a broadcast domain.
    • A single broadcast domain should be limited to a few hundred workstations.
    • Another design consideration is trunk capacity.
    • 10 Mbps is sufficient to support a small network or lab network for learning and testing purposes.
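The trunk and VLAN-tag mechanism of Figure 5.10 and slide 17, as an added Python example that is not from the original slides: the switch and port names, VLAN IDs 10 and 20, and the broadcast frame are constructed, and the tag layout (TPID 0x8100 followed by a 16-bit TCI with a 12-bit VLAN ID) follows IEEE 802.1Q.

```python
# Added example (not from the slides): two VLAN-aware switches joined by a
# trunk, as in Figure 5.10 and slide 17. A broadcast from station A1 is flooded
# only to VLAN A ports; on the trunk it carries an 802.1Q tag (TPID 0x8100 and
# a 12-bit VLAN ID) so that switch B knows which VLAN to flood it into.
import struct

TPID = 0x8100          # 802.1Q tag protocol identifier

def add_tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the destination/source MAC pair."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def strip_tag(frame):
    """Return (vid, untagged_frame); vid is None when the frame has no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

class Switch:
    def __init__(self, name, access, trunk):
        self.name = name
        self.access = access   # access port -> VLAN ID (untagged station ports)
        self.trunk = trunk     # name of the trunk port (or None)

    def receive(self, in_port, frame):
        """Flood a broadcast: untagged copies to the other access ports of the
        same VLAN, plus one tagged copy onto the trunk. Returns {port: frame}."""
        if in_port == self.trunk:
            vid, frame = strip_tag(frame)   # VLAN comes from the tag
        else:
            vid = self.access[in_port]      # VLAN comes from the port's config
        out = {p: frame for p, v in self.access.items() if v == vid and p != in_port}
        if self.trunk and in_port != self.trunk:
            out[self.trunk] = add_tag(frame, vid)
        return out

# Constructed topology: VLAN A = ID 10, VLAN B = ID 20 on both switches.
SWITCH_A = Switch("A", {"A1": 10, "A2": 10, "A3": 10, "B1": 20, "B2": 20, "B3": 20}, "trunk")
SWITCH_B = Switch("B", {"A4": 10, "A5": 10, "A6": 10, "B4": 20, "B5": 20, "B6": 20}, "trunk")
# Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:a1, EtherType ARP.
BROADCAST = b"\xff" * 6 + bytes.fromhex("0200000000a1") + b"\x08\x06" + b"arp-request"

def broadcast_from_a1():
    """Return the ports on switch A and on switch B that receive A1's broadcast."""
    from_a = SWITCH_A.receive("A1", BROADCAST)
    from_b = SWITCH_B.receive("trunk", from_a["trunk"])
    return sorted(from_a), sorted(from_b)
```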

  18. Wireless LANs
    • User mobility has become an important goal for many enterprises.
    • In a campus network design, one or more wireless LANs (WLANs) meet this goal by offering intranet and Internet access in open areas on the campus.
    • WLANs can also be applied in offices for cost-effectiveness.
    • A WLAN has an access point (AP) that communicates using radio frequency (RF) with wireless clients.
    • The area that a single access point can cover is known as a wireless cell.

  19. Continue..
    • Designing a WLAN topology:
      • The designer needs to determine the coverage area of each wireless cell in order to decide how many cells will be required to meet the total coverage needs.
    • Factors that affect the coverage of a single AP: data rate, power level, antenna choice, antenna positioning.

  20. Secure network design topologies
    • Discusses network security in relation to network topologies.
    • Planning for physical security:
    • When designing the logical topology, start thinking about where to put the equipment.
    • Critical equipment must be stored in a secured place that has protection from unauthorized access, theft, vandalism and natural disasters.

  21. Meeting security goals with a firewall topology
    • A firewall is a system, or combination of systems, that enforces a boundary between two or more networks.
    • A firewall can be:
      • A router with ACLs
      • A dedicated hardware box
      • Software running on a PC or UNIX system

  22. Continue..
    • Place the firewall in the network topology so that all traffic from outside the protected network must pass through the firewall.
    • A security policy specifies which traffic is allowed to enter the network.
    • A firewall is important at the boundary between the enterprise network and the Internet.
    • A basic firewall topology is simply a router with a WAN connection to the Internet, a LAN connection to the enterprise network and software that has security features.
    • This is suitable for a simple security policy that can be implemented on the router with ACLs.
    • The router can also use NAT to hide internal addresses from Internet hackers.

  23. Security Topologies [Figure 5.16: DMZ Topology. Internet, firewall, DMZ (web, file, DNS, mail servers) and enterprise network.]

  24. Continue..
    • For a customer that needs to publish data and protect private data:
      • The firewall topology can include a public LAN that hosts web, FTP, DNS and SMTP servers.
      • The public LAN is a demilitarized zone (DMZ).
    • A host in the DMZ is referred to as a bastion host: a secure system that supports a limited number of applications for use by outsiders.
    • Web pages

  25. Continue..
    • For a large customer, use a dedicated firewall in addition to a router between the Internet and the enterprise network.
    • To maximize security, run security features on the router and on the dedicated firewall (this will reduce performance…why???)
    • An alternate topology is to use two routers as the firewalls and place the DMZ between them.
    • Fig 5.17

  26. Security Topologies [Figure 5.17: Internet, DMZ (web, file, DNS, mail servers) and enterprise network.]

  27. Continue..
    • This topology is known as a three-part firewall topology.
    • Disadvantages:
      • The configuration on the routers might be complex, with many ACLs to control traffic in and out of the private network and the DMZ.
      • Traffic for the enterprise network flows through the DMZ. The DMZ connects public servers that can be compromised and act as a launching pad for attacks into the enterprise network.

  28. Continue..
    • How to strengthen this topology?
      • Use routers with simple ACLs at either end of the DMZ.
      • Include firewalls at either end that are configured with more complex ACLs.
      • The bastion hosts inside the DMZ run firewall software and can be configured for a limited set of services.
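The three-part firewall topology of slide 27 and its hardening from slide 28, as an added Python example that is not from the original slides: the addresses, port sets and ACL entries are constructed, and the evaluator models router ACLs as first-match with an implicit deny, plus a per-host service list standing in for the bastion hosts' firewall software.

```python
# Added example (not from the slides): a first-match ACL evaluator for the
# three-part firewall topology of slides 27-28: an outer router between the
# Internet and the DMZ, an inner router between the DMZ and the enterprise
# network, and bastion hosts that accept only their own service. All addresses,
# ports and rules are constructed; each router filters traffic arriving from
# its less-trusted side, with an implicit deny at the end of the ACL.
import ipaddress

DMZ = ipaddress.ip_network("203.0.113.0/24")      # public LAN (constructed)
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")   # private network (constructed)

def rule(action, src, dst, dports=None):
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dports)

# Outer router (simple ACL): the Internet may reach the DMZ only on published ports.
OUTER_ACL = [rule("permit", "0.0.0.0/0", "203.0.113.0/24", {25, 53, 80, 443})]
# Inner router (simple ACL): a DMZ host, compromised or not, never opens
# connections into the private network, so it cannot serve as a launching pad.
INNER_ACL = [rule("deny", "203.0.113.0/24", "10.0.0.0/8")]
# Bastion hosts: each runs host firewall software allowing one service only.
BASTION_SERVICES = {"203.0.113.10": {80, 443},   # web
                    "203.0.113.20": {53},        # DNS
                    "203.0.113.30": {25}}        # mail

def evaluate(acl, src, dst, dport):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcnet, dstnet, dports in acl:
        if s in srcnet and d in dstnet and (dports is None or dport in dports):
            return action
    return "deny"

def routers_crossed(src, dst):
    """Which routers a packet from src to dst passes, outermost first."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    crossed = []
    if s not in DMZ and s not in ENTERPRISE:        # arrives from the Internet
        crossed.append(("outer", OUTER_ACL))
    if d in ENTERPRISE and s not in ENTERPRISE:     # heads into the private network
        crossed.append(("inner", INNER_ACL))
    return crossed

def decide(src, dst, dport):
    """'permit' only if every router on the path and the target host allow it;
    otherwise name the layer that stopped the packet."""
    for name, acl in routers_crossed(src, dst):
        if evaluate(acl, src, dst, dport) == "deny":
            return f"deny@{name}"
    allowed = BASTION_SERVICES.get(dst)
    if allowed is not None and dport not in allowed:
        return "deny@host"
    return "permit"
```

The outer router's coarse rule lets port 80 through to any DMZ address, so it is the DNS host's own firewall that refuses a web connection to it; a connection attempt from a DMZ host into the private network is stopped at the inner router regardless of port.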

  29. Summary
    • Use a systematic, top-down approach
    • Plan the logical design before the physical design
    • Topology design should feature hierarchy, redundancy, modularity, and security

  30. Review Questions
    • Why are hierarchy and modularity important for network designs?
    • What are the three layers of Cisco's hierarchical network design?
    • What are the major components of Cisco's enterprise composite network model?
    • What are the advantages and disadvantages of the various options for multihoming an Internet connection?
