CSE 550 Computer Network Design
Dr. Mohammed H. Sqalli, COE, KFUPM
Spring 2007 (Term 062)
CSE-550-T062 Lecture Notes - 6 2
Outline
Network Topology Design
Flat Network Topologies
Hierarchical Network Design Model
Mesh Network Topologies
Redundant Network Design Topologies
Modular Network Design Model
Campus/LAN Network Design Topology
Enterprise/WAN Network Design Topology
Secure Network Design Topologies
Network Topology Design
Network Topology Design
First step in the logical design phase of the top-down network design methodology
During this phase, we identify:
  Networks and interconnection points
  Size and scope of networks
  Types of internetworking devices required
Network Topology Design
Questions to determine network topology:
  Is it a small LAN with few workstations?
  Is it a campus LAN or a massive enterprise implementation?
  Is scalability important?
  How about network management?
  What about cost?
Network Topology Design
No one topology is right for every network environment
Each network topology can be an integral part of another topology design
Redundant and secure topologies should be part of every network design
Network Topologies
Network topologies covered:
  Flat
  Hierarchical
  Mesh
  Redundant
  Campus/LAN
  Enterprise/WAN
  Secure

Flat Network Topologies
Flat Network Topologies
Generally used for very small networks
Each network device (e.g., hub, switch, ...) is used for a general rather than a specific purpose
Most network components are used for simple broadcasting and for providing limited switching capabilities
Based on a common broadcast domain
There is no hierarchy
Not generally created in a modular fashion
Provide a consistent and easy-to-manage network environment
Scalability is not usually an important design factor
Flat Network Topologies - Advantages
Lower initial cost – due to the smaller size of the network and lower equipment costs
  Special routing and switching components are not used to a wide extent
Reliability – due to the simplistic design and the generally static nature of the topology
Easy to design – due to the lack of need for modularity and scalability
Easy to implement – due to the lack of specialized switching equipment
Easy to maintain – as long as the network stays small
Flat Network Topologies - Disadvantages
Not modular – changes to the environment will usually affect all internetworking devices
Bandwidth domain – most if not all devices are usually in the same bandwidth domain (i.e., they share the same bandwidth)
Broadcast domain – a single shared broadcast domain, which can lead to congestion
Lack of hierarchy makes troubleshooting difficult – the entire network has to be inspected
Flat WAN Topologies
Flat loop topology: a WAN for a small company may consist of a few sites connected in a loop
  Meets goals for low cost and reasonably good availability
  Quick convergence of routing protocols
  Communication recovers when one link fails
  Not recommended for networks with many sites: significant delay and a higher probability of failure because of routers that are many hops away
Flat vs. Hierarchical WAN Topologies
Hierarchical redundant topology meets goals for scalability, high availability, and low delay
Hierarchical Network Design Model
Hierarchical Network Design Model (1/2)
When scalability is a major goal, a hierarchical topology is recommended
Created in layers to allow specific functions and features to be implemented in each of the layers
Each component is carefully placed in a hierarchical design for maximum efficiency and a specific purpose
Routers, switches, and hubs all play specific roles in routing and distributing data and packet information
The model can be used for switched networks as well as routed networks
Hierarchical Network Design Model (2/2)
Incorporates 3 key layers (three-tier hierarchical model):
  Core layer
  Distribution layer
  Access layer
Each layer has a specific role
Each layer provides a backbone for the layer below
Definition: A backbone is a network whose primary purpose is the interconnection of other networks
Three-layer Hierarchical Topology (1/4)

Three-layer Hierarchical Topology (2/4)
A Partial-Mesh Hierarchical Design

Three-layer Hierarchical Topology (3/4)

Three-layer Hierarchical Topology (4/4)
Three-layer Hierarchical Topology - Core Layer (1/3)
Main rule: Design the core layer for optimized transport between sites
Should be optimized for low latency and good manageability
Consists of high-end routers and switches that are optimized for availability and performance
Focus on redundancy and reliability
  Adapt to changes quickly and continue to function with circuit outages
Should have a limited and consistent diameter
  Provides predictable performance and ease of troubleshooting
Three-layer Hierarchical Topology - Core Layer (2/3)
Provides optimal wide-area transport between geographically remote sites
Connects campus networks in a corporate or enterprise WAN
Services are typically leased from a telecom service provider
Need to use bandwidth efficiently because of provider tariffs
May use the public Internet as the enterprise backbone
Three-layer Hierarchical Topology - Core Layer (3/3)
Includes one or more links to external networks (for extranet or Internet connections). This centralization at the core:
  Reduces complexity and the potential for routing problems
  Minimizes security concerns, since there is only one security structure to administer
  Means higher bandwidth costs
Avoid using packet filters or other features that slow down packet forwarding in the core (policy and filtering belong at the distribution layer)
Avoid connecting end stations to the core
Three-layer Hierarchical Topology - Distribution Layer (1/3)
Main rule: Connect network services and implement policies at the distribution layer
Demarcation point between the access and core layers
Acts as a concentration point for many of its access-layer sites
Delineates broadcast domains (can be done at the access layer as well)
Can be configured to route between VLANs
Connects multiple networks (departments) within a campus network environment (one or more buildings)
Includes the campus backbone network, based on FDDI, Fast Ethernet, Gigabit Ethernet, or ATM
Connects network services to the access layer
Three-layer Hierarchical Topology - Distribution Layer (2/3)
Links are usually owned and/or controlled by the organization
Network policies are often implemented in this layer:
  Consists of routers and switches that implement policies
  Network security: firewalls, filtering, encryption
  Access to services (admin privileges, etc.)
  Traffic patterns through definition of path metrics (priority, preference, trust, etc.)
  Route summarization / address aggregation
  Network naming and numbering conventions
  Traffic loading, routing, and address translation
Three-layer Hierarchical Topology - Distribution Layer (3/3)
Controls access to resources for security reasons
Controls network traffic that traverses the core for performance reasons
Redistributes between bandwidth-intensive access-layer routing protocols (e.g., IGRP) and optimized core routing protocols (e.g., EIGRP)
Should hide detailed topology information about the access layer from core routers
  Maximizes hierarchy, modularity, and performance (e.g., route summarization)
Should hide detailed topology information about the core layer from the access layer (e.g., use one default route)
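Worked example (added here; it is not part of the lecture notes): the distribution-layer summarization described above, done with Python's ipaddress module. The access-layer subnets, the layer names and the function names are constructed for illustration. The example also reports how much address space a single summary claims beyond the real subnets, which is why a summarizing router normally carries a discard route for its summary: otherwise packets for the unused part bounce between the summary route in the core and the default route on the distribution router.

```python
# Added example (not from the lecture notes): route summarization at the
# distribution layer. The access-layer subnets and layer names below are
# constructed sample data.
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample: /24s handed out to access-layer switches under one
# distribution router.
ACCESS_SUBNETS = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",  # building A
    "10.1.4.0/24",                                                # building B
]


def _nets(prefixes: Iterable[str]) -> List[IPv4Net]:
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if not nets:
        raise ValueError("no prefixes to summarize")
    if any(n.version != 4 for n in nets):
        raise ValueError("this example handles IPv4 only")
    return nets


def exact_summary(prefixes: Iterable[str]) -> List[str]:
    """Smallest set of prefixes covering exactly the given subnets.

    Adjacent /24s that line up on a power-of-two boundary collapse into one
    supernet; stragglers stay separate. Nothing outside the real subnets is
    advertised, at the cost of more than one route."""
    return [str(n) for n in ipaddress.collapse_addresses(_nets(prefixes))]


def single_summary(prefixes: Iterable[str]) -> str:
    """One prefix that contains every subnet: what the core sees if the
    distribution router advertises a single summary upward."""
    nets = _nets(prefixes)
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()  # widen by one bit until everything fits
    return str(cand)


def overclaimed_addresses(prefixes: Iterable[str]) -> int:
    """Addresses inside the single summary that belong to no real subnet.

    Traffic for these is attracted to the distribution router by the summary;
    without a discard route for the summary it follows the default back to the
    core and loops. The count shows how much unused space a summary claims."""
    prefixes = list(prefixes)
    summary = ipaddress.ip_network(single_summary(prefixes))
    real = sum(n.num_addresses for n in ipaddress.collapse_addresses(_nets(prefixes)))
    return summary.num_addresses - real


def routing_tables(prefixes: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """What each layer learns: the core gets one summary, the access layer gets
    one default route, and only the distribution router keeps the specifics."""
    prefixes = list(prefixes)
    specifics = {p: "access" for p in prefixes}
    return {
        "core": {single_summary(prefixes): "distribution"},
        "distribution": {**specifics, "0.0.0.0/0": "core"},
        "access": {"0.0.0.0/0": "distribution"},
    }


if __name__ == "__main__":
    print("exact:", exact_summary(ACCESS_SUBNETS))
    print("single:", single_summary(ACCESS_SUBNETS),
          "overclaims", overclaimed_addresses(ACCESS_SUBNETS), "addresses")
    for layer, table in routing_tables(ACCESS_SUBNETS).items():
        print(layer, table)
```

For the sample, the four building-A /24s collapse to 10.1.0.0/22 and building B stays a /24; forcing a single summary gives 10.1.0.0/21, which claims 768 addresses that no access switch actually uses.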
Three-layer Hierarchical Topology - Access Layer (1/3)
Main rule: Move users down to the access layer
Provides end-user access to a network
Where hosts are attached to the network (e.g., labs)
Usually a LAN or a group of LANs
Usually within a single building (or a single floor)
Typically uses Ethernet, Token Ring, or FDDI
Can include routers, switches, bridges, shared-media hubs, and wireless access points
Three-layer Hierarchical Topology - Access Layer (2/3)
Connects workgroups (e.g., marketing, administration)
Can be divided into two levels (workgroup level and desktop level)
  Workgroup level: e.g., departmental level
  Desktop level: where end-user devices are attached
Provides logical network segmentation, traffic isolation, and a distributed environment
Remote (dialup) users are connected at this tier
Three-layer Hierarchical Topology - Access Layer (3/3)
In a campus network, it provides switches or hubs for end-user access
  Connects users via lower-end switches and wireless access points
  Switches are used to divide up bandwidth domains to meet the specific demands of certain applications (e.g., multimedia)
In a WAN design, it consists of the routers at the edge of the campus networks
  Provides remote access into the corporate internetwork using WAN technologies, e.g., ISDN, Frame Relay, etc.
  Can implement routing features, e.g., dial-on-demand routing (DDR)
Hierarchical Network Design - Guidelines (1/3)
Choose a hierarchical model that best fits your requirements
Do not always completely mesh all tiers of the network (use the backbone for connections)
  Core connectivity, however, will generally be meshed for circuit redundancy and network convergence speed
Do not place end stations on backbones
  Improves the reliability of the backbone
Workgroup LANs should keep as much as 80% of their traffic local to the workgroup
  Requires the right positioning of the servers
Use specific features at the appropriate hierarchical level
Hierarchical Network Design - Guidelines (2/3)
Control the diameter of a hierarchical enterprise network topology (in most cases, 3 major layers are sufficient)
  Provides low and predictable latency
  Helps predict routing paths, traffic flows, and capacity requirements
  Makes troubleshooting and network documentation easier
Design the access layer first, then the distribution layer, and finally the core layer
  Helps perform capacity planning more accurately at the distribution and core layers
Hierarchical Network Design - Guidelines (3/3)
Avoid chains at the access layer (e.g., connecting a branch network to another branch, adding a 4th layer)
Avoid backdoors (i.e., connections between devices in the same layer)
  Cause unexpected routing problems
  Make network documentation and troubleshooting more difficult

Hierarchical Network Design Guidelines - A Chain and A Backdoor at the Access Layer
Three-layer Hierarchical Topology - Advantages (1/4)
Modularity:
  Keeps each design element simple and easy to understand
  Allows each component to perform a specific purpose in the internetwork
  Easier and more organized network management
  Enables creating design elements that can be replicated as the network grows (scalability)
  Example: Planning a campus network for a new site might simply mean replicating an existing campus network design
Scalability:
  Allows addition of routers, switches, etc. when needed with minimum impact on the design
  Hierarchical networks are built for maximum scalability
  As elements in a network require change, the cost of an upgrade is contained to a small subset of the network
Three-layer Hierarchical Topology - Advantages (2/4)
Predictability:
  Makes capacity planning for growth easier
Manageability:
  Easy to deploy network management instrumentation by placing probes at different levels of the hierarchy
  More automated
Ease of troubleshooting:
  Fault isolation is improved because network technicians can easily recognize the transition points in the network, which helps isolate possible failure points
  Use a "divide-and-conquer" approach: temporarily segment the network
  Does not affect the core tier of the network
Three-layer Hierarchical Topology - Advantages (3/4)
Ease of implementation:
  A phased approach is more effective due to the cost of resources
  Efficient allocation of resources in each phase of network deployment
Simplicity:
  Minimizes the need for extensive training for network operations personnel
  Testing a network design is made easy because there is clear functionality at each layer
Protocol support:
  Mixing new protocols is easier
  Merger of companies using different protocols is easier
Three-layer Hierarchical Topology - Advantages (4/4)
High availability:
  Due to redundancy, alternate paths, optimization, and filtering
Low delay:
  Routers delineating broadcast domains
  Multiple paths for switching and routing
Cost efficient:
  Due to the ability to optimize and tune switching and routing paths
  Today's fast-converging routing protocols were designed for hierarchical topologies
  Route summarization is facilitated by hierarchical network design
Three-layer Hierarchical Topology - Disadvantages
Cost – due to the redundancy that is often integrated into the network topology and switching equipment
Three-layer Hierarchical Model - Variations
One-tier Design – Distributed
One-tier Design – Hub-and-Spoke
Two-tier Design
Three-layer Hierarchical Model - One-tier Design – Distributed
Remote networks connect to a pseudo-core
Good for small networks with no centralized server location
Advantage: Faster overall response time between peers, simplicity, and cost effectiveness
Disadvantage: Loss of centralized management control and higher management cost because of duplicated management functions
  Responsibilities such as server backups and network documentation are delegated to the access site
Three-layer Hierarchical Model - One-tier Design – Hub-and-Spoke
Servers are located in central farms
Advantage: Increased management control (centralized)
Disadvantage: Single points of failure and bandwidth aggregation

Three-layer Hierarchical Model - A Hub-and-Spoke Hierarchical Topology
Three-layer Hierarchical Model - Two-tier Design
A campus backbone that interconnects separate buildings
VLANs can be used to create separate logical networks (i.e., broadcast domains)
How Can You Tell When You Have a Good Design? (P. Welcher)
When you already know how to add a new building, floor, WAN link, remote site, e-commerce service, and so on
When new additions cause only local change, to the directly connected devices
When your network can double or triple in size without major design changes
When troubleshooting is easy because there are no complex protocol interactions to wrap your brain around
Mesh Network Topologies
Mesh Network Topologies
Network designers often recommend a mesh topology to meet availability requirements
Constructed with many different interconnections between network nodes
Two types:
  1. Full-mesh topology
  2. Partial-mesh topology
Mesh Network Topologies - Full-Mesh Topology (1/3)
Every router or switch is connected to every other router or switch
Provides complete redundancy and excellent reliability
Offers good performance
Nodes are typically located at the core or backbone level of the enterprise network
Mesh Network Topologies - Full-Mesh Topology (2/3)
Frequently supports mission-critical services and applications
Cannot guarantee that server or application failures will be avoided with just a fully meshed backbone
Not a cost-effective solution
  High number of links: N*(N-1)/2 for N routers or switches (e.g., 10 routers need 45 links)

Mesh Network Topologies - Full-Mesh Topology (3/3)
Mesh Network Topologies - Partial-Mesh Topology (1/2)
Has fewer connections than a full-mesh topology
  Each network node or switch does not necessarily have an immediate connection to every other network node or switch
  To reach another router, the network might require traversing intermediate links
Can still provide redundancy through alternate paths
  Allows mission-critical applications to continue processing
  If a network connection fails, the network will remain operational with reduced bandwidth and service levels
More likely to be implemented in an enterprise network

Mesh Network Topologies - Partial-Mesh Topology (2/2)
Mesh Network Topologies - Advantages
Good reliability
Redundancy – provided by having multiple links connecting each network site
Mesh Network Topologies - Disadvantages
Mesh networks can be expensive to deploy and maintain:
  Due to redundancy and high circuit cost
Hard to optimize, troubleshoot, and upgrade
  Devices are not optimized for specific functions
  Containing network problems is difficult because of the lack of modularity
  Difficult to upgrade just one part of the network
Have scalability limits for groups of routers that broadcast routing updates (i.e., processing increases)
  A hierarchical design limits the number of router adjacencies

Mesh Network Topologies - A Partial-Mesh Hierarchical Design
Redundant Network Design Topologies
Redundant Network Design Topologies - Introduction (1/3)
Provide network availability by duplicating network links and interconnectivity devices
Eliminate the possibility of having a single point of failure (SPOF) on the network
  Goal: Duplicate any required component whose failure could disable critical applications
Need to consider redundancy in transmission media, routers, workstations, and servers
The designer can select different media types to provide redundancy (e.g., satellite and data circuits)

Redundant Network Design Topologies - Introduction (2/3)
Redundant Network Design Topologies - Introduction (3/3)
Should be incorporated into all network designs
Extremely important at the core or backbone layer
Help the designer meet the availability goals for users accessing local services (in campus networks)
Help the designer meet the overall availability and performance goals (in enterprise networks)
Add complexity to the network topology and to network addressing and routing
Note: Select a level of redundancy that matches your customer's requirements for availability and affordability
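Worked example (added here; it is not part of the lecture notes): a small Python check for the single points of failure this section talks about, plus the full-mesh link count N*(N-1)/2 from the mesh section. It removes each link and each device in turn and tests whether what is left is still connected, which is the brute-force version of the bridge/articulation-point search a designer would run on a proposed topology before signing off on its redundancy. The three sample topologies (the flat loop from the WAN slides, a hub-and-spoke, and a partial-mesh hierarchy with one single-homed access switch) and all device names are constructed.

```python
# Added example (not from the lecture notes): single-point-of-failure check
# for a proposed topology, and the full-mesh link count. All topologies and
# device names below are constructed.
from collections import deque
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Link = FrozenSet[str]  # an undirected link is the unordered pair of its ends


def full_mesh_links(n: int) -> int:
    """Links needed for a full mesh of n routers or switches: N*(N-1)/2."""
    if n < 0:
        raise ValueError("need a non-negative node count")
    return n * (n - 1) // 2


def full_mesh(nodes: Iterable[str]) -> Set[Link]:
    """Every node connected to every other node."""
    return {frozenset(pair) for pair in combinations(sorted(set(nodes)), 2)}


def links(*pairs: Tuple[str, str]) -> Set[Link]:
    """Build an undirected link set from (a, b) pairs."""
    for a, b in pairs:
        if a == b:
            raise ValueError("a link needs two distinct ends")
    return {frozenset(p) for p in pairs}


def connected(nodes: Set[str], lnks: Set[Link]) -> bool:
    """True if every node can reach every other node (BFS from one node)."""
    if not nodes:
        return True
    adj: Dict[str, Set[str]] = {n: set() for n in nodes}
    for lnk in lnks:
        a, b = tuple(lnk)
        if a in adj and b in adj:  # links touching a removed device are ignored
            adj[a].add(b)
            adj[b].add(a)
    start = next(iter(nodes))
    seen = {start}
    queue = deque([start])
    while queue:
        for nb in adj[queue.popleft()]:
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen == nodes


def spof_links(nodes: Set[str], lnks: Set[Link]) -> List[Tuple[str, str]]:
    """Links whose single failure partitions the network."""
    return sorted(tuple(sorted(l)) for l in lnks if not connected(nodes, lnks - {l}))


def spof_nodes(nodes: Set[str], lnks: Set[Link]) -> List[str]:
    """Devices whose single failure partitions the remaining network."""
    return sorted(n for n in nodes if not connected(nodes - {n}, lnks))


# Constructed sample topologies.
RING = {"A", "B", "C", "D"}                      # flat loop WAN, four sites
RING_LINKS = links(("A", "B"), ("B", "C"), ("C", "D"), ("D", "A"))
STAR = {"H", "S1", "S2", "S3"}                   # hub-and-spoke
STAR_LINKS = links(("H", "S1"), ("H", "S2"), ("H", "S3"))
HIER = {"C1", "C2", "D1", "D2", "A1"}            # meshed core, dual-homed
HIER_LINKS = links(("C1", "C2"), ("C1", "D1"), ("C1", "D2"),   # distribution,
                   ("C2", "D1"), ("C2", "D2"), ("D1", "A1"))   # single-homed A1

if __name__ == "__main__":
    for name, nodes, lnks in (("ring", RING, RING_LINKS),
                              ("star", STAR, STAR_LINKS),
                              ("hier", HIER, HIER_LINKS)):
        print(name, "SPOF links:", spof_links(nodes, lnks),
              "SPOF devices:", spof_nodes(nodes, lnks))
    print("full mesh of 10 routers needs", full_mesh_links(10), "links")
```

The loop survives any single link or site failure, the hub-and-spoke fails on every link and on the hub, and the hierarchy's only weak spot is the single-homed access switch A1 and the distribution switch it hangs off; that is the kind of result that tells you where the second uplink has to go.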
Redundant Network Design Topologies - Example

Redundant Network Design Topologies - Advantages & Disadvantages
Advantages:
  Provides high network availability
  Protects data transactions from hardware failures
  Allows easier and more cost-effective network management of redundant nodes
Disadvantages:
  Could be costly if not well designed
Redundant Network Design Topologies - Backup Paths (1/3)
A backup path:
  Consists of routers and switches and individual backup links between routers and switches that duplicate devices and links on the primary path
  Maintains interconnectivity even when one or more links are down
Two aspects of the backup path to consider:
  How much capacity does the backup path support?
  How quickly will the network begin to use the backup path?
Use a modeling tool to predict network performance when the backup is in use:
  It can be acceptable that the performance of the backup path is worse than that of the primary path
Redundant Network Design Topologies - Backup Paths (2/3)
Backup paths usually have less capacity than primary paths, e.g., a leased line with a backup dial-up line
  However, requirements may state that both must provide the same performance; this is expensive
  Tradeoff: cost vs. reliability
Automatic fail-over is necessary for mission-critical applications where disruption is not acceptable
  If manual reconfiguration is required to switch to a backup path, users will notice the disruption
A redundant partial-mesh network design speeds up automatic recovery when a link fails (e.g., spanning tree or routing protocol reconvergence onto the alternate path)
Redundant Network Design Topologies - Backup Paths (3/3)
The backup path must be tested
  Do not wait for a catastrophe to happen
Some backup links are used for load balancing as well as redundancy
  Advantage: The backup path is a tested solution that is regularly used and monitored
Redundant Network Design Topologies - Load Sharing
Redundancy improves performance by supporting load sharing across parallel links
Load sharing must be planned and in some cases configured
  Some protocols do not support load sharing by default (e.g., RIP running over IPX)
Some internetworking devices support sharing across multiple parallel paths

Modular Network Design Model
Modular Network Design Model
A fundamental concept related to hierarchy is modularity
Cisco uses the Enterprise Composite Network Model (ECNM) to describe the different modules of a typical enterprise network
The ECNM comprises three major areas
  Each area is made up of modules
  Modules can be added if necessary
  Modules may have submodules
  Each area should be designed using a systematic, top-down approach, applying hierarchy and redundancy where appropriate
Use the ECNM to simplify the complexity of a large internetwork
Enterprise Composite Network Model (1/3)
Enterprise campus:
  Includes the modules required to build a robust campus network
  Contains all elements for independent operation within one campus location
  An enterprise can have more than one campus
Enterprise edge:
  Aggregates the connectivity from various elements at the edge of the enterprise network
  This functional area filters traffic from the edge modules and routes it into the enterprise campus
  Contains all elements for efficient and secure communication between the enterprise campus and remote locations, business partners, mobile users, and the Internet

Enterprise Composite Network Model (2/3)
Service provider edge:
  The modules within it are not implemented by the enterprise
  Enable communication with other networks using WAN technologies and ISPs

Enterprise Composite Network Model (3/3)

Campus/LAN Network Design Topology
Campus Network Design Topology - Introduction (1/2)
Should meet a customer's goals for availability and performance:
  Small bandwidth domains
  Small broadcast domains
  Redundancy
  Mirrored servers
  Multiple ways for a workstation to reach a router for off-net communications
Should be designed using a hierarchical and modular approach
  To offer good performance, maintainability, and scalability
Campus Network Design Topology - Introduction (2/2)
Features a high-performance, switched backbone, i.e., the campus backbone:
  Connects buildings and different parts of the campus
Switched LANs:
  Can provide dedicated bandwidth to specific users
High-capacity, centralized server farm:
  Connects to the backbone and provides internal server resources to users, e.g., e-mail
  Must provide access to management devices that support monitoring, logging, security, etc.
Campus Network Design Topology - Virtual LANs (1/3)
VLAN: A logical grouping of nodes, consisting of clients and servers that reside in a common broadcast domain
Nodes within one VLAN:
  Need not be physically connected to the same switch or even be in the same physical location
  Appear as though they are connected to one Layer 2 bridge or switch
The primary purpose of Virtual LANs (VLANs) is to reduce broadcast and multicast traffic
Allow a large, flat, switch-based network to be divided into separate broadcast domains
Campus Network Design Topology - Virtual LANs (2/3)
VLANs allow more flexibility in the positioning of end stations and servers:
  They can be placed physically anywhere in the building and still remain in the same logical LAN (i.e., VLAN)
  They can be placed physically in the same location but move to a new logical LAN
Simplify moves, adds, and changes in a campus network

Campus Network Design Topology - Virtual LANs (3/3)
Virtual LANs - VLAN Types
There are three basic VLAN membership methods for determining and controlling how a packet gets assigned:
  Port-based VLANs (fastest)
  MAC-address-based VLANs
  Protocol-based VLANs
VLAN Types - Port-Based VLANs (1/2)
A VLAN is a collection of ports across one or more switches
  A device attached to one of these ports is a member of this VLAN
Manually assign a switch port to a particular VLAN number
  Example: Assign switch port 8 to a VLAN called Finance
Connect multiple VLAN switch ports to form a common VLAN
  Example: Switch port 1 can connect to marketing employees in the HQ building, port 2 can connect to marketing employees in the Sales building, etc.
VLAN Types - Port-Based VLANs (2/2)
Advantages
  Setup is quick and easy to understand
Disadvantages
  Cannot have a single port in more than one VLAN
  Manual tracking of all VLAN names, port numbers, and connected associated nodes
  Changing ports for a user requires reconfiguration of the VLAN setup
VLAN Types - MAC-Based VLANs (1/2)
VLAN membership is determined by the device MAC address
Add individual MAC addresses manually to specific VLANs
An end station, no matter where it is on the network, will be a member of that VLAN
VLAN Types - MAC-Based VLANs (2/2)
Advantages
  No need to reconfigure with mobility: if you move the PC/notebook (i.e., the NIC and its MAC address), the switch will retain the original VLAN membership
Disadvantages
  Every MAC address needs to be entered manually or added to a VLAN
  Performance degradation on ports with several MACs on different VLANs
  Many docking stations for notebooks have the NIC installed in them instead of in the notebooks
  If the NIC or PC is faulty and replaced, the switch VLAN configuration needs to be updated
  The MAC address is reported by the end station itself and can be changed in software, so MAC-based membership is a convenience for mobility, not an access control
VLAN Types - Layer 3/Protocol-Based VLANs (1/2)
A VLAN group is based on protocol type (e.g., IP) or on network address
Must be running more than one protocol
Set up a VLAN based on what specific protocol is in use
VLAN Types - Layer 3/Protocol-Based VLANs (2/2)
Advantages
  Often, particular applications use a specific protocol
  Allows you to create an application-specific VLAN
  A single port can participate in multiple VLANs
  Can segment by Network Operating System (NOS) server by choosing NetWare and NT as policies (the most common use of this kind of VLAN)
Disadvantages
  Must read Layer 3 addresses in packets
  Analyzing the protocol type on every packet is very time-consuming (vs. MAC- and port-based VLAN switching)
VLAN Types - Layer 3/IP Network Address VLANs (1/2)
Similar to the protocol-based method in that it uses Layer 3 info to determine VLAN membership
Different IP nodes can be grouped together to form one VLAN
Works very well with IP LANs, where each node can have a unique IP subnet address
VLAN Types - Layer 3/IP Network Address VLANs (2/2)
Advantages
  Works well if the VLAN grouping matches the physical IP subnet structure
Disadvantages
  Network address-based VLANs only work for IP-based nodes
VLAN Types - IP Multicast Address-Based VLANs
Use a proxy address for a larger group of IP addresses
  If a frame needs to go to the group of IP addresses, it is sent first to the proxy IP address and then forwarded to the entire group
Membership in the group is voluntary
Useful in networks where video or audio data is being broadcast and only a select few users are allowed or want to view or listen to the info
Set up at Layer 3 or higher
Temporary; nodes can leave the multicast domain at any time

VLAN Types - Summary of VLAN Membership Options (1/2)

VLAN Types - Summary of VLAN Membership Options (2/2)
Virtual LANs - Broadcast Domains with VLANs and Routers (1/3)
A VLAN is a broadcast domain created by one or more switches
Both scenarios show how three separate broadcast domains are created using three separate switches
Layer 3 routing allows the router to send packets to the different broadcast domains
Virtual LANs - Broadcast Domains with VLANs and Routers (2/3)
In this scenario, the VLANs are created using one router and one switch; there are still three separate broadcast domains
The router routes traffic between the VLANs using Layer 3 routing
The switch forwards frames to the router interfaces:
  If it is a broadcast frame
  If it is destined to one of the MAC addresses on the router
Virtual LANs - Broadcast Domains with VLANs and Routers (3/3)
Implementing VLANs on a switch causes the following to occur:
  The switch maintains a separate bridging table for each VLAN
  If a frame comes in on a port in VLAN 1, the switch searches the bridging table for VLAN 1
  When the frame is received, the switch adds the source address to the bridging table if it is currently unknown
  The destination is checked so a forwarding decision can be made
Virtual LANs - Disadvantages
No association between the physical layout and the logical layout
Extra traffic through the backbone if more than one switch covers a broadcast domain
Virtual LANs - Distributed VLANs
Figure: switches S1 through S6 attached to a router; the VLANs for subnets 2, 15, 230, 18, 135, and 9 are distributed across the switches, and the key distinguishes traffic for subnets 2, 15 and 230 from traffic for subnets 9, 18 and 135
Virtual LANs - VLAN Tagging
Inter-Switch Link (ISL, Cisco proprietary) and IEEE 802.1Q are two types of encapsulation used to carry data from multiple VLANs over trunk links
802.1Q "tags" frames by inserting four bytes of VLAN information between the Source Address and the Type or Length field and sliding the original bytes down; the CRC is recomputed over the tagged frame
Figure: IEEE 802 frame layout – Preamble (7 bytes), Start of Frame Delimiter (1 byte), Destination Address (6 bytes), Source Address (6 bytes), VLAN Tag (4 bytes, inserted by the switch), Type or Length (2 bytes), Data/payload (46 to 1500 bytes), CRC (4 bytes), Inter-Frame Gap (96 bit times); the figure also marks which fields are handled in hardware and which in software
Virtual LANs - VLAN Tag Format
Two-byte Tag Protocol Identifier (TPID) field, set to 0x8100 for 802.1Q-tagged Ethernet
Two-byte Tag Control Information (TCI) field, made up of:
  Three-bit User Priority field (for 802.1p prioritization)
  One-bit Canonical Format Indicator (CFI, used for Token Ring encapsulation in Ethernet)
  Twelve-bit VLAN ID (4096 values; VID 0 means the frame carries only a priority and no VLAN membership, and VID 4095 is reserved, leaving 4094 usable VLANs)
Figure: Tag Protocol Identifier (2 bytes) followed by Tag Control Info (2 bytes): User Priority (3 bits), CFI (1 bit), VLAN ID (12 bits)
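Worked example (added here; it is not part of the lecture notes): building and parsing the 802.1Q tag described above in Python. The MAC addresses, payloads and function names are constructed. Beyond the single tag in the notes, parse_frame also peels stacked tags (an 802.1ad 0x88A8 service tag, or a second 0x8100 tag), which is how a frame can arrive on a trunk carrying more than one VLAN tag; classify_vlan applies the two VID rules from the tag-format slide (VID 0 carries no VLAN membership and falls back to the port's native VLAN, VID 4095 is reserved).

```python
# Added example (not from the lecture notes): building and parsing IEEE 802.1Q
# tags on Ethernet frames. Frames and addresses below are constructed.
# Stacked-tag handling (802.1ad 0x88A8 outer tag, or a second 0x8100 tag) is a
# generalization beyond the single tag the notes show.
import struct
from typing import NamedTuple, Tuple

TPID_8021Q = 0x8100    # 802.1Q tag on Ethernet
TPID_8021AD = 0x88A8   # 802.1ad service (outer) tag
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
VID_PRIORITY_ONLY = 0  # frame carries a priority but no VLAN membership
VID_RESERVED = 4095


class VlanTag(NamedTuple):
    tpid: int
    priority: int  # 3-bit 802.1p user priority
    cfi: int       # 1-bit Canonical Format Indicator
    vid: int       # 12-bit VLAN ID


class Frame(NamedTuple):
    dst: bytes
    src: bytes
    tags: Tuple[VlanTag, ...]  # outermost first; empty for an untagged frame
    ethertype: int             # Type/Length field that follows the last tag
    payload: bytes


def build_tag(vid: int, priority: int = 0, cfi: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Four tag bytes: 2-byte TPID, then 2-byte TCI = priority(3) | CFI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    tci = (priority << 13) | (cfi << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vids: Tuple[int, ...] = ()) -> bytes:
    """Ethernet header with zero or more tags inserted between SA and Type/Length.
    Preamble, SFD and CRC are added by the NIC and are not part of this buffer."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Walk the header, peeling every tag until a non-tag EtherType is reached."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    off = 12
    tags = []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated header")
        ethertype = struct.unpack_from("!H", raw, off)[0]
        if ethertype not in TAG_TPIDS:
            break
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return Frame(dst, src, tuple(tags), ethertype, raw[off + 2:])


def classify_vlan(frame: Frame, native_vid: int) -> int:
    """VLAN a trunk port assigns the frame: the outer tag's VID, or the port's
    native VLAN for untagged and priority-only (VID 0) frames."""
    if not frame.tags or frame.tags[0].vid == VID_PRIORITY_ONLY:
        return native_vid
    vid = frame.tags[0].vid
    if vid == VID_RESERVED:
        raise ValueError("VID 4095 is reserved and must not appear on the wire")
    return vid


if __name__ == "__main__":
    # Constructed sample: broadcast ARP-sized frame on VLAN 100.
    raw = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                      0x0806, bytes(28), vids=(100,))
    frame = parse_frame(raw)
    print(raw.hex(), frame.tags, hex(frame.ethertype), classify_vlan(frame, 1))
```

On a trunk the native VLAN is exactly the case where no tag is present, so the fallback in classify_vlan is what decides which VLAN an untagged or priority-only frame lands in; that is the setting worth checking on every trunk port.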
Virtual LANs - VLAN Trunking
VLAN tags can be used to carry traffic for multiple VLANs across a common link (called VLAN trunking)
Figure: switches S1 and S2 joined by a trunk; the Subnet 2 VLAN and the Subnet 15 VLAN each span both switches, and the key distinguishes Subnet 2 traffic from Subnet 15 traffic
Campus Network Design Topology - Wireless LANs - Wireless LANs (WLANs) support user mobility Offers access in open areas on the campus Enables deployment of LANs where it is not cost-
effective or practical to install cabling Designer needs to determine the converge area of
each wireless cell (a single access point (AP)) and decide how many cells are needed
APs should be positioned for maximum coverage Whenever possible, a WLAN should be a separate
subnet to simplify addressing while roaming, and to improve management and security
Campus Network Design Topology - Redundant LAN Segments (1/3) -
Design redundant links between LAN switches
Topology of each module and sub-module is partially determined by the Spanning Tree Protocol (STP)
Most LAN switches implement the IEEE 802.1d spanning tree algorithm
Loops in network traffic are avoided
Algorithm guarantees that only one path is active between two stations
Good solution for redundancy, but not for load sharing
Can combine IEEE 802.1d and VLANs in some switches to implement one spanning tree per VLAN
Redundant links can offer load sharing and fault tolerance
Campus Network Design Topology - Redundant LAN Segments (2/3) -
Campus Network Design Topology - Redundant LAN Segments (3/3) -
A is the root bridge for VLANs 2, 4, and 6; B can become root bridge if A fails
B is the root bridge for VLANs 3, 5, and 7; A can become root bridge if B fails
This design scales to very large campus networks
Has been tested on a network with: 8000 users, 80 access-layer switches, 14 distribution-layer switches, 4 core campus routers
Campus Network Design Topology- Server Redundancy (1/2) -
Depends on the customer’s requirements
Services include: file, web, DHCP (Dynamic Host Configuration Protocol), name, database, etc.
Use redundant servers when needed
Example: DHCP
The servers should hold redundant (mirrored) copies of the DHCP database
DHCP servers can be placed at either the:
Access layer - for large networks
Avoids excessive traffic between access and distribution layers
Each DHCP server serves a smaller % of users
Distribution layer - for small networks
Campus Network Design Topology- Server Redundancy (2/2) -
Campus Network Design Topology- Workstation-to-Router Redundancy -
Routers may implement HSRP (Hot Standby Router Protocol): Cisco proprietary
Provides automatic router backup when configured on Cisco routers
Allows one router to automatically assume the function of a second router if the second router fails
Provides a way for an IP workstation to keep communicating on an internetwork even if its default router becomes unavailable
Useful when users on one subnet require continuous access to resources in a network
VRRP (Virtual Router Redundancy Protocol) is an industry standard that provides very similar features and functions as HSRP
Workstation-to-Router Redundancy- HSRP (1/3) -
HSRP works by creating a phantom router with its own IP and MAC addresses
Workstation-to-Router Redundancy- HSRP (2/3) -
Each workstation uses the phantom as its default router
When a workstation broadcasts an ARP frame to find its default router, the active HSRP router responds with the phantom’s MAC address
If the active HSRP router goes offline, a standby router takes over as active router
Workstation-to-Router Redundancy- HSRP (3/3) -
HSRP routers on a LAN communicate to designate an active and standby router
Uses a priority scheme to determine which HSRP-configured router is to be the default active router
Exchange of multicast messages advertises priority among HSRP-configured routers
When the active router fails to send a hello message within a configurable period of time, the standby router with the highest priority becomes the active router
Workstation-to-Router Redundancy- MHSRP (1/2) -
Multigroup HSRP (MHSRP)
Extension of HSRP that allows a single router interface to belong to more than one Hot Standby group
Workstation-to-Router Redundancy- MHSRP (2/2) -
Load Sharing
Half of the workstations on a LAN are configured for router A, and the other half are configured for router B
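An added simulation (not from the slides) of the HSRP behaviour described on the HSRP slides above (phantom router, priority election, hello and hold timers, ARP answered by the active router) and of the MHSRP load sharing on this slide, where two groups on the same routers give each half of the workstations a different active router. Router names, addresses, priorities and the 10-second hold time are assumed values for the example.

```python
HOLD_TIME = 10.0   # assumed: the active router is presumed dead after this much silence


class Router:
    """A physical router; with MHSRP one interface can join several groups."""
    def __init__(self, name: str, real_ip: str):
        self.name, self.real_ip, self.alive = name, real_ip, True


class HsrpGroup:
    """One Hot Standby group: a phantom router with its own IP and MAC,
    backed by real routers that elect an active and a standby by priority."""
    def __init__(self, group_id: int, virtual_ip: str, members: dict):
        self.virtual_ip = virtual_ip
        # HSRP version 1 virtual MAC form 0000.0C07.ACxx, xx = group number
        self.virtual_mac = f"00:00:0c:07:ac:{group_id:02x}"
        self.priority = members          # {Router: configured priority}
        self.active = self.standby = None
        self.last_hello = 0.0
        self.elect(0.0)

    def elect(self, now: float) -> None:
        """Highest-priority live router becomes active, the next one standby.
        (The simulation uses .alive; real HSRP only knows whose hellos still arrive.)"""
        live = sorted((r for r in self.priority if r.alive),
                      key=lambda r: self.priority[r], reverse=True)
        self.active = live[0] if live else None
        self.standby = live[1] if len(live) > 1 else None
        self.last_hello = now

    def hello(self, now: float) -> None:
        """The active router multicasts a hello advertising its priority."""
        if self.active is not None and self.active.alive:
            self.last_hello = now

    def check_hold_timer(self, now: float) -> None:
        """Run on the standby: with no hello inside HOLD_TIME, take over."""
        if self.active is None or now - self.last_hello > HOLD_TIME:
            self.elect(now)

    def arp_reply(self, target_ip: str):
        """A workstation ARPs for its default gateway (the phantom IP); the
        active router answers with the phantom MAC, so a failover changes
        nothing the workstation can see."""
        if self.active is not None and target_ip == self.virtual_ip:
            return self.virtual_mac
        return None
```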
Campus Network Design Topology- Backbone Design -
There are two types of backbone design:
Distributed backbones
Collapsed backbones
Backbone Design- Distributed Backbones in Buildings (1/3) -
Each floor’s router is directly connected to a centralized backbone
The backbone is typically an FDDI ring
This provides maximum fault tolerance
Generally, does not contain a single point of failure
Requires extra input and output ports for each component
Advantage: Faults quickly corrected by isolation process
Disadvantage: High cost (also because of fiber)
Backbone Design- Distributed Backbones in Buildings (2/3) -
Backbone Design- Distributed Backbones in Buildings (3/3) -
Drawbacks:
Multiple IP network numbers
Difficult to add, move, or change users (not flexible)
More expensive
Migration to switching not easy
Less-flexible approach to wiring a building
Backbone Design- Distributed Backbones on the Campus -
More resource-efficient solution than in a building
Example: high cost might be acceptable here
Drawback: Lack of flexibility in connecting to other buildings on the campus (because of routers)
Switching allows for more flexibility (but not easily deployed on campus)
Logical groups are defined within each building
Backbone Design- Collapsed Backbones in Buildings (1/4) -
Has a single concentration point connecting all floors
All floor-to-floor connectivity passes through the backbone component
Single point of failure (Router)
Solution: Router with HSRP
More flexible and cost-effective approach to wiring a building
Although more cabling is required to support this topology
Backbone Design- Collapsed Backbones in Buildings (2/4) -
Backbone Design- Collapsed Backbones in Buildings (3/4) -
Problem isolation is simple, while finding a problem’s root cause is difficult
Because any troubleshooting changes can potentially impact other segments attached to the same device
Changes can be easily made
Moving users is easier, because all of them are directly attached to the central concentration point
Can be extended to accommodate VLANs
Backbone Design- Collapsed Backbones in Buildings (4/4) -
VLANs in a building
More flexibility in positioning of end stations and servers
Backbone Design- Collapsed Backbones on the Campus -
VLANs across a campus
One switch acts as the backbone for the entire campus
Assign stations to VLANs such that only 20% of their traffic is destined to other VLANs
Enterprise/WAN Network Design Topology
Enterprise Edge Network Topology - Introduction -
Enterprise edge network design topology should meet a customer’s goals for availability and performance:
Redundant LAN and WAN segments in the intranet
Multiple paths to extranets and the Internet
Extranet: an internal internetwork that is accessible by outside parties, e.g., suppliers, resellers, etc.
Enterprise Edge Network Topology- Redundant WAN Segments -
Usually uses a hierarchical partial-mesh topology
Circuit diversity: physical circuit routing of backup WAN links and primary WAN links should be different from each other
Different carriers sometimes use the same facilities
Backup path is then susceptible to the same failure
A backup should really be a backup
Enterprise Edge Network Topology- Multihoming the Internet Connection (1/2) -
Multihoming the Internet connection: provides an enterprise network more than one entry into the Internet (i.e., redundancy and fault tolerance)
Definition: Multihoming - provides more than one connection for a system to access and offer network services
Example: A server is multihomed if it has more than one network-layer address
Options for multihoming the Internet connection (i.e., the enterprise network is multihomed to the Internet)
Enterprise Edge Network Topology- Multihoming the Internet Connection (2/2) -
Enterprise Edge Network Topology- Virtual Private Networks (VPNs) (1/2) -
An enterprise network design alternative
A public network, such as the Internet, is used as a backbone for the enterprise network
Link remote offices together
Can connect business suppliers and distributors through a third-party proprietary network
No permanent link is required
Inexpensive compared to private leased lines
Enterprise Edge Network Topology- Virtual Private Networks (VPNs) (2/2) -
Control of network infrastructure is not in your hand!
Provide a secure connection among sites on the organization’s internetwork
Private data is encrypted for routing through the public network
Can use Dial-on-demand routing (DDR)
Enterprise Edge Network Topology- Remote-Access VPN for a Retail Company -
Enterprise Edge Network Topology- WAN Topologies -
[Figure: three WAN topologies - Star or Hub-and-Spoke, Full-Mesh, Partial-Mesh]
Enterprise Edge Network Topology- Three-layer Design Model (WAN version) -
Secure Network Design Topologies
Secure Network Design Topologies - Three Main Areas (1/2) -
Policy and Standardization: Allow network users freedom to use network services securely
Access management (different levels for different ranks)
Remote access management
Data encryption and authentication
Firewalls
Physical security
Secure Network Design Topologies - Three Main Areas (2/2) -
Implementation: Firewalls are commonly used
Not everyone needs to know what level of security is implemented!
Audit and Review: Review and audit of network security is critical
Should be aware of latest news on hacker activity and threats to your network systems
Stay current on new technologies as well as latest software patches, security holes, and enhancements
Secure Network Design Topologies- Physical Security & Firewalls -
Planning for physical security
Protection from unauthorized access, theft, vandalism, and natural disasters (e.g., floods, fires, storms, and earthquakes)
Not an aspect of logical network design, but it has an impact on it
Meeting security goals with firewall topologies
Definition (National Computer Security Association (NCSA)): Firewall – a system or combination of systems that enforces a boundary between two or more networks
Secure Network Design Topologies - Firewall Topologies (1/3) -
A firewall can be either:
a router with access control lists (ACLs), or
a dedicated hardware box (e.g., PIX), or
software running on a PC or UNIX system
A firewall should be placed in the network so that all traffic from outside the protected network must pass through the firewall
A firewall is especially important at the boundary between the enterprise network and the Internet
A basic firewall topology is simply a router with:
a WAN connection to the Internet, and
a LAN connection to the enterprise network, and
software that has security features
Secure Network Design Topologies - Firewall Topologies (2/3) -
A router can also use Network Address Translation (NAT) to hide internal addresses from Internet hackers
Larger companies use a dedicated firewall in addition to a router (with security features) between the Internet and the enterprise network
A firewall topology can include a public LAN that hosts Web, FTP, DNS, and SMTP servers (for customers who need to publish public data)
This public LAN is referred to as a demilitarized or free-trade zone (DMZ)
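An added example (not from the slides) of the DMZ firewall topology above modelled as a router access list: an inside, a DMZ and an outside zone, and an ordered first-match policy that exposes only the public Web, FTP, DNS and SMTP servers to the Internet while keeping the DMZ from initiating connections into the enterprise LAN. The prefixes, ports and rules are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed address plan for a router-with-ACLs firewall with three interfaces:
# Internet (outside), enterprise LAN (inside) and the public LAN (DMZ).
INSIDE = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("203.0.113.0/24")   # documentation prefix standing in for the DMZ

Rule = namedtuple("Rule", "action src_zone dst_zone proto dport")

# Ordered access list: first match wins, and anything unmatched is denied,
# like the implicit deny at the end of a router ACL.
POLICY = [
    Rule("permit", "outside", "dmz", "tcp", 80),       # Web server
    Rule("permit", "outside", "dmz", "tcp", 443),
    Rule("permit", "outside", "dmz", "tcp", 21),       # FTP control channel
    Rule("permit", "outside", "dmz", "udp", 53),       # DNS
    Rule("permit", "outside", "dmz", "tcp", 25),       # SMTP
    Rule("permit", "inside", "dmz", "any", None),      # staff manage the public servers
    Rule("permit", "inside", "outside", "any", None),  # outbound access for the enterprise LAN
    Rule("deny", "dmz", "inside", "any", None),        # a compromised public server cannot reach inside
    Rule("permit", "dmz", "outside", "tcp", 25),       # the DMZ only needs outbound SMTP
]


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    ip = ipaddress.ip_address(addr)
    if ip in INSIDE:
        return "inside"
    if ip in DMZ:
        return "dmz"
    return "outside"


def evaluate(src: str, dst: str, proto: str, dport: int):
    """Decide a new connection: returns ("permit"|"deny", matching rule or None)."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "permit", None        # same segment; the firewall never sees it
    for rule in POLICY:
        if (rule.src_zone == s and rule.dst_zone == d
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action, rule
    return "deny", None              # implicit deny
```

The rules model the connection-initiation view of a stateless ACL; return traffic needs matching reply rules or a stateful firewall in front of the DMZ.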
Secure Network Design Topologies - Firewall (DMZ) Topologies (3/3) -
References
P. Oppenheimer, “Top-Down Network Design,” Cisco Press, 2nd edition, 2004
Dr. Marwan Abu-Amara (COE, KFUPM), CSE 550 Lecture Slides, Term 052
“Cisco Internetwork Design,” edited by Matthew H. Birkner, Cisco Systems, 2000
http://www.cisco.com/