NETWORK DESIGN

CHAPTER 1 : NETWORK DESIGN

CONCEPTS (PART II)
 RECAP
PREVIOUS
LESSON?
 Flat Network Design

Local traffic will remains local.

Only traffic that is destined for other networks is moved to a
higher level.
Can control broadcast traffic efficiently.
Better network performance
 Modular Framework
Enterprise campus: This area contains the
network elements required for independent
operation within a single campus or branch
location.
Server Farm: A component of the enterprise
campus, the data center server farm protects
the server resources and provides redundant,
reliable high-speed connectivity.
Enterprise Edge: This area filters traffic from
the external resources and routes it into the
enterprise network. It contains all the
elements required for secure communication
between the enterprise campus and remote
locations, remote users, and the Internet.
 Benefits of modular framework
It creates a clearly defined boundaries between
modules which let the network designer knows
exactly where the traffic originates and where it
flows.
It eases the design task by making each module
independent.
It provides scalability by allowing enterprises to add
modules easily.
It enables the designer to add services and solutions
without changing the underlying network design.
Example of modular framework design
Steps in network design project
 Benefits of server farm
A server farm is a group of computers acting as servers and
housed together in a single location. A server farm is sometimes
called a server cluster
Business owner should centralizes servers in server farms. Server
farms are typically located in computer rooms and data centers .
Network traffic enters and leaves the server farm at a centralized
point. This makes it easier to secure, filter, and prioritize traffic.
Redundancy backup
Load balancing and failover can be provided between servers
and between networking devices.
The number of high-capacity switches and security devices is
reduced, helping to lower the cost.
 Protecting server farm

1.Firewall
2.DMZs
 DMZ (demilitarized zone)
DMZ (demilitarized zone) is a physical or logical sub-
network that separates an internal local area network
(LAN) from other untrusted networks, usually the
Internet.
External-facing servers, resources and services are located
in the DMZ so they are accessible from the Internet but
the rest of the internal LAN remains unreachable.
This provides an additional layer of security to the LAN as
it restricts the ability of hackers to directly access internal
servers and data via the Internet.
DMZ Operation
Hierarchical Network Design
 1. Core Layer Design
The core layer is a high-speed
switching backbone and should be
designed to switch packets as fast
as possible.
This layer of the network should
not perform any packet
manipulation, such as access lists
and filtering, that would slow down
the switching of packets
 Technology used at Core Layer
1. Multilayer Switches
A multilayer switch is a
network device that has
the ability to operate at
higher layers of the OSI
reference model.
A multilayer switch can
perform the functions of a
switch as well as that of a
router at incredibly fast
speeds.
2. Redundancy and Load Balancing
Redundancy is a system design in which a
component is duplicated so if it fails there will be
a backup.
Redundancy has a negative implication when the
duplication is unnecessary or is simply the result
of poor planning.
Network load balancing (commonly referred to as
dual-WAN routing or multihoming) is the ability
to balance traffic across two WAN links without
using complex routing protocols like BGP.
3. High Speed and Link
Aggregation
(EtherChannel)
Take many links, bundle
them into a single logical
link.
Provides High Speed Link
 Link aggregation (collection) provides the
following benefits:
I. Logical aggregation of bandwidth
II. Load balancing
III. Fault tolerance
4. Routing protocols
Implementation between router
These protocols have been designed to allow the
exchange of routing tables, or known networks,
between routers.
 Marking & prioritizing traffic

Congestion is caused when the demand on the network

resources exceeds the available capacity.
Separating traffic with similar characteristics into classes, and
then marking that traffic, is a function of the network devices at
the Access and Distribution Layers.
 Network convergence
Network convergence occurs when all
routers have complete and accurate
information about the network.
The faster the convergence time, the
better. Factors that affect convergence time
include:
The speed at which the routing updates reach
all of the routers in the network
The time that it takes each router to perform
the calculation to determine the best paths
 Techniques To Limit Network
Failure
Limiting the Size of Failure Domains: it is easiest and usually least
expensive to control the size of a failure domain in the Distribution Layer.
In the Distribution Layer, network errors can be contained to a smaller
area, with the use of router.

Switch Block Deployment (Routers & Multilayer): Routers, or

multilayer switches, are usually deployed in pairs. This configuration is
referred to as a building or departmental switch block. Each switch block
acts independently of the others. As a result, the failure of a single device
does not cause the network to go down.
 2. Distribution Layer Design
The distribution layer is the
smart layer in the three-
layer model. Routing,
filtering, and QoS policies
are managed at the
distribution layer.
Distribution layer devices
also often manage
individual branch-office
WAN connections.
Provides policy-based
connectivity and controls the
boundary between the
access and core layers
Improve Network reliability & Stability
: Redundant links
To reduce downtime, the network
designer deploys redundancy in the
network.
Providing multiple connections to Layer
2 switches can cause unstable behavior
in a network unless STP is enabled.
Without STP, redundant links in a Layer
2 network can cause broadcast storms.
By disabling one of the links, STP
guarantees that only one path is active
between two devices.
If one of the links fails, the switch
recalculates the spanning tree topology
Spanning Tree Protocol (STP) is a Layer 2 protocol
and automatically begins using the that runs on bridges and switches. The
alternate link. Usually RSTP is used in specification for STP is IEEE 802.1D. The main
this case. purpose of STP is to ensure that you do not create
loops when you have redundant paths in your
network. Loops are deadly to a network
 Security & Traffic Management :
Access Control Lists (ACLs )
Access control lists (ACLs) are a tool that can
be used at the Distribution Layer to limit
access and to prevent unwanted traffic from
entering the Core layer.
ACL statements identify which packets to
accept or which to deny.
To filter network traffic, the router examines
each packet and then either forwards or
discards it, based on the conditions specified
in the ACL. There are different types of ACLs
for different purposes.
Standard ACLs filter traffic based on the
source address. Extended ACLs can filter based
on multiple criteria including:
Source address
Destination address
Protocols
Port numbers or applications
Whether the packet is part of an
established TCP stream
 Routing Protocol
Another important function that occurs at the Distribution
Layer is route summarization.
Route summarization has several advantages for the
network, such as:
One route in the routing table that represents many other
routes, creating smaller routing tables
Less routing update traffic on the network
Lower overhead on the router
Classless routing protocols such as RIPv2, EIGRP, OSPF, and
IS-IS, support route summarization based on subnet
addresses on any boundary.
 3. Access Layer Design
The access layer, which is the lowest level of
the Cisco three tier network model, ensures
that packets are delivered to end user
devices.
This layer is sometimes referred to as the
desktop layer, because it focuses on
connecting client nodes to the network.
 VLAN at Access Layer
A virtual LAN (VLAN) is
any broadcast domain
that is partitioned and
isolated in a computer
network at the data
link layer (OSI layer 2)
To subdivide a network
into virtual LANs, one
configures network
equipment. (what
devices???)
Where is Network Edge?
Services at Network Edge
 Security Threats At Network Edge
User error and
carelessness account for a
significant number of
network security
breaches.
Permitting network access
to only known or
authenticated devices
limits the ability of
intruders to enter the
network.
Security Mitigation (Security Procedure)
Change passwords on routers and switches.
Locking wiring closets and restricting access to
networking devices
Equip wiring closets with additional security, such as
cameras or motion detection devices and alarms.
Put keypad locks, which can record which codes are
used to enter the secured areas.
Some extra steps to secure access:
Setting strong passwords
Using SSH to administer devices
Disabling unused ports
Switch port security and network access control can
ensure that only known and trusted devices have
access to the network.
 LAB ACTIVITY 1.1

1. Check Routing Protocol for every router

2. Router And Router Should Be Ping Each Other
3. Ping : Host On Access 1A --> 1B-->2A -->2B
3. Analyze Route From Where To Where
From the desktop of PC HR2, ping the HR server at IP address
192.168.40.2.
From the desktop of PC HR2, ping the Sales server at IP address
192.168.10.2.
From the desktop of PC HR2, ping the Web server at IP address
192.168.0.3.