Network design WAN topology Topic 5. Agenda Enterprise topology Functions and components Security Design goals Physical standards Topologies WAN link

  • Published on

  • View

  • Download

Embed Size (px)


<ul><li><p>Network designWAN topologyTopic 5</p></li><li><p>AgendaEnterprise topologyFunctions and componentsSecurityDesign goalsPhysical standardsTopologiesWAN link types</p></li><li><p>Enterprise Composite Network ModelA hierarchal and scalable blue-print for network designersEnterprise campusThe elements for network operation within one campus (building)Designed to provide high availability, scalability, and flexibilityIncludes a campus backbone, a server farm, building access and building distribution modules and a network management moduleEnterprise edgeEfficient and secure communication between the enterprise campus and remote locations, business partners, mobile users, and the InternetAggregates connectivity, provides traffic filtering and inspection and routing to the enterprise campusIncludes WAN, VPN, internet access, and e-commerce modulesService provider edgeEnables communication with other networksUses different WAN technologies and Internet service providers (ISPs)</p></li><li><p>Enterprise Composite Network Model</p></li><li><p>Service ProvidersTier 1 providerNational or international backbone with at least DS-3, OC-3 to OC-48 connectivityAll its routes from bilateral peering arrangements24/7 network operations centerCustomers are primarily other providers, but it may support a large enterprise alsoTier 2 ProviderRegional or national presenceHigh bandwidth backbones and 24/7 operationsBuys transit (discounted) from a Tier 1 provider for traffic that goes outside the regionGets all its regional routes through peering arrangements.Tier 3 ProviderTypically a regional provider for a small or medium-sized regionBuys transit from multiple upstream providers Runs a default-free routing tableTier 4 and Tier 5 ProvidersMetropolitan provider multi-homed to two regional providersSmall, single-homed provider that connects end users via dialup, cable modem, or wireless service</p></li><li><p>Enterprise edge moduleEdge distributionInterface to the enterprise networkWeb security appliances and Intrusion Prevention appliancesE-commerceDMZ security zones with internet facing servers, network services such as DNS, FTP and NTP, email, websites and web portalSeparates internal and external services such as DNS, intranet and collaboration servicesInternet connectivitySafe and secure access to internet for corporate users, and remote usersRemote access VPNCorporate access to remote users such as tele-workers and mobile workersWANWan networks such as Frame Relay and ATM to other sitesSite-to-site VPNs for branch and partner sitesProtection services such as Intrusion Protection services</p></li><li><p>Inner switchProvide connectivity between core and campus VLANs and firewallFirewallStateful access control and deep packet inspectionControlling users internet bound trafficProtecting public services in DMZOuter switchesProvides connectivity between the firewall and the edge routerEdge routersRoute traffic from enterprise to the internet via one or more ISPs Security such as ACLs and uRPFRemote access appliancesTerminate remote-access VPNs such as SSL and Ipsec VPNsComponents</p></li><li><p>Design goals for the edgeAvailabilityEliminate any single point of failure on the networkRedundancyHigh availability for internet, extranet, and virtual private network (VPN) with redundant interfaces, standby devices, redundant links and devicesReliability by duplicating any required component whose failure could disable critical applications a channel service unit (CSU), a power supply, a WAN trunk, internet connectivityAffordability Trade-offs may be required</p></li><li><p>Design goals for the edgeBackup pathsHow much capacity does the backup path support?How quickly will the network begin to use the backup path?Common for a backup path to have less capacity than a primary path and use different technologiesAutomatic failover is necessary for mission-critical applicationsWhat about the cable to the ISP often the weakest linkMulti-homing the internet connectionProviding an enterprise network with more than one entry into the Internet. Circuit diversityDifferent carriers sometimes use the same facilitiesEnsure that your backup really is a backup</p></li><li><p>Design goals for the edgeManagementConfigurationsMonitor traffic flowsMonitor protocol and process efficiencySecurity baselinesDevice accessRouting securityDevice resiliencePolicy enforcement</p></li><li><p>Designing processWhat are the business and technical goals for the Enterprise Edge?Who are the user communities?What is the health of the existing network?Where are the traffic flows?What technologies?What topology?What link type?</p></li><li><p>Security and remote accessBusiness and technical goalsConfidentiality and privacyIntegrityAvailabilitySecurity technologiesSecurity zones, ACLs and network address translationAccess controlAAA servicesAuditingProtectionApplication inspectionMonitoring and intrusion protectionPrivacyEncryption Remote accessRemote access VPNS, SSL and Ipsec VPNSSite-to-site VPNS </p></li><li><p>WAN topologiesFull mesh Every router is connected to every other router for complete redundancyGood performance because there is just a single link delay between any two sitesThe number of links in a full-mesh topology is (N * (N 1)) / 2Expensive to deploy and maintain, hard to optimize, troubleshoot, and upgradeScalability limits for groups of routers that broadcast routing updates or service advertisements (20% broadcast rule) Partial meshNot every router is connected to every other routerCompromise solutionPartial redundancyLess costLess performance as some destinations might require traversing intermediate linksHub and spoke (Star)Common hierarchical designDestinations are reached via the hubPeerNo redundancy, least expensive, easiest setup</p></li><li><p>Choosing a WAN link connectionWhat is the purpose of the WAN?What is the geographic scope?What are the traffic requirements? Type, volume, quality and securityShould the WAN use a private or public infrastructure?For a private WAN, should it be dedicated or switched?For a public WAN, what type of VPN access do you need?Which connection options are available locally?What is the cost of the available connection options?</p></li><li><p>WAN link connection methodsPrivateDedicatedLeased lines Point-to-Point and Point-to-Multipoint PPP HDLCSwitchedCircuit Switched, PSTN, ISDNPacket Switched, Frame Relay, X.25, ATM (cells)PublicInternetDSL, cable, broadband wirelessSatelliteMetro Ethernet </p></li><li><p>Leased linesPermanent dedicated connections leased from carrierT1 1.544 Mb/sT3 44.736 Mb/sE1 2.048 Mb/s (Australia)E3 34.064 Mb/s (Australia)A router serial port is required for each leased line connection. A CSU/DSU and the actual circuit from the service provider are also required.CSU/DSU is a Channel Service Unit/Data Service Unit that terminates T1/E1 carrier linesLower latency and jitterNo call setup required</p></li><li><p>Public networksDSLAlways-on connection technology that uses existing PSTN infrastructure and DSL access multiplexer (DSLAM) at the provider locationVarying data rates of up to 8.192 Mb/s and distance limitationsCableAlways-on connection that uses existing cable TV infrastructureBandwidth shared by usersBroadband wireless WiMaxHigh-speed broadband service over metro distances for many usersProvides broad coverage like a cell phone networkSatelliteRural users, upload speed is about one-tenth of download speedSatellite dish, two modems (uplink and downlink), and coaxial cablesMetro Ethernet Reduced expenses and administrationEasy integration with existing networks</p></li><li><p> Circuit switchingEstablishes a circuit between hosts before communication can startInitial very fast call setup to establish a dedicated circuit or path which cannot be used by others until call tear downISDNTime-division multiplexed (TDM) digital signalsUses 64 kb/s bearer channels (B) for carrying voice or data and a signaling, delta channel (D) for call setup and call managementBasic Rate Interface (BRI)-ISDN is intended for the home and small enterprise and provides two 64 kb/s B channels and a 16 kb/s D channelPrimary Rate Interface (PRI)-ISDN provides 30 B channels and one D channel, for an E1 link of 2.048 Mb/sISDN links are used by enterprises as an extra capacity and backup link</p></li><li><p>Packet switchingPackets are routed individually and can follow different paths to destination and arrive out of orderConnection oriented packet switching verifies the existence of the destination with a 3-way handshakeFrame RelayPermanent and shared connectivity for voice and data traffic using virtual circuits (up to 4 Mbp/s)Frame Relay is ideal for connecting enterprise LANsAsynchronous Transfer Mode (ATM)Small, fixed-length cells carrying data, voice and video traffic over private and public networks</p></li><li><p>Physical WAN serial standardsStandards to define how to transmit and receive signalsEIA/TIA-232 EIA/TIA-449EIA-530High-Speed Serial Interface (HSSI)V.24V.35X.25X.21G.703</p></li><li><p>AgendaEnterprise topologyFunctions and componentsSecurityDesign goalsPhysical standardsTopologiesWAN link types</p><p>READ</p><p>Service Provider (SP) Edge This border part of the Internet edge infrastructure consists of routers that interface directly to the Internet. Internet-facing border routers peer directly to the Internet SP. Careful consideration must be made to routing design, redundancy, and security of these border routers. Corporate Access and DMZ One of the major functions of the Internet edge is to allow for safe and secure Internet access by corporate users while providing services to the general public. The firewalls in this module secure these functions through implementation and enforcement of stateful firewall rules and application-level inspection. Users at the campuses may access email, instant messaging, web browsing, and other common services through the Internet edge firewalls. Optionally, the same infrastructure may serve users at the branches that are mandated to access the Internet over a centralized connection. Public-facing services, such as File Transfer Protocol (FTP) servers and websites, can be provided by implementing a demilitarized zone (DMZ) within this network domain. The web application firewall is another appliance that protects web servers from application-layer attacks (such as XML). The web application firewall also resides in the DMZ infrastructure and provides primary security for Hypertext Transfer Protocol (HTTP)-based and E-commerce applications. Remote Access VPN The remote access infrastructure that provides corporate access to remote users through protocols such as Secure Socket Layer (SSL) point-to-point IPSec VPN and Easy VPN. Edge Distribution The edge distribution infrastructure provides the interface for the Internet edge network devices to the rest of the enterprise network. Appliances, such as the Web Security Appliances (WSA), reside in this part of the network. Within the edge distribution infrastructure, you can also implement an Intrusion Prevention Appliance (IPS) to guard against worms, viruses, denial-of-service (DoS) traffic, and directed attacks. Branch Backup Some branches may adopt an Internet connection to provide a backup link to a WAN network. This backup functionality may be performed by using dedicated appliances, such as a Cisco ASR 1000 Series router. </p><p>*Here is the topology map showing the design modules </p><p>The enterprise comapus consisting of building access, distribution and backbone or core notice the server farm also connected to the core and it all managed by the network management module</p><p>The enterprise edge has ecommerce or DMZ module for public facing serversInternet connectivity VPB, remote access and WAN modules the Enterprise edge is connected to the enterprise campus via edge distribution and the service provider edge contaoins the linsk and technologies to connect to the ISPs********</p></li></ul>