Network design WAN topology Topic 5

Agenda Enterprise topology Functions and components Security Design goals Physical standards Topologies WAN link types

Enterprise Composite Network Model A hierarchal and scalable blue-print for network designers Enterprise campus – The elements for network operation within one campus (building) – Designed to provide high availability, scalability, and flexibility – Includes a campus backbone, a server farm, building access and building distribution modules and a network management module Enterprise edge – Efficient and secure communication between the enterprise campus and remote locations, business partners, mobile users, and the Internet – Aggregates connectivity, provides traffic filtering and inspection and routing to the enterprise campus – Includes WAN, VPN, internet access, and e-commerce modules Service provider edge – Enables communication with other networks – Uses different WAN technologies and Internet service providers (ISPs)

Enterprise Composite Network Model

Service Providers Tier 1 provider – National or international backbone with at least DS-3, OC-3 to OC-48 connectivity – All its routes from bilateral peering arrangements – 24/7 network operations center – Customers are primarily other providers, but it may support a large enterprise also Tier 2 Provider – Regional or national presence – High bandwidth backbones and 24/7 operations – Buys transit (discounted) from a Tier 1 provider for traffic that goes outside the region – Gets all its regional routes through peering arrangements. Tier 3 Provider – Typically a regional provider for a small or medium-sized region – Buys transit from multiple upstream providers – Runs a default-free routing table Tier 4 and Tier 5 Providers – Metropolitan provider multi-homed to two regional providers – Small, single-homed provider that connects end users via dialup, cable modem, or wireless service

Enterprise edge module Edge distribution – Interface to the enterprise network – Web security appliances and Intrusion Prevention appliances E-commerce – DMZ security zones with internet facing servers, network services such as DNS, FTP and NTP, , websites and web portal – Separates internal and external services such as DNS, intranet and collaboration services Internet connectivity – Safe and secure access to internet for corporate users, and remote users Remote access VPN – Corporate access to remote users such as tele-workers and mobile workers WAN – Wan networks such as Frame Relay and ATM to other sites – Site-to-site VPNs for branch and partner sites – Protection services such as Intrusion Protection services

Inner switch – Provide connectivity between core and campus VLANs and firewall Firewall – Stateful access control and deep packet inspection – Controlling user’s internet bound traffic – Protecting public services in DMZ Outer switches – Provides connectivity between the firewall and the edge router Edge routers – Route traffic from enterprise to the internet via one or more ISPs – Security such as ACLs and uRPF Remote access appliances – Terminate remote-access VPNs such as SSL and Ipsec VPNs Components

Design goals for the edge Availability Eliminate any single point of failure on the network – Redundancy High availability for internet, extranet, and virtual private network (VPN) with redundant interfaces, standby devices, redundant links and devices Reliability by duplicating any required component whose failure could disable critical applications – a channel service unit (CSU), a power supply, a WAN trunk, internet connectivity – Affordability Trade-offs may be required

Design goals for the edge Backup paths – How much capacity does the backup path support? – How quickly will the network begin to use the backup path? – Common for a backup path to have less capacity than a primary path and use different technologies – Automatic failover is necessary for mission-critical applications – What about the cable to the ISP – often the weakest link Multi-homing the internet connection – Providing an enterprise network with more than one entry into the Internet. Circuit diversity – Different carriers sometimes use the same facilities – Ensure that your backup really is a backup

Design goals for the edge Management – Configurations – Monitor traffic flows – Monitor protocol and process efficiency – Security baselines Device access Routing security Device resilience Policy enforcement

Designing process What are the business and technical goals for the Enterprise Edge? – Who are the user communities? – What is the health of the existing network? – Where are the traffic flows? What technologies? What topology? What link type?

Security and remote access Business and technical goals – Confidentiality and privacy – Integrity – Availability Security technologies – Security zones, ACLs and network address translation – Access control AAA services Auditing – Protection Application inspection Monitoring and intrusion protection – Privacy Encryption Remote access – Remote access VPNS, SSL and Ipsec VPNS – Site-to-site VPNS

WAN topologies Full mesh – Every router is connected to every other router for complete redundancy – Good performance because there is just a single link delay between any two sites – The number of links in a full-mesh topology is (N * (N – 1)) / 2 – Expensive to deploy and maintain, hard to optimize, troubleshoot, and upgrade – Scalability limits for groups of routers that broadcast routing updates or service advertisements (20% broadcast rule) Partial mesh – Not every router is connected to every other router – Compromise solution Partial redundancy Less cost Less performance as some destinations might require traversing intermediate links Hub and spoke (Star) – Common hierarchical design – Destinations are reached via the ‘hub’ Peer – No redundancy, least expensive, easiest setup

Choosing a WAN link connection What is the purpose of the WAN? What is the geographic scope? What are the traffic requirements? Type, volume, quality and security Should the WAN use a private or public infrastructure? For a private WAN, should it be dedicated or switched? For a public WAN, what type of VPN access do you need? Which connection options are available locally? What is the cost of the available connection options?

WAN link connection methods Private – Dedicated Leased lines Point-to-Point and Point-to-Multipoint PPP HDLC – Switched Circuit Switched, PSTN, ISDN Packet Switched, Frame Relay, X.25, ATM (cells) Public – Internet DSL, cable, broadband wireless Satellite Metro Ethernet

Leased lines Permanent dedicated connections leased from carrier – T Mb/s – T Mb/s – E Mb/s (Australia) – E Mb/s (Australia) A router serial port is required for each leased line connection. A CSU/DSU and the actual circuit from the service provider are also required. – CSU/DSU is a Channel Service Unit/Data Service Unit that terminates T1/E1 carrier lines Lower latency and jitter No call setup required

Public networks DSL – Always-on connection technology that uses existing PSTN infrastructure and DSL access multiplexer (DSLAM) at the provider location – Varying data rates of up to Mb/s and distance limitations Cable – Always-on connection that uses existing cable TV infrastructure – Bandwidth shared by users Broadband wireless – WiMax – High-speed broadband service over metro distances for many users – Provides broad coverage like a cell phone network Satellite – Rural users, upload speed is about one-tenth of download speed – Satellite dish, two modems (uplink and downlink), and coaxial cables Metro Ethernet – Reduced expenses and administration – Easy integration with existing networks

Circuit switching Establishes a circuit between hosts before communication can start Initial very fast call setup to establish a dedicated circuit or path which cannot be used by others until call tear down ISDN – Time-division multiplexed (TDM) digital signals – Uses 64 kb/s bearer channels (B) for carrying voice or data and a signaling, delta channel (D) for call setup and call management – Basic Rate Interface (BRI)-ISDN is intended for the home and small enterprise and provides two 64 kb/s B channels and a 16 kb/s D channel – Primary Rate Interface (PRI)-ISDN provides 30 B channels and one D channel, for an E1 link of Mb/s ISDN links are used by enterprises as an extra capacity and backup link

Packet switching Packets are routed individually and can follow different paths to destination and arrive out of order Connection oriented packet switching verifies the existence of the destination with a 3-way handshake Frame Relay – Permanent and shared connectivity for voice and data traffic using virtual circuits (up to 4 Mbp/s) – Frame Relay is ideal for connecting enterprise LANs Asynchronous Transfer Mode (ATM) – Small, fixed-length cells carrying data, voice and video traffic over private and public networks

Physical WAN serial standards Standards to define how to transmit and receive signals – EIA/TIA-232 – EIA/TIA-449 – EIA-530 – High-Speed Serial Interface (HSSI) – V.24 – V.35 – X.25 – X.21 – G.703

Agenda Enterprise topology Functions and components Security Design goals Physical standards Topologies WAN link types