The document discusses network design and organization using a hierarchical three-layer model. It describes the functions of the access layer, distribution layer, and core layer. The access layer connects end users, the distribution layer aggregates and routes traffic between local networks, and the core layer provides high-speed transport. A modular approach is also described that divides the network into functional modules like campus infrastructure, server farms, and enterprise edge.

Uploaded by mazu1

Chapter 2

Structuring and Modularizing the Network


Introduction
• To use bandwidth efficiently, the network must be organized.
• The three-layer hierarchical design model provides that organization.
• This model divides network functionality into three distinct
layers:
• Access Layer,
• Distribution Layer, and
• Core Layer.

• Each layer is designed to perform specific functions.


Hierarchical Network Design Layers

■ The access layer
• Provides connectivity for the users.

■ The distribution layer
• Forwards traffic from one local network to another.

■ The core (or backbone) layer
• Provides high-speed transport to satisfy the connectivity and
transport needs of the distribution layer devices.

■ Access Layer
• It connects end devices, such as PCs, printers, and IP phones, to provide
access to the rest of the network.

• It can include routers, switches, bridges, hubs, and wireless access points
(APs).

• Its main purposes are
• To provide a means of connecting devices to the network, and
• To control which devices are allowed to communicate on the
network.
■ Distribution Layer
• Aggregates the data received from the access layer switches before it
is transmitted to the core layer.

• Performs routing between the virtual LANs (VLANs) defined
at the access layer.

VLANs allow you to segment the traffic on a switch into separate
subnetworks (broadcast domains); traffic between VLANs must pass
through a Layer 3 device, which is why the distribution layer is
where inter-VLAN policy is enforced.

E.g. in a university you might separate traffic according to faculty,
students, and guests.

• Distribution layer switches are high-performance devices that have
redundancy to ensure reliability.
■ Core Layer

• Is the high-speed backbone of the internetwork.

• The core layer is critical for interconnectivity between distribution
layer devices.

• It should be highly available and redundant.

• The core area can also connect to Internet resources.

• The core aggregates the traffic from all the distribution layer devices, so it
must be capable of forwarding large amounts of data quickly.
■ Benefits of a Hierarchical Network

• Scalability

• Redundancy

• Performance

• Security

• Manageability
■ Scalability

• The modularity of the design allows you to replicate design elements
as the network grows.

• Because each instance of the module is consistent, expansion is easy
to plan and implement.

• As you add more distribution layer switches to accommodate the
load from the access layer switches, you can add additional core
layer switches to handle the additional load on the core.
■ Redundancy

• As a network grows, availability becomes more important.

• You can increase availability through redundant implementations in hierarchical
networks.

• Access layer switches are connected to two different distribution layer switches to
ensure path redundancy.

• If one of the distribution layer switches fails, the access layer switch can switch to the
other distribution layer switch.

• Additionally, distribution layer switches are connected to two or more core layer
switches to ensure path availability if a core switch fails.

• The only layer where redundancy is limited is the access layer.

• End node devices, such as PCs, printers, and IP phones, do not have the ability to
connect to multiple access layer switches for redundancy.
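The single-failure behaviour described in the bullets above, checked mechanically. This is an added example, not part of the original slides: a small Python model of a dual-attached hierarchy (switch names acc1..acc3, dist1..dist4, core1/core2 and the three end devices are all constructed for the example) that removes one node at a time and reports which end devices lose their path to the core. It confirms that distribution and core failures are absorbed, and that the only single points of failure are the access switches themselves.

```python
"""Single-failure check for a three-layer hierarchical topology.

Added example (not from the original slides): the redundancy rules above
are modelled as a graph and every node is failed in turn.  Distribution and
core failures must strand nobody; an access switch failure strands exactly
the single-attached end devices behind it.  All names are hypothetical.
"""
from collections import deque

# Constructed topology: each access switch is dual-attached to two
# distribution switches; each distribution switch is attached to both cores.
LINKS = [
    ("acc1", "dist1"), ("acc1", "dist2"),
    ("acc2", "dist1"), ("acc2", "dist2"),
    ("acc3", "dist3"), ("acc3", "dist4"),
    ("dist1", "core1"), ("dist1", "core2"),
    ("dist2", "core1"), ("dist2", "core2"),
    ("dist3", "core1"), ("dist3", "core2"),
    ("dist4", "core1"), ("dist4", "core2"),
    ("core1", "core2"),
]
# End devices are single-attached to exactly one access switch.
HOSTS = {"pc-a": "acc1", "printer-b": "acc2", "phone-c": "acc3"}


def build_graph(links, hosts, failed=frozenset()):
    """Adjacency map with the failed nodes (and all their links) removed."""
    adj = {}
    edges = list(links) + [(h, sw) for h, sw in hosts.items()]
    for a, b in edges:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reaches_core(adj, start):
    """Breadth-first search: can `start` reach any core switch?"""
    if start not in adj:
        return False
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node.startswith("core"):
            return True
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def stranded_after(failed_node, links=LINKS, hosts=HOSTS):
    """Sorted list of hosts that lose their path to the core when one
    switch fails."""
    adj = build_graph(links, hosts, failed={failed_node})
    return sorted(h for h in hosts if not reaches_core(adj, h))


def single_points_of_failure(links=LINKS, hosts=HOSTS):
    """Map each switch whose failure strands at least one host to those
    hosts.  In a correct dual-attached design only access switches appear."""
    nodes = {n for link in links for n in link}
    result = {}
    for n in sorted(nodes):
        stranded = stranded_after(n, links, hosts)
        if stranded:
            result[n] = stranded
    return result


if __name__ == "__main__":
    for node, lost in single_points_of_failure().items():
        print(f"{node} fails -> stranded: {lost}")
```

The same check on a topology with one uplink missing (an access switch attached to a single distribution switch) flags that distribution switch as a single point of failure, which is the design defect this kind of audit is meant to catch before it reaches production.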
■ Performance
• Communication performance is enhanced because each layer uses devices
sized for the traffic it must carry.

• Data is sent through aggregated switch port links from the access layer to the
distribution layer.

• The distribution layer then uses its high-performance switching capabilities to
forward the traffic up to the core.

• Because the core and distribution layers perform their operations at very
high speeds, there is less contention for network bandwidth.
■ Security
• Security is improved and easier to manage in a hierarchical design,
because each control is placed at the layer that sees the right traffic.

• Access layer switches can be configured with various port security options that
provide control over which devices are allowed to connect to the network.

• You also have the flexibility to apply more advanced security policies at the
distribution layer, where traffic between VLANs is routed.

• You may apply access control policies that define which communication
protocols are permitted on your network and where they are allowed to go.

For example, if you want to limit the use of HTTP by a specific user connected at
the access layer, you could apply a policy that blocks HTTP traffic from that
user's address at the distribution layer.
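The two controls above, and the order in which they act, as an added example that is not part of the original slides and is not a vendor CLI: a Python model of an access-layer port-security table and a distribution-layer extended access list. The MAC addresses, the 10.1.10.0/24 student and 10.1.30.0/24 guest VLANs, the 10.1.100.0/24 server farm and the host 10.1.10.25 are all constructed for the example; the ACL for VLAN 10 implements the HTTP restriction the text describes.

```python
"""Access-layer port security and distribution-layer ACL, modelled in Python.

Added example, not from the original slides and not a vendor CLI: two small
policy engines that show where each control described above lives and how
the decisions compose.
  * PortSecurity: an access port learns at most `maximum` source MACs
    ("sticky"); frames from any further MAC are dropped and counted while
    the port stays up (the "restrict" violation mode).
  * Acl: an extended access list evaluated top-down, first match wins,
    implicit deny when nothing matches, applied inbound on the
    distribution-layer VLAN interface.
All MACs, addresses and VLAN numbers below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class PortSecurity:
    maximum: int = 1
    learned: set = field(default_factory=set)
    violations: int = 0

    def admit(self, src_mac: str) -> bool:
        """Allow the first `maximum` distinct MACs seen, drop the rest."""
        mac = src_mac.lower()
        if mac in self.learned:
            return True
        if len(self.learned) < self.maximum:
            self.learned.add(mac)
            return True
        self.violations += 1
        return False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "ip"
    dport: Optional[int] = None


def _net(s: str) -> str:
    return "0.0.0.0/0" if s == "any" else s


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # CIDR, or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (ip_address(p.src) in ip_network(_net(self.src)) and
                ip_address(p.dst) in ip_network(_net(self.dst)))


class Acl:
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, p: Packet) -> str:
        """Top-down, first match wins; no match means implicit deny."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


SERVER_FARM = "10.1.100.0/24"
# Inbound ACLs on the distribution-layer SVIs.  The trailing permit-any is
# deliberate: without it the implicit deny would black-hole the whole VLAN.
POLICY = {
    10: Acl([                       # students: the text's HTTP example
        Rule("deny",   "tcp", "10.1.10.25/32", "any", dport=80),
        Rule("permit", "ip",  "any",           "any"),
    ]),
    30: Acl([                       # guests: no path into the server farm
        Rule("deny",   "ip",  "any", SERVER_FARM),
        Rule("permit", "ip",  "any", "any"),
    ]),
}


def decide(vlan: int, port: PortSecurity, src_mac: str, p: Packet) -> str:
    """The access port admits the frame first; only then does the
    distribution-layer ACL for that VLAN see it.  A VLAN with no ACL
    applied forwards everything."""
    if not port.admit(src_mac):
        return "dropped-at-access"
    acl = POLICY.get(vlan)
    return acl.evaluate(p) if acl else "permit"
```

Two points the model makes visible: a frame rejected by port security never reaches the distribution layer, so the ACL is not a substitute for admission control at the edge; and an access list with only deny entries denies everything, because the implicit deny applies to whatever the listed rules do not match.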
■ Manageability
• Manageability is relatively simple on a hierarchical network.

• Each layer of the hierarchical design performs specific functions
that are consistent throughout that layer.

• If you need to change the functionality of an access layer switch,
you can repeat that change across all access layer switches in the
network because they perform the same functions at their layer.

• Deployment of new switches is also simplified because switch
configurations can be copied between devices with very few
modifications.

• All configurations should be documented.


Using a Modular Approach to Network Design
Enterprise Campus Modules
• A campus site is a large site, such as corporate headquarters or a
major office.

• Regional offices and mobile workers
might have to connect to the central
campus for data and information.

• The Campus functional area includes:
■ Campus Infrastructure module and
■ Server Farm module.

■ Campus Infrastructure Module
• The Campus Infrastructure design consists of several buildings connected across
a Campus Core.
• It connects devices within a campus to the Server Farm and Enterprise Edge
modules.

• The Campus Infrastructure module includes three layers:
■ The Building Access layer
■ The Building Distribution layer
■ The Campus Core layer

NOTE In the most general model, the Building Access layer uses Layer 2
switching, and the Building Distribution layer uses multilayer switching.
o Building Access Layer
• The Building Access layer,
  • Is located within a campus building,
  • Aggregates end users from different workgroups,
  • Provides uplinks to the Building Distribution layer, and
  • Provides important services, such as
    • Broadcast suppression,
    • Protocol filtering,
    • Network access,
    • IP multicast, and
    • QoS.
  • The access switches are dual-attached to the distribution layer
switches.
  • Also provides Power over Ethernet (PoE).
o Building Distribution Layer
• It aggregates the wiring closets within a building and provides
connectivity to the Core layer.
• Provides aggregation of the access layer networks using
multilayer switching.
• Performs routing, QoS, and access control.
• Redundancy and load balancing with the Building Access and
Campus Core layers are recommended.
• If one connection to the Campus Core layer fails, all traffic
immediately reconverges onto the remaining path.
o Campus Core Layer
• This layer interconnects the Building Distribution layer with the
Server Farm and Enterprise Edge modules.
• The Campus Core layer provides redundant and fast-converging
connectivity.
• It routes and switches traffic as quickly as possible from one
module to another.
■ Server Farm Module
• The Server Farm module provides users with internal server resources.

• Supports network management services for the enterprise.

• The Server Farm module contains
  • Application,
  • File,
  • E-mail, and
  • Domain Name System (DNS) services.
■ Enterprise Edge Modules

• These modules aggregate the connectivity from the various elements
outside the campus.
• The Enterprise Edge functional area is composed of four main
modules:
  • E-commerce module: The E-commerce module includes the
devices and services necessary for an organization to provide
e-commerce applications.
  • Internet Connectivity module: The Internet Connectivity
module provides enterprise users with Internet access.
  • Remote Access and VPN module: This module terminates
VPN traffic and dial-in connections from external users.
  • WAN and MAN and Site-to-Site VPN module: This module
provides connectivity between remote sites and the central site
over various WAN technologies.
E-commerce Module
• The E-commerce module enables enterprises to successfully
deploy e-commerce applications.
• The majority of traffic is initiated external to the enterprise.
• To build a successful e-commerce solution, the following network
devices might be included:
  • Web servers: Act as the primary user interface for e-commerce
navigation
  • Application servers: Host the various applications
  • Database servers: Contain the application and transaction
information that is the heart of the e-commerce system
  • Firewalls or firewall routers: Provide security between the
system's various users
  • Network Intrusion Detection: Monitors key network segments
in the module to detect and respond to attacks against the network
Internet Connectivity Module
• This module provides internal users with connectivity to Internet services,
such as HTTP, FTP, Simple Mail Transfer Protocol (SMTP), and DNS.
• Additionally, this module accepts VPN traffic from remote users.
• Major components used in the Internet Connectivity module include the
following:
  • SMTP mail servers: Act as a relay between the Internet and
the intranet mail servers.
  • DNS servers: Serve as the authoritative external DNS servers
for the enterprise and relay internal DNS requests to the
Internet.
  • Public servers (for example, FTP and HTTP): Provide
public information about the organization.
  • Firewalls or firewall routers: Provide network-level protection
of resources.
  • Edge routers: Provide basic filtering and multilayer
connectivity to the Internet.
Remote Access and VPN Module
• The Remote Access and VPN module uses the Internet Connectivity module
to initiate VPN connections to remote sites.
• The module terminates dial-in connections received through the public switched
telephone network (PSTN) and, after successful authentication, grants dial-in
users access to the network.
• Major components used in the Remote Access and VPN module include the
following:
  • Dial-in access concentrators: Terminate dial-in connections and authenticate
individual users
  • Cisco Adaptive Security Appliances (ASA): Terminate IPsec tunnels,
authenticate individual remote users, and provide firewall and intrusion
prevention services
  • Firewalls: Provide network-level protection of resources and
    o stateful filtering of traffic,
    o differentiated security for remote access users,
    o authentication of trusted remote sites, and
    o connectivity using IPsec tunnels
  • NIDS appliances: Provide Layer 4 to Layer 7 monitoring of key network
segments in the module
WAN and MAN & Site-to-Site VPN Module
• The WAN and MAN and Site-to-Site VPN module uses various WAN
technologies to route traffic between remote sites and the central site.
• Technologies used include:
  • Leased lines,
  • Frame Relay,
  • ATM,
  • DSL,
  • MPLS,
  • Metro Ethernet,
  • wireless, and
  • service provider VPNs.

• KEY POINT
• The WAN and MAN and Site-to-Site VPN module does not include the
WAN connections or links; it provides only the interfaces to the WAN.
Service Provider Modules
• The enterprise itself does not implement these modules; however, they
are necessary to enable communication with other networks, using a variety
of WAN technologies, and with Internet service providers (ISPs).
• The modules within the Service Provider functional area are as follows:
  • Internet Service Provider module
  • PSTN module
  • Frame Relay/ATM module
• Internet Service Provider Module

The Internet Service Provider module represents enterprise IP connectivity to
an ISP network for:
  • Basic access to the Internet, or
  • Enabling Enterprise Edge services, such as those in the E-commerce,
Remote Access and VPN, and Internet Connectivity modules.

Enterprises can connect to two or more ISPs to provide
redundant connections to the Internet.
The physical connection between the ISP and the enterprise can
use any of the WAN technologies.
PSTN Module
The PSTN module represents the dialup infrastructure for accessing the
enterprise network using ISDN, analog, and wireless telephony (cellular)
technologies.
Frame Relay/ATM Module
The Frame Relay/ATM module covers all WAN technologies for
permanent connectivity with remote locations.

Frame Relay is a connection-oriented, packet-switching technology designed to
efficiently transmit data traffic at data rates up to those used by E3 and T3 connections.

NOTE E3 is a European standard with a bandwidth of 34.368 megabits per second
(Mbps).
T3 is a North American standard with a bandwidth of 44.736 Mbps.

Its capability to connect multiple remote sites across a single physical connection
reduces the number of point-to-point physical connections required to link sites.

o ATM is a higher-speed alternative to Frame Relay.
• It is a high-performance, cell-oriented, switching and multiplexing
technology for carrying different types of traffic.

o Leased lines provide the simplest permanent point-to-point connection
between two remote locations.
• The carrier (service provider) reserves point-to-point links for the
customer's private use.

• Because the connection does not carry anyone else's communications,
the service provider can ensure a given level of quality.
• The fee for the connection is typically a fixed monthly rate.

o Cable technology uses existing coaxial cable TV cables.
Coupled with cable modems, this technology provides much greater bandwidth
than telephone lines and can be used to achieve extremely fast access to the Internet.

o DSL uses existing telephone lines to transport high-bandwidth traffic, such as
voice, data, and video.
• DSL is sometimes referred to as a last-mile technology because it is used
only for connections from a telephone switching station (at a service
provider) to a home or office, not between switching stations.

o Wireless bridging technology interconnects remote LANs using point-to-point
signal transmissions that go through the air over a terrestrial radio or microwave
platform, rather than through copper or fiber cables.
• One of the advantages of bridged wireless is its capability to connect users in
remote areas without having to install new cables.

• However, this technology is limited to shorter distances, and weather conditions
can degrade its performance.

• MPLS combines the advantages of multilayer routing with the
benefits of Layer 2 switching.
• With MPLS, labels are assigned to each packet at the edge of the
network.
• Rather than examining the IP packet header information, MPLS
nodes use this label to determine how to process the data, resulting
in a faster, more scalable, and more flexible WAN solution.
Remote Enterprise Modules
• The three modules supporting remote enterprise locations are
  • Enterprise Branch,
  • Enterprise Data Center, and
  • Enterprise Teleworker.
■ Enterprise Branch Module
• The Enterprise Branch module extends the enterprise by providing each
location with a resilient network architecture with integrated security.
• A branch office generally accommodates employees who have a
compelling reason to be located away from the central site, such as a
regional sales office.
• A branch office is sometimes called a remote site, remote office, or sales
office.
• Branch office users must be able to connect to the central site to access
company information.
• Therefore, they benefit from high-speed Internet access, VPN
• Enterprise Data Center Module
• The Enterprise Data Center module may include the following components:
  • At the networked infrastructure layer: Gigabit Ethernet and 10-Gigabit
Ethernet, with storage switching and optical transport devices
  • At the interactive services layer: Services include storage fabric services,
compute services, security services, and application optimization services
  • At the management layer: Tools include Fabric Manager (for element and
network management).

Enterprise Teleworker Module
• The Enterprise Teleworker module provides people in
geographically dispersed locations, such as home offices or
hotels, with highly secure access to central-site applications and
network services.

• The Enterprise Teleworker module supports a small office with
one to several employees or the home office of a telecommuter.
Services Within Modular Networks
• A network service is a supporting and necessary service, but not an
ultimate solution.
  • Security services: Ensure that all aspects of the network are secure, from the devices
connecting to the network to secured transport and data theft prevention

  • Mobility services: Allow users to access network resources regardless of their physical
location.

  • Storage services: Provide distributed and virtual storage across the infrastructure

  • Voice and collaboration services: Deliver the foundation, such as security and high
availability, by which voice can be carried across the network

  • Compute services: Connect and virtualize compute resources based on the application

  • Identity services: Map resources and policies to the user and device