UNIVERSITY OF NAIROBI
FACULTY OF ENGINEERING
DEPARTMENT OF ELECTRICAL AND INFORMATION ENGINEERING
ENTERPRISE LEVEL NETWORK DESIGN AND OPTIMIZATION
PROJECT INDEX: PRJ 072
BY
MBUTHIA MICHAEL MWANGI
F17/1754/2006
SUPERVISOR: DR. C. WEKESA
EXAMINER: DR. KAMUCHA
PROJECT REPORT SUBMITTED IN PARTIAL FULFILMENT OF THE
REQUIREMENT FOR THE AWARD OF THE DEGREE
OF
BACHELOR OF SCIENCE IN ELECTRICAL AND ELECTRONIC
ENGINEERING OF THE UNIVERSITY OF NAIROBI 2011
Submitted on: 18th May, 2011
DECLARATION AND CERTIFICATION
This BSc. work is my original work and has not been presented for a degree award in this or any
other university.
Signed……………………………………….. Date……………………..
MBUTHIA MICHAEL MWANGI
F17/1754/2006
This report has been submitted to the Dept. of Electrical and Information Engineering,
University of Nairobi with my approval as supervisor:
Signed……………………………………….. Date…………………….
DR. CYRUS WEKESA
(Supervisor)
ACKNOWLEDGEMENTS
I thank the Almighty God for giving me the mental and physical strength to undertake this
project.
My gratitude also goes to Dr. Wekesa, my supervisor, who greatly assisted and supported me
throughout the project preparation period. Finally, I thank Mr. Aseda of KENET, proof-reader
Catherine Wanjiru, and my colleagues for their continued support.
TABLE OF CONTENTS
DECLARATION AND CERTIFICATION i
ACKNOWLEDGEMENTS ii
TABLE OF CONTENTS iii
LIST OF ABBREVIATIONS v
ABSTRACT vii
CHAPTER 1: INTRODUCTION 1
1.1 Background 1
1.2 Problem Definition 1
1.3 Objective 2
CHAPTER 2: NETWORK DESIGN METHODOLOGIES 3
2.1 Introduction 3
2.2 Network Design Methodologies 3
2.2.1 Bottom-up Network Design 3
2.2.2 Top-down Network Design 3
2.3 Requirements Analysis 4
CHAPTER 3: LOGICAL NETWORK DESIGN 8
3.1. Network Topology 8
3.2 Designing a Network Addressing and Naming Model 11
3.2.1 Addressing 11
3.2.2 Naming 13
3.3 Selecting and Implementing Switching and Routing Protocols 14
3.3.1 Routing Protocols 14
3.3.2 Protocols and the Hierarchical Design Model 16
3.4 Network Management 16
3.4.1 Network Management Architecture 17
3.4.2 Network Traffic 18
3.4.3 Network Security 18
CHAPTER 4: PHYSICAL NETWORK DESIGN 20
4.1 Introduction 20
4.2 Technologies and Hardware for the LAN 20
4.2.1 Ethernet 20
4.2.2 LAN Cabling 22
4.2.3 Internetworking Devices 23
4.3 Technologies and Hardware for the WAN 24
4.3.1 Remote Access 24
4.3.2 Internetworking Devices 27
CHAPTER 5: TESTING AND OPTIMIZING THE NETWORK DESIGN 28
5.1 Introduction 28
5.2 Testing the Network Design 28
5.2.1 Building and Testing a Prototype 28
5.2.2 Testing Tools 29
5.3 Optimizing the Network Design 30
5.3.1 Performance Mechanisms 30
CHAPTER 6: APPLYING THE METHODOLOGY 34
6.1 Background 34
6.2 Business and Technical Goals 34
6.3 Structure 35
6.4 Current Network 36
6.4.1 Traffic flows 37
6.4.2 Inherent Problems of the Current Design: 38
6.5 Proposed Design 38
6.5.1 Connectivity 38
6.5.2 Logical Network Design 39
6.5.3 Physical Network Design 46
6.5.4 Testing and Optimization 50
6.6 Simulation Environment 51
CHAPTER 7: CONCLUSIONS AND RECOMMENDATIONS 54
7.1 Conclusions 54
7.2 Recommendations 54
LIST OF ABBREVIATIONS
OSI – Open Systems Interconnect
RMON – Remote Monitoring
RIP – Routing Information Protocol
IGRP – Interior Gateway Routing Protocol
EIGRP – Enhanced Interior Gateway Routing Protocol
OSPF – Open Shortest Path First
BGP – Border Gateway Protocol
ATM – Asynchronous Transfer Mode
PKI – Public Key Infrastructure
LAN – Local Area Network
WAN – Wide Area Network
VLAN – Virtual Local Area Network
IPX – Internetwork Packet Exchange
IP – Internet Protocol
TCP – Transport Control Protocol
DNS – Domain Name Service
DHCP – Dynamic Host Configuration Protocol
NIC – Network Interface Card
MAC – Media Access Control
NAT – Network Address Translation
CPU – Central Processing Unit
DMZ – Demilitarized Zone
RTMP – Routing Table Maintenance Protocol
LSA – Link State Advertisement
WLAN – Wireless Local Area Network
VPN – Virtual Private Network
FDDI – Fiber Distributed Data Interface
RSVP – Resource Reservation Protocol
MCU – Multi-point Control Unit
ISP – Internet Service Provider
ABSTRACT
In the business world, technology plays a major role in shaping the manner in which business is
carried out. Computer networks play an important role in a business environment, since
technological trends have made the computer a vital ingredient in modern business processes.
Internetworks are important to facilitate communication so as to enhance provision of goods
and services. However, these networks ought to be reliable, secure and scalable. This is usually
not the case, as many designers do not make important considerations at the design stage.
This project report tackles enterprise network design using a top-down approach. Firstly,
customer requirements are considered and analyzed, as described in chapter 2. Thereafter, the
logical topology of the network is designed. This is covered in chapter 3 whereby addressing
and naming models are designed and suitable protocols chosen. Other vital areas of concern are
the management and security of the network, which have to be carefully studied and sound
decisions made.
The physical design of the network is discussed in chapter 4. Here, technologies such as
Ethernet are analyzed and networking devices and cabling types examined. The campus area is
considered first, and then the design for the WAN is tackled.
The final stage of this network design approach is the testing of the network and application of
optimization techniques. This is an important stage as it demonstrates the ability of the
designed network to achieve the intended goals. This forms chapter 5 of this report.
A case scenario was then considered. Requirements for the network design process were
analyzed and the design was carried out in a systematic manner in accordance to the top-down
methodology.
It was noted that a structured and systematic network design approach yielded a functional
network that conforms to modern business practices.
CHAPTER 1: INTRODUCTION
1.1 Background
Internetworks are an important requirement in facilitating communication and transactions
within an enterprise and between the enterprise and external parties such as customers and
partners. Large internetworks consist of the following three distinct components:
• Campus networks consisting of locally connected users in a building or group of
buildings
• Wide-area networks (WANs) which connect campus networks together
• Remote connections which link remote offices or single users to the main campus
network or to the Internet.
With the ever-changing characteristics of business, it is crucial to develop a network that can
keep pace with the accelerating changes created by business requirements.
1.2 Problem Definition
Most networks created often do not accommodate changes in the business environment. These
changes could be an increase in the number of users on the network, incorporation of video and
voice data, wireless capabilities or e-commerce services. This problem is usually as a result of
poor network design.
Proper internetwork design is employed to come up with a functional network that addresses the
following goals:
• Functionality – the availability, usability and performance of the network.
• Scalability – the ability to support growth in the network.
• Manageability – the ease of management of the network and network resources.
• Adaptability – the ability to implement changes in areas such as technologies, legislation,
and business practices.
• Affordability – the cost-effectiveness of the network.
• Security – measures to ensure security problems do not interfere with the company's
ability to conduct business efficiently.
Therefore, designing a suitable internetwork that achieves the above goals is a challenge which
should be carefully and systematically tackled.
1.3 Objective
This project aims at applying structured network design techniques to design and optimize a
modern-day enterprise network which meets business requirements. The top-down network
design methodology is applied.
CHAPTER 2: NETWORK DESIGN METHODOLOGIES
2.1 Introduction
This chapter introduces network design methodologies and also discusses requirements analysis.
2.2 Network Design Methodologies
There are two main approaches to network design. This classification is roughly based on how
the seven-layer OSI model is traversed. The two methodologies are:
• Bottom-up network design methodology
• Top-down network design methodology
2.2.1 Bottom-up Network Design
This approach is based on past projects and implementation that worked on the current network
layout. This makes this methodology generally faster. Bottom-up design is cell-based as it
employs a cell-oriented architecture.
Under this methodology, the physical network is considered first. This is because the physical
network layout has to support the applications, and generally, the customer always has a fixed
estimate of the equipment to deploy.
The disadvantage of this approach is that it may not take all necessary applications and services
into consideration, leading to a design that may not meet all the needs of the organization.
2.2.2 Top-down Network Design
Under this methodology, network design is tackled by considering the upper layers of the OSI
reference model moving downwards to the lower layers. The applications and sessions are
considered before selecting the protocols and devices such as routers and switches.
A logical model of the network is developed before the physical model. The logical model is a
representation of the basic building blocks and structure of the system. On the other hand, the
physical model represents networking devices and technologies and their implementation within
the internetwork.
The top-down approach is a systematic design methodology that helps meet an organization's
requirements, regardless of the newness or complexity of applications and technologies. This
makes this approach more preferred as compared to the bottom-up network design.
This approach can be broken down into:
1. Analyzing the customer's needs and goals.
2. Logical network design.
3. Physical network design.
4. Testing and optimizing the network design.
2.3 Requirements Analysis
This is the first stage of top-down network design whereby the customer’s technical goals and
business goals are identified and analyzed. The process of requirements analysis provides a
means for analyzing the network and the environment in which it is contained.
It is essential to understand the company business model, business drivers and projected growth
from a business perspective. This builds the foundation for a network design that serves the
business, technical and operational requirements of the company.
Analyzing the Existing Network
The first step under requirements analysis is to analyze the existing network, if any. This
includes analyzing network health, business constraints and problems that could arise due to
anticipated growth. Data collected under this section is broadly classified as administrative and
technical.
Administrative issues include business goals and policies, corporate structure of the business,
staff matters and politics. It is important to know who in the company supports the change in
network design and who doesn’t. Furthermore, the technical capabilities of the current
employees also come into play as skilled persons will be required to maintain the network. This
may create or eliminate jobs.
It is important to document these issues that come into play before embarking on the design
work. Information about the requirements of the network design can be gathered from managers
and users.
When analyzing customer requirements, the following major aspects are considered:
a) Business constraints – resource allocation, time schedule, staff issues.
b) Security requirements – security risks and their mitigation.
c) Management requirements – account management, fault management.
d) Application requirements – new applications, peak hours.
e) Network traffic – the effect of users on traffic load.
f) Performance requirements – availability, scalability, manageability, usability, adaptability,
efficiency, utilization.
The following steps provide a guideline to follow when characterizing the current network:
1. Characterize the applications and protocols in use.
2. Analyze the current topology.
3. Characterize the network performance.
4. Analyze network ‘health’ (reliability, availability and utilization).
5. Analyze the status of network devices, for instance, router configurations.
Network Traffic
It is crucial to analyze network traffic patterns so as to guide in selecting appropriate logical and
physical network design solutions to meet the enterprise’s goals. This involves characterizing
traffic flow, traffic volume, and protocol behavior.
Traffic flows are analyzed and bandwidth utilization by protocol measured. This is achieved by
placing a protocol analyzer or RMON probe on every major network segment. The response time
for network-service protocols is tested.
User applications are considered and it is determined if they are mission-critical, real-time, or
interactive. Considering the protocols and number of users, the approximate bandwidth used by
the applications is computed.
It is important to characterize traffic load with traffic flow. Traffic load is the total data that
network nodes are ready to send at a given time.
This analysis can be carried out by first approximating the size of objects transferred across
networks by applications. This will entail e-mail messages, general web browsing, and other
applications which transfer data to the Internet.
Then the traffic overhead for protocols is considered. The estimated traffic overhead for some
major protocols is as tabulated in Table 2.1.
Table 2.1: Protocol Overhead Traffic

Protocol                 Total Bytes/Packet
Ethernet Version II      38
IEEE 802.3 with 802.2    46
IEEE 802.5 with 802.2    29
IPX                      30
IP                       20
TCP                      20

Source: [2]
Traffic overhead for routing protocols is also an important factor to consider. RIP consumes a lot
of bandwidth while OSPF and EIGRP use very little bandwidth. Table 2.2 shows sizes of packets
transmitted in RIP and IGRP.
Table 2.2: Packet Transmission in Routing Protocols

Routing   Default Update   Route Entry   Routes per   Network and Update   Size of Full
Protocol  Timer (Seconds)  Size (Bytes)  Packet       Overhead (Bytes)     Packet (Bytes)
IP RIP    30               20            25           32                   532
IP IGRP   90               14            104          32                   1488

Source: [2]
An important checklist to consider is:
• Ethernet segments should not exceed 40% utilization.
• WAN segments should not be saturated (links should be below 70% utilization).
• Broadcast traffic should be less than 20% of all traffic on any network segment.
• Collisions on Ethernet segments should not exceed 0.1% of total packets.
• Network response time should be less than 100 ms.
• Routers should not be over-utilized (75% utilization).
• Routers should not drop more than 1% of packets.
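As an added example (not part of the report), the following Python computes the periodic update load of RIP and IGRP from the Table 2.2 parameters and audits constructed segment and router measurements against the checklist above; the sample figures and the SegmentStats/RouterStats names are assumptions.

```python
import math
from dataclasses import dataclass
from typing import List

# Per-protocol figures copied from Table 2.2: default update timer (s), route
# entry size (bytes), routes per packet, network and update overhead (bytes).
ROUTING_PROTOCOLS = {
    "IP RIP":  {"timer": 30, "entry": 20, "per_packet": 25,  "overhead": 32},
    "IP IGRP": {"timer": 90, "entry": 14, "per_packet": 104, "overhead": 32},
}


def update_bytes(protocol: str, routes: int) -> int:
    """Bytes sent per update cycle for a routing table holding `routes` entries."""
    p = ROUTING_PROTOCOLS[protocol]
    packets = math.ceil(routes / p["per_packet"])
    return routes * p["entry"] + packets * p["overhead"]


def update_bps(protocol: str, routes: int, neighbours: int = 1) -> float:
    """Average bits/s of periodic update traffic a router places on a link."""
    timer = ROUTING_PROTOCOLS[protocol]["timer"]
    return update_bytes(protocol, routes) * 8 * neighbours / timer


@dataclass
class SegmentStats:
    name: str
    kind: str                 # "ethernet" or "wan"
    utilization: float        # fraction of link capacity in use (0..1)
    broadcast_share: float    # fraction of all frames that are broadcasts
    collision_rate: float     # collisions / total packets (Ethernet only)
    response_ms: float        # measured network response time


@dataclass
class RouterStats:
    name: str
    cpu_utilization: float    # fraction (0..1)
    drop_rate: float          # dropped / total packets


def check_segment(s: SegmentStats) -> List[str]:
    """Return the checklist items a segment violates (empty list = healthy)."""
    problems = []
    if s.kind == "ethernet" and s.utilization > 0.40:
        problems.append(f"{s.name}: Ethernet utilization {s.utilization:.0%} exceeds 40%")
    if s.kind == "wan" and s.utilization >= 0.70:
        problems.append(f"{s.name}: WAN utilization {s.utilization:.0%} not below 70%")
    if s.broadcast_share >= 0.20:
        problems.append(f"{s.name}: broadcast traffic {s.broadcast_share:.0%} not below 20%")
    if s.kind == "ethernet" and s.collision_rate > 0.001:
        problems.append(f"{s.name}: collision rate {s.collision_rate:.2%} exceeds 0.1%")
    if s.response_ms >= 100:
        problems.append(f"{s.name}: response time {s.response_ms:.0f} ms not below 100 ms")
    return problems


def check_router(r: RouterStats) -> List[str]:
    """Return the checklist items a router violates."""
    problems = []
    if r.cpu_utilization > 0.75:
        problems.append(f"{r.name}: router utilization {r.cpu_utilization:.0%} exceeds 75%")
    if r.drop_rate > 0.01:
        problems.append(f"{r.name}: drops {r.drop_rate:.1%} of packets, limit is 1%")
    return problems


def audit(segments: List[SegmentStats], routers: List[RouterStats]) -> List[str]:
    """Run the whole checklist and collect every violation."""
    findings: List[str] = []
    for s in segments:
        findings += check_segment(s)
    for r in routers:
        findings += check_router(r)
    return findings


# Constructed sample measurements (assumed, not taken from the report).
SAMPLE_SEGMENTS = [
    SegmentStats("Admin LAN", "ethernet", 0.32, 0.05, 0.0004, 40.0),
    SegmentStats("Lab LAN", "ethernet", 0.55, 0.25, 0.0030, 120.0),
    SegmentStats("Branch WAN", "wan", 0.82, 0.02, 0.0, 90.0),
]
SAMPLE_ROUTERS = [
    RouterStats("core-1", 0.60, 0.002),
    RouterStats("edge-1", 0.90, 0.015),
]

if __name__ == "__main__":
    print(f"RIP with 25 routes sends {update_bytes('IP RIP', 25)} bytes every 30 s")
    for line in audit(SAMPLE_SEGMENTS, SAMPLE_ROUTERS):
        print("WARN", line)
```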
CHAPTER 3: LOGICAL NETWORK DESIGN
This is the stage of top-down network design that immediately supersedes requirements analysis.
After the goals and constraints of the enterprise have been analyzed, the logical network
architecture is then designed.
Logical network design involves:
1. Designing the network topology.
2. Designing an addressing and naming model.
3. Selecting and implementing network protocols.
4. Selecting network management options.
3.1. Network Topology
A map is drawn to describe the geometry of the internetwork. This map is known as the network
topology. It shows network segments and interconnection points.
A hierarchical network design model is used. This is a layered model to tackle network design. It
consists of three major layers (refer to Figure 3.1):
• Core layer – consists of high-end routers. This is the high-speed backbone of the
internetwork. Redundancy is of paramount importance.
• Distribution layer – consists of switches and routers. This layer controls network traffic
and does address translation.
• Access layer – includes lower-end switches, hubs and wireless access points to provide
users access to the network.
Figure 3.1: Hierarchical topology
Advantages of hierarchical model
1. Cost saving. Only appropriate devices for a particular layer are bought.
Furthermore, management costs are reduced as network management systems can
be distributed to the appropriate layers.
2. Simplicity. The network is fairly easy to understand, so no intensive staff training is
required. Testing and fault isolation are consequently straightforward.
3. Facilitation of change. When change is required, such as adding a device, this is
done on a particular segment without altering the entire network.
4. Saves on CPU load and bandwidth consumption.
Flat Topology
A small company may use a flat topology for its relatively small network. Using a mesh
topology ensures redundancy thus guaranteeing network availability.
A full mesh topology provides complete redundancy. Furthermore, there is just a single-link
delay between any two sites; hence the network has good performance.
Figure 3.2: Full mesh network
Full mesh networks are expensive, difficult to troubleshoot, upgrade and optimize. Thus, it is not
advisable to implement this topology, unless it is incorporated into a partial-mesh hierarchical
design.
Generally, when designing a network using the hierarchical model, the access layer is designed
first, then the distribution layer, and finally the core layer. This ensures proper capacity planning
for the distribution and core layers.
Virtual LANs (VLANs)
A VLAN is a logical local area network (LAN) that extends over a group of LAN segments. It is
an emulation of a standard LAN that allows data to flow between devices that are not on the
same physical LAN.
VLANs allow for seamless accessibility even when there is physical relocation. This also ensures
that important resources such as databases for a particular department are accessible only to the
concerned persons (users within that VLAN).
Wireless LANs (WLANs)
Wireless local area networks are important to ensure access to the network by roaming users.
Wireless access points use radio frequency (RF) to communicate with wireless clients. A
wireless cell is the area that is covered by a wireless access point. The extent of a wireless cell
should be carefully selected so as to balance the bandwidth and the number of users sharing it.
It is important to place the WLAN on a separate subnet to ease addressing, network management
and security since most of the users are roaming.
3.2 Designing a Network Addressing and Naming Model
3.2.1 Addressing
To meet a customer's goals for scalability, manageability and performance, it is important to
develop a systematic model to allocate and aggregate address space. This eliminates the problem
of running out of addresses or duplication of addresses and simplifies integration of new devices.
The following steps act as a guideline for developing a proper network-layer addressing and
naming model:
1. Design a structured, hierarchical method for addressing the autonomous
systems, subnets and end stations.
2. Come up with a plan for route summarization/aggregation.
3. Plan how the administrative authority of assigning addresses will be
delegated.
4. Develop a model whereby addresses reflect geographical location of the
network segments.
5. Plan to identify special stations such as servers with specific node IDs.
6. Use dynamic addressing for end stations to maximize flexibility.
7. For Internet access, use gateways to map private addresses to external
addresses.
Data link layer addresses are known as Media Access Control (MAC) addresses or physical
addresses. These are six-octet numbers that uniquely identify a host, as they are ‘hardcoded’ into
the Network Interface Card (NIC) by the manufacturer.
Network-layer addresses are IP or IPX addresses assigned to a terminal. These can be manually
assigned by typing in the address or automatically assigned using a protocol such as DHCP.
Dynamic Host Configuration Protocol (DHCP)
DHCP does IP address allocation using a client/server model whereby servers allocate network
layer addresses and save data about which addresses have been allocated, while clients
dynamically request address configuration from the servers.
DHCP supports three modes for IP address allocation:
1. Automatic – the DHCP server assigns a permanent IP address to a client.
2. Dynamic – the DHCP server assigns an IP address to a client for a limited time period.
Once the time is up, the address is renewed or released for use by other nodes. This is
referred to as leasing.
3. Manual – the DHCP server informs the client of the permanent IP address assigned by the
network administrator.
Dynamic allocation is most commonly used because of its manageability and scalability.
Route Summarization/Aggregation (Supernetting)
This is the process of condensing routing information. This helps reduce the load on the router
and entire network.
For instance:
172.20.130.0
172.20.135.0
172.20.150.0
172.20.155.0
The above addresses can be summarized as 172.20.130.0/20. The 20 bits are: 8 bits in the first
octet, 8 bits in the second and 4 bits in the third. This implies that all packets with the first 20 bits
set to 172.20.130.0 should be forwarded to this router.
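As an added example (not from the report), the following Python computes the smallest supernet covering the four networks listed above and checks which of them a proposed summary route actually covers; on these addresses it reports 172.20.128.0/19 (8 + 8 + 3 bits), because 172.20.150.0 and 172.20.155.0 differ from 172.20.130.0 within the first four bits of the third octet. The /24 length assumed for each network is not stated in the report.

```python
import ipaddress
from typing import Iterable, List

# The four networks from the worked example above; the /24 prefix length is
# an assumption, since the report lists them without a mask.
EXAMPLE_NETWORKS = [
    "172.20.130.0/24",
    "172.20.135.0/24",
    "172.20.150.0/24",
    "172.20.155.0/24",
]


def summarize(networks: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix (supernet) that contains every network given."""
    nets = [ipaddress.ip_network(n) for n in networks]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot mix IPv4 and IPv6 prefixes in one summary")
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    # Every bit in which lo and hi differ must lie outside the common prefix,
    # so the prefix length is the address width minus the highest differing bit.
    prefix_len = nets[0].max_prefixlen - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefix_len), strict=False)


def uncovered(aggregate: str, networks: Iterable[str]) -> List[str]:
    """Networks a proposed summary route does NOT cover (empty = safe to advertise)."""
    agg = ipaddress.ip_network(aggregate, strict=False)
    return [n for n in networks if not ipaddress.ip_network(n).subnet_of(agg)]


def prefix_bits_by_octet(prefix_len: int) -> List[int]:
    """Split an IPv4 prefix length into the bits it consumes in each octet."""
    bits = []
    for _ in range(4):
        take = min(8, max(0, prefix_len))
        bits.append(take)
        prefix_len -= take
    return bits


if __name__ == "__main__":
    agg = summarize(EXAMPLE_NETWORKS)
    print("smallest aggregate:", agg, "bits per octet:", prefix_bits_by_octet(agg.prefixlen))
    print("not covered by 172.20.130.0/20:", uncovered("172.20.130.0/20", EXAMPLE_NETWORKS))
```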
Public Addresses and Private Addresses
IP addresses are either public or private. Public addresses are registered with a numbering
authority and are globally unique. Private addresses are never routed on the global Internet.
Specific ranges of addresses are reserved for private use:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Network Address Translation (NAT)
This is a mechanism for translating private addresses to public addresses, and vice versa. NAT
has a provision for static addresses for servers (such as web and e-mail servers) that need a fixed
address.
NAT can also offer port translation (overloading addresses) for mapping several addresses to the
same address. This ensures that all traffic from an enterprise has the same address. Port numbers
are used to distinguish separate conversations. This feature reduces the number of required
public addresses.
3.2.2 Naming
It is important that proper naming of network resources (hosts, routers, servers and printers) be
implemented as a good naming model strengthens the performance and availability of a network.
A user should transparently access a service by name rather than address. To map names to
addresses, a suitable naming protocol should be deployed. DNS (Domain Name Service) is a
suitable service to carry out these tasks.
To offer efficient manageability, the naming and addressing of a network should be centrally
managed, though authority can be subordinated.
3.3 Selecting and Implementing Switching and Routing Protocols
This is a very important stage in the network design process as the appropriate protocols need to
be selected so as to comply with the technical and business requirements. An understanding of
the switching and routing protocols that a switch or router supports helps the designer select the
best protocol.
3.3.1 Routing Protocols
Routing protocols provide the means for routers to share information so as to make a functional
internetwork. They provide routers with information on the nature of segments they support and
the most efficient paths to reach the destination locations.
There are two broad categories of routing protocols:
1. Distance-vector protocols.
2. Link-state protocols.
3.3.1.1 Distance-Vector Routing Protocols
These protocols communicate information about all known links to peer routers. A distance-
vector routing protocol sends its entire routing table to all neighbours. This consumes a lot of
bandwidth in large internetworks; hence these protocols are mainly associated with medium-
sized or small networks.
These protocols specify the length of the distance vector (course) with a hop count. A hop count
specifies the number of routers or links that must be traversed to reach a destination network.
Examples are:
• Routing Information Protocol, RIP (both version 1 and 2)
• AppleTalk Routing Table Maintenance Protocol (RTMP)
• Novell NetWare Internetwork Packet Exchange Routing Information Protocol (IPX RIP)
The following are derivatives of distance-vector routing protocols:
• Border Gateway Protocol (BGP)
• Interior Gateway Routing Protocol (IGRP)
• Enhanced IGRP (EIGRP)
3.3.1.2 Link-State Routing Protocols
These protocols only convey information about directly connected routers. They do not exchange
routing tables and each router learns enough information about links in the internetwork from
peer routers to build its own routing table.
Routers use a hello protocol to establish a relationship (adjacency) with neighbour routers. Each
router sends link-state advertisements (LSAs) to each adjacent router. The LSAs identify links
and metrics. These advertisements are propagated throughout the routers in the network.
Eventually each router has a link-state database that describes the nodes and links in the
internetwork.
Link-state routing uses more CPU and memory resources, but uses less bandwidth than distance-
vector routing, hence is preferred.
Examples:
• Open Shortest Path First (OSPF)
• IP Intermediate System-to-Intermediate System (IS-IS)
• NetWare Link Services Protocol (NLSP)
Link-state routing is recommended when a hierarchical network design is implemented and there
are knowledgeable personnel.
Distance-vector routing is preferred for a flat-topology network where network administrators do
not have enough knowledge to operate link-state protocols.
Open Shortest Path First (OSPF)
This is a link-state hierarchical interior gateway protocol. It features least-cost routing, multi-
path routing and load balancing. It minimizes CPU usage and bandwidth utilization. This is
because an OSPF router propagates only route changes. This is achieved by multicasting link-
state advertisements (LSAs) to all other routers within the same hierarchical area.
OSPF networks are grouped into areas connected to the main backbone. The topology of an area
is hidden from the rest of the autonomous system thus reducing routing traffic. An autonomous
system is a group of routers exchanging routing information via a common routing protocol. An
area border router (ABR) connects an area to the backbone (Area 0) as indicated in Figure 3.3.
All traffic between areas travels through Area 0. Area 0 should have high availability,
throughput, and bandwidth. It is desirable to have more than one ABR per area to offer high
availability.
Figure 3.3: OSPF Areas
3.3.2 Protocols and the Hierarchical Design Model
Routing protocols should be selected for different layers of the hierarchical design model.
• Core layer – an important consideration is redundant links and load sharing between
equal-cost paths. Suitable protocols are EIGRP, BGP, OSPF and IS-IS.
• Distribution layer – protocols used here include EIGRP, OSPF and IS-IS.
• Access layer – equipment here is less powerful than distribution and core layer
equipment with regard to processing power and memory. Suitable protocols are EIGRP
and OSPF.
3.4 Network Management
Network management should be a day-to-day activity, not merely a set of reactive actions taken
once network performance problems have appeared. A suitable approach is proactive management.
This means checking the health of the network under normal operation to identify potential
problems, optimize performance, and plan upgrades.
This requires that the network administrator be aware of problems before they negatively affect
network performance. Effective network management helps an organization measure how well
design goals are being met and adjust network parameters if these are not being met.
Main areas of network management are:
1. Implementation and change – installation, configuration, user management and billing.
2. Monitoring and diagnosis – problem isolation and resolution.
3. Design and optimization – baselining, trend analysis, topology design and
procurement.
The International Organization for Standardization (ISO) defines five types of network
management processes:
• Performance management - measurement of network behavior and effectiveness.
• Fault management - detecting, isolating, diagnosing, and correcting problems and
informing end users and managers of these problems.
• Configuration management – keeping track of network devices and information on how
devices are configured.
• Security management - includes processes for generating, distributing, and storing
encryption keys and other authentication and authorization information. Security and
audit logs are maintained.
• Accounting management - facilitates usage-based billing, whereby individual
departments are charged for network services. It shows which terminal or network
segment is responsible for whatever amount of traffic.
3.4.1 Network Management Architecture
A network management architecture consists of managed devices, agents, and NMSs arranged in
a topology that fits into the internetwork topology. A Network Management System (NMS) is a
software platform that runs on a workstation. It runs applications to: display management data,
monitor and control managed devices, and communicate with agents.
In the case of in-band monitoring, network management data flows with user traffic. This makes
the network management architecture easy to develop, but susceptible to problems on the
internetwork.
In out-of-band monitoring, network management data travels on paths different from those used
by user data. This offers availability, but calls for extra management as separate links are used.
A centralized monitoring architecture is preferred, whereby network management is
administered from a central location.
3.4.2 Network Traffic
After the management protocols have been determined, the amount of traffic generated by
network management is estimated. A protocol analyzer is helpful in gathering such statistics.
Management traffic should use less than 5 percent of a network's capacity.
3.4.3 Network Security
Security is a very critical aspect of a network. Network resources such as servers and databases
should be protected from unauthorized access. The logical topology of the network should
incorporate security measures such as firewalls.
A suitable approach to network security would be to create a demilitarized zone (DMZ). A DMZ
is an area between a company's private network and the outside public network. A dedicated
firewall is placed between the Internet and the enterprise network. A public LAN that hosts the
public servers including web, mail, and primary DNS servers is placed behind the firewall but
not within the enterprise private network (Refer to Figure 3.4). This topology enables outsiders
to access only data that they require, such as web pages, and not private company data.
The DMZ hosts intercept traffic and broker requests for the enterprise network. A DMZ host
receives requests from users within the private network for web access. The DMZ host then
initiates sessions for these requests on the public network, but the DMZ host cannot initiate a
session back into the private network.
Figure 3.4: Simple DMZ Topology
A network design should ensure that user services are secured. Remote access and wireless
access pose security challenges; therefore, measures must be taken to ensure security prevails on
the network. This is made possible by making use of features such as user authentication and
authorization, data encryption and implementing packet filters and firewalls. For instance, the
RADIUS (Remote Authentication Dial-In User Service) server provides a platform and database
for authenticating users and authorizing services permitted to users.
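As an added example (not the report's own code), this Python models the DMZ topology of Figure 3.4 and the packet filtering mentioned above as a first-match stateful filter: outsiders reach only the published DMZ services, private users and DMZ brokers may initiate sessions outward, and nothing may initiate a session from the DMZ or the Internet into the private network. The zone addresses, ports and sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Constructed zone addressing for the DMZ topology of Figure 3.4 (assumed values,
# not the report's): anything outside the DMZ and private ranges is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "private": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Classify an address into the zone whose range contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]   # empty set means any port
    action: str                 # "allow" or "deny"


# First-match policy. Outsiders reach only the public services; private users
# may use DMZ hosts as brokers; a DMZ host may initiate outward but never inward.
ANY = frozenset()
POLICY = [
    Rule("internet", "dmz", frozenset({25, 53, 80, 443}), "allow"),
    Rule("internet", "private", ANY, "deny"),
    Rule("dmz", "private", ANY, "deny"),
    Rule("dmz", "internet", ANY, "allow"),
    Rule("private", "dmz", ANY, "allow"),
    Rule("private", "internet", ANY, "allow"),
]
DEFAULT_ACTION = "deny"   # anything the policy does not mention is dropped

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def first_match(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Verdict for a new session according to the first matching POLICY rule."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src_zone != s or rule.dst_zone != d:
            continue
        if not rule.dst_ports or dst_port in rule.dst_ports:
            return rule.action
    return DEFAULT_ACTION


class StatefulFilter:
    """Minimal stateful packet filter: new sessions (SYN) consult POLICY, and
    other packets pass only when they belong to an already-approved session."""

    def __init__(self) -> None:
        self.sessions: Set[Flow] = set()

    def decide(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, syn: bool) -> str:
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        reverse: Flow = (dst_ip, dst_port, src_ip, src_port)
        if not syn:
            # Return traffic is admitted only for sessions the policy allowed, so a
            # DMZ host cannot reach back into the private network without one.
            return "allow" if flow in self.sessions or reverse in self.sessions else "deny"
        verdict = first_match(src_ip, dst_ip, dst_port)
        if verdict == "allow":
            self.sessions.add(flow)
        return verdict


def run_sample() -> List[str]:
    """Constructed traffic sample: the brokered web request described above."""
    fw = StatefulFilter()
    return [
        fw.decide("203.0.113.5", 40000, "192.0.2.10", 80, True),    # outsider -> public web server
        fw.decide("192.0.2.10", 80, "203.0.113.5", 40000, False),   # reply of that session
        fw.decide("203.0.113.5", 40001, "10.1.1.5", 445, True),     # outsider -> private host
        fw.decide("10.1.1.5", 50000, "192.0.2.10", 8080, True),     # inside user -> DMZ broker
        fw.decide("192.0.2.10", 50001, "198.51.100.7", 80, True),   # broker -> public web
        fw.decide("192.0.2.10", 50002, "10.1.1.5", 22, True),       # DMZ host -> private (blocked)
        fw.decide("192.0.2.10", 50003, "10.1.1.5", 50000, False),   # non-SYN with no session
    ]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```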
CHAPTER 4: PHYSICAL NETWORK DESIGN
4.1 Introduction
Physical network design involves the selection of LAN and WAN technologies for the
internetwork, comprising campus and enterprise network designs. During this stage of the
network design process, the issues considered are cabling, physical and data link layer protocols, and
internetworking devices (switches, routers, and wireless access points).
A suitable approach to physical network design is to consider campus network solutions (LAN)
first, then enterprise network (remote access and WAN) solutions.
4.2 Technologies and Hardware for the LAN
4.2.1 Ethernet
This is a physical and data link layer technology for the transmission of frames on a LAN. It is
by far the most popular data-link standard as it offers many advantages compared to other
technologies such as Token Ring, FDDI and ATM.
Ethernet technology has several implementations:
• 100-Mbps Ethernet
• 1000-Mbps (Gigabit) Ethernet
• Metro Ethernet
• Long-Reach Ethernet (LRE)
Full-Duplex Ethernet supports simultaneous transmitting and receiving. For example, on a link
between a switch port and a station, both the switch and the station can transmit data at the same
time. In cabling, this is achieved by dedicating one wire pair for transmitting and another for
receiving.
4.2.1.1 100-Mbps Ethernet
This is also known as Fast Ethernet or 100BASE-T Ethernet. It is easy to understand, install,
configure and troubleshoot, and is therefore the baseline choice for workstation connections.
100-Mbps Ethernet has two main physical implementations:
• 100BASE-TX. Two pairs of Category 5e or Category 6 UTP cabling. This is the most
popular implementation.
• 100BASE-FX. Two multimode optical fibers.
In a shared (half-duplex) collision domain the round-trip propagation delay must not exceed the
time it takes a sender to transmit 512 bits, which is 5.12 µs on 100-Mbps Ethernet. This limits
a 100-Mbps collision domain to a maximum diameter of 205 meters with UTP cabling, while any
single UTP segment, such as a station-to-switch or switch-to-switch link, is limited to 100 m.
On full-duplex switched links there are no collisions, so only the 100 m segment limit applies.
4.2.1.2 Gigabit Ethernet
Gigabit Ethernet runs at 1 Gbps over standard Category 5e or Category 6 UTP cabling
(1000BASE-T); 10-Gigabit Ethernet over UTP (10GBASE-T) requires Category 6a cabling for the
full 100 m reach. The IEEE 802.3 standard for Gigabit Ethernet specifies multimode and
single-mode fiber-optic cabling, UTP cabling, and shielded twinax copper cabling
implementations, categorized as:
• 1000BASE-SX (short-wavelength optics over multimode fiber)
• 1000BASE-LX (long-wavelength optics over single-mode or multimode fiber)
• 1000BASE-CX (shielded twinax copper, short reach)
• 1000BASE-T (four-pair UTP)
10-Gbps Ethernet is fast gaining popularity as a backbone technology. It supports full-duplex
transmission over fiber-optic cabling. When single-mode fiber-optic cables are used, a 10-Gbps
Ethernet link can cover a distance of up to 40 km.
It is important to provide for redundancy of the Ethernet links. This can be achieved by having
an extra link between the backbone switch and the departmental switches.
4.2.2 LAN Cabling
A good cabling infrastructure should be implemented, keeping in mind availability and
scalability goals. There are two types of cabling schemes:
1. Centralized cabling scheme - most or all of the cable runs terminate in one area of the
design environment. An example is star topology.
2. Distributed cabling scheme - cable runs are terminated throughout the design
environment. Ring, bus, and tree topologies make use of distributed cabling.
A centralized scheme with all cables terminating in a communications room on one floor is
suitable for an enterprise housed within a small building.
To connect up several buildings in a campus area, a distributed scheme offers better availability
than a centralized scheme. This is because the distributed topology includes a redundant link.
However, in real life situations, it might not be practical to have multiple cable conduits due to
environmental and management constraints.
4.2.2.1 Cable Types
Major cables used in networking are:
• Shielded copper - shielded twisted pair (STP), coaxial (coax), and twin-axial (twinax)
cables.
• Unshielded copper – unshielded twisted pair (UTP) cables
• Fiber-optic cables
Category 5 Enhanced (CAT 5e) and Category 6 (CAT 6) are the common UTP cabling
implementations.
Fiber-optic cables are growing increasingly popular as they are not affected by crosstalk, noise
or electromagnetic interference, and they carry greater bandwidth over longer distances; a single
fiber can carry 40 Gbps with current standards.
Though single-mode fiber supports higher rates over longer distances than multimode fiber,
multimode is cheaper (chiefly in its optics) and is therefore preferred for in-building and
short campus runs.
4.2.3 Internetworking Devices
Four basic types of internetworking devices are used:
• Hubs (concentrators)
• Bridges
• Switches
• Routers
Hubs are used to connect several users to a single physical device, which connects to the
network. Hubs and concentrators regenerate the signal as it passes through them, thereby acting
as repeaters.
Bridges are used to logically separate network segments within a network. They operate at Layer
2 (data link layer) and are independent of higher-layer protocols.
Switches are quite similar to bridges but usually have more ports. They provide a unique
network segment on each port, thereby separating collision domains. Switches are replacing hubs
to increase network performance and bandwidth. There are Layer 2 and Layer 3 switches.
Routers separate broadcast domains and are used to connect different networks. They direct
network traffic based on the destination network layer address (Layer 3) rather than the data link
layer or MAC address. Furthermore, they are protocol dependent. Additional features of routers
include filtering, firewalling, and advanced queuing and forwarding processes.
The following should be considered when selecting internetworking devices:
• The number of ports.
• Processing speed, memory, latency.
• Throughput.
• LAN and WAN technologies supported. For instance, bridging technologies and routing
protocols supported.
• Full-duplex operation.
• Media (cabling) supported.
• Ease of configuration and manageability.
• Cost.
• Parameters such as Mean time between failure (MTBF) and mean time to repair (MTTR).
• Support for security measures (encryption, packet filters, etc.), hot-swappable
components and redundant power supplies.
• Availability and quality of technical support and training, if required.
• Availability of independent test results that confirm the performance of the device.
• For wireless capabilities, the range and speeds supported.
It is important to know where to place a switch and where to place a router. Switches separate
collision domains within a network, while routers forward traffic to destinations on different
networks and terminate broadcasts that would otherwise degrade network performance.
The number of hosts sharing a broadcast domain should also be bounded: a common design
guideline (a rule of thumb, not a protocol limit) is to keep an IP broadcast domain below about
500 workstations.
4.3 Technologies and Hardware for the WAN
The types of WAN architecture and protocols to be used greatly influence the network devices to
be utilized. When designing the WAN it is important to fulfill these goals:
1. Bandwidth efficiency should be optimized
2. Bandwidth costs should be kept to a minimum.
4.3.1 Remote Access
Remote access is the ability of a user to get access to an enterprise’s private network from a
remote (off-site) location. People at branch offices, telecommuters and travelling employees may
need access to the company's network. This is achieved by using the Internet or via leased lines.
Dedicated lines (leased lines) are more expensive and less flexible but offer faster data rates.
The Internet is widely used to remotely connect users by making use of Virtual Private Networks
(VPNs). VPNs provide an enterprise with secure private network connections over the public
Internet. They use encryption and tunneling so that data in transit stays confidential and only
authenticated users can reach the enterprise's network.
4.3.1.1 Remote Access Technologies
Remote access technologies are employed to provide network access to employees in remote
offices, telecommuters and travelling workers.
Packet delivery methods are either connection-oriented or connectionless.
• Connection-oriented methods – A virtual connection is set up between two peer systems
before data is sent, and the connection state is used to acknowledge, sequence and
retransmit data so that delivery is reliable.
• Connectionless methods – There is no connection between source and destination; each
packet is forwarded independently. This has less overhead but offers no guarantee of delivery.
Point-to-Point Protocol (PPP) is a standard data link layer protocol for transporting various
network layer protocols across serial, point-to-point links. It can be used to connect one or
several remote users to a central office. It runs over serial links such as ISDN and digital
leased lines and can also be carried over frame relay circuits.
A point-to-point link is a dedicated network connection between two network locations.
Leased Lines
These are dedicated digital circuits connecting one location to another at a certain data-carrying
rate. A leased line is a point-to-point link carrying only traffic for a specific customer who
‘leases’ the link for a specified period of time.
WiMAX (Worldwide Interoperability for Microwave Access)
WiMAX (IEEE 802.16) is a microwave wireless technology that can be deployed as a point-to-point
link between two sites. It offers QoS support and low interference and can traverse distances
of up to about 50 km in line-of-sight use.
4.3.1.2 Implementation
Point-to-point connectivity across the public internetwork is provided by a tunneling protocol.
Tunneling is the technique whereby packets of one protocol are encapsulated inside another
protocol. Tunnels provide logical point-to-point connections across connectionless IP networks,
and security features such as authentication and encryption can then be applied to the tunnel
as a whole.
Point-to-Point Tunneling Protocol (PPTP)
This is a tunneling protocol that authenticates users with password-based methods (such as
MS-CHAP v2) and encrypts the tunnel with MPPE, so it requires no computer certificates and no
public key infrastructure (PKI). PPTP-based VPN connections provide data confidentiality but not
data integrity or data origin authentication: an attacker on the path can modify encrypted
packets without detection. The MS-CHAP v2 and MPPE (RC4) mechanisms are also weak by current
standards, so PPTP should not be chosen for new deployments.
Layer Two Tunneling protocol (L2TP)
This protocol supports use of computer certificates as the authentication method for Internet
Protocol security (IPSec). Computer certificate authentication requires a PKI to issue computer
certificates to the VPN server computer and all VPN client computers. L2TP/IPSec VPN
connections provide data integrity, data confidentiality and data authentication. Thus this
protocol is preferred to PPTP.
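What "confidentiality but not integrity" means in practice, as an added example (not part of the report) in Python. MPPE uses RC4; a toy SHA-256 counter-mode keystream stands in for it here (an assumption, so that the script runs offline and deterministically), but the behaviour shown holds for any stream cipher: an attacker who knows the layout of a tunnelled message, but not the key, flips ciphertext bits and thereby rewrites the plaintext, and the receiver decrypts the forgery cleanly. Adding an HMAC over the ciphertext, as IPsec ESP does, makes the same modification detectable. The keys and the message are constructed.

```python
"""Confidentiality without integrity: what the PPTP limitation above means in practice.

Added example, not from the report.  MPPE uses RC4; a toy SHA-256 counter-mode
keystream stands in for it here (an assumption, so the script runs offline and
deterministically).  Any stream cipher behaves the same way: flipping a ciphertext
bit flips the same plaintext bit, and nothing notices unless an integrity check,
such as the HMAC used by IPsec ESP, is added.
"""
import hashlib
import hmac

TAG_LEN = 32


def keystream(key, length):
    """Toy keystream (SHA-256 in counter mode); illustrative stand-in for RC4/MPPE."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key, data):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def tamper(ciphertext, offset, old, new):
    """Attacker without the key rewrites known plaintext bytes at `offset`:
    c' = c XOR old XOR new, because the keystream cancels out of the XOR."""
    delta = bytes(o ^ n for o, n in zip(old, new))
    patched = bytes(c ^ d for c, d in zip(ciphertext[offset:offset + len(delta)], delta))
    return ciphertext[:offset] + patched + ciphertext[offset + len(delta):]


def encrypt_then_mac(enc_key, mac_key, data):
    """Encrypt, then append an HMAC over the ciphertext (the ESP construction)."""
    ct = stream_xor(enc_key, data)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_verify(enc_key, mac_key, blob):
    """Check the tag before decrypting; refuse anything that has been modified."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return stream_xor(enc_key, ct)


def demo():
    """Return what the receiver sees without and with integrity protection."""
    enc_key, mac_key = b"tunnel-enc-key", b"tunnel-mac-key"   # constructed session keys
    message = b"TRANSFER amount=0100 to=acct-42"              # constructed tunnelled payload
    offset = message.index(b"0100")                           # attacker knows the layout, not the key

    # Confidentiality only: the forged amount decrypts cleanly and would be accepted.
    tampered = tamper(stream_xor(enc_key, message), offset, b"0100", b"9900")
    without_integrity = stream_xor(enc_key, tampered)

    # Encrypt-then-MAC: the same modification is detected.
    tampered_blob = tamper(encrypt_then_mac(enc_key, mac_key, message), offset, b"0100", b"9900")
    try:
        decrypt_verify(enc_key, mac_key, tampered_blob)
        with_integrity = "accepted"
    except ValueError:
        with_integrity = "rejected"
    return without_integrity, with_integrity


if __name__ == "__main__":
    print(demo())
```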
IPSec is used in a client-initiated remote access model whereby the encrypted tunnel is
established by client software. IPSec provides a secure path between remote users and a VPN
concentrator, a hardware platform that aggregates a large number of simultaneous VPN
connections (usually more than 100).
A remote access server is dedicated to remote access requests.
Figure 4.1: Remote Access
The remote access server is directly connected to the main Internet router to authenticate users
into the company’s network as indicated in Figure 4.1.
Features of a good access server include:
• Authenticates remote users by using certificates.
• Has a firewall to prevent unauthorized access.
• Remote access policy is defined to govern remote user access.
• Acts as an IP router for the VPN.
A suitable example is the Routing and Remote Access role of Microsoft Windows Server 2008,
which also acts as a network address translator (NAT) for connecting a private network to the
Internet and as an IP router for connecting subnets of a private network.
4.3.2 Internetworking Devices
High-performance routers should be used in WAN design. They should offer high throughput,
high availability, and advanced features to optimize the utilization of WAN circuits, which are
normally costly. The routers should also provide the necessary WAN interfaces to support
bandwidth requirements.
Other devices such as VPN concentrators and switches should also be carefully selected, keeping
in mind the goals of the design process.
Provisioning
This is the process of selecting the right amount of capacity that the WAN must provide. This is
done by analyzing traffic flows and scalability goals.
A suitable service provider should be selected. This provider should offer high WAN
performance and be very reliable.
CHAPTER 5: TESTING AND OPTIMIZING THE NETWORK DESIGN
5.1 Introduction
Once the network has been designed, it is important to test and optimize the design so as to
ensure it meets the customer’s goals. This chapter discusses testing the network design and
optimization techniques to ensure bandwidth efficiency.
5.2 Testing the Network Design
This is an important stage in the analytical approach to network design. The proposed design has
to meet business and technical requirements for it to be implemented.
There are several test methods available from vendors and independent test labs which can be
used to test the internetwork design. Testing procedures and tools should be selected depending
on the goals for the testing project.
Performance analysis is a critical aspect in testing. Building a prototype of the network is
necessary to evaluate performance characteristics such as throughput, end-to-end delay and
availability.
5.2.1 Building and Testing a Prototype
A prototype is a model of the network design. The final implementation of the design is
patterned on this prototype. The prototype should be fully functional but on a smaller scale than
the actual implementation. For smaller networks, a pilot could be used. This is a scaled-down
prototype.
A prototype is usually deployed in a test environment. However, it can be integrated into the
entire network but tested during off-hours. On the other hand, it can be implemented in one
network segment to prove functionality and to correct any shortcomings. Upon approval, the
design is rolled out throughout the internetwork.
Tests run on the prototype should include:
• Performance analysis - examines the level of service offered by the system in terms of
throughput, delay, response time, and efficiency.
• Stress analysis - examines any degradation of service due to increased network load.
• Failure analysis - examines network availability and analyzes causes of network outages.
5.2.2 Testing Tools
Tools for testing the internetwork design fall into four broad categories:
1. Network-management and monitoring tools. These tools usually run on a dedicated
network-management station (NMS) in a production environment to alert network
managers about problems and significant network events. They also help in testing a
network design. Examples are SNMP-based management platforms and the monitoring
features (show and debug commands, NetFlow) built into the Cisco Internetwork
Operating System (IOS). Protocol analyzers help in the analysis of traffic behavior,
errors, bandwidth utilization and efficiency, and rates of broadcasts and multicasts.
2. Traffic-generation tools. Powerful, multiport traffic generators can send multiple streams
of network traffic, emulate protocols, and analyze network performance.
3. Modeling and simulation tools. These allow the designer to develop a model of a network
and estimate the performance of the network. An accurate simulation tool is often
preferred to implementing an extensive prototype system.
4. QoS and service-level-management tools. These tools analyze end-to-end performance
for network applications. Examples are NetPredictor from NetPredict Inc and VitalSuite
from Lucent Technologies.
Other examples of network testing tools available in the industry:
• WANDL's Network-Planning and Analysis Tools.
• CiscoWorks Internetwork Performance Monitor (IPM).
• OPNET Technologies software.
• Agilent's RouterTester.
5.3 Optimizing the Network Design
Network performance should be optimized to meet QoS requirements. This is especially
important for modern networks which have a combination of data, voice and video traffic.
Performance is optimized for traffic flows in a particular network segment or throughout the
whole network.
A performance architecture is the set of performance mechanisms defined to configure, operate,
provision, manage and account for network resources that support traffic flows. This architecture
shows where the mechanisms are applied within the network.
It incorporates:
• Admission and rate controls – control of traffic inputs.
• Traffic/capacity engineering – performance adjustment.
• Prioritizing, scheduling, and conditioning traffic flows – network control for service
delivery.
• Implementing a feedback loop to users, management, applications and devices – for
modification of controls, if necessary.
5.3.1 Performance Mechanisms
These mechanisms provide the means to identify traffic flow types, analyze their characteristics,
and undertake appropriate actions to improve their performance.
They include:
• Quality of Service.
• Resource control.
• Service-level agreements (SLAs).
5.3.1.1 Quality of Service
IP QoS is a class of mechanisms that provision and apply priority levels in the IP layer of the
network.
There are two types of services that offer QoS assurances:
• Controlled-load service. Provides a client data flow with a QoS approximately equal to
that of an unloaded network. This service is suitable for applications that are highly
sensitive to overload conditions.
• Guaranteed service. Provides firm bounds on end-to-end packet-queuing delays. It is used
by applications that need a guarantee that a packet arrives no later than a certain time
after transmission by its source.
The Resource Reservation Protocol
RSVP is a setup protocol used for QoS requests. A host uses RSVP to request specific qualities
of service from the network for specific application data flows. Routers use RSVP to deliver QoS
requests to other routers along a flow path. RSVP is not a routing protocol but occupies the place
of a transport protocol in the protocol stack.
RSVP is a QoS signaling protocol, more specifically; it offers out-of-band signaling. QoS
signaling is a means of delivering QoS requirements across a network. Out-of-band signaling
implies that in addition to data frames, hosts send additional frames to indicate that for a
particular traffic flow, a certain QoS service is desired.
RSVP only transfers QoS parameters. It does not define the parameters or the different types of
services that an application can request.
5.3.1.2 Resource control
This encompasses prioritization, traffic management, scheduling, and queuing.
(a) Prioritization
This is the process of determining which user, application, device, flow, or connection gets
service before others. Competition between traffic flows for network resources necessitates
prioritization, which determines who gets resources first and how much they get.
Priority levels should be set for traffic flows, users, applications and devices. These determine
the relative importance and urgency of the flows.
(b) Traffic management
Management of network traffic is important and it consists of admission control and traffic
conditioning.
Admission control is the ability to deny access to network resources. It uses priority levels to
permit, deny, or sometimes delay access. For instance, if voice and video traffic flows are
assigned higher priority, they are given access before other traffic flows.
Traffic conditioning is a set of mechanisms that increase or decrease performance to traffic
flows. Traffic flows are classified (identified) and metered. Metering is measuring performance
characteristics of traffic flows. Conforming traffic is within performance boundaries; while non-
conforming traffic is traffic not within performance boundaries. Conforming traffic is forwarded
with no alterations but non-conforming traffic has to be shaped or dropped (discarded).
(c) Scheduling
Scheduling is the mechanism that determines the order in which traffic is processed for
transmission. It uses priority levels to perform this task. Scheduling is done after traffic has been
prioritized and conditioned.
In switches and routers, scheduling is configured per interface as part of the device's QoS
configuration.
(d) Queuing
This is the storage of IP packets within a network device as they wait processing.
Several queuing mechanisms are available in network devices:
• First in first out (FIFO). Packets are stored in a single queue and transmitted onto the
network in the order in which they were received.
• Class-based queuing (CBQ). Multiple queues with differing priorities are maintained and
higher-priority queues are processed before lower-priority queues. This ensures that higher-
priority traffic is assigned more network resources, enhancing its performance.
• Weighted fair queuing (WFQ). Weights (priorities) are assigned to queues, and each queue
receives a share of the link bandwidth proportional to its weight, so that higher-priority
flows get more service without starving lower-priority ones.
• Random early detect (RED). Packets are dropped randomly, with a probability that rises with
the average queue length, before the queue actually overflows. The early drops make TCP
senders slow down gradually instead of all backing off at once when the queue fills.
• Weighted RED (WRED). Operates in a manner similar to RED but applies different drop
thresholds to different priority levels.
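The RED mechanism above, as an added example (not part of the report) in Python: the drop probability is computed from an exponentially weighted average of the queue length, zero below a minimum threshold, rising linearly to a maximum probability at a maximum threshold, and certain above it. The thresholds, the averaging weight and the offered load in the simulation are assumptions; the simulation goes slightly beyond the text by comparing RED with plain tail-drop under the same overload, to show that RED keeps the queue (and hence queuing delay) well below the buffer size.

```python
"""Random Early Detection (RED) as used in router queues: the drop probability grows
with the average queue length so that TCP senders back off before the queue overflows.

Added example, not from the report.  The thresholds, the EWMA weight and the arrival
pattern in simulate() are assumptions chosen to make the effect visible.
"""
import random


def update_average(avg, queue_len, weight=0.2):
    """Exponentially weighted moving average of the instantaneous queue length.
    A short burst barely raises avg, so only sustained congestion triggers drops."""
    return (1.0 - weight) * avg + weight * queue_len


def red_drop_probability(avg, min_th=5.0, max_th=15.0, max_p=0.1):
    """Floyd and Jacobson's basic RED curve: no drops below min_th, a linear ramp
    to max_p at max_th, and forced drops above max_th."""
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return max_p * (avg - min_th) / (max_th - min_th)


def simulate(policy, arrivals_per_tick=3, service_per_tick=2, ticks=200, capacity=50, seed=7):
    """Offer more packets than the link can serve and compare tail-drop with RED.
    policy is "tail" or "red".  Returns (packets dropped, peak queue occupancy)."""
    rng = random.Random(seed)
    queue, avg, drops, peak = 0, 0.0, 0, 0
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            avg = update_average(avg, queue)
            if queue >= capacity:
                drops += 1                        # both policies must drop when the buffer is full
            elif policy == "red" and rng.random() < red_drop_probability(avg):
                drops += 1                        # early, probabilistic drop
            else:
                queue += 1
            peak = max(peak, queue)
        queue = max(0, queue - service_per_tick)  # the link drains service_per_tick per tick
    return drops, peak


if __name__ == "__main__":
    for policy in ("tail", "red"):
        dropped, peak = simulate(policy)
        print("%-4s dropped=%d peak_queue=%d" % (policy, dropped, peak))
```

Both policies drop roughly the same number of packets in the long run (the link simply cannot carry the excess), but tail-drop lets the queue fill to its capacity first, which is the worst case for voice and video delay; RED holds it near the maximum threshold.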
5.3.1.3 Service-level agreements (SLAs)
An SLA is a formal contract between a provider of a service and a user, defining the terms of the
provider’s responsibility to the user. The provider can be an ISP providing the Internet
connection to the enterprise. The SLA defines performance characteristics in terms of capacity,
delay and reliability.
SLAs are used as checks to ensure that the network is performing as stipulated. This prompts for
optimization techniques if the performance falls short of expectation.
CHAPTER 6: APPLYING THE METHOLOGY
6.1 Background
A production company dealing with the manufacture of petroleum products such as cooking fat,
soaps and detergents is considered. ‘Deban Ltd’ is the name assigned to this company for privacy
reasons. The company has about 350 employees working in various departments within the
company premises. Customers for the products are within the province and neighbouring
counties.
In recent years, the staff numbers have been increasing and the network performance has been
diminishing. Moreover, profit margins have been dwindling. The company intends to increase its
profits by increasing the efficiency of internal processes.
A manufacturing support system is to be introduced to keep track of production schedules and
work orders. A new accounting system will also be introduced to ensure proper financial records
are maintained enhancing financial analysis. It is intended to incorporate a Research and
Development Department whose staff will come up with more efficient production and waste
management methodologies. This department will not be housed within the company premises.
There are two dedicated network and systems administrators who oversee the operations of the
network.
6.2 Business and Technical Goals
• Come up with and implement a cost-effective network design.
• Incorporate e-commerce and remote access services to enhance mobility.
• Improve the performance, reliability and security of the network.
• The network should have high availability (be available 99.8% of the time).
• Introduce wireless access in the Customer Support department; this access must be secure.
• The Research and Development Department should securely access the company’s network.
• Fault tolerance. The MTBF should be about 4200 hours (about 6 months). Together with the
99.8% availability goal this bounds the mean time to repair, since availability is
MTBF / (MTBF + MTTR): 4200 / (4200 + MTTR) ≥ 0.998 requires MTTR of at most about 8.4 hours.
• Provide for continued growth in staff numbers.
• Provide a practical and user-friendly naming and addressing scheme.
• Increase production output by enabling extensive Internet research on efficient production
methodologies.
6.3 Structure
Deban Ltd has several departments which run a number of applications on the current network.
The departments and main applications run are:
Sales and Marketing – main applications run are minimal web browsing and e-mail
communications with other departments, external customers and business partners. Office
applications such as word-processing and spreadsheets packages are also run. Users are
about 80.
Finance –mainly spreadsheet packages and other host applications. A new accounting
system will be installed here. Users are about 40.
Human resource and Administration – mainly office applications and e-mail. Users are
about 50.
Technical (Manufacturing and ICT) – deals with custom production line and systems
monitoring software run on high-performance PCs. A manufacturing support system will
run here, which will keep track of production schedules and work orders. This system is
to be hosted on a server within the department. Users here also engage in extensive web
browsing (with numerous downloads and uploads) and e-mail. Involves 80 users.
Customer Support – deals with customer queries, e-mail and other office applications.
Users are about 80.
Research and Development – will be introduced. Expected features are a lot of web
browsing and use of custom development software run on high-performance PCs by
about 40 users.
All the departments are located within the company premises with the exception of the Research
and Development department which will be located 2km off-site.
Within the headquarters, one building hosts the Finance, Sales and Marketing, and Human
Resource and Administration departments while the Technical department is on a different
building. The Customer Support offices, where the reception area is, are housed within a
different building.
The Customer Support area should have wireless capability in which in-house staff, customers,
business partners, and generally any interested parties can access the company’s network.
6.4 Current Network
The current campus network has a hierarchical architecture in which a single router provides
Internet access (refer to Figure 6.1). The Internet link is a 2 Mbps link provided by a local
ISP.
Each department has an Ethernet switch (48-port) which connects all workstations, local printers
and servers via Category-5 UTP cables. These switches are all then connected via fiber optic
cables to a switch in the Technical Department, which is in turn connected to the router. All
these connections are based on 100 Mbps Ethernet.
Every department houses its file server and the Finance and Sales departments also house their
own database server.
A private addressing scheme is used whereby all network workstations are within the 192.168.5.0
subnet with a subnet mask of 255.255.255.0. A DHCP server manages the addressing of all PCs and
a DNS server handles naming. Public servers such as the web server and e-mail server, however,
have public addresses.
Figure 6.1: Current Network Layout
6.4.1 Traffic flows
With the help of protocol analyzers and interaction with the users, traffic flows and loads were
analyzed. The applications, protocols and number of workstations were considered. General web
browsing and applications running Internet uploads was found to use up most of the bandwidth.
After observing bandwidth utilization on several links in a 10-minute window, the utilization on
the Ethernet links was found to be about 55%. The WAN link was found to have an average
utilization of about 78%, which was approaching saturation.
A large number of broadcasts was using up bandwidth in the network. Broadcast traffic
accounted for about 30% of all traffic on the campus network.
TCP/IP protocol is dominant throughout the network.
6.4.2 Inherent Problems of the Current Design:
• All devices are within the same broadcast domain.
• The Internet link and Ethernet links are overloaded.
• The network has run out of IP addresses. Only 254 devices are allowed on the network,
according to the current addressing scheme.
• There are difficulties in transmitting video and voice traffic due to minimal bandwidth
availability.
6.5 Proposed Design
After considering the existing network and the technical and business goals, a network design
was proposed.
6.5.1 Connectivity
Each building will have a wiring closet and each workstation will be connected to the wiring
closet in its respective building through Category-5 UTP cables. These wiring closets are
eventually connected to a computer center within the Technical department’s offices through
fiber optic cables.
All the user terminals have 100Mbps Fast Ethernet switched connections. Users in the Finance
and Human Resource and Administration departments are connected to 24-port switches at a
ratio of 20 users to a switch. Within the Sales department, 48-port switches are used with a
maximum of 40 terminals connected to a single switch. These departments require fewer
computing resources, and will thus be allocated lower bandwidth compared to the Technical
department. The Technical department’s users are connected to 24-port Fast Ethernet switches at
a ratio of 16 users to a switch. The Research and Development department also employs this
ratio.
The Finance, Human Resource and Administration and Sales departments each have their own
file servers, but other major servers used in the company are within the server farm located in the
Technical department. This server farm is connected to the backbone switch via a Gigabit
Ethernet link. Servers located here include the DNS, DHCP, Remote Access Server, RADIUS,
Proxy and database servers.
The Research and Development department is connected to the campus network via a wireless
point-to-point link.
Wireless access points are placed within the reception area in the Customer Support building.
These allow users to access the company’s public network.
6.5.2 Logical Network Design
Hierarchical network design has been used here.
At the core layer is the main router where the Internet link from the ISP terminates. There is a
dedicated firewall behind this router and a DMZ is created. Public servers are placed within the
DMZ.
A core switch is then placed behind a firewall to form the distribution layer. This is a layer 3
switch that forms the backbone of the enterprise network. It is from this switch that the different
departments of the enterprise are connected. The server farm is directly connected to the
backbone switch.
At the access layer, Ethernet switches are located at departmental offices to offer connectivity to
network terminals.
Several VLANs are configured in the network. These are:
• The Sales and Marketing Department forms one VLAN.
• The Finance department is placed in one VLAN.
• Another VLAN is defined for the Administration department.
• The Technical and Research and Development departments are placed in the same VLAN.
• Another VLAN is configured for the Customer Support Department.
• Wireless users are placed in a separate VLAN. Wireless access provides access to the
company’s public network only.
The layer 3 core switch performs inter-VLAN routing. Because inter-VLAN routing would otherwise
make every VLAN reachable from the wireless VLAN, restricting wireless users to the public
network requires a filter (an access control list) on the core switch that permits the wireless
subnet only towards the public segment and the Internet.
Addressing
Addresses are drawn from the private block 10.2.0.0/16, of which the subnets 10.2.1.0/24 to
10.2.9.0/24 are allocated below; the remainder of the block is reserved for growth. Each
department is placed in its own subnet and is assigned a full /24 (the equivalent of a Class C
network):
• Technical – 10.2.1.0/24
• Research and Development – 10.2.2.0/24
• Finance – 10.2.3.0/24
• Human Resource and Administration – 10.2.4.0/24
• Sales and Marketing – 10.2.5.0/24
• Customer Support – 10.2.6.0/24
The server farm is placed on 10.2.7.0/24 and remote users are incorporated in 10.2.8.0/24.
Users accessing the network via wireless capability are placed on a separate subnet, 10.2.9.0/24.
There is a public network segment which contains the external Web and FTP servers and has
been assigned legitimate public addresses. The firewall there ensures that sessions from the
public network subnet cannot be initiated into the secured network, while sessions initiated
from the secured network towards the public segment are allowed.
A DHCP system is used to assign IP addresses to user terminals. DNS name management system
is also used. DHCP and DNS services are hosted within one server thus all the addresses and
names are centrally managed.
The strategy used in address assignment is:
• Servers use 10.2.n.1 to 10.2.n.20
• Printers use 10.2.n.21 to 10.2.n.39
• Users use 10.2.n.40 to 10.2.n.249
• Routers use 10.2.n.250 to 10.2.n.254
This strategy allows 210 user hosts on a single subnet. For instance, the block of addresses
for users in the Finance department is 10.2.3.40 to 10.2.3.249. If a greater number of hosts is
required within a single subnet, a further /24 can be assigned. The strategy also ensures that
devices such as printers, servers and routers, which require static IP addresses, can be
assigned addresses without conflict with user terminals: the DHCP scope for each subnet covers
only the user range, and the server, printer and router ranges are excluded from it.
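The assignment strategy as a checkable plan, added here as an example (not part of the report) in Python using the standard ipaddress module. The subnets and per-role ranges are those given in the text; the function names and the sample static assignments are assumptions. The plan yields the DHCP scope of each subnet directly, and a static assignment is rejected if it falls inside that scope, in the wrong role range, or in a subnet the plan does not define, which is the check an administrator wants before handing out an address for a new printer or server.

```python
"""The address-assignment strategy above as a checkable plan.

Added example, not from the report: the subnets and per-role ranges are the ones
given in the text; the function names and the sample static assignments are
assumptions made here.
"""
import ipaddress

SUBNETS = {
    "tech": "10.2.1.0/24",
    "rd": "10.2.2.0/24",
    "finance": "10.2.3.0/24",
    "admin": "10.2.4.0/24",
    "sales": "10.2.5.0/24",
    "support": "10.2.6.0/24",
    "servers": "10.2.7.0/24",
    "remote": "10.2.8.0/24",
    "wireless": "10.2.9.0/24",
}
# Inclusive last-octet ranges for each role, as in the report's strategy.
ROLES = {"servers": (1, 20), "printers": (21, 39), "users": (40, 249), "routers": (250, 254)}


def role_of(ip):
    """Return (subnet name, role) for an address, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, prefix in SUBNETS.items():
        if addr in ipaddress.ip_network(prefix):
            last_octet = int(addr) & 0xFF
            for role, (lo, hi) in ROLES.items():
                if lo <= last_octet <= hi:
                    return name, role
            return name, "reserved"  # .0 and .255: network and broadcast addresses
    return None


def dhcp_scope(name):
    """DHCP hands out only the users range; servers, printers and routers are outside it.
    Returns (first address, last address, pool size)."""
    net = ipaddress.ip_network(SUBNETS[name])
    lo, hi = ROLES["users"]
    return str(net[lo]), str(net[hi]), hi - lo + 1


def check_static_assignments(assignments):
    """Validate static addresses against the plan.  `assignments` maps
    hostname -> (address, intended role).  Returns a list of (hostname, problem)."""
    problems = []
    for host, (ip, intended) in assignments.items():
        found = role_of(ip)
        if found is None:
            problems.append((host, "outside the address plan"))
        elif found[1] == "users":
            problems.append((host, "inside the DHCP scope"))
        elif found[1] != intended:
            problems.append((host, "in the %s range, not %s" % (found[1], intended)))
    return problems


# Constructed sample: three correct assignments and two mistakes.
SAMPLE_ASSIGNMENTS = {
    "fs1.finance.deban.com": ("10.2.3.1", "servers"),
    "prn1.sales.deban.com": ("10.2.5.21", "printers"),
    "gw.tech.deban.com": ("10.2.1.254", "routers"),
    "prn2.sales.deban.com": ("10.2.5.45", "printers"),   # would collide with a DHCP lease
    "nas1.rd.deban.com": ("10.2.12.5", "servers"),       # subnet not in the plan
}

if __name__ == "__main__":
    print("finance DHCP scope:", dhcp_scope("finance"))
    for host, problem in check_static_assignments(SAMPLE_ASSIGNMENTS):
        print(host, "->", problem)
```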
Naming
A hierarchical naming system is implemented.
The domain name ‘deban.com’ is used as the root domain for this network. Sub-domains are
then defined for each department.
This is as shown:
• Technical – tech.deban.com
• Research and Development – rd.deban.com
• Finance – finance.deban.com
• Human Resource and Administration – admin.deban.com
• Sales and Marketing – sales.deban.com
• Customer Support – support.deban.com
Host machines are then named. These are named starting with pc1 for the first host, and
following an ascending order (pc2, pc3, pc4…pcn; n being an integer whose maximum value is
the number of user machines within a department). Therefore a host in the sales department can
have the name ‘pc8.sales.deban.com’. The DNS server manages this naming scheme.
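The address plan and naming scheme above are easy to get wrong in practice (a DHCP scope that overlaps a static range, or a subnet that falls outside the summary route). The following is an added worked example, not code from the report, that encodes the plan in Python's standard ipaddress module and checks it: it maps any address to its department and role, derives the DHCP scope (the user block only) for a department, validates that the role ranges tile each /24 without gaps or overlaps, and generates pcN.<dept>.deban.com names. The pairing of pc1 onwards with consecutive addresses from .40 is an assumption made for the example; the report's DNS server could assign names to DHCP leases in any order.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Departmental /24 subnets and DNS subdomains as given in the report.
DEPARTMENTS: Dict[str, ipaddress.IPv4Network] = {
    "tech":    ipaddress.ip_network("10.2.1.0/24"),
    "rd":      ipaddress.ip_network("10.2.2.0/24"),
    "finance": ipaddress.ip_network("10.2.3.0/24"),
    "admin":   ipaddress.ip_network("10.2.4.0/24"),
    "sales":   ipaddress.ip_network("10.2.5.0/24"),
    "support": ipaddress.ip_network("10.2.6.0/24"),
}
SUMMARY = ipaddress.ip_network("10.2.0.0/16")
ROOT_DOMAIN = "deban.com"

# Host-octet ranges per role (inclusive), as given in the report.
ROLE_RANGES: Dict[str, Tuple[int, int]] = {
    "server":  (1, 20),
    "printer": (21, 39),
    "user":    (40, 249),
    "router":  (250, 254),
}


def role_of(address: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (department, role) for an address, or (None, None) if it is outside the plan."""
    addr = ipaddress.ip_address(address)
    for dept, subnet in DEPARTMENTS.items():
        if addr in subnet:
            offset = int(addr) - int(subnet.network_address)
            for role, (lo, hi) in ROLE_RANGES.items():
                if lo <= offset <= hi:
                    return dept, role
            return dept, "reserved"        # network or broadcast address
    return None, None


def dhcp_pool(dept: str) -> Tuple[str, str, int]:
    """The DHCP scope hands out only the user block; servers, printers and routers are excluded."""
    subnet = DEPARTMENTS[dept]
    lo, hi = ROLE_RANGES["user"]
    first = ipaddress.ip_address(int(subnet.network_address) + lo)
    last = ipaddress.ip_address(int(subnet.network_address) + hi)
    return str(first), str(last), hi - lo + 1


def validate_plan() -> List[str]:
    """Check the plan is internally consistent: every subnet inside the summary,
    role ranges tiling host offsets 1..254 with no gaps or overlaps."""
    problems = []
    for dept, subnet in DEPARTMENTS.items():
        if not subnet.subnet_of(SUMMARY):
            problems.append(f"{dept}: {subnet} lies outside summary {SUMMARY}")
    expected = 1
    for lo, hi in sorted(ROLE_RANGES.values()):
        if lo != expected:
            problems.append(f"role ranges have a gap or overlap at host offset {lo}")
        expected = hi + 1
    if expected != 255:
        problems.append("role ranges do not end at host .254")
    return problems


def a_records(dept: str) -> List[Tuple[str, str]]:
    """pcN.<dept>.deban.com names paired with user addresses in order.
    Assumption for this example only: pc1 gets the first user address (.40), pc2 the next."""
    first, _, count = dhcp_pool(dept)
    base = int(ipaddress.ip_address(first))
    return [(f"pc{i + 1}.{dept}.{ROOT_DOMAIN}", str(ipaddress.ip_address(base + i)))
            for i in range(count)]


if __name__ == "__main__":
    print(validate_plan() or "address plan is consistent")
    print(role_of("10.2.3.70"), dhcp_pool("finance"), a_records("sales")[7])
```

validate_plan() returning an empty list is the check to run whenever a role range is changed; role_of() is the lookup a DHCP reservation script or a firewall rule generator would use to decide whether an address may be handed out dynamically.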
Remote Access
Users can gain access to the company's secure network from anywhere, as long as they are
connected to the Internet. This is made possible by the implementation of VPNs. Such users are
placed on a separate subnet (10.2.8.0/24) to ease administration and management. Security is
paramount in such connections: user names and passwords are protected by the tunnel's
encryption, and it is recommended that they be changed every 30 days. The DHCP server assigns
IP addresses to these users.
A remote access server is included in the server farm: a powerful PC running Microsoft Windows
Server 2008. This server also performs network address translation for connecting the private
network to the Internet and acts as the IP router for the VPN. VPN client software is installed on
client machines, and the client software establishes the encrypted tunnel (a client-initiated
remote access model is used).
Traffic Flows
Following the analysis of traffic flows on the network, expected flows and loads were estimated,
including the new applications.
Main applications expected to run on Deban's network are tabulated in Table 6.1.
Table 6.1: Applications on the Network
Application                                          Estimated transfer size (Kb)   Departments using application   Total number of users
E-mail                                               100                            All                             390
Office applications (word-processing, spreadsheets)  400                            All                             390
Manufacturing support                                500                            Technical                       80
Production-line software                             500                            Technical                       80
Customer query system                                400                            Customer Support                40
Web browsing                                         300                            All                             390
Development software                                 500                            Research & Development          40
The applications’ traffic was categorized as either general web access or video and voice traffic.
It was recommended that allocation of bandwidth be based on estimations of throughput for
these two traffic types as in Table 6.2.
Table 6.2: Estimated Traffic Throughput
Application type     Estimated throughput per user
Web access           20 Kbps
Video and voice      64 Kbps
The number of probable simultaneous users within each department was determined and thus the
bandwidth of the links computed as reflected in Table 6.3.
Table 6.3: Departmental Links
(Required link bandwidth = web-access users × 20 Kbps + video/voice users × 64 Kbps.)
Department                          Traffic type                Number of users   Required link bandwidth (Kbps)
Technical                           Web access (20 Kbps)        70                1400
                                    Video and voice (64 Kbps)   10                640
                                    Total                                         2040
Research and Development            Web access (20 Kbps)        35                700
                                    Video and voice (64 Kbps)   10                640
                                    Total                                         1340
Finance                             Web access (20 Kbps)        25                500
                                    Video and voice (64 Kbps)   10                640
                                    Total                                         1140
Human Resource and Administration   Web access (20 Kbps)        25                500
                                    Video and voice (64 Kbps)   10                640
                                    Total                                         1140
Sales and Marketing                 Web access (20 Kbps)        40                800
                                    Video and voice (64 Kbps)   15                960
                                    Total                                         1760
Customer Support                    Web access (20 Kbps)        40                800
                                    Video and voice (64 Kbps)   20                1280
                                    Total                                         2080
This information was represented in the diagram of Figure 6.2.
Figure 6.2: Traffic Flows within Departmental Links
From the tabulated data the various links were provisioned. The conclusion was that, to achieve
proper network performance with headroom above the computed requirements, the links to the
various departments should have the following bandwidths:
Technical – 3 Mbps
Research and Development – 2 Mbps
Finance – 1.2 Mbps
Human Resource and Administration – 1.2 Mbps
Sales and Marketing – 2 Mbps
Customer Support – 2.5 Mbps
The deployment of 100 Mbps Ethernet ensures that the required throughput figures are
attainable.
Furthermore, the traffic flowing to and from the router that connects the campus network to the
Internet is estimated at about 10 Mbps. A 12 Mbps connection to the Internet via a reliable ISP
was therefore recommended.
Connection to the Internet
Internet connectivity plays an important role in the day-to-day running of Deban Ltd. The router
in the Technical department's building provides the point of connection to the Internet.
A dedicated firewall sits behind the router for security. This firewall appliance also performs
address translation: port address translation (PAT) is used, so all outgoing traffic from the
network appears to come from one public address, while static one-to-one translations are
reserved for the web and e-mail servers so that they are reachable at fixed public addresses.
The web services server (HTTP, FTP and e-mail), the firewall and the primary DNS server obtain
public addresses from the ISP.
The domain 'deban.com' is registered with the relevant authorities; 'www.deban.com' is the
public web host within it.
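The edge policy described above (PAT so that all outgoing traffic shares one public address, static translations for the published servers, and the rule that only connections initiated from the secured side may cross) can be modelled as a small connection-tracking table. The following is an added example in Python, not code from the report or from any firewall product. The public addresses 203.0.113.x and 198.51.100.x are documentation-range placeholders, the inside server 10.2.7.10 and the ports it publishes are assumptions, and the same logic describes the firewall between the public server segment and the secured network.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Packet = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)
Decision = Tuple[str, Optional[Packet]]     # ("allow" | "drop", translated packet)


@dataclass
class EdgeGateway:
    """Illustrative model of the report's edge firewall: stateful filtering with
    PAT for outgoing traffic and static NAT for published servers."""
    inside: str                                   # secured network, e.g. "10.2.0.0/16"
    public_ip: str                                # the single PAT address
    # inside server -> (public address, ports reachable from outside); assumed values
    static_map: Dict[str, Tuple[str, Set[int]]] = field(default_factory=dict)
    next_port: int = 40000                        # next PAT source port to allocate
    # (public_ip, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    state: Dict[Packet, Tuple[str, int]] = field(default_factory=dict)

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.inside)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Decision:
        """Secured network -> outside: allowed, address translated, state recorded."""
        if not self._is_inside(src_ip):
            return "drop", None                   # spoofed or misrouted source
        if src_ip in self.static_map:             # a published server keeps its own public address
            pub_ip, pub_port = self.static_map[src_ip][0], src_port
        else:                                     # everyone else shares public_ip (PAT)
            pub_ip, pub_port = self.public_ip, self.next_port
            self.next_port += 1
        self.state[(pub_ip, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return "allow", (pub_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Decision:
        """Outside -> secured network: allowed only as the reply to a tracked connection,
        or towards a published server on one of its published ports."""
        hit = self.state.get((dst_ip, dst_port, src_ip, src_port))
        if hit is not None:
            in_ip, in_port = hit
            return "allow", (src_ip, src_port, in_ip, in_port)
        for inside_ip, (pub_ip, ports) in self.static_map.items():
            if dst_ip == pub_ip and dst_port in ports:
                return "allow", (src_ip, src_port, inside_ip, dst_port)
        return "drop", None


def demo() -> List[Decision]:
    """The cases the report describes: inside-initiated (allowed), its reply (allowed by
    state), unsolicited inbound (dropped), and inbound to a published service."""
    gw = EdgeGateway(inside="10.2.0.0/16", public_ip="203.0.113.1",
                     static_map={"10.2.7.10": ("203.0.113.2", {80, 443})})
    return [
        gw.outbound("10.2.3.70", 51000, "198.51.100.5", 80),     # Finance user browsing out
        gw.inbound("198.51.100.5", 80, "203.0.113.1", 40000),    # reply matches state
        gw.inbound("198.51.100.5", 4444, "203.0.113.1", 40001),  # no state: dropped
        gw.inbound("198.51.100.9", 5555, "203.0.113.2", 80),     # published web port
        gw.inbound("198.51.100.9", 5555, "203.0.113.2", 22),     # not published: dropped
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of keeping a port set in the static mapping is that a one-to-one translation on its own forwards every port to the server; the report's statement that NAT "provides static addresses" for the web and e-mail servers should be read together with a filter that admits only the published services.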
OSPF is employed as the interior routing protocol within the network, as it supports equal-cost
load balancing and is not vendor-specific. TCP/IP is used throughout the network.
The logical network design is reflected in Figure 6.3.
Figure 6.3: Logical Network Design
6.5.3 Physical Network Design
Physical Media
• 100 Mbps Ethernet switches are used within buildings.
• Cat 5e UTP cables connect workstations to the switches. One building which
hosts the Finance, Sales and Administration departments has a cabling structure
as represented in Figure 6.4.
Figure 6.4: Building Network Architecture
• A centralized cabling scheme is employed whereby multimode fiber optic cables
run in underground conduits from the Networks Operation Centre in the
Technical Department (refer to Figure 6.5). A pair of cables is used for every link
to provide redundancy. These are 62.5/125 µm duplex multimode fiber optic cables.
Figure 6.5: Cabling Design for the Campus Area
• The core router, backbone switch and server farm are all housed in the Networks
Operation Centre in the Technical Department. Redundant power supply is
provided here using battery packs.
• The backbone switch has Gigabit Ethernet, Fast Ethernet and Ethernet ports. It is
a layer 3 switch.
• An Ethernet switch is placed in the off-site office to serve the Research and
Development Department.
• A wireless point-to-point link is used to connect the off-site Research and
Development Department to the campus network. This is a 2 Mbps link running
from the main core switch to the switch in the department’s building (refer to
Figure 6.6).
Figure 6.6: Physical set-up showing the wireless link to the Research Department
The overall network set up is represented Figure 6.7.
Figure 6.7: Internetwork Diagram
6.5.4 Testing and Optimization
It is recommended that a prototype be built and deployed in the Technical Department. The
performance of the prototype can be analyzed by carrying out tests with the help of traffic
generators, protocol analyzers and QoS management tools. Industry tests such as NetPredictor’s
NetPredict can be employed.
It is important to configure RSVP on the router and core switch for QoS analysis. Traffic
management should also be defined so that delay-sensitive flows (such as voice and video) are
accorded higher priority. An appropriate queuing strategy, such as WFQ, should be incorporated
to optimize the network.
The network needs to be reliable, with no over-utilization of routers, switches or links. Wireless
access and remote access are expected to be secure and convenient. Wireless users are able to
access the company's public network, while the company's private network is secured from
outsiders, who can only reach the public segment.
The 12 Mbps Internet connection was found to be sufficient and appropriate to allow for growth.
VLANs segment the departmental subnets from one another. Because the layer 3 core switch
performs inter-VLAN routing, separation between departments ultimately depends on the access
control applied at that switch, and on the departmental switchports not being negotiable into
trunks.
Recommendations
It is recommended that videoconferencing equipment be integrated within the network to enable
the enterprise enjoy the benefits of videoconferencing. This equipment includes Multi-point
Control Units (MCUs), gatekeepers and gateways.
6.6 Simulation Environment
A network was simulated using the Boson Netsim Simulation Environment. The Netsim network
simulator provides functionality for simulating network devices, protocols and switching
techniques and traffic flows. It provides a platform for simulating various LAN and WAN
topologies. Therefore, it was considered a suitable environment for the network designed.
Simulations carried out were:
(a) Overall Network Design
A network was designed in the NetSim simulator. This network consisted of six departments
connected through switches to a core router, as shown in Screenshot 6.1.
DB1 represents the router and SW1 the core switch. Departmental switches are named
Technical, Finance, Customer and RnD. Interfaces for devices were configured and IP
addresses assigned, as reflected in the appendix.
For the router DB1, addresses for interfaces were Fast Ethernet: 10.2.1.251, Serial:
172.20.10.1. Different subnets were used for the different departments as follows: Technical:
10.2.1.n, Finance: 10.2.3.n, Administration: 10.2.4.n, Sales: 10.2.5.n, Customer Support:
10.2.6.n, and Research: 10.2.2.n.
The PCs in the various departments were assigned addresses from their departmental /24
subnets, with the router set as the default gateway. Several parameters were configured on the
router, including protocol, MTU, bandwidth, delay and encapsulation; these configurations are
reflected in the appendix. Connectivity on the links was tested with ping and traceroute.
(b) VLANs
VLANs were configured at switch Finance and at SW1. At switch Finance, three VLANs were
configured for the three departments sharing that switch: Finance (PC3, PC4), Administration
(PC5, PC6) and Sales (PC7, PC8). These were VLANs V2, V3 and V4 respectively, and they kept
each department's traffic separate from the other two. VLANs were also configured at SW1.
Tests were run from the PC interfaces and the router interface to establish connectivity and
data flow.
A VPN was also configured to enable secure remote access. This was shown in the simulator by
configuring a tunnel through which access was established.
Results
It was established that connectivity to the router exists from each PC. For instance, the
configuration and ping output recorded for PC1 were:
Boson BOSS 5.0 IP Configuration
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 10.2.1.60
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.2.1.251
C:\>ping 10.2.1.60
Pinging 10.2.1.60 with 32 bytes of data:
Ping statistics for 10.2.1.60: Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 60ms, Average = 55ms
(10.2.1.60 is PC1's own address, so this ping exercises only the local stack; the router-side
test below is what confirms the path between PC1 and the router.)
From the router interface:
Welcome to the Boson NetSim!
Deb#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Serial1/0 172.20.10.1 YES unset up down
Serial1/1 unassigned YES unset administratively down down
FastEthernet0/0 10.2.1.251 YES unset up up
Deb#ping 10.2.1.60
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.60, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms.
Due to the VLAN configuration, workstations in the Finance department cannot reach
workstations in the Sales department: in the simulation, ping requests between them failed.
Each department was placed in its own VLAN, so its data flows remained private to the members
of that department.
Queuing was set on the router for optimization purposes.
Tunneling ensured that remote users were able to access the company’s network securely.
CHAPTER 7: CONCLUSIONS AND RECOMMENDATIONS
7.1 Conclusions
Internetwork design for a medium-sized enterprise was successfully studied and a network
designed for Deban Ltd. The top-down methodology was found to be a suitable design
methodology, whereby the design is tackled in a hierarchical manner.
Conformity to customer requirements was noted to be an important determinant in the process of
building appropriate network architecture.
7.2 Recommendations
Internetwork design can be further analyzed and more robust networks built to encompass more
features such as high-end videoconferencing and enterprise-wide and WAN IP telephony.
APPENDIX
Interface Configurations:
Router:
hostname Deb
ip subnet-zero
!
interface Serial1/0
 ip address 172.20.10.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 ! Note: this /16 mask disagrees with the /24 masks on the PCs and with the
 ! departmental /24 plan; the router treats all of 10.2.0.0/16 as one connected network.
 ip address 10.2.1.251 255.255.0.0
 no ip directed-broadcast
 ip ospf cost 1
!
router ospf 100
 ! Note: wildcard 0.0.0.255 matches only 10.2.0.0-10.2.0.255, so FastEthernet0/0
 ! (10.2.1.251) is not placed in OSPF by this statement; 0.0.255.255 would match it.
 network 10.2.0.0 0.0.0.255 area 0
 network 172.20.0.0 0.0.255.255 area 0
!
ip classless
no ip http server
!
access-list 2 permit any
!
queue-list 2 queue 1 byte-count 20000
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
…
end

PCs:
PC1:
interface Ethernet0
 ip address 10.2.1.60 255.255.255.0
 no ip directed-broadcast
!
ip classless
no ip http server
!
ip route 0.0.0.0 0.0.0.0 10.2.1.251

PC3:
interface Ethernet0
 ip address 10.2.3.70 255.255.255.0
 no ip directed-broadcast
!
ip classless
no ip http server
!
! Note: with a /24 mask the gateway 10.2.1.251 is not on PC3's subnet (10.2.3.0/24),
! so on a real host this default gateway would be unreachable.
ip route 0.0.0.0 0.0.0.0 10.2.1.251
Some configuration commands entered for the router:

OSPF configuration:
Deb(config)#router ospf 100
Deb(config-router)#network 10.2.0.0 0.0.0.255 area 0
Deb(config-router)#network 172.20.0.0 0.0.255.255 area 0
Deb(config-router)#exit
Deb(config)#exit

Routing table, showing the connected networks and the nature of each connection:
Deb#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route
Gateway of last resort is not set
10.0.0.0/16 is subnetted, 1 subnets
C 10.2.0.0 is directly connected, FastEthernet0/0
172.20.0.0/24 is subnetted, 1 subnets
O 172.20.10.0 [110/64] via 172.20.10.1, 00:00:24, Serial1/0

Custom queuing defined with a 20,000-byte byte-count:
Deb(config)#queue-list 2 queue 1 byte-count ?
<1-16777215> size in bytes
Deb(config)#queue-list 2 queue 1 byte-count 20000
Deb#show running-config
.
.
!
queue-list 2 queue 1 byte-count 20000
Configuration commands for switch Finance:

VLANs V2 and V3 created:
Finance#vlan database
Finance(vlan)#vlan 2 name V2
VLAN 2 added:
Name: V2
Finance(vlan)#vlan 3 name V3
VLAN 3 added:
Name: V3
Finance(vlan)#exit
APPLY completed.
Exiting....

PC3 and PC4 placed in VLAN V2:
Finance#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Finance(config)#int range fastethernet 0/2-3
Finance(config-if-range)#switchport mode access
Finance(config-if-range)#switchport access vlan 2
Finance(config-if-range)#end

PC5 and PC6 placed in VLAN V3:
Finance#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Finance(config)#int range fastethernet 0/4-5
Finance(config-if-range)#switchport mode access
Finance(config-if-range)#switchport access vlan 3
Finance(config-if-range)#end

VLAN V4 created:
Finance#vlan database
Finance(vlan)#vlan 4 name V4
VLAN 4 added:
Name: V4
Finance(vlan)#exit
APPLY completed.
Exiting....

PC7 and PC8 placed in VLAN V4:
Finance#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Finance(config)#int range fastethernet 0/6-7
Finance(config-if-range)#switchport mode access
Finance(config-if-range)#switchport access vlan 4
Finance(config-if-range)#end

Active VLANs and their switchports:
Finance#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10,
                                                Fa0/11, Fa0/12
2    V2                               active    Fa0/2, Fa0/3
3    V3                               active    Fa0/4, Fa0/5
30   pcs                              active
4    V4                               active    Fa0/6, Fa0/7
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
All VLANs use an MTU of 1500 bytes.
Finance#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 64
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : bigdomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xEE 0xB3 0xDC 0x9F 0xE2 0xE0 0x25 0xDF
Configuration last modified by 0.0.0.0 at 3-1-93 04:55:57
Local updater ID is 0.0.0.0 (no valid interface found)
Customizing the VTP domain name:
Finance(config)#vtp domain Mike
Changing VTP domain from NULL to mike
Finance(config)#exit
Finance#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 64
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : mike
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xEE 0xB3 0xDC 0x9F 0xE2 0xE0 0x25 0xDF
Configuration last modified by 0.0.0.0 at 3-1-93 04:55:57
Local updater ID is 0.0.0.0 (no valid interface found)
The switch remains in VTP server mode, so it advertises its VLAN configuration to the other
switches in the domain.
Finance#show int fastethernet 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative mode: static access
Operational mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 2 (V2)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Voice vlan: none (Inactive)
Appliance trust: none
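The 'show interfaces switchport' and 'show vtp status' output above records two settings a practitioner would audit before relying on VLANs for departmental separation: 'Negotiation of Trunking: On' (DTP left enabled on an access port) and 'VTP Operating Mode: Server'. The following is an added example, not code from the report, that parses such output and flags those settings. The sample output is constructed to mirror the appendix; the Fa0/8 block, with 'dynamic auto' mode and the default VLAN, is an assumed second port that the report does not show. The recommendations are the standard Cisco IOS hardening commands ('switchport mode access', 'switchport nonegotiate', 'vtp mode transparent' or 'vtp password').

```python
import re
from typing import Dict, List

# Constructed sample output modelled on the appendix (not captured from a live device).
# Fa0/2 mirrors the report's block; Fa0/8 is an assumed port left at IOS defaults.
SWITCHPORT_OUTPUT = """\
Name: Fa0/2
Switchport: Enabled
Administrative mode: static access
Operational mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 2 (V2)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Fa0/8
Switchport: Enabled
Administrative mode: dynamic auto
Operational mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

VTP_OUTPUT = """\
VTP Version : 2
Configuration Revision : 2
VTP Operating Mode : Server
VTP Domain Name : mike
VTP Pruning Mode : Disabled
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'key : value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_switchports(text: str) -> List[Dict[str, str]]:
    """One dict per interface block; blocks are separated by blank lines."""
    blocks = [parse_kv(chunk) for chunk in re.split(r"\n\s*\n", text.strip())]
    return [b for b in blocks if "Name" in b]


def audit_switchport(port: Dict[str, str]) -> List[str]:
    """Flag settings that let a connected host negotiate its way out of its VLAN."""
    name = port["Name"]
    admin = port.get("Administrative mode", "")
    findings = []
    if port.get("Negotiation of Trunking") == "On":
        findings.append(f"{name}: DTP negotiation is on; add 'switchport nonegotiate' "
                        "so a connected host cannot negotiate a trunk")
    if admin.startswith("dynamic"):
        findings.append(f"{name}: administrative mode '{admin}' can become a trunk; "
                        "set 'switchport mode access'")
    if port.get("Access Mode VLAN", "").startswith("1 "):
        findings.append(f"{name}: access VLAN is the default VLAN 1; "
                        "place user ports in a dedicated VLAN")
    if admin == "trunk" and port.get("Trunking Native Mode VLAN", "").startswith("1 "):
        findings.append(f"{name}: trunk native VLAN is 1; use an otherwise unused native VLAN")
    return findings


def audit_vtp(vtp: Dict[str, str]) -> List[str]:
    """Server and client modes accept a higher-revision VLAN database from any switch in the domain."""
    findings = []
    mode = vtp.get("VTP Operating Mode", "")
    if mode in ("Server", "Client"):
        findings.append(f"VTP mode is {mode} in domain '{vtp.get('VTP Domain Name', '')}': "
                        "a switch with a higher revision can overwrite the VLAN database; "
                        "use 'vtp mode transparent' or set 'vtp password'")
    return findings


def audit(switchport_text: str, vtp_text: str) -> List[str]:
    findings = []
    for port in parse_switchports(switchport_text):
        findings.extend(audit_switchport(port))
    findings.extend(audit_vtp(parse_kv(vtp_text)))
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCHPORT_OUTPUT, VTP_OUTPUT):
        print(finding)
```

Run against the real 'show interfaces switchport' and 'show vtp status' output of each departmental switch, an empty findings list is the condition under which the VLAN separation claimed in the results actually holds at layer 2.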