
Network Design and Management

ITT550

Chapter 4:
Logical Network Design
Overview of the Logical Design Phase
Objectives

• Describe some common design tradeoffs
• Briefly describe the three characteristics of any technology a network design must consider
• Discuss a practical way to deal with a logical design that is over budget

ITT550 - Network Design & Management 2
Overview of the Logical Design Phase
Establishing Design Goals

• Network design goals vary from organization to organization.
• Design goals might include:
◦ Minimize operational costs
◦ Increase overall performance
◦ Simplify user-level operation
◦ Increase security
◦ Add adaptability and flexibility

Overview of the Logical Design Phase
Design Factors and Tradeoffs

• Networks are designed to fulfill a business need.
• It can be the initial implementation of a network or an upgrade in response to user demands for better service.
• Both types of design must consider several factors, as shown on the Network Design Factors Diagram.

[Network Design Factors Diagram: User Requirements, Design Goals, Design Constraints and the Current Network all feed into the Network Design.]

Overview of the Logical Design Phase
Design Factors and Tradeoffs (continued)

• Design factors sometimes contradict each other.
• Consider the tradeoffs for the following goals:
◦ Minimize operational costs
◦ Minimize installation costs
◦ Maximize performance
◦ Maximize adaptability
◦ Maximize security
◦ Maximize reliability
◦ Minimize downtime

Overview of the Logical Design Phase
Design Factors and Tradeoffs (continued)

Cost vs. Performance
• As network speed increases, so does the price.
Paying Now vs. Paying Later
• When considering costs, a designer must consider long-term operational costs as well as one-time implementation costs.
• It may be a better choice to spend more at installation time to reduce the ongoing cost of maintenance.

Overview of the Logical Design Phase
Design Factors and Tradeoffs (continued)

Initial Cost Estimates
• Project funding levels are typically set in the initial stages of the Requirements Gathering process.
• Thresholds (starting points) are often established at the same time for both network deployment and operational spending.
• Develop initial estimates of the cost to implement and maintain technology choices.

Overview of the Logical Design Phase
Evaluating Network Services

• The services the network should provide must be considered before making technology choices.
• A wide variety of network services may need to be considered during this phase, and these services will vary from design to design.
• Two key network services that most designers must consider are:
◦ Network management
◦ Network security

Overview of the Logical Design Phase
Evaluating Network Services (continued)

Network Management
Troubleshooting
• The need for troubleshooting tools varies with the size of the network.
Configuration and Reconfiguration
• It can be time consuming and expensive to manually upgrade OSs or applications at each desktop.
• Network management tools and policies can be a worthwhile investment.
Monitoring
• The need for monitoring features also varies with network size and complexity.

Overview of the Logical Design Phase
Evaluating Network Services (continued)

Network Security
• Network designers should take the following steps to determine the optimum level of a network's security services:

Identify Systems That Need Protection
• Identify potential network weaknesses that threaten critical systems.
Conduct a Risk Analysis
• Review network access and auditing procedures, and other established company guidelines.

Overview of the Logical Design Phase
Evaluating Network Services (continued)

Keep It Simple
• Some sophisticated security implementations are not worth the extra expense.
• Physical security, such as locks, is nearly always inexpensive and easy to accomplish.
• The security plan must be compatible with the political structure and culture of the organization.

Overview of the Logical Design Phase
Evaluate Technology Options

• There are characteristics that should be considered in light of the requirements and the existing network situation.
• These characteristics fall into three main categories:
◦ Broadcast (background) traffic
◦ Connection type
◦ Scalability

Overview of the Logical Design Phase
Evaluate Technology Options (continued)

Broadcast Traffic
• Broadcast traffic, sometimes called background traffic, is the "administrative overhead" that does not carry useful data.
• Some technologies generate more broadcast frames than others.
Connection Type
• Connectionless protocols, such as IP, spend no time establishing a virtual circuit.
• Connection-oriented protocols, such as Asynchronous Transfer Mode (ATM), take longer to establish each point-to-point connection.

Overview of the Logical Design Phase
Evaluate Technology Options (continued)

Scalability
• The design must accommodate the company's current and future capacity needs by ensuring the network and its applications can be easily expanded.

Overview of the Logical Design Phase
Making Technology Choices

• Choosing specific technologies requires a detailed consideration of the relative advantages and disadvantages of each approach.

Alternative Designs
• A good designer presents optional designs to the customer.
• There are usually several different possibilities that can be explored for meeting the customer's needs.
• When multiple designs are presented to the client, they must be clear and concise; otherwise the choices might be confusing.

Physical Layer Considerations
Objectives

• Explain why some physical media are more inherently secure than others
• Discuss how to determine the amount of bandwidth needed for growth
• Discuss the role of the Requirements Specification and Traffic Specification in making Physical Layer design decisions

Physical Layer Considerations
Using the Requirements and Traffic Specifications as a Guide

• Before evaluating various Physical Layer options, review the recommendations that summarized your Requirements Specification and Traffic Specification.
• Requirements that must be considered:
◦ Growth and Scalability
◦ Response Time, Bandwidth and Data Rate
◦ Reliability, Availability and Recoverability
◦ Security
◦ Remote Access
◦ Economy and Cost

Physical Layer Considerations
Mapping Requirements to Physical Media Characteristics

Physical Media
• The Physical Media Comparison Table lists some of the most important factors to consider when choosing the wiring for your network.

Physical Layer Considerations
Mapping Requirements to Physical Media Characteristics

• The choice of a physical medium also depends on the Medium Access Control (MAC)-layer protocol.
• Physical Layer specifications for Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI) topologies are compared in the Physical Layer Specifications Tables.

Physical Layer Considerations
Mapping Requirements to Physical Media Characteristics

Network Interface Cards (NICs)
• A computer's NIC is a big design consideration, because a NIC must be compatible with a network's physical medium, topology, and MAC-layer protocol.
• The NIC Characteristics Table lists characteristics to consider when choosing a NIC, or deciding whether your existing NICs meet your requirements.

Physical Layer Considerations
Mapping Requirements to Physical Media Characteristics

NIC Characteristics Table

Characteristic          | Values
------------------------|------------------------------------------------------------------------
LANs Supported          | Ethernet, FDDI, Fast Ethernet, Gigabit Ethernet, Arcnet, ISDN, Token Ring
Computer Bus Supported  | MCA, ISA, EISA, PCI, NuBus, VME, USB
RAM Buffer Size         | 8, 16, and 32 Kbps
Bus Size                | 8, 16, and 32 bit
Data Rate               | 4, 10, 16, and 100 Mbps, 1 Gbps
Media Type              | 10Base2, 10BaseT, UTP, STP, Optical
O/S Supported           | VINEs, NetWare, Appletalk, Microsoft Windows NT, etc.
Price/Function          | Check current vendor specifications.

Internetworking Device Considerations
Objectives

• Explain the difference between a router and a switch
• Describe how routers and switches can work together to segment a network
• Explain the difference between physical and logical network segmentation

Internetworking Device Considerations
Designing Networks With Switches and Routers

• Routers and switches are complementary devices that allow networks to scale to sizes far beyond those that can be achieved using either technology alone.
• Designers often combine the two technologies to build high-performance, scalable networks.

Segmentation With Switches and Routers
• A switch (Layer 2) segments a network with the goal of providing additional bandwidth.
• A router (Layer 3) segments a network with the goal of limiting broadcast traffic and providing security, control, and redundancy between individual broadcast domains.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Workgroup Environments
• A workgroup is a collection of users that share computing resources.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Routing Solutions
• The router is configured with a dedicated high-speed interface for the server and a large number of standard Ethernet interfaces assigned to each hub segment and power user.
• By installing a router, the network administrator divides the large broadcast/collision domain into several smaller broadcast/collision domains.
• Each small domain will notice improved traffic performance between nodes in the same domain.

Internetworking Device Considerations
Designing Networks With Switches and Routers

• Two reasons why a router is not the best economic or technological choice for this application:
1. It is more expensive than a switch.
2. A router is more complex than necessary.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Switching Solutions
• Three reasons why a switch is a better choice than a router:
1. A switch is cheaper than a router.
2. A switch is faster than a router.
3. A switch is simpler than a router.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Departmental Workgroups
• A departmental workgroup is a large workgroup composed of several smaller workgroups.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Broadcast Traffic Concern
• High levels of broadcast and multicast traffic can occur in a switched environment.
• Some switch vendors have implemented a "broadcast throttle" feature that limits the number of broadcast frames a switch will forward.
• As the number of users in a workgroup increases, the growing size of the broadcast domain can eventually cause legitimate concerns about such issues as:
◦ Network performance
◦ Problem isolation
◦ Effects of broadcast traffic on end station central processing unit (CPU) performance
◦ Network security

Internetworking Device Considerations
Designing Networks With Switches and Routers

Physical Segmentation
• The Physical Segmentation Diagram illustrates how a router physically segments a network into broadcast domains.

Internetworking Device Considerations
Designing Networks With Switches and Routers

• In this example, the network administrator installs a router as an insurance policy to guard against the effects of a broadcast storm that would otherwise bring down the entire network.
• Physical network segmentation is also important in managing growth. Smaller departmental workgroups are inherently easier to manage than a large infrastructure that has grown slowly, but steadily, over time.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Logical Segmentation
• A more flexible way to divide a network into broadcast domains is by using a router to connect separate virtual local area networks (VLANs) created with switches.
• A VLAN allows the creation of virtual broadcast domains within a switched environment, irrespective of the physical infrastructure.
• With VLANs, the network administrator can define a workgroup based on a logical grouping of individual workstations rather than physical network connections.
• Traffic within a VLAN is switched at wire speed among members of the VLAN.
• A router forwards traffic between different VLANs.

Internetworking Device Considerations
Designing Networks With Switches and Routers

• In the Routing and VLANs Diagram, the ports of each switch are configured as members of either VLAN 1 or VLAN 2.
• If an end station transmits broadcast or multicast traffic, the traffic is forwarded only to ports in the source station's VLAN.
• Traffic that must flow between the two VLANs is forwarded by the router, which provides security and traffic management.
• The illustration shows a dedicated router; however, a combination switch/router device may also perform the routing function.

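The following is an added simulation of the Routing and VLANs Diagram, not code from the slides: a switch whose ports are members of VLAN 1 or VLAN 2 floods broadcast, multicast and unknown-unicast frames only within the source port's VLAN, while a router with one interface in each VLAN is the only path between the two broadcast domains. Port numbers and MAC addresses are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VlanSwitch:
    """Minimal Layer 2 switch: every port belongs to exactly one VLAN and the
    forwarding table is learned per (VLAN, source MAC)."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN id
        self.table = {}                    # (vlan, mac) -> port, learned from sources

    def domain(self, vlan):
        """All ports that share one broadcast domain (one VLAN)."""
        return {p for p, v in self.port_vlan.items() if v == vlan}

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for a frame received on in_port."""
        vlan = self.port_vlan[in_port]
        self.table[(vlan, src_mac)] = in_port
        if is_group_address(dst_mac):
            # broadcast/multicast never leaves the source station's VLAN
            return self.domain(vlan) - {in_port}
        out = self.table.get((vlan, dst_mac))
        if out is None:
            # unknown unicast is flooded, but still only within the VLAN
            return self.domain(vlan) - {in_port}
        return set() if out == in_port else {out}


class Router:
    """One interface (switch port + MAC) per VLAN; the only inter-VLAN path."""

    def __init__(self, interfaces):
        self.interfaces = dict(interfaces)  # vlan -> (port, mac)

    def port(self, vlan):
        return self.interfaces[vlan][0]

    def mac(self, vlan):
        return self.interfaces[vlan][1]


def deliver(sw, router, hosts, src, dst):
    """Trace a unicast frame from host src to host dst (hosts: mac -> port).
    Returns the list of (ingress_port, egress_ports) hops seen by the switch."""
    src_port, dst_port = hosts[src], hosts[dst]
    src_vlan, dst_vlan = sw.port_vlan[src_port], sw.port_vlan[dst_port]
    if src_vlan == dst_vlan:
        return [(src_port, sw.forward(src_port, src, dst))]
    # Different broadcast domains: the sender addresses its router interface,
    # and the router re-sends the frame from its interface in the destination VLAN.
    hop1 = (src_port, sw.forward(src_port, src, router.mac(src_vlan)))
    rp = router.port(dst_vlan)
    hop2 = (rp, sw.forward(rp, router.mac(dst_vlan), dst))
    return [hop1, hop2]


def build_example():
    """Constructed topology: ports 1-4 in VLAN 1, ports 5-8 in VLAN 2, router
    attached on port 9 (VLAN 1) and port 10 (VLAN 2)."""
    sw = VlanSwitch({1: 1, 2: 1, 3: 1, 4: 1, 5: 2, 6: 2, 7: 2, 8: 2, 9: 1, 10: 2})
    router = Router({1: (9, "02:00:00:00:00:fe"), 2: (10, "02:00:00:00:00:ff")})
    hosts = {"02:00:00:00:00:01": 1, "02:00:00:00:00:02": 2,
             "02:00:00:00:00:05": 5, "02:00:00:00:00:06": 6}
    # Hosts and router interfaces each send one broadcast so the switch learns them.
    for mac, port in hosts.items():
        sw.forward(port, mac, BROADCAST)
    for vlan, (port, mac) in router.interfaces.items():
        sw.forward(port, mac, BROADCAST)
    return sw, router, hosts


if __name__ == "__main__":
    sw, router, hosts = build_example()
    print("VLAN 1 broadcast domain:", sorted(sw.domain(1)))
    print("broadcast from port 1 reaches:", sorted(sw.forward(1, "02:00:00:00:00:01", BROADCAST)))
    print("host 1 -> host 5 (other VLAN):", deliver(sw, router, hosts, "02:00:00:00:00:01", "02:00:00:00:00:05"))
```

Without the router a station in VLAN 1 has no path to VLAN 2 at all, which is exactly where access control and traffic management for inter-VLAN traffic belong.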
Internetworking Device Considerations
Designing Networks With Switches and Routers

Backbone Implementation
• Organizations have been deploying collapsed backbone building architectures in the data center for several years.
• In a collapsed backbone environment, large amounts of data are transmitted across the backplane of a central high-performance backbone device.
• The device performing the collapsed backbone function may be a switch or a router.
• A collapsed backbone design centralizes complexity, increases performance, reduces costs, and supports the server farm model.

Internetworking Device Considerations
Designing Networks With Switches and Routers

• However, this approach does have limitations, because a collapsed backbone device may become a potential bottleneck and possibly a single point of failure.
• If the primary function of the backbone device is pure performance, select a switch.
• If the goal is performance and security, select a router.
• A router is more complex and more expensive than a switch; however, it does provide control, security, and (optionally) redundancy.

Internetworking Device Considerations
Router/Switch Selection Summary

• Either a switch or a router can be deployed to segment a LAN and provide additional bandwidth.
• If the application needs support for redundant paths, intelligent packet forwarding, or WAN access, a router is required.
• If the application requires only increased bandwidth to ease a traffic bottleneck, a switch is likely the better choice.
• The cost for a given level of performance is the major factor in the decision between a switch or a router in a workgroup environment.

Internetworking Device Considerations
Optimizing LAN Performance with Switches

• In today's growing bandwidth environments, network managers are designing their LAN infrastructures around switching solutions.
• Enabled by high-speed, application-specific integrated circuit (ASIC)-based forwarding engines and large address caches, switches deliver far more bandwidth than routers.
• They use simple MAC addresses or VLAN ID information to forward traffic at near wire speeds.
• Switches offer lower cost per switched segment, and port densities ranging from tens to hundreds of switched ports.

Internetworking Device Considerations
Optimizing LAN Performance with Switches

• Switching requirements are different at the edge and core of a network, as shown on the Edge and Core of a Campus Network Diagram.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Switching at the Edge of a LAN
• Edge switches must offer control over quality of service, and provide simple connectivity that is economical and flexible enough to support any-to-any traffic and handle future growth.
• Bandwidth can be managed by deploying simple Layer 2 switches (also known as boundary switches) that provide plug-and-play bandwidth and support high-speed interfaces.
• With their low cost per port, edge switches provide the economical connectivity that network managers seek.

Internetworking Device Considerations
Designing Networks With Switches and Routers

Intelligent Switching at a LAN Core
• The network core (typically the data center) provides services to the entire computing community.
• At the core, intelligent switches (also known as high-function switches) provide the following services that are required to support a large switched environment:
◦ High Bandwidth
◦ High Port Density
◦ Bandwidth Management

Optimizing WAN Performance
Objectives

• Briefly describe several router features that conserve WAN bandwidth
• Explain the difference between distance-vector and link state routing protocols

Optimizing WAN Performance
Introduction

LANs                      | WANs
--------------------------|-------------------------------------
Switching is dominant     | Routing is dominant
Users at the same site    | Geographically dispersed users
Private cable plant       | Public telephone company facilities
Equipment costs dominate  | Line costs dominate
High speed                | Low speed
Plentiful bandwidth       | Limited bandwidth
Inexpensive bandwidth     | Expensive bandwidth
Fast response time        | Slower response time

Optimizing WAN Performance
WAN As The Network Bottleneck

• In a corporate intranet, WAN interfaces create bottlenecks because a typical 64 Kbps WAN circuit provides 1/160 the bandwidth of a 10 Mbps Ethernet link, as illustrated on the WAN Bottleneck Diagram.

Optimizing WAN Performance
WAN As The Network Bottleneck

• The internetworking device that forms the LAN/WAN interface is responsible for managing access to scarce WAN bandwidth.
• It must keep unnecessary traffic off the WAN, reduce the amount of overhead network protocol traffic, provide features that help manage the allocation and use of WAN bandwidth, and provide cost-effective methods of providing temporary additional bandwidth when needed to overcome congestion.

Optimizing WAN Performance
Conserving WAN Bandwidth With Router Software Features

• A router provides the interface between a LAN and a WAN.
• Routers also offer access to a wide variety of WAN technologies.
• Routers mark the edges of a network, limiting problems from misconfigurations, chatty hosts, and equipment failures to the area in which they occur, and preventing them from spreading across the intranet.
• A number of key router-based software features can also play a significant role in the efficient use of WAN bandwidth.

Optimizing WAN Performance
Link State Routing Protocols

• Routers automatically keep their routing tables up to date by using dynamic routing protocols to exchange path information with other routers.
• There are two classes of routing protocols:
◦ Distance-vector routing protocols, such as RIP, periodically transmit a router's entire routing table to each of its neighbors, even if the topology has not changed.
◦ Link state routing protocols, such as Open Shortest Path First (OSPF), transmit updates only when topology changes occur. The updates only describe the changes, not the entire routing table.

Optimizing WAN Performance
Link State Routing Protocols

• In addition to reduced routing protocol traffic, link state routing protocols offer several key benefits over distance-vector routing protocols.

Link State Protocols Converge Faster
• When a network link fails, routes are recalculated and traffic can be forwarded much faster.

Link State Protocols Support Hierarchical Routing
• Link state protocols allow a network administrator to divide a network into routing subdomains called areas.

Optimizing WAN Performance
Demand Circuits

• Dial-up circuits play an important role in reducing WAN network costs and providing resilient backup lines.
• Dial-up lines can provide a connection, or extra bandwidth, when it is needed; these connections can be released when they are no longer required.
• There are three main ways to use demand circuits:
◦ Dial-on-demand (DOD) - A dial-up link operating in DOD mode will be brought up or down depending on the traffic pattern over that link.
◦ Bandwidth-on-demand (BOD) - A router can automatically bring up a secondary dial-up line to provide additional bandwidth when a primary WAN connection is congested for a user-specified period of time.

Optimizing WAN Performance
Demand Circuits

◦ Disaster recovery - When a router detects a failure of the primary WAN connection, and the failure persists for a user-specified period of time, the router can automatically dial a backup connection.

Compression
• One way to squeeze more bandwidth out of a narrow WAN link is to use data compression.
• In an intranet environment, two fundamental types of compression are typically used:

Optimizing WAN Performance
Demand Circuits

◦ History-based compression looks for repetitive data patterns across multiple packets, and replaces the patterns with shorter codes.
◦ Per-packet compression looks for repetitive patterns within each packet and replaces them with shorter codes.

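The following added example (not from the slides) makes the difference between the two compression types measurable, using Python's zlib as a stand-in for a router's compression engine: per-packet mode starts a fresh compressor for every packet, history-based mode keeps one compressor's sliding window across packets and only flushes at each packet boundary. The sample packets are constructed to resemble repetitive polling traffic.

```python
import zlib

# Constructed sample traffic: a dozen small polling requests that share most
# of their bytes, the kind of chatty application traffic that crosses a WAN link.
SAMPLE_PACKETS = [
    (
        f"GET /api/v1/status?host=branch-{i:02d}.example.invalid HTTP/1.1\r\n"
        "Host: monitor.example.invalid\r\n"
        "User-Agent: poller/1.0\r\n"
        "Accept: application/json\r\n\r\n"
    ).encode("ascii")
    for i in range(12)
]


def per_packet_compress(packets):
    """Per-packet compression: every packet is compressed on its own, so a
    pattern that repeats from one packet to the next is encoded again each time."""
    return [zlib.compress(p) for p in packets]


def per_packet_decompress(chunks):
    """Each chunk is self-contained; loss of one chunk affects only that packet."""
    return [zlib.decompress(c) for c in chunks]


def history_compress(packets):
    """History-based compression: one compressor keeps its sliding window across
    packets. Each packet is flushed (Z_SYNC_FLUSH) so the far end can decode it as
    soon as it arrives, but the dictionary built from earlier packets persists, so
    patterns already seen are replaced by short back-references."""
    comp = zlib.compressobj(level=9)
    return [comp.compress(p) + comp.flush(zlib.Z_SYNC_FLUSH) for p in packets]


def history_decompress(chunks):
    """The receiver keeps matching state and must decode chunks in order: a lost
    or reordered chunk desynchronises the history, so this mode suits reliable
    point-to-point links and needs a reset mechanism after loss."""
    decomp = zlib.decompressobj()
    return [decomp.decompress(c) for c in chunks]


def total_bytes(chunks):
    return sum(len(c) for c in chunks)


def compare(packets=SAMPLE_PACKETS):
    """Bytes that would cross the link under each scheme, with raw size for reference."""
    packets = list(packets)
    pp = per_packet_compress(packets)
    hb = history_compress(packets)
    if per_packet_decompress(pp) != packets or history_decompress(hb) != packets:
        raise RuntimeError("round trip failed")
    return {
        "raw": total_bytes(packets),
        "per_packet": total_bytes(pp),
        "history": total_bytes(hb),
    }


if __name__ == "__main__":
    for scheme, size in compare().items():
        print(f"{scheme:>10}: {size} bytes")
```
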
Bandwidth Aggregation
• Data communications traffic is bursty.
• Bandwidth aggregation builds on Multilink Point-to-Point Protocol (PPP) (RFC 1717) to provide a network administrator with tremendous flexibility in defining link speeds.

Optimizing WAN Performance
Demand Circuits

• The Bandwidth Aggregation Diagram illustrates this concept.

Optimizing WAN Performance
Demand Circuits

Data Prioritization
• Prioritization provides the flexibility to give time-sensitive traffic higher priority in the WAN transmission queue.

Protocol Reservation
• Protocol reservation lets a network administrator guarantee that a portion of a WAN link's bandwidth will be available for a specific protocol or application.

Optimizing WAN Performance
Demand Circuits

Session Fairness
• Session fairness is an enhancement to the protocol reservation scheme; it ensures traffic is forwarded evenly from all users, so that no single user is allowed to monopolize WAN bandwidth.

Network Management With SNMP and RMON
Objectives

• List the key limitations of SNMP
• Describe how RMON overcomes those limitations
• Describe the main differences between RMON and RMON2

Network Management With SNMP and RMON
Limitations to SNMP Manager/Agent Communication

• SNMP uses agent software embedded within each network device to collect network traffic information and device statistics.

Network Management With SNMP and RMON
Limitations to SNMP Manager/Agent Communication

• Unfortunately, the traditional SNMP model has several limitations when deployed in a large corporate intranet environment:
◦ Constant NMS polling does not scale. Management traffic alone can increase congestion and eventually cause gridlock at known network bottlenecks, especially bandwidth-constrained WAN links.
◦ SNMP places the entire burden of information gathering on the NMS.
◦ Most of the MIBs defined for SNMP only provide information about each individually monitored device.

Network Management With SNMP and RMON
Remote Monitoring (RMON)

• The most important enhancement to the basic set of SNMP standards is likely the RMON specification.
• RMON was developed by the Internet Engineering Task Force (IETF) to overcome the limitations of SNMP and permit more efficient management of large distributed networks.
• Similar to SNMP, RMON is based on a client/server architecture.

Network Management With SNMP and RMON
Monitoring LAN Traffic With RMON/RMON2

• Ensure that RMON/RMON2 statistics and traffic flow information are collected and maintained at the appropriate points in the network infrastructure.
• This collection can take place at adapter cards, in internetworking devices, and in stand-alone probes.
• Client applications that execute on dedicated management stations, Microsoft Windows stations, and Web servers can interpret the collected data and present it to the network management team.
• If probes are deployed effectively, network managers should be able to achieve some level of monitoring on every shared-media LAN, switch port, and VLAN, providing the information they need to support the emerging intranet model.

Network Management With SNMP and RMON
Monitoring LAN Traffic With RMON/RMON2

Applications of RMON and RMON2
• Today, both RMON and RMON2 are relatively new technologies that are being deployed at the core of a network.

Monitoring Switched Environments
• In a switched environment, a packet is forwarded only to the specific port required to reach the destination.
• Network managers typically employ one of the following techniques to provide RMON management in switched environments:

Network Management With SNMP and RMON
Monitoring LAN Traffic With RMON/RMON2

• Overutilization of WAN links can lead to increased errors and poor performance as congested data is dropped or delayed, while low utilization means the organization is paying for wasted bandwidth.

RMON WAN Probes
• The RMON effort has focused on developing standards for LAN technologies such as Ethernet and Token Ring; there are no Data Link Layer monitoring standards for WAN probes.
• This means RMON WAN-monitoring tools are based on proprietary technology and do not interoperate with probes from other vendors.

Network Management With SNMP and RMON
Monitoring LAN Traffic With RMON/RMON2

RMON2 WAN Probes
• Although RMON2 WAN-monitoring tools are also proprietary, RMON2 is an excellent tool for monitoring traffic flows across WAN links.
• It allows network managers to tune their networks based on application utilization and throughput rather than link-level technology specifications.

TCP/IP Addressing Considerations
Objectives

• Describe the structure of a dotted decimal IP address
• Explain how classic IP subnetting works
• Describe the inherent weakness of IP addressing, and explain how new addressing strategies solve the problem

TCP/IP Addressing Considerations
Review of Internet Addressing

• IP addressing uses a 32-bit address field divided into two parts.
◦ The first part of the address identifies the network on which the host resides.
◦ The second part of the address identifies the host itself.

Dotted Decimal Notation
• A 32-bit Internet address is often written in a concise format called dotted decimal notation.
• Dotted decimal notation makes an address easier for humans to handle, by dividing the 32-bit Internet address into four 8-bit fields called octets.

TCP/IP Addressing Considerations
Review of Internet Addressing

• The value of each octet is expressed independently as a decimal number; the numbers are separated by dots.
• For example, the following 32-bit binary address:

11011101 01011110 01111001 00000001

is written in dotted decimal notation as:

221.94.121.1

• Each of the four integers represents one byte of the address, thus the largest decimal value that can occur is 255.
• The theoretical range of possible Internet addresses is 0.0.0.0 to 255.255.255.255.

TCP/IP Addressing Considerations
Review of Internet Addressing

Internet Address Classes
• There are five different classes of networks: classes A, B, C, D, and E.
• We will only address classes A to C, because classes D and E are reserved.
• To determine the class of an address, look at its first octet.

Exercise:
List all the IPv4 classes. Out of the classes, list the private addresses (describe private address).

TCP/IP Addressing Considerations
Review of Internet Addressing

• These octets are broken down to provide an addressing scheme that can accommodate both large and small networks.

• In a class A address, the first octet is the network portion. The leading bit is set to "0" to indicate a class A address; the remaining seven bits of the network address define up to 127 class A networks.
• For example, the class A example above has a network address of 10.

TCP/IP Addressing Considerations
Review of Internet Addressing

• Octets 2, 3, and 4 (the next 24 bits) are available for the network manager to divide into subnets and hosts as she sees fit. Without subnetting, the 24-bit host address can define up to 16,777,214 hosts.

TCP/IP Addressing Considerations
Review of Internet Addressing

• In a class B address, the first two octets are the network portion.
• The leading 2 bits are set to "10" to indicate a class B address; the remaining 14 bits of the network address define up to 16,383 class B networks.
• For example, the class B address above has a network address of 172.16. Octets 3 and 4 (the next 16 bits) are available for subnets and hosts. Without subnetting, the host portion of a class B address can define up to 65,534 hosts.

TCP/IP Addressing Considerations
Review of Internet Addressing

• In a class C address, the first three octets are the network portion.
• The leading 3 bits are set to "110" to indicate a class C address; the remaining 21 bits of the network address define up to 2,097,151 class C networks.
• For example, the class C address above has a network address of 193.28.8. Octet 4 (the next 8 bits) can define up to 254 hosts without subnetting.

TCP/IP Addressing Considerations
Review of Internet Addressing

 Subnet addressing allows an organization to use a single
Internet network number for multiple physical networks.
 Subnets may be used with any class of Internet addressing
except class D (multicast).
 A subnetted Internet address incorporates a network
address, subnet address portion, and host address.
 In subnetting, the host portion of an IP address is divided
into two parts:
◦ The left part is used to identify the subnet number.
◦ The right part is used to identify a host on the subnet.

TCP/IP Addressing Considerations
Review of Internet Addressing

Subnet Mask
 A 32-bit subnet mask tells a host or router how to
distinguish subnet addresses from host addresses.
 The 32 bits of the subnet mask correspond to the 32 bits of
the IP address.
 If bits in the subnet mask are set to 1, a device treats the
corresponding bits in the IP address as part of the network
number or subnet number.
 If bits in the mask are set to 0, a device treats the
corresponding IP address bits as part of the host number.

TCP/IP Addressing Considerations
Review of Internet Addressing

 In other words, after the IP address class is determined,
any bit from the original host number that has a
corresponding bit set in the subnet mask is used to identify
the subnet.
 The subnet mask must be consistent throughout the
network, unless variable length subnetting (described
below) is being used. If a node's subnet mask is set incorrectly,
it will misjudge which destinations are on its own subnet and
which must be sent via the router, so traffic to or from some
hosts will silently fail.

TCP/IP Addressing Considerations
Review of Internet Addressing

 In the Subnet Mask Diagram, a class B address has been
subnetted.
 Two of the bytes are used for the network number, 1 byte is used
for the subnet number, and 1 byte is used for host numbers.
 This approach allows a network administrator to configure up to
254 subnetworks under the classic rules (the all-zeros and all-ones
subnet numbers are reserved), or 256 if those two are used as well,
each with up to 254 hosts.

TCP/IP Addressing Considerations
Review of Internet Addressing

 To see how this works, consider a class C address of
205.169.85.XXX.
 If this network is not subnetted, its subnet mask must be
set to 255.255.255.0 to mark the first three octets as the
network number, and the last octet as the host number.

                                Network Portion              Host Portion
IP Address:   205.169.85.21     11001101 10101001 01010101   00010101
Subnet Mask:  255.255.255.0     11111111 11111111 11111111   00000000

TCP/IP Addressing Considerations
Review of Internet Addressing

 However, if this network must be subnetted to form seven
subnetworks, the bits to represent the subnet numbers
must be taken from the host portion of the address.
 Three bits are necessary to represent seven numbers (with
one left over).
 To allow for growth, it is safer to set aside 4 bits to
represent 16 subnetwork numbers.
 In that case, the last octet of the subnet mask becomes
binary 11110000, or decimal 240. Only 4 host bits remain, so
each subnet can hold at most 14 hosts (16 addresses less the
all-zeros and all-ones values); under the classic rules that also
reserve the all-zeros and all-ones subnet numbers, 14 of the 16
subnets are usable.

TCP/IP Addressing Considerations
Review of Internet Addressing

                                Network Portion              Subnet   Host
IP Address:   205.169.85.21     11001101 10101001 01010101   0001     0101
Subnet Mask:  255.255.255.240   11111111 11111111 11111111   1111     0000

 The Internet addressing scheme used by TCP/IP networks
was devised to address nodes anywhere on the Internet.
 If the network is currently attached or is planned to be
attached to the Internet, the network portion of the address
must be assigned by the Internet registry (historically a single
central authority; today a regional Internet registry or the
organization's ISP) rather than chosen locally.

TCP/IP Addressing Considerations
Classless Interdomain Routing (CIDR)

 CIDR reworks the Internet addressing scheme to allocate
IP addresses more efficiently than the old class A, B, and
C address mechanism.
 For example, a class B Internet address can support more
than 65,000 unique host addresses.
 Most companies with a class B address do not need nearly
this much capacity.
 Or, consider an organization that needs only 100
addresses for current and future needs.
 If it gets a class C address (with 254 host addresses), over
150 host addresses will be unavailable for other
companies.

TCP/IP Addressing Considerations
Classless Interdomain Routing (CIDR)

 CIDR solves this problem by using a more flexible network
prefix.
 Instead of being limited to network identifiers of 8, 16, or
24 bits, a CIDR prefix can be any length; in practice, allocated
blocks have ranged from 13 to 27 bits.
 This allows blocks of addresses to be assigned for
networks as small as 32 addresses (/27) and as large as
roughly 500,000 addresses (/13).
 A CIDR address includes the standard 4-byte (32-bit) IP
address, plus the number of bits used for the network
prefix.

TCP/IP Addressing Considerations
Classless Interdomain Routing (CIDR)

 For example, in the CIDR address 205.169.85.0/26, the
"/26" indicates that the first 26 bits identify the
network, leaving the remaining 6 bits for host addresses.
 This block therefore contains 64 addresses, of which 62 are
assignable to hosts (the all-zeros network address and the
all-ones broadcast address are not).
 The lower the prefix number, the more host addresses are
available to the user.
 Some sample CIDR prefix values and their corresponding
number of addresses are listed below:

TCP/IP Addressing Considerations
Classless Interdomain Routing (CIDR)

CIDR Prefix   Addresses in Block   Usable Host Addresses
/27                    32                    30
/26                    64                    62
/25                   128                   126
...                   ...                   ...
/20                 4,096                 4,094
/19                 8,192                 8,190
...                   ...                   ...
/14               262,144               262,142
/13               524,288               524,286

TCP/IP Addressing Considerations
Variable-Length Subnetting

 Classic subnetting does not allow for subnets of different
sizes; each subnet is allocated a specific number of bits
that determines the number of nodes that can be
addressed on an individual subnet.
 This results in inefficient use of the address space.
 Variable-length subnetting is a standards-based approach
that allows for multiple subnet masks within a single
network, and for variations in the size of subnets.
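The following is an added example, not part of the lecture notes, that carries the 205.169.85.0 subnetting exercise, the subnet mask rules, the CIDR block sizes and the variable-length subnetting idea above through with explicit bit operations, so each figure on the slides can be checked. The class and mask logic is the standard classful/CIDR arithmetic; 205.169.85.0/24 and the seven-subnet case are the slides' own values, while 10.20.0.0/22 and the department host counts used for the VLSM plan are constructed for this example.

```python
# Added example (not from the lecture notes): IPv4 class, mask, subnet and
# VLSM arithmetic with explicit bit operations. 205.169.85.0/24 comes from the
# slides; 10.20.0.0/22 and the department sizes below are constructed.
from typing import Dict, List

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Dotted quad to a 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    n = 0
    for o in octets:
        n = (n << 8) | int(o)
    return n


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classful rule from the slides: the leading bits of octet 1 decide."""
    first = ip_to_int(addr) >> 24
    if first >> 7 == 0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """Dotted mask to prefix length. A mask whose 1 bits are not contiguous
    is a misconfiguration, not a valid mask, so it is rejected."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def subnet_info(cidr: str) -> dict:
    """Network, broadcast and usable host count for an address/prefix pair."""
    addr, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & ALL_ONES)
    size = 1 << (32 - prefix)
    # All-zeros (network) and all-ones (broadcast) are not assignable;
    # RFC 3021 /31 point-to-point links are the exception.
    usable = size - 2 if prefix <= 30 else (2 if prefix == 31 else 1)
    return {"network": int_to_ip(network), "mask": int_to_ip(mask),
            "broadcast": int_to_ip(broadcast), "addresses": size,
            "usable_hosts": usable}


def same_subnet(a: str, b: str, mask: str) -> bool:
    """The decision a host makes before sending: deliver locally or via the
    router. Two hosts with different masks can disagree, which is why a
    wrong mask breaks connectivity."""
    m = prefix_to_mask(mask_to_prefix(mask))
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


def fixed_subnets(cidr: str, subnet_bits: int) -> List[str]:
    """Classic fixed-length subnetting: borrow subnet_bits from the host part."""
    base = subnet_info(cidr)
    new_prefix = int(cidr.split("/")[1]) + subnet_bits
    if new_prefix > 30:
        raise ValueError("not enough host bits left for a usable subnet")
    start = ip_to_int(base["network"])
    step = 1 << (32 - new_prefix)
    return [f"{int_to_ip(start + i * step)}/{new_prefix}"
            for i in range(1 << subnet_bits)]


def vlsm_allocate(cidr: str, needs: Dict[str, int]) -> Dict[str, str]:
    """Variable-length subnetting: each network gets the smallest block that
    fits. Largest requirement first keeps every block aligned to its size."""
    base = subnet_info(cidr)
    base_prefix = int(cidr.split("/")[1])
    cursor = ip_to_int(base["network"])
    end = ip_to_int(base["broadcast"]) + 1
    plan: Dict[str, str] = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: kv[1], reverse=True):
        prefix = 30
        while prefix > base_prefix and (1 << (32 - prefix)) - 2 < hosts:
            prefix -= 1
        size = 1 << (32 - prefix)
        if size - 2 < hosts or cursor + size > end:
            raise ValueError(f"{name} ({hosts} hosts) does not fit in {cidr}")
        plan[name] = f"{int_to_ip(cursor)}/{prefix}"
        cursor += size
    return plan


if __name__ == "__main__":
    print(subnet_info("205.169.85.21/28"))       # the slides' 255.255.255.240 case
    print(fixed_subnets("205.169.85.0/24", 4))   # 16 subnets of 14 usable hosts
    print(vlsm_allocate("10.20.0.0/22",
                        {"sales": 200, "eng": 100, "ops": 50, "mgmt": 10}))
```

Running it shows why the classic scheme wastes space: the /28 plan gives every subnet exactly 14 hosts whether it needs 3 or 14, whereas the VLSM plan fits 200, 100, 50 and 10 hosts into 464 of the 1,024 addresses in 10.20.0.0/22 and leaves the rest free. The `mask_to_prefix` check is worth keeping in any tooling that reads masks from device configs: a non-contiguous mask is a typo that a host will happily apply.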

Security Considerations
Objectives

 Describe the types of threats and attacks that any
security plan must prevent
 Name and briefly describe some of the key layers of an
overall security solution
 Explain the challenges inherent in user authentication

Security Considerations
Security Threats

 Threats to network security come in several forms.
 A great deal of attention is paid to deliberate threats
originating from viruses and criminals; however,
accidental damage can be just as devastating.
 Whether intentional or not, information losses generally
fall into three categories:
◦ Modification
◦ Destruction
◦ Disclosure

Security Considerations
Security Threats

 A person who wants to cause one of these types of
damage can attack a computer networking system in a
number of ways. These attacks can take several forms:
◦ Crackers
 Crackers are criminal hackers, either insiders or outsiders,
who are motivated by the thrill of breaching a secure system.
◦ Trojan Horses
 Trojan horses are covert programs hidden in system or
applications software, or within seemingly innocent utilities.
◦ Viruses
 Viruses are self-replicating, destructive programs that
damage executable programs and network data in a variety
of ways.

Security Considerations
Security Threats

◦ Denial of service
 This type of attack leads to disruption of system availability
by crashing or overloading a critical device such as a server,
router, or firewall.
◦ Theft of information
 The attacker, often an insider, acquires proprietary
information such as trade secrets or business plans. This can
be done by eavesdropping on network transmissions,
masquerading as an authorized entity, or a brute-force attack
such as the use of a computer program that guesses
passwords.
◦ Corruption of data
 The attacker either destroys or corrupts data stored on disk
or corrupts data as it is transmitted across a network.

Security Considerations
Layered Approach to A Comprehensive Security
Solution

 Threats to the availability, ownership, and integrity of
information assets can arise at any of the locations
shown on the Security Threats Diagram.

Security Considerations
Layered Approach to A Comprehensive Security
Solution

 Potential security threats include:
◦ Careless users who reveal passwords or lose access
cards
◦ Internal network connections such as routers and switches
◦ Interconnection points such as gateways between
corporate intranets and the Internet
◦ Third-party network carriers such as long distance carriers
and Internet service providers (ISPs)
◦ Application-level imposters, eavesdroppers, and attackers

Security Considerations
Layered Approach to A Comprehensive Security
Solution

 Depending on the security needs of an organization,
these protective layers should include some or all of the
following:
◦ Security policy
◦ User awareness training
◦ Physical security
◦ Encryption
◦ Access control
◦ User authentication
◦ Firewalls
◦ Internet Protocol Security (IPSec)
◦ Security management

Firewall Considerations
Objectives

 Briefly describe the components of a typical firewall
 Explain how an organization's security policy influences
its firewall design
 Describe, in general, how a proxy server operates

Firewall Considerations
Stance of a Firewall

 The stance of a firewall system describes the fundamental
security philosophy of the organization.
 An Internet firewall may take one of two diametrically opposed
stances:

1. Everything Not Specifically Permitted Is Denied
◦ This stance assumes a firewall should block all traffic, and
each desired service or application should be
permitted on a case-by-case basis.

2. Everything Not Specifically Denied Is Permitted
◦ This stance assumes a firewall should forward all traffic,
and each potentially harmful service should be shut off on
a case-by-case basis. Its weakness is that any service nobody
thought to block, including ones that did not exist when the
rules were written, is allowed through by default.
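To make the difference between the two stances concrete, here is an added example (not from the lecture notes and not any vendor's firewall syntax): a minimal first-match packet filter written in Python, evaluated once with a default-deny rule set and once with a default-permit one. The rule sets, the addresses (documentation ranges) and the sample inbound packets are all constructed for the example; the thing to watch is the fate of the two packets for which no rule was ever written.

```python
# Added example (not from the lecture notes): a first-match packet filter
# that shows how the two firewall stances treat traffic nobody wrote a rule
# for. Rules, addresses and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, str, str, int]   # (proto, src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, e.g. "0.0.0.0/0"
    dst: str               # CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        proto, src, dst, dport = pkt
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def filter_packet(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; the stance (default) decides everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


ANY = "0.0.0.0/0"
DMZ_WEB = "203.0.113.10/32"       # constructed public web/mail host
INTERNAL = "192.168.0.0/16"       # constructed private network

# Stance 1: nothing passes unless a rule permits it.
DEFAULT_DENY_RULES = [
    Rule("permit", "tcp", ANY, DMZ_WEB, 443),
    Rule("permit", "tcp", ANY, DMZ_WEB, 25),
]

# Stance 2: everything passes unless a rule denies it. Only the services the
# administrator happened to think of are blocked.
DEFAULT_PERMIT_RULES = [
    Rule("deny", "tcp", ANY, INTERNAL, 23),   # telnet
    Rule("deny", "udp", ANY, INTERNAL, 69),   # tftp
]

# Constructed inbound packets from an Internet host.
PACKETS: List[Packet] = [
    ("tcp", "198.51.100.7", "203.0.113.10", 443),   # intended web traffic
    ("tcp", "198.51.100.7", "192.168.5.20", 23),    # telnet to an internal host
    ("tcp", "198.51.100.7", "192.168.5.20", 3389),  # RDP: no rule exists for it
    ("udp", "198.51.100.7", "192.168.5.53", 161),   # SNMP to an internal switch
]


def evaluate(stance: str) -> List[str]:
    """Return the verdict for each packet in PACKETS under the given stance."""
    if stance == "deny":
        rules, default = DEFAULT_DENY_RULES, "deny"
    elif stance == "permit":
        rules, default = DEFAULT_PERMIT_RULES, "permit"
    else:
        raise ValueError("stance must be 'deny' or 'permit'")
    return [filter_packet(rules, default, p) for p in PACKETS]


if __name__ == "__main__":
    for stance in ("deny", "permit"):
        print(stance, evaluate(stance))
```

Under the default-deny stance the RDP and SNMP packets never reach the internal hosts because no rule permits them; under the default-permit stance both sail through, since the only thing standing between an unanticipated service and the inside is a rule the administrator would have had to write in advance. That asymmetry is the reason the first stance is the recommended one.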

Firewall Considerations
Security Policy of an Organization

 An Internet firewall does not stand alone; it is part of the
organization's overall security policy, which defines all
aspects of its external and internal defense.
 To be successful, organizations must know what they
are protecting. The security policy must be based on a
carefully conducted security analysis, risk assessment,
and business needs analysis.
 If an organization does not have a detailed security
policy, the most carefully crafted firewall can be
circumvented to expose the entire private network to
attack.

Firewall Considerations
Cost of a Firewall

 How much security can the organization afford?
 A simple packet-filtering firewall is available at a minimal
cost because the organization needs a router to connect
to the Internet, and packet filtering is part of the
standard router feature set.
 If an organization has the in-house expertise, a home-
brewed firewall can be constructed from public domain
software, but there are still costs in terms of the time to
develop and deploy the firewall system.
 Finally, all firewalls require continuing support for
administration, general maintenance, software updates,
security patches, and incident handling.

Exercise: List and describe the types of firewall.

Developing A Logical Design Document
Objectives

 Explain why a Logical Design should address each
design goal
 Discuss approaches to deal with budget overruns and
management changes
 Prepare a simple Logical Design document

Developing A Logical Design Document
Preparing The Data

 The Logical Design phase creates its own deep pile of
raw data: device specifications, brochures, vendor bids,
networking standards, and other information the
designer needs to choose the technologies for the new
network.
 The Logical Design document will only need to include a tiny
fraction of this information; however, like all source data,
you should keep this material organized and available
for review.
 An important potential source of data is a network
simulation application that can model the performance
of a network design.

Developing A Logical Design Document
Components of a Logical Design

 A Logical Design describes the configuration of the
future network. It may include some or all of the
following major elements:
◦ Executive Overview, including review of design objectives
◦ Logical Design Discussion
◦ New Logical Diagram
◦ Overall Cost Estimate
◦ Approval Section

