
Network Design

Foreword

- In the design phase, perform network designs based on the project requirements and guidelines specified in the planning phase.
- In the design phase, determine device selection, technological roadmap, network functions, and performance specifications.

www.huawei.com

Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved.

Objectives

Upon completion of this section, you will be able to:
- Understand common network types
- Understand each layer of the network design
- Understand common products and technologies
- Be familiar with advantages and disadvantages of common protocols
- Be familiar with comprehensive applications of each technological module
- Master the network design methodology

Contents

1. Overview
2. Physical Network Design
3. Logical Network Design
4. Other Network Technologies
5. Overall Technological Solution

Network Design Overview

Key points of the design:
- In the network design phase, customer requirements obtained in the network planning phase are implemented through technological methods.
- Network design generally follows the modular design principle. After design, network modules are integrated.
- Network design deliverables must be standard, detailed, clear, and implementable.

Network Design Content

Physical network design:
- Physical topology design
- Hardware device selection
- Interconnection link selection
- Basic device configurations

Logical network design:
- LAN design
- WAN design
- Routing structure design
- Network egress design
- High availability design

Network subsystem design:
- Network security design
- VPN design
- WLAN design
- Data center design
- Network management design

Key Points of Network Design

- Function & performance: connectivity, throughput, delay, jitter, and bit error rate (BER)
- Cost-effectiveness: human, material, and financial resources, as well as the construction period
- Reliability: MTBF, MTTF, and MTTR
- Scalability: topology, network address, and protocol
- Security: assets, risks, and countermeasures
- Manageability: SNMP, NETCONF, SDN, GUI, and NMS

Contents

1. Overview
2. Physical Network Design
   - Typical Topology
   - Device Selection
   - Media Selection
   - Network ID
3. Logical Network Design
4. Other Network Technologies
5. Overall Technological Solution

Typical Architecture of a Small-Scale Network

Characteristics:
- Small number of users
- Only one location
- Not hierarchical
- Simple requirements
(Figure labels: Marketing Dept; R&D Dept; Service Dept)

Typical Architecture of a Medium-Scale Network

Characteristics:
- Medium scale
- Most commonly used
- Multiple functional areas
- Preliminary hierarchical architecture
(Figure labels: Server area; Marketing Dept; R&D Dept; Service Dept)

Typical Architecture of a Large-Scale Network

Characteristics:
- Wide coverage range
- Large numbers of users
- Complex network requirements
- Comprehensive functional modules
- Rich network hierarchies
(Figure labels: ISP1, ISP2; Network management; Egress network; Remote access network; Backbone network; WAN; Data center; Network access in buildings & floors; Wireless access; Remote campus network)

Hierarchical Network - Three-Layer Architecture

(Figure labels: Core layer; Aggregation layer; Access layer)

Hierarchical Network - Two-Layer Architecture

(Figure labels: Core layer; Access layer)

Common Network Topologies

(Figure labels: Star; Dual-star; Square-shaped; Ring; Bus)

Case: Campus Network Topology

- A university needs to build a campus network to cover areas such as teaching buildings, dormitories, and canteens, as well as branch schools and equipment rooms.
  - How to define the campus network scale
  - How to design the campus network architecture
  - How to select the campus network topology

Network Device Classification

(Figure labels: Layer 2 switch; Layer 3 switch; Router)

Architectures of Switches

- Bus architecture (figure labels: CPU, memory, I/O)
- Matrix architecture (figure labels: CPU, Fabric, I/O)

Key Points for Switch Selection

- Type: fixed switch/modular switch
- Function: Layer 2/Layer 3 switch
- Port density: number of ports provided by the switch
- Port rate: 100 Mbit/s, 1 Gbit/s, and 10 Gbit/s
- Switching capacity: maximum throughput of the switching matrix or data bus
- Packet forwarding rate: actual packet forwarding capability of the switch

Huawei Fixed Switches

- S2700: Layer 2 FE switch. This switch series provides 8, 16, 24, or 48 10M/100M self-adaptive access ports, as well as one to four GE uplink ports.
- S3700: Layer 3 FE switch. This switch series provides 24 or 48 10M/100M self-adaptive access ports, as well as two GE uplink ports.
- S5700: Layer 3 GE switch. This switch series provides 24 or 48 10M/100M/1000M self-adaptive access ports, as well as four GE/10GE uplink ports.
- S6700: Layer 3 10GE switch. This switch series provides 24 or 48 10GE SFP+ optical ports.

Huawei Modular Switches

S7700:
- Three models of this series provide 3, 6, or 12 slots for 100M/1G/10G/40G interface cards.
- MPUs, power supplies, and fans use a redundancy design, and all modules are hot swappable.
- A single chassis supports a maximum of 480 10GE ports.
- Provides rich features such as MPLS VPN, traffic analysis, QoS, and multicast.

S9700:
- Three models of this series provide 3, 6, or 12 slots for interface cards.
- A single chassis provides a maximum of 576 10GE ports and 96 40GE ports, which support line rate forwarding.
- Provides modules such as the firewall, intrusion detection, and wireless control.
- Supports cluster switch system (CSS) technology.

S12700:
- Three models of this series provide 3, 6, or 12 slots for interface cards.
- A single chassis provides a maximum of 576 10GE ports and 96 40GE ports, which support line rate forwarding.
- Supports data center features such as TRILL, FCoE (DCB), EVN, nCenter, EVB, SPB, and VXLAN.

Key Points for Router Selection

- Type: fixed/modular/cluster-based
- Port type: Ethernet/Serial/POS/PON
- Port density: number of ports supported by a single router
- Performance: switching capacity and forwarding performance
- Other functions: firewall, IPS, VPN, online behavior management, voice, PBX, and SIP

AR Series Routers

AR1200:
- Multi-core CPU, non-blocking switching architecture
- Integration of services such as routing, switching, 3G/LTE, WLAN, and security; All-in-One networking capability
- Well-designed QoS mechanism
- Hot swappable LPUs

AR2200:
- Multi-core CPU, non-blocking switching architecture
- Four SIC slots, two WSIC slots, and two XSIC slots
- Integration of services such as routing, switching, 3G/LTE, WLAN, and security
- Well-designed QoS mechanism, hot swappable LPUs

AR3200:
- Separated forwarding and control planes, 1:1 redundancy for MPUs
- Four SIC slots, two WSIC slots, and four XSIC slots
- Integration of services such as routing, switching, 3G/LTE, WLAN, and security
- Well-designed QoS mechanism, hot swappable LPUs

NE Series Routers

NE20E-S:
- NP architecture
- Dual-engine
- 2/4/8 service card slots
- Multi-service support
- Five-level HQoS
- ISSU, NSR, and FRR support

NE40E:
- NP/CLOS architecture
- Dual-engine
- 3/8/16 service card slots
- Multi-service support
- HQoS and MPLS-TS
- ISSU, NSR, and FRR support

NE5000E:
- Non-blocking CLOS architecture
- Multiple cluster modes: back-to-back, 2+8, and 16+64
- 1GE to 100GE Ethernet
- 155 Mbit/s to 40 Gbit/s POS
- Bandwidth per slot: 480 Gbit/s

Product Documentation

- Huawei Enterprise Network Products: http://e.huawei.com/en/allproduct
- Huawei Routers: http://e.huawei.com/en/products/enterprise-networking/routers
- Huawei Switches: http://e.huawei.com/en/products/enterprise-networking/switches
- Huawei Security Products: http://e.huawei.com/en/products/enterprise-networking/security
- Huawei Wireless Products: http://e.huawei.com/en/products/enterprise-networking/wlan

Case: Campus Network Device Selection

- A university plans to deploy a network for dormitories. There are eight dormitory buildings, each of which has six floors. One floor has four units, and each unit has five dormitory rooms with six students in each.
  - How to select access devices for the dormitories
  - How to select aggregation devices for the dormitories

Common Media Types

(Figure labels: Twisted pair; Optical fiber; Wireless; Telephone cable; Coaxial cable)

Structural Cabling in a Building

- Cabling subsystems in a building:
  - Horizontal subsystem: from information panels to equipment rooms on the floor (using twisted pairs)
  - Vertical subsystem: from equipment rooms on the floor to the central equipment room (using optical fibers)
  - Work area subsystem: from terminals to information panels (using network jumpers)

Data Center Cabling Structure

- Top of Rack (ToR): installing switches at the top of each rack.
- End of Row (EoR): installing switches at the tail of each row of racks.

Engineering Tools and Test

(Figure labels: Twisted pair; Optical fiber; Twisted pair test; Optical fiber test)

Telephone and Coaxial Cables

(Figure labels: Telephone cable; Telephone cable loop connection test; Coaxial cable connection; Coaxial cable loop test)

Device Identifier

- Unique identifier of a device on a network
- Physical label and logical device name
- Unified rule and naming
- Content:
  - Device installation position
  - Device role
  - Device model
  - Logical number

Configuration example:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname HQ-CS-HW-S7706-1

Line Identifier

- Unique identifier of a line on a network
- Physical label and device port description
- Unified rule and naming
- Content:
  - Local device name
  - Peer device name
  - Peer device ID
  - Link role
  - Logical number

Configuration example (after the interface command the prompt changes to the interface view):
[Huawei]interface gigabitethernet0/0/0
[Huawei-GigabitEthernet0/0/0]description To-HQ-CS-HW-S7706-1-GE1/1/1

Case: Device and Link Identifier Planning on a Campus Network

- A campus network has a large number of devices and lines, and requires unified naming rules for device and line diagnosis and management. Design the naming rules for devices and lines.
  - Device naming rule
  - Line naming rule
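As an added example (not part of the course material), the naming rule above can be made machine-checkable: the following Python builds and parses device names and link descriptions in the form shown on the slides, renders the sysname and description commands, and checks that both ends of each link describe each other, which is what makes the descriptions usable for diagnosis. The field meanings (position, role, vendor, model, number) and every device name other than HQ-CS-HW-S7706-1 are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Field layout inferred from the slide's example name HQ-CS-HW-S7706-1:
# position-role-vendor-model-number. This interpretation is an assumption.
DEVICE_NAME = re.compile(
    r"(?P<site>[A-Z0-9]+)-(?P<role>[A-Z]+)-(?P<vendor>[A-Z]+)-"
    r"(?P<model>[A-Z0-9]+)-(?P<number>[0-9]+)")
# Link description form from the slide: To-<peer device name>-<peer port>.
LINK_DESC = re.compile(r"To-(?P<peer>.+)-(?P<port>[A-Z0-9]+(?:/[0-9]+)+)")


@dataclass(frozen=True)
class Device:
    site: str
    role: str
    vendor: str
    model: str
    number: int

    def name(self):
        return f"{self.site}-{self.role}-{self.vendor}-{self.model}-{self.number}"


def parse_device_name(name):
    """Split a device name into its fields; raise ValueError if it breaks the rule."""
    m = DEVICE_NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"device name violates naming rule: {name!r}")
    return Device(m["site"], m["role"], m["vendor"], m["model"], int(m["number"]))


def link_description(peer_name, peer_port):
    """Build the interface description for the local end of a link."""
    parse_device_name(peer_name)  # refuse to describe a peer whose name is off-rule
    return f"To-{peer_name}-{peer_port}"


def parse_link_description(desc):
    """Return (peer device name, peer port) from a description, or None if malformed."""
    m = LINK_DESC.fullmatch(desc)
    return None if m is None else (m["peer"], m["port"])


def vrp_commands(device, links):
    """Render the sysname and per-interface description commands for one device.
    links: iterable of (local interface, peer device name, peer port)."""
    cmds = [f"sysname {device.name()}"]
    for local_if, peer_name, peer_port in links:
        cmds.append(f"interface {local_if}")
        cmds.append(f"description {link_description(peer_name, peer_port)}")
    return cmds


def check_link_consistency(descriptions):
    """Verify that every described link is described back from the other end.
    descriptions: {(device name, port): description}. Returns a list of
    (device, port, problem) tuples; an empty list means all ends agree."""
    problems = []
    for (dev, port), desc in descriptions.items():
        parsed = parse_link_description(desc)
        if parsed is None:
            problems.append((dev, port, "unparseable-description"))
            continue
        peer, peer_port = parsed
        back = descriptions.get((peer, peer_port))
        if back is None:
            problems.append((dev, port, "peer-end-missing"))
        elif parse_link_description(back) != (dev, port):
            problems.append((dev, port, "peer-end-mismatch"))
    return problems


# Constructed sample: the slide's core switch plus assumed access switches.
SAMPLE_DESCRIPTIONS = {
    ("HQ-CS-HW-S7706-1", "GE1/1/1"): "To-HQ-AS-HW-S5700-1-GE0/0/1",
    ("HQ-AS-HW-S5700-1", "GE0/0/1"): "To-HQ-CS-HW-S7706-1-GE1/1/1",
    ("HQ-AS-HW-S5700-2", "GE0/0/1"): "To-HQ-CS-HW-S7706-1-GE1/1/2",  # core side not configured
    ("HQ-AS-HW-S5700-3", "GE0/0/1"): "uplink",                        # free text, off-rule
}

if __name__ == "__main__":
    core = parse_device_name("HQ-CS-HW-S7706-1")
    links = [("GigabitEthernet1/1/1", "HQ-AS-HW-S5700-1", "GE0/0/1")]
    print("\n".join(vrp_commands(core, links)))
    for problem in check_link_consistency(SAMPLE_DESCRIPTIONS):
        print("link naming problem:", problem)
```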

Contents

1. Overview
2. Physical Network Design
3. Logical Network Design
   - LAN Design
   - WAN Design
   - Route Architecture Design
   - Network Egress Design
   - High Availability Design
4. Other Network Technologies
5. Overall Technological Solution

LAN Selection

LAN: Ethernet switch + twisted pair + optical fiber

Important parameters:
- Rate: 100 Mbit/s, 1 Gbit/s, 10 Gbit/s, 40 Gbit/s
- Port type: copper cable, optical fiber
- MTU: 1500, jumbo frame
- Other functions: PoE/stacking/routing

Commonly Used Topologies on a LAN

(Figure labels: Core layer; Aggregation layer; Access layer; Dual-star topology; Star topology)

VLAN Design

- ID allocation:
  - Range: 1–4094
  - Continuity
  - Scalability
- Assignment method:
  - Port-based
  - MAC address-based
  - IP subnet-based
  - Protocol-based
  - Policy-based
- Assignment principle:
  - Service-based
  - Location-based
  - Security-based
- VLAN scale expansion:
  - Special VLAN design
  - Network extension
  - Port scalability

STP Protocol

STP/RSTP/MSTP:
- STP: basic version.
- RSTP: convergence speed improved.
- MSTP: concepts of region and instance introduced.

Compatibility:
- Downward compatible.
- RSTP: enables STP for ports that receive STP BPDUs.
- MSTP: switches running RSTP work in different regions.

Default configuration:
- Huawei switches use the MSTP protocol.
- One switch belongs to one region.
- All VLANs are mapped to instance 0.

MSTP design:
- Region definition.
- Revision version definition.
- Instance definition.
- VLAN mapping definition.

STP Settings

Key points: positions of the root bridge and the blocked port
- The core switch can serve as the root bridge.
- Switches at the same position cannot be blocked.
(Figure labels: Port blocking is not applicable; Port blocking is applicable)

Adjustment methods: BID priority, cost ...

Layer 2 Network Loop

- Working mechanism: Ethernet floods broadcast data by default.
- Network structure: Redundant devices and links cause loops in physical topologies.
- Implementation defect: Implementation differs on devices.
- STP algorithm: Switches have no network topology information, and work depending on the timer.
- In theory: STP can prevent loops. In practice: Loops may still occur.

Loop Prevention Technologies

- STP optimization:
  - Root Guard
  - Loop Guard
  - BPDU Guard
  - Edge-port
- Other loop prevention technologies:
  - Smart Link
  - SEP
  - RRPP
- New technology:
  - TRILL

Layer 2 Network Security Design

Layer 2 Attack Type | Layer 2 Protection Mechanism
DoS attacks on devices | Switch CPU defense
Traffic overload | Traffic suppression and storm control
MAC address spoofing | Port security
DHCP attack | DHCP snooping
ARP attack | Rate limit, solidification, isolation, and DAI
IP address spoofing | IPSG

Select corresponding security mechanisms for different attacks.

Case Study

- On a campus network, access switches and aggregation switches are connected at Layer 2. User gateways are deployed on aggregation switches. The aggregation and core switches are connected at Layer 3. To isolate broadcast domains, design a VLAN assignment solution for the Layer 2 network.

Characteristics of WAN

- Wide coverage range
- High leasing costs
- Complex O&M

WAN Technology Selection

(Figure: WAN technology options)
- SDH-based transmission network: DDN/E1/POS/MSTP
- DWDM/OTN
- Circuit switched network: PSTN/ISDN
- Packet switched network (PSN): ATM/FR/X.25

Layer 2 Protocol for WAN

Link Type | Structural Feature | Layer 2 Protocol
DDN/E1/POS | P2P | HDLC/PPP
PSTN/ISDN | P2P | PPP
OTN | P2P | Ethernet
Packet switched network (PSN) | P2MP | X.25/FR/ATM

- P2P links are the mainstream links used on WANs.
- Point-to-Point Protocol (PPP) is the mainstream protocol used by P2P links.
- OTNs provide Ethernet access services.

Replacement Technologies for WAN

Traditional WAN:
- Bandwidth guaranteed
- Expensive
- QoS controllable
- High reliability
- High security

VPN:
- Bandwidth uncontrollable
- Cost-effective
- QoS uncontrollable
- Poor reliability
- High security

Access Network Technology

Last-mile access: enabling communication between user networks and carriers' backbone networks.
- DSL: telephone cables; asymmetric uplink and downlink bandwidths; 1–10 Mbit/s
- FTTx: twisted pairs; scenarios with a high user density; high bandwidth; 10 Mbit/s, 100 Mbit/s, or 1 Gbit/s
- PON: optical fibers; future trend
- HFC: coaxial cables; broadcasting and TV carrier; sharing the 100 Mbit/s bandwidth
- Asynchronous dialing: telephone cables; eliminated; rate < 64 kbit/s
- Wireless: Wi-Fi or LTE; future trend; 1–100 Mbit/s

Case Study

- A campus network needs to connect to an education network on which access points are deployed in the same city. The straight-line distance between the two networks is about 10 km, and the estimated bandwidth requirement is about 1 Gbit/s. Which link technologies can be used?

IP Address Allocation Rules

1. Uniqueness: basic address allocation principle
2. High efficiency: designing a proper mask length (VLSM)
3. Aggregation: saving device resources
4. Continuity: consecutive addresses of adjacent network segments
5. Scalability: reserving expansion space
6. Manageability: address denotation

IP Address Configuration

- Manual configuration: common masks are /32 and /30. This mode is usually used for network device configuration. The mechanism is simple, but the configuration workload is heavy.
- DHCP: This mode is usually used on clients, with addresses allocated by area and block. Multiple security mechanisms can be used together: DHCP snooping, DAI, and IPSG.

Routing Boundary Identification

Focus:
- Device cost
- Bandwidth cost
- Security
- Maintainability

- When client gateways are deployed at the aggregation layer, access switches work in switching mode, and devices above the aggregation layer work in routing mode.
- When client gateways are deployed at the access layer, switches on the entire network work in routing mode.

Routing Protocol Selection

Classification | Protocol | Algorithm | Description
IGP | RIP | DV | Simple, cost of hop count, V1 and V2
IGP | OSPF | LS | Hierarchical, bandwidth cost, fast, and loop-free
IGP | IS-IS | LS | Similar to OSPF
EGP | BGP | DP | Inter-domain routing, strong bearing and manipulation capabilities, and loop-free

- In practice, OSPF is preferred, and IS-IS is commonly used on carrier backbone networks.
- BGP applies to inter-domain routes and MPLS/BGP VPN networks.
- Static routes are commonly used in scenarios where there are no redundant connections.

Problems of OSPF Design

(Figure labels: AREA 0, AREA 1; Separated area; VLAN scale; Sub-optimal route)

Case Discussion - Routing Boundary and Routing Protocol

- Routing protocols need to be deployed on campus networks to function as route bearers. Questions:
  - Which routing protocols do you want to select?
  - Where is the boundary between the Layer 3 routing network and the Layer 2 switching network deployed?
  - What is the routing protocol design?

Case Study - IP Address Allocation

- IP address allocation solution
  - The network segment 10.0.0.0/8 is recommended due to the scale of the campus network. (If education network segments are specified, use the corresponding ones.) In this case, network segments are divided based on the principle of one room per VLAN.

Building No. | Floor | Unit | Room No. | Network Segment | Gateway IP Address
Building 1 | 1st floor | Unit 1 | 1 | 10.11.11.0/29 | 10.11.11.1/29
Building 1 | 1st floor | Unit 1 | 2 | 10.11.12.8/29 | 10.11.12.9/29
Building 1 | 1st floor | Unit 2 | 1 | 10.11.21.0/29 | 10.11.21.9/29
Building 1 | 1st floor | Unit 2 | 2 | 10.11.22.0/29 | 10.11.22.9/29
Building 1 | 2nd floor | Unit 1 | 1 | 10.12.11.0/29 | 10.12.11.1/29
Building 1 | 2nd floor | Unit 1 | 2 | 10.12.12.8/29 | 10.12.12.9/29
Building 2 | 1st floor | Unit 1 | 1 | 10.21.11.0/29 | 10.21.11.1/29
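An allocation table like the one above can be checked mechanically against the allocation rules on this page: uniqueness (no overlapping segments), a mask length that actually fits the six students per room from the device-selection case, a gateway inside its own segment, and a consistent address denotation. The following Python is an added example, not part of the course material; the octet pattern it infers from the table rows (second octet = 10 × building + floor, third octet = 10 × unit + room) is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class RoomSegment:
    building: int
    floor: int
    unit: int
    room: int
    segment: str   # network segment as written in the table, e.g. "10.11.11.0/29"
    gateway: str   # gateway interface address as written, e.g. "10.11.11.1/29"


# Rows transcribed from the slide's allocation table.
SLIDE_TABLE = [
    RoomSegment(1, 1, 1, 1, "10.11.11.0/29", "10.11.11.1/29"),
    RoomSegment(1, 1, 1, 2, "10.11.12.8/29", "10.11.12.9/29"),
    RoomSegment(1, 1, 2, 1, "10.11.21.0/29", "10.11.21.9/29"),
    RoomSegment(1, 1, 2, 2, "10.11.22.0/29", "10.11.22.9/29"),
    RoomSegment(1, 2, 1, 1, "10.12.11.0/29", "10.12.11.1/29"),
    RoomSegment(1, 2, 1, 2, "10.12.12.8/29", "10.12.12.9/29"),
    RoomSegment(2, 1, 1, 1, "10.21.11.0/29", "10.21.11.1/29"),
]

# Six students per room, from the device-selection case earlier on this page.
STUDENTS_PER_ROOM = 6


def expected_octets(row):
    """Address denotation inferred from the table rows (an assumption, not a rule
    the slides state): second octet = 10*building + floor, third = 10*unit + room."""
    return f"10.{10 * row.building + row.floor}.{10 * row.unit + row.room}"


def check_row(row, students=STUDENTS_PER_ROOM):
    """Return the problem codes for one row; an empty list means the row is fine."""
    problems = []
    net = ipaddress.ip_network(row.segment, strict=False)
    if str(net) != row.segment:                  # host bits set in the segment column
        problems.append("segment-not-network-address")
    if not row.segment.startswith(expected_octets(row) + "."):
        problems.append("denotation-mismatch")   # manageability rule
    gw = ipaddress.ip_interface(row.gateway).ip
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        problems.append("gateway-outside-segment")
    # High-efficiency rule: usable hosts after network, broadcast and gateway addresses.
    if net.num_addresses - 3 < students:
        problems.append("segment-too-small")
    return problems


def find_overlaps(table):
    """Uniqueness rule: return the pairs of segments that overlap each other."""
    nets = [(row.segment, ipaddress.ip_network(row.segment, strict=False)) for row in table]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def validate_plan(table, students=STUDENTS_PER_ROOM):
    """Return {segment: [problem codes]} for every row with at least one problem."""
    report = {row.segment: check_row(row, students) for row in table}
    return {seg: codes for seg, codes in report.items() if codes}


if __name__ == "__main__":
    for seg, codes in validate_plan(SLIDE_TABLE).items():
        print(seg, ", ".join(codes))
    print("overlapping segments:", find_overlaps(SLIDE_TABLE))
```

Run against the slide's rows, the checker reports that a /29 leaves only 5 host addresses after the gateway, and that the gateways listed for 10.11.21.0/29 and 10.11.22.0/29 fall outside their segments; widening the per-room mask to /28 clears the capacity finding.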

Network Egress Access Technology

- Link connection: Various links including E1, POS, and DSL links can be used. PON and Ethernet are commonly used.
- Device connection: Specific adapters are needed for different link types. Routers or firewalls are required to translate network addresses.
- Intranet address: Generally, enterprises do not have sufficient public IP addresses. Private IP addresses need to be translated into public ones before being used to access the Internet.

Single-Egress Network Architecture

(Figure labels: Enterprise intranet; Firewall; NAT; WWW)
- Public IP address requirements:
  - Connection address
  - Address pool
- Focus: traffic type
  - Internal PCs access external servers
  - Internal servers provide external services

Single-Carrier and Multi-Egress Network Architecture

(Figure labels: Enterprise intranet; Firewall; NAT; WWW)
- Providing redundancy
- Two connection addresses, and one address pool
- Outbound path selection: route direction
- Lack of controllability

Multi-Carrier and Multi-Egress Network Architecture - Outgoing Traffic

(Figure labels: ISP1, ISP2; Firewall; NAT; Enterprise intranet; WWW)
- Connection condition:
  - Two connection addresses
  - Two address pools
- Outbound path selection:
  - Optimal selection of path
  - NAT address pool selection
- Inbound path selection:
  - Corresponding to path selection

Multi-Carrier and Multi-Egress Network Architecture - Server Access Traffic

(Figure labels: ISP1, ISP2; Firewall; NAT; Enterprise intranet; WWW)
- NAT mapping: The server IP address is statically mapped to addresses of two address pools.
- The link through which users access a server depends on the address used for the connection.
- Outbound path selection: static route selection

Multi-Carrier and Multi-Egress Network Architecture - Peer-to-Peer Mode

(Figure labels: ISP1, ISP2; ICP/DC)
- This mode is commonly used in ICP and DC scenarios.
- Public IP addresses and AS numbers are required.
- NAT is not performed.
- BGP route selection is required.

Project Case

- A campus network connects to an education network using a single link, and internal servers provide services for the education network. Design the network egress architecture for the campus network.

Definition of High Availability

Availability = MTTF/(MTTF+MTTR) * 100%
- Mean Time to Failure (MTTF)
- Mean Time to Restoration (MTTR)

Methods to improve availability:
- Improve the MTTF
- Shorten the MTTR

Implementation mode: component, device, link, and service redundancy

Component and Device Redundancy

Component redundancy on devices (figure labels: MPU; Power module; SFU; Fan module):
- Power module
- Fan module
- MPU
- SFU

Device redundancy in network design:
- Stack
- CSS

Link Redundancy

(Figure labels: Multilink PPP; Multi-link load balancing and backup; Eth-Trunk)
- Multilink PPP:
  - Bandwidth increase
  - Data fragmentation and reassembly
- Eth-Trunk:
  - Link bundling
  - Load balancing and backup
- E-Trunk:
  - Inter-device link bundling

Project Case

- After the assessment by both parties, the engineering personnel and the school campus network project group reach a consensus that the requirements for network reliability differ between components. For example, access in dormitories requires low reliability, while high reliability is required at the aggregation and core layers. Design a network as required.

Protocols and Mechanisms to Improve Availability

- Routing protocol: Provides device redundancy and link switchover at the network layer.
- VRRP: Provides redundant gateways for LANs.
- STP: Provides dynamic redundant paths for Ethernet networks.
- BFD: Rapidly detects faults on forwarding paths.
- FRR: Implements fast reroute (FRR) using active and standby channels.

Contents

1. Overview
2. Physical Network Design
3. Logical Network Design
4. Other Network Technologies
   - Network security
   - VPN
   - WLAN
5. Overall Technological Solution

Network Security

Limitations of TCP/IP protocols:
- No data source verification
- No confidentiality protection
- No integrity check

Typical attacks (figure labels):
- Web vulnerabilities, buffer overflow, viruses, Trojan horses, etc.
- TCP spoofing, TCP DoS attacks, port scanning, etc.
- IP spoofing, Smurf attacks, ICMP attacks, etc.
- MAC spoofing, MAC flood, ARP spoofing, etc.

Network security: Use various technologies to ensure that hardware, software, and data in network systems are not maliciously damaged, modified, or intercepted, and that network systems continuously provide services.

Network Security System

(Figure labels: Internet; Extranet; Intranet; Access users)
- Network boundary security: A network boundary is located at the intersection point of the controlled network and the uncontrolled network, and is the position where inbound and outbound traffic are checked.
- Internal network security: Verify, check, and filter passing traffic, and take necessary protection measures on network devices.
- Intranet access security: Authenticate and check devices accessing the intranet to ensure that access is authorized and complies with security requirements.
- Terminal device security: Prevent terminal devices from being attacked by viruses, Trojan horses, and worms.

Security Technologies

Layer 3 network security technologies:
- ACL
- ARP security
- uRPF
- Firewall

Layer 2 network security technologies:
- Port security
- IP Source Guard (IPSG)
- DHCP snooping
- Storm control

Network device security:
- Device login security control
- CPU defense policy
- Protocol packet authentication

Network Boundary Security

(Figure labels: Internet; Firewall; Server zone; Intrusion detection; Internet behavior management; Enterprise intranet)
- Intersection point of the controlled network and the uncontrolled network
- Firewalls: basic security devices
  - Filtering data flows based on the quintuple and session status
- IDS/IPS
  - Scanning and monitoring application layer data of connections
- Other security systems
  - Antivirus system
  - External user access (VPN)

Evolution of Firewalls

Stages on the timeline (figure): packet filtering (access control); application proxy (proxy mechanism); status detection (session); UTM (specified device, multi-function); next-generation firewall, NGFW (DPI; management and control based on users, applications, and contents). Years marked on the timeline: 1989, 1994, 1995, 2004, 2005, 2009.

- Firewall technology has gone through multiple rounds of development and innovation.
- Stateful inspection firewalls are the mainstream.
- Firewalls integrate multiple security functions including intrusion detection and antivirus.
- Huawei USG firewalls are Next-Generation Firewalls (NGFWs).

Intranet Access Security

(Figure: Specify enterprise security policies; Block unauthorized users; Isolate and repair unauthorized users; Authorize user access scope; Monitor, audit, and collect evidence. Figure labels: Remote employees; Onsite employees; Guests; External unauthorized users; Sensitive information resources; Core information resources; General information resources; Repair)

Intranet Access Security Components

Access control modes: SACG, host firewall, and 802.1X access control.

Figure: the enterprise network is divided into a pre-authentication domain, an isolation domain (patch server), and a post-authentication domain (service server 1 and service server 2); branch access, partner access, remote office access, and local access pass through SACG1/SACG2 between the Internet and the core network, with SM and SC as the management components and 802.1X at the access layer.

Host firewalls:
- Internal employee security: remote agent (permanent)
- Guest and partner security: proxy (dissolvable)

Introduction to Huawei Firewalls

USG6300/6500:
- Targeted at small- and medium-sized enterprises and chain organizations.
- Provides integrated security and management.
- Provides four to eight GE high-density interfaces; two extension slots support 10GE interfaces.
- Provides integrated protection: traditional firewall functions, VPN, intrusion prevention, and antivirus.
- Identifies more than 6,000 applications and provides high-precision access control.

USG6600:
- 10GE firewall targeted at medium- and large-sized enterprises and next-generation DCs.
- Installed in a standard 19-inch rack, 1U to 3U high.
- Provides scalable 1000M electrical interfaces, 1000M optical interfaces, or 10GE optical interfaces, and supports bypass cards.
- Provides integrated protection, integrates multiple functions, and identifies more than 6,000 applications.
- Supports virtualization of multiple security services.

USG9000:
- Tbit/s firewall targeted at cloud service providers and large-sized DCs.
- Supports a maximum of 160Gbit/s service cards, 1.44Tbit/s throughput, and 1.44 billion concurrent connections.
- Supports GE, 10GE, 40GE, and 10GE interfaces and uses a distributed framework.
- Provides integrated protection, integrating firewall, IPS, VPN, and anti-DDoS functions.
- Provides superb reliability and 99.999% availability.
Other Huawei Boundary Security Products

NIP6000:
- Next-generation intrusion prevention system targeted at enterprise, campus, and carrier networks.
- Effectively defends against common attacks, including worms, Trojan horses, and SQL injection.
- Identifies multiple applications, including mainstream P2P, IM, online games, and social networks.
- Extracts files from transmission protocols and analyzes them.
- Supports flow model self-learning.

ASG2000:
- Enterprise-class professional online behavior management product.
- Identifies 1,200 mainstream applications and filters 85 million URLs.
- Provides professional audit reports and supports over 30 types of reports.
- Supports distributed deployment.

USG2000BSR:
- Targeted at small-sized enterprises; integrates security, routing, switching, and wireless functions.
- Supports FE, GE, E1/CE1, serial, ADSL2+, and 3G access modes.

USG6000V:
- NFV- and cloud-based multi-service gateway.
- Supports 1 to 8 CPUs.
- Supports 1+1 or N+1 redundant deployment.
- Supports a maximum of 500 tenants.

Project Case

- Select devices to connect the school campus network and the education network.
- On a school campus network, servers deployed in the equipment rooms of some colleges contain sensitive information and require high security. How is the network designed?
Contents

1. Overview
2. Physical Network Design
3. Logical Network Design
4. Other Network Technologies
   - Network security
   - VPN
   - WLAN
5. Overall Technological Solution

VPN Introduction

VPN concept: set up private data channels over shared network infrastructure.

VPN components:
- Tunneling
- Encryption and decryption
- Data authentication
- Identity authentication

Technological features of VPN:
- Cost reduction
- Flexibility
- Wide application
- Security
- No QoS
VPN Application Scenario

Figure: the headquarters is connected over the Internet to a remote office, a branch, traveling employees, and partners.

Access VPN:
- Clients do not require fixed IP addresses.
- The way in which mobile personnel connect to the Internet is not limited.

Site-to-site VPN:
- Connects two networks.
- Access points are fixed.
- It can replace leased lines.

IPSec VPN Features and Applications

Figure: enterprise headquarters and branch connected across the Internet by an IPSec VPN built from AH, ESP, and Internet Key Exchange (IKE).

IPSec is an IETF-defined network security framework that includes the AH, ESP, and IKE components. It can be configured with different encryption and authentication modes as required to provide confidentiality, integrity, authenticity, and anti-replay.

It provides multiple working modes, including transport and tunnel modes. IPSec can be used together with other tunneling technologies.

IPSec VPN working mode:
- Independent network devices.
- IPSec client software running on a PC.

Engineering application: applicable to the site-to-site VPN.
SSL VPN Features and Applications

Figure: remote users reach the enterprise headquarters across the Internet; the SSL VPN protocol stack is HTTP over SSL over TCP over IP.

Advantages:
- Uses standard browsers and does not require client software.
- Runs at the application layer, requiring no NAT and providing more fine-grained control.
- Provides simplified O&M.

Limitations:
- By default, SSL VPN supports limited applications.
- More devices at the application and network layers can be connected to the SSL VPN after plug-ins are installed.

Engineering applications: applies to the access VPN. Currently, no site-to-site VPN applications are provided.

MPLS VPN Features and Applications

Figure: CE1 - PE1 - P - PE2 - CE2, with a VRF on each PE. Outer labels construct an LSP; inner labels determine the VPN to which the data belongs.

- VPNs are implemented based on MPLS, BGP, or LDP, and are classified into Layer 2 and Layer 3 VPNs.
- VPN implementation is based on carrier networks, and VPNs are transparent to customer networks.
- MPLS VPN does not provide encryption or authentication functions.
- Carriers divide VPNs based on access ports.

Engineering applications: MPLS VPN can replace leased lines and applies to the site-to-site VPN. Contact local carriers for the corresponding services.
Huawei VPN Product Line

IPSec VPN:
- IPSec VPN does not require dedicated devices and is supported by common routers and firewalls. Note the number of connections and purchase the required license.
- When deploying the access VPN, you need to configure IPSec VPN client software that runs on a PC.

SSL VPN: SVN5600 or SVN5800
- The SVN5600 or SVN5800 supports a maximum of 100,000 concurrent users and mainstream operating systems, including Android, Windows, iOS, MacOS, Linux, Symbian, and Blackberry.
- It supports SSL VPN, IPSec VPN, GRE VPN, and L2TP VPN.
- It supports web proxy, network extension, file sharing, and port forwarding.

Other VPNs:
- MPLS VPN: there are no special requirements for client devices; common network devices such as routers and switches can use MPLS VPN.
- L2TP and GRE VPNs: common routers and advanced switches support these functions.
- ……

Project Case

- A university has headquarters and branch networks located in different cities. Design a cost-effective network solution for data exchange between the headquarters and the branch networks.
- Some college teachers want to log in to the school campus network when they are at home or on a business trip. What solution do you adopt?
Contents

1. Overview
2. Physical Network Design
3. Logical Network Design
4. Other Network Technologies
   - Network security
   - VPN
   - WLAN
5. Overall Technological Solution

Introduction to WLAN

WLAN: combination of computer networks and wireless communication technologies.

IEEE 802.11 timeline:
- 1997: 802.11, 2 Mbit/s
- 1999: 802.11a, 54 Mbit/s
- 1999: 802.11b, 11 Mbit/s
- 2003: 802.11g, 54 Mbit/s
- 2009: 802.11n, 600 Mbit/s
- 2013: 802.11ac, 1 Gbit/s

Other wireless networks: Bluetooth, WiMAX, LTE.

Advantage: provides flexible network deployment and improves work efficiency.
Fat AP Wireless Network

Figure: core network - access switches - Fat APs - STAs; each AP runs on its own.

- A Fat AP provides a complete IP protocol stack and runs independently.
- A Fat AP provides complete and abundant functions: DHCP, FW-NAT.
- Each Fat AP is managed separately.
- Inter-AP roaming is not supported.
- A Fat AP applies to a small-sized network.

Fit AP+AC Wireless Network

Figure: Fit APs (AP1 ... AP n) reach the AC through CAPWAP tunnels across the IP network.

- A Fit AP provides an incomplete protocol stack and needs to be used with an AC.
- A Fit AP can be easily deployed and managed.
- Fit APs are managed in a centralized manner.
- Inter-AP roaming is supported.
- A Fit AP applies to a large-sized network.
Huawei Wireless Network Products

- Indoor settled APs: AP3010DN, AP5010DN, AP5010SN, AP6010DN, AP6010SN, AP7110DN, AP7110SN
- Outdoor settled APs: AP6510DN, AP6610DN
- Indoor distributed APs: AP6310SN
- AC: AC6005, AC6605, ACU

Contents

1. Overview
2. Physical Network Design
3. Logical Network Design
4. Other Network Technologies
5. Overall Technological Solution
Significance of Technological Solution

- Project baseline: objectives of the later implementation.
- Work summary: summary of the early planning stage and design.
- Milestone: boundary between the early planning stage and design stage and the later implementation stage of a project.

Technological Solution Content

1. Project background: survey results in the planning stage
2. Project requirement
3. Detailed technological solution: topology, physical network design, logical network design, engineering interface
4. Relevant engineering problems: schedule, organization
5. Device purchasing list
Relevant Files of the Technological Solution

1. Commercial paper: engineering quotation, responsibilities and obligations, disclaimers
2. Authorization profile: authorization from project design partners
3. Certificate: enterprise qualification, personnel qualification
4. Other related documents

Quiz

1. Which of the following cabling modes are popular for a DC currently?
   A. TOR
   B. DOD
   C. EOR
   D. NSF

2. Which of the following subsystems are involved in building cabling?
   A. Horizontal subsystem
   B. Vertical subsystem
   C. Access subsystem
Thank You
www.huawei.com