E-mail this to a friend
Network Design Models
Today’s networks typically include voice, video, network management, mission-critical, and routing traffic in addition to bulk user traffic. Each type of traffic has different performance (bandwidth, delay, and jitter) and security requirements. Network design models provide a framework for integrating the many different types of traffic into the network.
Over the years, several models have been used to help describe how a complex network functions. These models are useful for designing a network and for understanding traffic flow within a more complex network. This section covers three models: the traditional Hierarchical Model, the Enterprise Composite Model, and the Cisco Enterprise Model.
Hierarchical Design Model
Network designers used the three-level Hierarchical Design Model for years. This older model provided a high-level idea of how a reliable network might be conceived, but it was largely conceptual because it didn’t provide specific guidance. Figure 1-1 shows the Hierarchical Design Model.
This is a simple drawing of how the three-layer model might be built out for a campus network. A distribution Layer-3 switch is used for each building on campus, tying together the access switches on the floors. The core switches link the various buildings together.
This same three-layer hierarchy can be used in the WAN with a central headquarters, division headquarters, and units.
Hierarchical Design Model
The layers break a network in the following way:
-
Access layer: Provides network access to workgroup end stations.
-
Distribution layer: Intermediate devices provide connectivity based on policies.
-
Core layer: Provides a high-speed switched path between distribution elements.
Redundant distribution and core devices, with connections, make the model more fault-tolerant. This early model was a good starting point, but it failed to address key issues, such as
-
Where do wireless devices fit in?
-
How should Internet access and security be provisioned?
-
How do you account for remote access, such as dial-up or VPN?
-
Where should workgroup and enterprise services be located?
Enterprise Composite Model
A newer Cisco model—the Enterprise Composite Model—is significantly more complex and attempts to address the shortcomings of the Hierarchical Design Model by expanding the older version and making specific recommendations about how and where certain network functions should be implemented. This model is a component of the Cisco Security Architecture for Enterprise (SAFE) Reference Architecture.
The Enterprise Model is broken into three large sections:
-
Enterprise Campus: Switches that make up a LAN
-
Enterprise Edge: The portion of the enterprise network connected to the larger world
-
Service Provider Edge: The different public networks that are attached
The Enterprise Campus, as shown in Figure 1-2, looks like the old Hierarchical Design Model with added details. It features six sections:
-
Campus Backbone: The core of the LAN
-
Building Distribution: Connects subnets/VLANs and applies policy
-
Building Access: Connects users to network
-
Management: An out-of-band network to access and manage the devices
-
Edge Distribution: A distribution layer out to the WAN
-
Server Farm: For Enterprise services
The Enterprise Edge, as shown in Figure 1-3, details the connections from the campus to the WAN and includes
-
E-commerce
-
Internet connectivity
-
Remote access
-
WAN
Enterprise Campus
Enterprise Edge
The Service Provider Edge is just a list of the public networks that facilitate wide-area connectivity and include
-
Internet service provider (ISP)
-
Public switched telephone network (PSTN)
-
Frame Relay, ATM, and PPP
Figure 1-4 puts together the various pieces: Campus, Enterprise Edge, and Service Provider Edge. Security implemented on this model is described in the Cisco SAFE blueprint.
Enterprise Composite Model
Cisco Enterprise Architecture
The Cisco Enterprise Architecture attempts to describe how all the network components integrate and work together. It includes Campus, Data Center, Branch, WAN, and Teleworker components.
The Campus Architecture component is basically the same as in the Composite model. It includes routing and switching integrated with technologies such as IP telephony and is designed for high availability with redundant links and devices. It integrates security features and provides QoS to ensure application performance. It is flexible enough to add advanced technologies such as VPNs, tunnels, and authentication management.
The Data Center component provides a centralized, scalable architecture that enables virtualization, server and application access, load balancing, and user services. Redundant data centers might be used to provide backup and business continuity.
The Branch Architecture extends enterprise services to remote offices. Network monitoring and management is centralized. Branch networks include access to enterprise-level services such as converged voice and video, security, and application WAN optimization. Resiliency is obtained through backup local call processing, VPNs, redundant WAN links, and application content caching.
The WAN component provides data, voice, and video content to enterprise users any time and any place. QoS, SLAs, and encryption ensure a high-quality secure delivery of resources. It uses IPsec or MPLS VPNs over Layer 2 or Layer 3 WANs, with either a hub-and-spoke or mesh topology.
Teleworker Architecture describes how voice and data are delivered securely to remote small or home office users. It leverages a standard broadband connection, combined with VPN and identity-based access. An IP phone can also be used.
SONA and IIN
Modern converged networks include different traffic types, each with unique requirements for security, QoS, transmission capacity, and delay. These include
-
Voice signaling and bearer
-
Core application traffic, such as Enterprise Resource Planning (ERP) or Customer Relationship Management (CRM)
-
Database transactions
-
Multicast multimedia
-
Network management
-
Other traffic, such as web pages, email, and file transfer
Cisco routers can implement filtering, compression, prioritization, and policing. Except for filtering, these capabilities are referred to collectively as QoS.
Although QoS is a powerful tool, it is not the only way to address bandwidth shortage. Cisco espouses an idea called the Intelligent Information Network (IIN).
IIN describes an evolutionary vision of a network that integrates network and application functionality cooperatively and enables the network to be smart about how it handles traffic to minimize the footprint of applications. IIN is built on top of the Enterprise Composite Model and describes structures overlaid on to the Composite design as needed in three phases.
Phase 1, “Integrated Transport,” describes a converged network, which is built along the lines of the Composite model and based on open standards. This is the phase that the industry has been transitioning to recently. The Cisco Integrated Services Routers (ISR) are an example of this trend.
Phase 2, “Integrated Services,” attempts to virtualize resources, such as servers, storage, and network access. It is a move to an “on-demand” model.
By “virtualize,” Cisco means that the services are not associated with a particular device or location. Instead, many services can reside in one device to ease management, or many devices can provide one service. An ISR brings together routing, switching, voice, security, and wireless. It is an example of many services existing on one device. A load balancer, which makes many servers look like one, is an example of one service residing on many devices.
VRFs are an example of taking one resource and making it look like many. Some versions of IOS are capable of having a router present itself as many virtual router (VRF) instances, allowing your company to deliver different logical topologies on the same physical infrastructure. Server virtualization is another example. The classic example of taking one resource and making it appear to be many resources is the use of a virtual LAN (VLAN) and a virtual storage area network (VSAN).
Virtualization provides flexibility in configuration and management.
Phase 3, “Integrated Applications,” uses application-oriented networking (AON) to make the network application-aware and to enables the network to actively participate in service delivery.
An example of this Phase 3 IIN systems approach to service delivery is Network Admission Control (NAC). Before NAC, authentication, VLAN assignment, and antivirus updates were separately managed. With NAC in place, the network can check the policy stance of a client and admit, deny, or remediate based on policies.
IIN enables the network to deconstruct packets, parse fields, and take actions based on the values it finds. An ISR equipped with an AON blade might be set up to route traffic from a business partner. The AON blade handles many functions, including examining traffic, recognizing an application, and rebuilding XML files in memory. Corrupted XML fields might represent an attack (called schema poisoning), and the AON blade can react by blocking that source from further communication. In this example, routing, an awareness of the application data flow, and security are all combined to enable the network to contribute to the success of the application.
Services-Oriented Network Architecture (SONA) applies the IIN ideal to Enterprise networks. SONA breaks down the IIN functions into three layers:
-
Network Infrastructure: Hierarchical converged network and attached end systems
-
Interactive Services: Resources allocated to applications
-
Applications: Includes business policy and logic
Understanding Routing Protocols
Routing protocols pass information about the structure of the network between routers. Cisco routers support multiple routing protocols, but the ROUTE exam covers only EIGRP, OSPF, and BGP. This section compares routing protocols and calls out some key differences between them.
Administrative Distance
Cisco routers are capable of supporting several IP routing protocols concurrently. When identical prefixes are learned from two or more separate sources, Administrative Distance (AD) is used to discriminate between the paths. AD is a poor choice of words; risk-factor is a more descriptive name. All other things being equal, routers choose paths advertised by the protocol with the lowest AD. AD can be manually adjusted.
Table 1-1 lists the default values for various routing protocols.
Table 1-1 Routing Protocols and Their Default Administrative Distance
|
Information Source |
AD |
|
Connected |
0 |
|
Static |
1 |
|
External BGP (Border Gateway Protocol) |
20 |
|
Internal EIGRP (Enhanced IGRP) |
90 |
|
IGRP (Internet Gateway Routing Protocol) |
100 |
|
OSPF (Open Shortest Path First) |
110 |
|
IS-IS (Intermediate System to Intermediate System) |
115 |
|
RIP (Routing Information Protocol) |
120 |
|
ODR (On Demand Routing) |
160 |
|
External EIGRP |
170 |
|
Internal BGP |
200 |
|
Unknown |
255 |
Routing Protocol Characteristics
Two things should always be considered in choosing a routing protocol: fast convergence speed and support for VLSM. EIGRP, OSPF, and BGP all meet these criteria. There are important distinctions between them, as described here:
-
EIGRP is proprietary, so it can be used only in an all-Cisco network; however, it is simple for network staff to configure and support.
-
OSPF is an open standard, but it is a bit more difficult for network staff to implement and support.
-
BGP is also an open standard but is typically used to exchange routes with routers external to your network. It can be very complex to implement, and fewer network engineers understand it well.
Table 1-2 compares routing protocols.
Table 1-2 Comparison of Routing Protocols
|
Property |
EIGRP |
OSPF |
BGP |
|
Method |
Advanced distance vector |
Link state |
Path vector |
|
Summarization |
Auto and manual |
Manual |
Auto and Manual |
|
VLSM |
Yes |
Yes |
Yes |
|
Convergence Speed |
Very fast |
Fast |
Slow |
|
Timers: Update (hello/dead) |
Triggered (LAN 5/15, WAN 60/180) |
Triggered, but LSA refreshes every 30 minutes (NBMA 30/120, LAN 10/40) |
Triggered (60/180) |
|
Network Size |
Large |
Large |
Very large |
Building the Routing Table
The router builds a routing table by ruling out invalid routes and considering the remaining advertisements. The procedure is