
Advanced Course on Networking

Network Planning
4.2.2010

Karri Huhtanen <karri.huhtanen@tut.fi>

Contents
1. The Network Planning Process
1.1 Prestudy
1.1.1 Network documentation examples
1.1.2 Prestudy issues
1.2 Requirements specification
1.2.1 Example: Collected requirements
1.3 Design
1.3.1 Example: Architecture design and network segmentation/separation
1.3.2 Example: Logical structure
1.3.3 Example: Physical structure
1.4 Piloting, implementation, testing
1.5 Maintenance and network evolution
1.5.1 Example: Maintenance
1.5.2 Example: Evolution

1.1 Prestudy
Network planning is only rarely done from scratch.
The planning usually starts with an old network, which needs to be upgraded, updated or changed to utilise some completely new technology.
The network documentation is usually non-existent, outdated or only partly updated.
The functionality of even this old network is often critical and must not be broken (at least not for a long time)
=> there is a need to figure out why and how the existing network works and what can be broken during the project => prestudy
Coming next: a few examples of actual network documentation

1.1.1 Network documentation 28.8.2002

1.1.1 Network documentation 16.3.2004

1.1.1 Network documentation 11.10.2004

1.1.1 Better network documentation 30.11.2004

1.1.2 Prestudy issues
- Used, unused/free and usable IP networks, VLANs, equipment and software versions, and generally what each component or VLAN is used for.
- Commonly used solutions and the reasons to use them, but especially all exotic solutions: why are those used and what do they affect?
- Security settings and limitations: access control lists, firewalls, network management settings (SNMP communities etc.)
- Critical services: Which services may not be broken, and which services need to be online first or in a certain sequence?
- Critical contacts: Whom do we need to make this happen, and which of them do we need at the same time?

1.2 Requirements specification
- What is the goal? What is the combination of the requirements? The answers from technical, management and regular staff must be combined. The combination does not usually cover all the different requirements, but is instead a filtered combination of the general ones.
- How far can we go? For example, is this a network that can be designed from scratch?
- Efficiency, performance, compatibility, security and usability requirements? The priority of these various aspects?
- How long and which systems and services can be down during implementation?
- Is it possible to implement the project as a total change, or should it be implemented as a phased migration?
- Should the used technology be tested and piloted first, before deployment?

1.2.1 Example: Collected Requirements
TUT Public Access WLAN campus network, 17.3.2003

Architecture Design Principles
Sufficient Security
- for employees strongly secured access to department network
- for students basic authentication and secured limited services
- for guests an access controlled by host
- for guests and roaming users ability to use VPN to secure their connection to home network
Flexibility, Upgradeability, Scalability
- the architecture should enable introduction of new services, network elements and upgrades flexibly
- the architecture should not limit the scalability and growth of the network
Interoperability, Openness, Standards
- the architecture must support both commercial and non-commercial network elements via standard interfaces
- open standards and interfaces are preferred
- closed, proprietary standards and solutions should be avoided
Usability
- the basic access should not require any specific client software, hardware or operating system from the user terminal
Four ways to access network 1/2
Student Access
- student enters access zone, terminal receives public IP address
- student starts WWW browser and tries to retrieve WWW page, access controller diverts the request to the SSL protected authentication page
- student enters his authentication information (username@domain) and password, access controller verifies authentication from roaming proxy or other chosen authentication server
- student gains possibly limited access to the network
- if the terminal does not respond to certain number of subsequent pings, it is considered logged out and new authentication is required
Employee Access
- employee enters access zone, terminal receives public IP address
- employee initiates VPN connection to a known VPN terminator and authenticates via means available to VPN solution used
- employee now gains the secured full access to department intranet and possibly also virtual IP which is from trusted network
- VPN solution may be configured to decide when the user has logged out from the access zone or the employee may logout by terminating VPN connection.
Four ways to access network 2/2
Guest Access
- guest enters access zone
- guest starts WWW browser, on the authentication page there's link and instructions for guest access
- guest enters guest information on the registration page and receives guest account and generated password
- the host or some other authorized person approves guest registration and selects the account validity time
- guest gains access to network with the guest account
- the rest is similar to student access with the exception of the access revocation when the validity time ends
Roaming Access
- roaming user enters access zone
- roaming user starts WWW browser, access controller captures WWW request and presents authentication page
- roaming user enters his authentication information (username@domain) and password, access controller verifies authentication from roaming proxy
- roaming user gains access to the network
- the roaming user may now use the network like the student or initiate own VPN connection
- if the terminal does not respond to certain number of subsequent pings, it is considered logged out and new authentication is required
1.3 Design 1(2)
Architecture design
- Which equipment and elements, and where in the network and premises? Which technologies are used, how and where? Piloting supports this kind of design process.
- How does the network evolve and expand in the future?
- What network services are needed to support the equipment (for example DNS name and RADIUS servers)?
- How do all these components interoperate? How are they managed and monitored (network management)?
Network separation / segmentation
- Often in large networks different departments, workstations from servers, and management networks from data networks must be separated, each into their own network. VLANs are a useful technology to realise this.
- To use VLANs, we have to find out whether it is possible to use them, how many of them are needed and how many the used equipment supports.
- Certain VLANs may even have a special meaning (for example VLAN 1, the native VLAN, and VLANs 1002-1005 (FDDI, Token Ring etc.)).

1.3 Design 2(2)
Logical structure
- What IP networks, where and what for (for example link networks, management networks, normal networks)? Avoiding the unnecessary spending of IP addresses?
- Public or private IP addresses? Will NAT be used?
- Which VLANs are connected to which IP networks?
- To which logical network interfaces are the various IP networks and VLANs connected?
Physical structure
- The actual wiring (switch/hub ports, wall sockets, physical network interfaces)
- In wireless networks (for example WLAN) channel use, network names.
Deployment
- When and how are the required changes implemented into the network?
- Schedule? Timetables? Service windows? Contacts? Informing the users?

1.3.1 Example: Architecture design and network segmentation/separation
TUT Public Access WLAN Campus Network, 17.3.2003

Network structure
- public access networks (PAN) isolated from other networks in the edge routers
- access from PAN to Internet controlled by access controllers
- department intranets may be protected with access control lists / filters in the edge routers
- VLANs are used to separate access controllers to own access controller segment
- public access network is considered a hostile network like the Internet
[Figure: Internet, access controller and TUT core network; connected to the core are Main house intra networks, Main house public access network, Tietotalo intra networks and Tietotalo public access network]

Network elements
[Figure: Internet; TUT core network; department x intranet and department y intranet; VPN terminator; Access Controllers; public access zone (e.g. teamwork room) with nonencrypted filtered access to Internet; combined employee/public access zone with IPSEC/VPN secured access to department intranet; public access zone (e.g. lecture hall)]
1.3.2 Example: Logical Structure
[Figure: logical structure of the example network; networks and addresses as drawn]
- JRandom ISP 195.197.42.17 -- link network 195.197.42.16/30 -- 195.197.42.18 (Serial0)
- DMZ (VLAN 80), WWW: 195.197.42.20/30 (195.197.42.21, 195.197.42.22)
- DMZ (VLAN 25), SMTP, IMAPS: 195.197.42.24/30 (195.197.42.25, 195.197.42.26)
- Free (VLAN 500): 195.197.42.28/30
- Mgmt. Net (VLAN 104): 192.168.4.0/24
- Office Net (VLAN 116): 192.168.16.0/24
- WiFi Net (VLAN 117): 192.168.17.0/24
- Server Net (VLAN 108): 192.168.8.0/24, Samba and Intra-WWW server 192.168.8.9
- Router addresses in the internal networks: 192.168.[4,16,17].254; other address label drawn: 192.168.x.1
- Servers: DHCP, Radius

1.3.3 Example: Physical structure
SWITCH PORTS
- WWW server net (VLAN 80): 1-4
- Mail server net (VLAN 25): 5,6
- Server net (VLAN 108): 7-9
- Office net (VLAN 116): 10-15
- WiFi (VLAN 117): 16-35 (trunk VLANs 104,107)
- Mgmt. net (VLAN 104): 16-35 (trunk VLANs 104,107), 36 (trunk VLANs 104,116,117)
- 802.1q trunk (VLAN 25, 80, 104, 108, 116, 117)
WLAN APS AND OTHER
- 16: AP (R&D)
- 17,18: Wired Guest Net (R&D)
- 19: not connected
- 20: not connected
- 21: AP (CEO)
- 22: Wired Guest Net (CEO)
- 23: AP (Big Meeting Room)
- 24,25: Wired Guest Net (Big Meeting Room)
- 26-35: not connected
SERVERS/HOSTS
- WWW: 1
- SMTP/IMAPS: 5
- Samba+Intra WWW server: 9
- DHCP-server: 36
- CEO: 10
- CEO assistant: 11
[Figure: Jahuu ISP -- Serial0/0 router FastEthernet0/0 -- Port G0/0 802.1q trunk on the switch; Port 1-4 (VLAN 80) WWW; Port 5,6 (VLAN 25) SMTP, IMAPS; Port 10 802.1q trunk (VLAN 104, 116, 117); patch panel ports PH1, PH2, PH19; DHCP and Radius servers]

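As an added example (not part of the original slides), a small Python check of the kind a planner can keep next to the logical and physical structure documents of 1.3.2 and 1.3.3: subnets must not overlap, VLAN ids must be unique and avoid the special ids mentioned in 1.3 Design, every host and gateway address must lie inside its own subnet, and every VLAN with a subnet must appear on the switch-port map. The plan data is transcribed from the slides; which address of each /30 link belongs to which end is not stated there, so both addresses are simply checked against their link network.

```python
import ipaddress
from collections import Counter
from itertools import combinations

# Plan data transcribed from the 1.3.2/1.3.3 slides: name -> (VLAN id, network).
SUBNETS = {
    "ISP link": (None, "195.197.42.16/30"),
    "DMZ www":  (80,   "195.197.42.20/30"),
    "DMZ mail": (25,   "195.197.42.24/30"),
    "Free":     (500,  "195.197.42.28/30"),
    "Mgmt":     (104,  "192.168.4.0/24"),
    "Server":   (108,  "192.168.8.0/24"),
    "Office":   (116,  "192.168.16.0/24"),
    "WiFi":     (117,  "192.168.17.0/24"),
}
# Host and gateway addresses from the slide -> the network each should belong to.
HOSTS = {
    "195.197.42.17": "ISP link", "195.197.42.18": "ISP link",
    "195.197.42.21": "DMZ www",  "195.197.42.22": "DMZ www",
    "195.197.42.25": "DMZ mail", "195.197.42.26": "DMZ mail",
    "192.168.4.254": "Mgmt",     "192.168.16.254": "Office",
    "192.168.17.254": "WiFi",    "192.168.8.9": "Server",
}
# Switch ports carrying each VLAN, from the physical-structure slide.
PORT_VLANS = {80: [1, 2, 3, 4], 25: [5, 6], 108: [7, 8, 9],
              116: list(range(10, 16)), 117: list(range(16, 36)),
              104: list(range(16, 37))}
RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}  # special meaning on many switches

def check_plan(subnets=SUBNETS, hosts=HOSTS, port_vlans=PORT_VLANS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    nets = {name: ipaddress.ip_network(cidr) for name, (_, cidr) in subnets.items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):  # 1. no overlapping subnets
        if na.overlaps(nb):
            findings.append(f"overlap: {a} {na} and {b} {nb}")
    vlans = [v for v, _ in subnets.values() if v is not None]  # 2. unique, non-reserved ids
    dup = [v for v, n in Counter(vlans).items() if n > 1]
    findings += [f"VLAN {v} is assigned to more than one subnet" for v in dup]
    findings += [f"VLAN {v} is a reserved VLAN id" for v in vlans if v in RESERVED_VLANS]
    for addr, name in hosts.items():  # 3. hosts inside their subnet, not network/broadcast
        ip, net = ipaddress.ip_address(addr), nets[name]
        if ip not in net:
            findings.append(f"{addr} is not inside {name} {net}")
        elif ip in (net.network_address, net.broadcast_address):
            findings.append(f"{addr} is the network/broadcast address of {net}")
    for name, (v, _) in subnets.items():  # 4. every VLAN needs at least one switch port
        if v is not None and not port_vlans.get(v):
            findings.append(f"VLAN {v} ({name}) has no switch port assigned")
    return findings
```

Run against the slide data the only finding is that the "Free" VLAN 500 has no switch port, which matches the port map on the physical-structure slide.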
1.4 Piloting, deployment, testing
Piloting
- Not all of the newest technologies are necessarily the best to be deployed in large networks (for example HomePNA, new WLAN standards) => piloting is needed for testing and evaluating the technology and the products before the actual deployment decision is made
Deployment/Implementation
- After the piloting is done or the design is confirmed, deployment means implementing the required changes to the existing network.
- An important part of deployment is informing users and partners of the possible downtimes and reduced connectivity.
Testing
- Testing in network projects is usually done by deploying the solution as a whole or partly into the production environment.
- Some testing and performance measurements can be done during piloting, but the real behavior can be observed only when the network is in actual use.

1.5 Maintenance and network evolution
Maintenance
- Usually even the old, existing networks have been planned and designed properly. But then gradually new elements have been added to the network, problem-solving hacks have been introduced etc., and the documentation has not been updated.
- One way to avoid this is to make creating the documentation easier. So no official template Word documents, but instead a Wiki, where the network administrators can easily document the network changes and the reasons behind them.
Network evolution
- The network lives and evolves. Technologies and products change, but they still have to serve users and services utilising the same interfaces.
- Network usage profiles and traffic amounts change; the once allocated capacity may not last until the end of the world, but on the other hand extra capacity may not always be the solution.
- The effort to plan, design and document the network pays back when new network elements and services are being introduced to the existing network.

1.5.1 Example: Maintenance 1(2)
[Figure: Funet -- FTLR -- R -- AC -- TUT Public Access, with FW; AAA (old), TUT network, AAA (new), TUT-ICE network, AAAX (pilot)]
Legend: AAA = Authentication, Authorization, Accounting Server; AC = Access Controller; FW = FireWall; FTLR = Finnish Top-Level Radius; R = Router

1.5.1 Example: Maintenance 2(2)
[Figure: Funet network -- FTLR -- R -- AC -- TUT Public Access, with FW; AAA (old), TUT's networks, AAA (new), TLT network]
Legend: AAA = Authentication, Authorization, Accounting Server; AC = Access Controller; FW = FireWall; FTLR = Finnish Top-Level Radius; R = Router

1.5.2 Example: Evolution 1(3)
[Figure: Funet -- R -- AC -- TUT Public Access (ESSID: TUT); FW; VPN Network for students and employees; TUT Networks]
Legend: AC = Access Controller; FW = FireWall; R = Router

1.5.2 Example: Evolution 2(3)
[Figure: Funet -- R -- AC -- TUT Public Access (ESSID: TUT) and WPA-authentication TUT Public Access (ESSID: TUT-WPA); FW; VPN Network for students and employees; TUT networks]
Legend: AC = Access Controller; FW = FireWall; R = Router

1.5.2 Example: Evolution 3(3)
[Figure: Funet -- R -- AC -- TUT Public Access (ESSID: TUT), WPA-authentication TUT Public Access (ESSID: TUT-WPA) and eduroam(tm) network (ESSID: eduroam); FW; VPN Network for students and employees; TUT networks]
Legend: AC = Access Controller; FW = FireWall; R = Router