
TRUR1105_A2_163148 May 24, 2018

Network Design
FdSc Computer Technology – Networks

WORD COUNT: 3297


CONTENTS
Designing a Network Infrastructure
  Introduction
  Application of Designing a Network Infrastructure
  Access Control Lists
  Performance Improvement to the Network
    Bridges to Switches
  Routers – Protection and Security
    Network Monitoring
    Monitoring Tools
  Conclusion
References
Appendices


DESIGNING A NETWORK INFRASTRUCTURE

INTRODUCTION
Network infrastructure is how data travels around. This includes physical cabling, network switches,
routers, Wi-Fi devices, and fibre or wireless links between buildings ...

When setting up an infrastructure, you are combining components and hardware devices that give your
network several features:

• Access Control

• Routing/Switching Capabilities

• Connectivity

• Added Security

Looking at the topology of your network, when you plan for the physical design, you must also plan for
the software components.

Starting off on the right foot from the get-go is cost-effective to operate and presents consistent running
costs. A network for business needs to be up and running at all hours of the day to avoid disruptions and
distractions that affect the bottom line. It starts with the design of the network infrastructure.

APPLICATION OF DESIGNING A NETWORK INFRASTRUCTURE

Figure 1: Application – Designing a Network Infrastructure – Design Brief


ACCESS CONTROL LISTS


Currently, on the network as set up, all nodes can contact each other. However, we do not want some of
them to be able to do so. We need to configure the routers to do the following:

• Prevent host B from accessing any devices outside the London network.

• Allow X to communicate with Y only.

Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the
router’s interfaces. Each router examines each packet to determine whether to send on or drop, based
on the criteria specified within the access list. [1]

Figure 2: Access Control Lists – Packet Interrogation

ACLs on routers are not as complex or robust as stateful firewalls, but they do offer a significant amount
of firewall capability. Routers should also block well-known protocols that you absolutely do not plan to
allow into or out of your network. In addition, ACLs here should be configured to restrict network peer
access, and they can be used in conjunction with the routing protocols to restrict updates and the extent
of routes received from or sent to network peers.
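The following is an added example (not code from this report) that simulates the packet-by-packet decision described above for the two requirements of the design brief: rules are checked in order, the first match decides, and anything unmatched hits the implicit deny at the end of the list. The addresses are constructed placeholders (London 192.168.1.0/24 with host B at .20, Paris 192.168.2.0/24 with X at .10, Moscow 192.168.3.0/24 with Y at .10), not the ones shown in the appendices.

```python
"""Simulate how a router evaluates an ordered access list: rules are checked
top to bottom, the first match decides, and an unwritten "deny everything"
sits at the end of every list.

Added example for the two requirements in this report's design brief. The
addresses are constructed placeholders, not the ones in the appendices:
  London LAN 192.168.1.0/24 (host A = .10, host B = .20)
  Paris  LAN 192.168.2.0/24 (host X = .10)
  Moscow LAN 192.168.3.0/24 (host Y = .10)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str = "tcp"            # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # destination port, None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # CIDR network, a /32 host, or "any"
    dst: str                      # CIDR network, a /32 host, or "any"
    proto: str = "ip"             # "ip" matches every protocol
    dport: Optional[int] = None   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (_in_net(pkt.src, self.src)
                and _in_net(pkt.dst, self.dst)
                and self.proto in ("ip", pkt.proto)
                and self.dport in (None, pkt.dport))


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that matched).

    Index None means no rule matched and the implicit deny applied.
    """
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Applied inbound on router 1's London LAN interface: host B may not leave
# London, every other London host may. Order matters: the permit for the
# whole subnet would also match host B if it were listed first.
LONDON_LAN_IN = [
    Rule("deny", "192.168.1.20/32", "any"),
    Rule("permit", "192.168.1.0/24", "any"),
]

# Applied inbound on router 2's Paris LAN interface: X may talk to Y and to
# nothing else; other Paris hosts are unaffected.
PARIS_LAN_IN = [
    Rule("permit", "192.168.2.10/32", "192.168.3.10/32"),
    Rule("deny", "192.168.2.10/32", "any"),
    Rule("permit", "192.168.2.0/24", "any"),
]


def decisions(acl: List[Rule], pkts: List[Packet]) -> List[str]:
    """Decision for each packet, in order, as a router log would show them."""
    return [evaluate(acl, p)[0] for p in pkts]


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.20", "192.168.2.10", "tcp", 80),   # B -> Paris
        Packet("192.168.1.10", "192.168.2.10", "tcp", 80),   # A -> Paris
    ]
    for p, d in zip(samples, decisions(LONDON_LAN_IN, samples)):
        print(f"{p.src} -> {p.dst}: {d}")
```

Access lists are stateless, so the reply direction is judged separately: Y's answer to X arrives on a different interface and needs its own permit, and feeding the evaluator the reversed packet is the quickest way to see which entry it would hit.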


PERFORMANCE IMPROVEMENT TO THE NETWORK


As the designed and implemented network of 4 nodes is very small in comparison to a normal sized
network of 100+ nodes, it is more applicable to talk of network improvement as it applies to the latter.

Networks can become slow. When LANs had only a few users, performance was usually very good.
Today, however, when most computers in an organization are on LANs, performance can be a problem.
Performance is usually expressed in terms of throughput (the total amount of user data transmitted in a
given time period).

• There are 2 people talking in a room with no problems.
• Then more people enter the room and start talking. More and more enter the room and there
are now too many people talking all at once.
• The original 2 people cannot talk very well now and collisions are occurring.
• Everyone is having to repeat what they have said again and again.
• This could be solved if people would go into another room ... except a computer cannot do this.


So, to cut down on conversation collisions and bandwidth use a switch can be added to the network.
Switches segment collision domains, moving people into a private room so to speak.

Bridges to Switches
The more network devices you had, the more collisions you had. The CSMA/CD logic where devices had
to wait before they could (re)transmit impacts performance.

That’s when the Ethernet Bridge was introduced. This predecessor of the switch was able to learn MAC
addresses and only forward Ethernet frames when it was required. It was also able to store Ethernet
frames in memory to prevent collisions from happening. These bridges were placed in between our
hubs:

Figure 3: Networks – Bridges (Pre Switch)

Switches are essentially a collection of bridges on the same Virtual LAN (VLAN). Switches are intelligent
devices. They can read the Ethernet frame and forward it only to the device that needs it. When a switch
has to forward two frames out of the same port, it can queue the second one, preventing collisions.
Switches operate in full duplex, which means everyone can send and receive at the same time. Because
we don't have any collisions, we don't need the CSMA/CD protocol anymore and it is disabled by default
on a switch.

CS = Carrier Sense
MA = Multiple Access
CD = Collision Detection

You will still encounter half duplex networking with wireless networks. A wireless access point is similar
to a hub, everyone is transmitting and receiving on the same frequency so collisions can occur. Wireless
networks use something called CSMA/CA (Collision Avoidance) as it’s hard to detect whether two radio
waves collided in the air.


Collision domain

A collision domain is, as the name implies, a part of a network where packet collisions can occur. A
collision occurs when two devices send a packet at the same time on the shared network segment. The
packets collide and both devices must send the packets again, which reduces network efficiency.
Collisions are common in a hub environment, because each port on a hub is in the same collision domain.
By contrast, each port on a bridge, a switch or a router is in a separate collision domain.

Figure 4: Networks – 6 Collision Domains Example

Each port on a hub is in the same collision domain. Each port on a bridge, a switch or router is in a
separate collision domain.

Broadcast domain

A broadcast domain is a domain in which a broadcast is forwarded. A broadcast domain contains all
devices that can reach each other at the data link layer (OSI layer 2) by using broadcast. All ports on a
hub or a switch are by default in the same broadcast domain. All ports on a router are in different
broadcast domains, and routers don't forward broadcasts from one broadcast domain to another. [1]

Figure 5: Networks – Broadcast Domain Example
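As an added example (not part of the report), the rules for collision and broadcast domains stated above can be applied mechanically to a topology: each cable is a segment, a hub merges the segments on all its ports into one collision domain, hubs and switches merge their ports into one broadcast domain, and routers merge nothing. The topology below is constructed for the example and is not the one drawn in Figure 4.

```python
"""Count collision domains and broadcast domains in a small LAN topology.

Added example that applies the rules stated in the text: every port of a hub
shares one collision domain, every port of a switch or router is its own
collision domain, and hubs and switches forward broadcasts (so their ports
share one broadcast domain) while routers do not. The topology below is
constructed for this example; it is not the one drawn in Figure 4.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Link = Tuple[str, str]

# Device roles; any name not listed is treated as an end host.
DEVICES: Dict[str, str] = {"R1": "router", "S1": "switch", "H1": "hub", "H2": "hub"}

# Each link is one cable between two ports; a cable is the smallest segment.
LINKS: List[Link] = [
    ("R1", "S1"), ("R1", "H2"), ("R1", "G"),      # router ports
    ("S1", "A"), ("S1", "B"), ("S1", "H1"),       # switch ports
    ("H1", "C"), ("H1", "D"),                     # hub hanging off the switch
    ("H2", "E"), ("H2", "F"),                     # hub hanging off the router
]


class DisjointSet:
    """Union-find over link indices."""

    def __init__(self, n: int) -> None:
        self.parent = list(range(n))

    def find(self, i: int) -> int:
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]
            i = self.parent[i]
        return i

    def union(self, a: int, b: int) -> None:
        self.parent[self.find(a)] = self.find(b)


def count_domains(links: List[Link], devices: Dict[str, str],
                  merging_roles: Iterable[str]) -> int:
    """Merge the links attached to every device whose role repeats traffic
    across all its ports (the roles in merging_roles), then count groups."""
    merging = set(merging_roles)
    ds = DisjointSet(len(links))
    attached: Dict[str, List[int]] = defaultdict(list)
    for i, (a, b) in enumerate(links):
        attached[a].append(i)
        attached[b].append(i)
    for dev, idxs in attached.items():
        if devices.get(dev, "host") in merging:
            for i in idxs[1:]:
                ds.union(idxs[0], i)
    return len({ds.find(i) for i in range(len(links))})


def collision_domains(links: List[Link], devices: Dict[str, str]) -> int:
    """Only hubs repeat frames to every port, so only hubs merge segments."""
    return count_domains(links, devices, {"hub"})


def broadcast_domains(links: List[Link], devices: Dict[str, str]) -> int:
    """Hubs and switches flood broadcasts; routers stop them."""
    return count_domains(links, devices, {"hub", "switch"})


if __name__ == "__main__":
    print("collision domains:", collision_domains(LINKS, DEVICES))   # 6
    print("broadcast domains:", broadcast_domains(LINKS, DEVICES))   # 3
    # Replacing the switch with a hub shows why switches were introduced.
    all_hubs = dict(DEVICES, S1="hub")
    print("collision domains with hub instead of switch:",
          collision_domains(LINKS, all_hubs))                         # 3
```

Swapping roles in DEVICES is the quickest way to see the effect of the "Bridges to Switches" section: replacing both hubs with switches gives one collision domain per cable, while the broadcast domain count only changes when routers are added or removed.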


Micro-segmentation refers to the process of dividing a collision domain into several segments and is
mainly used to enhance the efficiency or security of the network. Where VLANs let you do very coarse-
grained segmentation, micro-segmentation lets you do more fine-grained segmentation. [2]

Another way of improving perceived performance is to ensure that the most important applications get
priority. Typically, applications are allocated to classes of service (typically platinum, gold, silver and
bronze), and then policies are set for each class. For example, platinum traffic might be guaranteed at
least 50 percent of the available bandwidth. Quality of Service (QoS) is covered in more detail in the
Quality of Service section below.

ROUTERS – PROTECTION AND SECURITY


A router's first job is to route, transparently and seamlessly directing packets from one network to
another. A router can look for threats or “bad behaviour” in internetwork traffic and can also be
configured to address source-routed address requests in packets. [3]

Another security feature of routers is the ability to filter. Filtering applies policy to packets, declaring
what is permitted and denied by using rules that specify:

• Network interface: Which network did this packet come from?
• Source: What IP address did it come from?
• Destination: Where does it want to go?
• Packet type
• Protocol: Which protocol is spoken, for example HTTP for Web traffic or SMTP for e-mail.
• Port to use: matches the packet with a particular service running on a computer; for example,
e-mail is usually on port 25 and the Web runs over port 80. [3]

IP spoofing: if you associate certain IP addresses with the network interfaces of a router, the router
can tell you if an outside computer is pretending to be inside your network.

Examples of threats to routers:

• Unauthorized access
• Session hijacking - may occur if an attacker can insert falsified IP packets after
session establishment via IP spoofing, sequence number prediction and alteration,
or other methods.
• Masquerading - occurs when an attacker manipulates IP packets to falsify IP
addresses. Masquerades can be used to gain unauthorized access or to inject bogus
data into a network.
• Eavesdropping
• Information theft


Examples of attack techniques:

• Password guessing - can be used as an attempt to access the router management
port.
• Routing protocol attacks - such as Routing Information Protocol (RIP) attacks where
an attacker can forge RIP routing updates to a router to cause the router to forward
packets toward the attacker.
• IP fragmentation attacks for DDoS - Distributed denial of service (DDoS) attacks use
a number of compromised sites to flood a target site with sufficient traffic or service
requests to render it useless to legitimate users. [4]
• Ping of death attacks - involve the creation of an Internet Control Message Protocol
(ICMP) echo-request packet that is larger than the maximum packet size of 65,535
bytes. The attacker hopes that the receiving router will crash while attempting to
reassemble the packet.
• Session replay attacks - use a sequence of packets or application commands that can
be recorded, possibly manipulated, and then replayed to cause an unauthorized
action or to gain access.

Properly securing a router against these types of attacks will be required to protect the network
infrastructure.

Firewalls
The firewall is a crucial component in the defence mechanisms of every network that is connected to the
Internet. It is typically the first filtering device that sees IP packets that attempt to enter an
organization's network from the outside, and it is typically the last device to see an exiting packet. It
acts like the security guard at the entrance to a building: it is the firewall's job, using the policy it is
configured with, to make a filtering decision on every packet that crosses it: either to let it pass, or to
drop it. [5]

Commonly called proxy firewalls, Application Gateway Firewalls (AGFs) filter information at OSI layers 3,
4, 5 and 7. As AGFs process information at the application layer, most of the firewall control and filtering
is done in software, which has several advantages over standard packet-filtering and stateful firewalls:

• They authenticate individuals, not devices.
• Hackers have a harder time with spoofing and implementing DoS attacks.
• They can monitor and filter application data.
• They can provide detailed logging.

An AGF lets you authenticate the individual who is trying to access internal resources. This lets you
detect most spoofing attacks, and DoS attacks are limited to the AGF itself, which can detect them,
reducing the burden on internal resources.

To make the authentication and connection process more efficient, many AGFs authenticate a user once
and then use authorization information stored in the authentication database to determine what
resources a person can access. The authorization is then used to limit the additional resources that the
user is allowed to access, if any, instead of requiring the user to authenticate for each resource that he
wants to access. AGFs can be applied to both inbound and outbound traffic. [6]


Figure 6: Application Gateway Firewall Authentication Process

Due to their increased intelligence over packet-filtering and stateful firewalls, AGFs are typically used
in the following areas:

• Connection Gateway Firewall (CGF) – commonly used as a primary filtering function.
You can monitor all data on a connection, which allows you to detect application attacks
such as malformed URLs, buffer overflow attempts, unauthorized access and more. You can
even control what commands or functions an individual is allowed to perform.
• Cut-Through Proxy Firewall (CTF) – commonly used as a perimeter defence.

Quality of Service
QoS represents the set of techniques necessary to manage network bandwidth, delay, jitter, and packet
loss. From a business perspective, it is essential to assure that the critical applications are guaranteed
the network resources they need, despite varying network traffic load. [3]

Until around 2010, in the traditional IP network, data packets systematically took the shortest path
between two nodes through a core network. However, this system has a major drawback: all the traffic
follows the shortest path from the source to the destination, so congestion in one part of the network
becomes a problem. Today, Multiprotocol Label Switching traffic engineering (MPLS-TE) allows traffic to
be distributed according to the resources available in the network, in order to guarantee the quality of
service.


Network Monitoring
Network monitoring is absolutely necessary for any business. The whole purpose of it is to monitor the
computer network’s usage and performance, and check for slow or failing systems. The system will then
notify the network administrator of any performance issues or outages. This system will save a lot of
money and reduce many problems. It is also about optimising data flow and access in a complex and
changing environment. [2]

A network monitoring system can help find solutions to a wide range of problems, including slow
webpage downloads, lost e-mail, questionable user activity, failed file delivery caused by overloaded or
crashed servers, and issues with network connections. Network monitoring involves a system that keeps
track of the status of the various elements within a network; this can be something as simple as using
ICMP (ping) traffic to verify that a device is responsive.

Virtually any kind of network can be monitored. It doesn't matter whether it's wireless or wired, a
corporate LAN, VPN or service provider WAN. You can monitor devices on different operating systems
with a multitude of functions, ranging from smartphones to servers, routers and switches. [4]

• Passive
  o Simply record traffic flow at relevant points
  o Need to process logs to provide useful information
  o Identify long term issues or trends

Passive monitoring is less of an experiment and more of an observational study. Instead of injecting
artificial traffic into your network, passive monitoring entails monitoring traffic that is already on the
network. It requires a device on the network to capture network packets for analysis. This can be done
with specialized probes designed to capture network data or with built-in capabilities on switches or
other network devices. Passive network monitoring can collect large volumes of data and from that we
can derive a wide range of information. E.g. TCP headers contain information that can be used to derive
network topology, identify services and operating systems running on networked devices, and detect
potentially malicious probes. [7]

• Active
  o Injects extra traffic to servers / applications
  o Flexible, possible to emulate different scenarios
  o Early warning of problems

Active monitoring entails injecting test traffic onto a network and monitoring the flow of that
traffic. This is helpful for a simple test; for example, timing the latency between two devices on a wide
area network, as well as more complex tasks such as collecting measurements to verify quality of service
(QoS) agreements are being met. Active monitoring is like a controlled experiment. It is useful when you
want data on particular aspects of network performance. [7]


Common Performance Metrics

• Latency
• Jitter
• Packet loss
• Reliability
• Throughput / Capacity
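The metrics listed above are what an active-monitoring run actually produces. As an added example (not from the report), the block below derives latency, jitter, packet loss and throughput from a constructed series of echo-request results and checks them against a simple QoS target, the kind of check the active monitoring paragraph describes for verifying that a QoS agreement is being met. The probe values and the target ceilings are invented sample data.

```python
"""Derive the performance metrics listed above from one run of active probes
and judge them against a QoS target.

Added example, not from the report. The probe results are constructed sample
data: round-trip times in milliseconds for ten echo requests sent across a
WAN link, with None where no reply came back.
"""
from statistics import mean
from typing import Dict, List, Optional, Tuple

SAMPLE_RTTS_MS: List[Optional[float]] = [
    21.0, 23.5, 22.0, None, 48.0, 22.5, 21.5, None, 24.0, 22.0,
]

# Constructed QoS target: ceilings for average latency, jitter and loss
TARGET = {"latency_avg_ms": 30.0, "jitter_ms": 5.0, "loss": 0.01}


def answered(rtts: List[Optional[float]]) -> List[float]:
    return [r for r in rtts if r is not None]


def packet_loss(rtts: List[Optional[float]]) -> float:
    """Fraction of probes that never received a reply."""
    return sum(1 for r in rtts if r is None) / len(rtts)


def latency(rtts: List[Optional[float]]) -> Tuple[float, float]:
    """(average, maximum) round-trip time over the answered probes."""
    got = answered(rtts)
    return mean(got), max(got)


def jitter(rtts: List[Optional[float]]) -> float:
    """Mean absolute change between consecutive answered probes. A single
    spike such as the 48 ms sample shows up here even when the average
    still looks acceptable."""
    got = answered(rtts)
    diffs = [abs(b - a) for a, b in zip(got, got[1:])]
    return mean(diffs) if diffs else 0.0


def throughput_mbps(bytes_transferred: int, seconds: float) -> float:
    """User data moved in a period, as the text defines throughput."""
    return bytes_transferred * 8 / seconds / 1_000_000


def check_qos(rtts: List[Optional[float]],
              target: Dict[str, float] = TARGET) -> Dict[str, Tuple[float, bool]]:
    """Each metric with whether it stays within the target ceiling."""
    avg, _ = latency(rtts)
    measured = {"latency_avg_ms": avg, "jitter_ms": jitter(rtts),
                "loss": packet_loss(rtts)}
    return {k: (v, v <= target[k]) for k, v in measured.items()}


if __name__ == "__main__":
    for metric, (value, ok) in check_qos(SAMPLE_RTTS_MS).items():
        print(f"{metric:15} {value:8.3f}  {'within' if ok else 'BREACH'}")
    print(f"throughput: {throughput_mbps(12_500_000, 10):.1f} Mbit/s")
```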

Monitoring Tools
Command line

The following are common Microsoft Windows network commands:

Ipconfig - a console command which can be issued to the command line interpreter (or command
prompt) to display the network settings currently assigned to any or all network adapters in the
machine. This command can be used to verify a network connection as well as to verify your network
settings.

Netstat - Displays active TCP connections, ports on which the computer is listening, Ethernet statistics,
the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the
IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays
active TCP connections.

Tracert - The tracert command is used to see the path a network packet takes and the number of hops
required for that packet to reach its destination.

Ping - Helps in determining whether a host on a TCP/IP network can be reached at its IP address, as well
as in identifying issues with the network, and assists in resolving them.

Pathping - Provides information about network latency and network loss at intermediate hops between
a source and destination. Pathping sends multiple Echo Request messages to each router between a
source and destination over a period of time and then computes results based on the packets returned
from each router. [8]

Open Source

Zabbix is just one open source monitoring tool. It is popular for its easy-to-use and pleasing Web GUI,
which is fully configurable. It focuses on monitoring and trending functionality. This software is frequently
used for monitoring servers and network hardware. Some of the highlights of Zabbix are that it can
predict trends in your traffic and can forecast future behaviour based on historical data.

Since it is open source, it has an active user community spread around the world and good
documentation. Zabbix gives the freedom to use the open-source solution without vendor lock-in
(including all components).

Zabbix is powerful for SMB networks below 1,000 nodes. Above that, the software can get slower and its
performance decreases. Another disadvantage is that it doesn't include real-time tests and reports. [9]


A Zabbix server can collect data from devices with SNMP agent versions v1, v2 or v3. SNMP agents are
present not only in network equipment, but also in printers, NAS, UPS. Basically, any equipment that is
present on the network can be monitored through SNMP agents.

Passive checks (polling):

• Zabbix server (or proxy) requests a value from Zabbix agent
• Agent processes the request and returns the value to Zabbix server (or proxy)

Active checks (trapping):

• Zabbix agent requests from Zabbix server (or proxy) a list of active checks
• Agent sends the results in periodically

Figure 7: Zabbix Active vs Passive Example

There are three clear benefits of using a network monitoring system:

• Cost savings
• Speed
• Flexibility

However, there are a few small cons when looking at this topic.

Security
The security of any solution that requires public connectivity is of the utmost importance; using a cloud
network monitoring solution requires a great amount of trust being placed in the cloud provider.

Connectivity
With network monitoring applications that are deployed in-house, the systems themselves typically sit
at the most central part of an organization's network.
With a cloud based solution, the connection to an external entity is not going to have such
straightforward connectivity, and with this the risk of losing access to managed elements is a real
possibility. However, if the provider has an automatic backup device installed, this solves the problem.

Performance
This interlinks with connectivity, as the difference between the bandwidth available between an in-house
system and the managed elements and that available between an external cloud option and the managed
elements can be significant. [10]


CONCLUSION
The Advantages of a Properly Designed IT Infrastructure

Without a strong network infrastructure, access to business data may be delayed or lost. If a business's
employees are unable to access the information they need to do their jobs, they are going to become
frustrated. Employee morale will drop, and customer satisfaction will decline. The network
infrastructure is the backbone, or foundation, of a healthy business. All business activities, from
administration to employee productivity to customer satisfaction, rely on the network. Reliable network
infrastructure is the difference between a successful, profitable business and a failing one.

By designing a network properly and efficiently from the get-go, these problems can be mitigated or
avoided altogether.

Scalability is needed for all networks. With the proper design, we can support the growth of the network
without having to redesign. A scalable network can change without requiring you to overhaul the
infrastructure.

Changes in one small part can impact or affect the performance and/or security of the overall network.
Changing or upgrading devices such as firewalls, routers, switches, servers and cabling should be
planned well ahead of time to ensure the change is for the good of the business.


REFERENCES

[1] Cisco, Cisco IOS Security Configuration Guide, 2010.

[2] I. Rekik, "VLAN Versus Microsegmentation," TechNation, 30 March 2018. [Online]. Available:
https://1technation.com/vlan-versus-microsegmentation/. [Accessed 11 May 2018].

[3] W. R. Cheswick, S. M. Bellovin and A. D. Rubin, Firewalls and Internet Security: Repelling the Wily
Hacker, Second Edition, Boston, MA: Longman Publishing Co, 2003.

[4] Cisco Systems, Securing Cisco Network Devices: Volume 1, Cisco Systems International, 2006.

[5] A. Wool, "Packet Filtering and Stateful Firewalls," Handbook of Information Security, 2006.

[6] R. A. Deal, Cisco Router Firewall Security, Cisco Press, 2004.

[7] S. M. Al-Shehri, P. Loskot, T. Numanoglu and M. Mert, "Common Metrics for Analyzing, Developing
and Managing Telecommunications Networks," 2017.

[8] Whirlpool, "Windows Network Diagnostic Commands," [Online]. Available:
http://whirlpool.net.au/wiki/windows_nw_diag_cmds. [Accessed 21 May 2018].

[9] Zabbix, "SNMP and IPMI Agents," Zabbix, [Online]. Available:
https://www.zabbix.com/snmp_ipmi_agent. [Accessed 21 May 2018].

[10] M. Hughes, "The Advantages and Disadvantages of Network Monitoring," NMSaaS, [Online].
Available: http://blog.nmsaas.com/the-advantages-and-disadvantages-of-network-monitoring.
[Accessed 21 May 2018].

[11] "Cisco - Configure a Switch - LAN Switching and Wireless," [Online]. Available:
http://www.scit.wlv.ac.uk/~in8297/cisco/expl3/lectures3/L02.pdf. [Accessed 11 May 2018].

[12] R. Klahr, J. N. Shah, P. Sheriffs, T. Rossington, G. Pestell, M. Button and V. Wang, "Cyber Security
Breaches Survey," Department for Culture, Media & Sport, Ipsos MORI:Social Research Institute,
University of Portsmouth, 2017.

[13] Cisco, Network Infrastructure, Cisco, 2015.


LIST OF FIGURES

Figure 1: Application – Designing a Network Infrastructure – Design Brief
Figure 2: Access Control Lists – Packet Interrogation
Figure 3: Networks – Bridges (Pre Switch)
Figure 4: Networks – 6 Collision Domains Example
Figure 5: Networks – Broadcast Domain Example
Figure 6: Application Gateway Firewall Authentication Process
Figure 7: Zabbix Active vs Passive Example


APPENDICES

Appendix 1: Design a Network Infrastructure – Router 1- London – Initial Router Configuration


Appendix 2: Design a Network Infrastructure – Router 1- London – Host A IP Config


Appendix 3: Design a Network Infrastructure – Router 1- London – Host B IP Config


Appendix 4: Design a Network Infrastructure – Router 1- London – Host A Ping Host B

Appendix 5: Design a Network Infrastructure – Router 1- London – Host B Ping Host A


Appendix 6: Design a Network Infrastructure – Router 1- London – Network is Alive


Appendix 7: Design a Network Infrastructure – Router 2- Paris – Initial Router Configuration


Appendix 8: Design a Network Infrastructure – Router 2- Paris – Host X IP Configuration

Appendix 9: Design a Network Infrastructure – Router 2- Paris – Host X Ping Router


Appendix 10: Design a Network Infrastructure – Router 3- Moscow – Host Y IP Configuration

Appendix 11: Design a Network Infrastructure – Router 3- Moscow – Host Y Ping Router


Appendix 12: Design a Network Infrastructure – Router 1- London – IP Route

Appendix 13: Design a Network Infrastructure – Router 2- Paris – IP Route


Appendix 14: Design a Network Infrastructure – Router 3 - Moscow – IP Route

Appendix 15: Design a Network Infrastructure –– Fully Connected and Working
