Network Design
FdSc Computer Technology – Networks
163148
TRUR1105_A2_163148 May 24, 2018
CONTENTS
Designing a Network Infrastructure
  Introduction
  Application of Designing a Network Infrastructure
  Access Control Lists
  Performance Improvement to the Network
    Bridges to Switches
  Routers – Protection and Security
    Network Monitoring
  Monitoring Tools
  Conclusion
References
Appendices
INTRODUCTION
Network infrastructure is the set of components over which data travels. It includes the physical cabling, network switches, routers, Wi-Fi devices, and the fibre or wireless links between buildings ...
When setting up an infrastructure you are combining components into hardware devices that give your network several capabilities:
• Access control
• Routing and switching
• Connectivity
• Added security
When you look at the topology of your network and plan the physical design, you must also plan the software components.
Starting off on the right foot is cost-effective to operate and gives predictable running costs. A business network needs to be up and running at all hours of the day to avoid the disruptions and distractions that affect the bottom line, and that starts with the design of the network infrastructure.
Access Control Lists
Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet and decides whether to forward or drop it, based on the criteria specified in the access list. [1]
Router ACLs are not as complex or robust as stateful firewalls, but they still offer a significant amount of firewall capability. A router should also block well-known protocols and ports that you definitely do not intend to allow into or out of your network (for example, management protocols such as Telnet from the outside). In addition, ACLs here should be configured to restrict which network peers may talk to the router, and they can be used together with the routing protocols to restrict routing updates and the set of routes received from or advertised to network peers.
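As an added example (not part of the original assignment), the following Python script evaluates an ordered, first-match access list of the kind described above against a few constructed packets. The address ranges, rule set and packets are assumptions chosen for illustration; the points to notice are the implicit deny at the end of the list, the anti-spoofing deny placed first, and the fact that rule order decides the outcome.

```python
# Added example (not from the original assignment): a first-match access list
# evaluator modelled on Cisco IOS extended ACLs. The prefixes, rules and sample
# packets below are assumptions chosen to illustrate the text.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # CIDR prefix (IOS writes this as address + wildcard mask)
    dst: str
    dport: Optional[int] = None   # None = any destination port
    note: str = ""


INSIDE = "10.0.0.0/8"   # assumed internal address space
ANY = "0.0.0.0/0"

# Assumed inbound ACL for the outside (WAN) interface. Order matters: the first
# matching rule wins, and a packet that matches nothing hits the implicit deny.
INBOUND_ACL = [
    Rule("deny", "ip", INSIDE, ANY, note="anti-spoofing: inside addresses never arrive from outside"),
    Rule("deny", "ip", "127.0.0.0/8", ANY, note="loopback is a bogon source"),
    Rule("deny", "tcp", ANY, ANY, 23, note="telnet is never allowed in, whatever the destination"),
    Rule("permit", "tcp", ANY, "10.0.1.10/32", 443, note="public HTTPS server"),
    Rule("permit", "udp", "198.51.100.5/32", "10.0.1.53/32", 53, note="DNS only from the upstream resolver"),
    Rule("permit", "icmp", ANY, INSIDE, note="ICMP replies for troubleshooting"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) from the first matching rule, else the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "deny", "implicit deny at end of list"


def audit(acl: list[Rule], packets: list[Packet]) -> list[tuple[Packet, str, str]]:
    return [(p, *evaluate(acl, p)) for p in packets]


if __name__ == "__main__":
    # Constructed packets: a spoofed "inside" source, legitimate HTTPS, telnet,
    # SSH that nothing permits, and DNS from the right and the wrong resolver.
    samples = [
        Packet("10.0.5.5", "10.0.1.10", "tcp", 443),
        Packet("203.0.113.9", "10.0.1.10", "tcp", 443),
        Packet("203.0.113.9", "10.0.1.10", "tcp", 23),
        Packet("203.0.113.9", "10.0.1.10", "tcp", 22),
        Packet("198.51.100.5", "10.0.1.53", "udp", 53),
        Packet("198.51.100.6", "10.0.1.53", "udp", 53),
    ]
    for pkt, action, why in audit(INBOUND_ACL, samples):
        print(f"{action:6} {pkt.proto}/{pkt.dport:<4} {pkt.src:>14} -> {pkt.dst:<10} ({why})")
```

The evaluator uses CIDR prefixes where an IOS access list would use wildcard masks (the bitwise inverse of the subnet mask, so 10.0.0.0/8 is written 10.0.0.0 0.255.255.255). The SSH packet shows why the implicit deny matters: nothing permits it, so it is dropped without any explicit rule, and a permit added for it would only take effect if placed before a broader deny that covers it.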
Performance Improvement to the Network
Networks can become slow. When LANs had only a few users, performance was usually very good; today, when most computers in an organisation are on LANs, performance can be a problem.
Performance is usually expressed in terms of throughput (the total amount of user data transmitted in a given time period).
So, to cut down on collisions and wasted bandwidth, a switch can be added to the network. Switches segment collision domains, moving each conversation into a private room, so to speak.
Bridges to Switches
The more devices shared a segment, the more collisions occurred, and the CSMA/CD rule that a device must wait before it can (re)transmit hurts performance.
That is when the Ethernet bridge was introduced. This predecessor of the switch learned MAC addresses and forwarded an Ethernet frame only when it was required. It could also buffer frames in memory to stop collisions from happening. These bridges were placed between the hubs.
A switch is essentially a multi-port bridge; by default all of its ports belong to one Virtual LAN (VLAN). Switches are intelligent devices: they read the destination MAC address of each Ethernet frame and forward it only to the port where that device is connected. When two frames need to go out of the same port, the switch queues the second one, which prevents collisions.
Switch ports normally operate in full duplex, which means a device can send and receive at the same time. Because there are no collisions on a full-duplex link, CSMA/CD is no longer needed and is disabled on full-duplex switch ports.
CS = Carrier Sense
MA = Multiple Access
CD = Collision Detection
You will still encounter half-duplex networking with wireless. A wireless access point behaves like a hub: every station transmits and receives on the same channel, so collisions can occur. Wireless networks therefore use CSMA/CA (Collision Avoidance), because it is hard for a radio to detect that two transmissions collided in the air.
Collision domain
A collision domain is, as the name implies, the part of a network in which collisions can occur. A collision happens when two devices transmit a frame at the same time on a shared segment; both frames are corrupted and both devices must retransmit, which reduces network efficiency.
Collisions are common in a hub environment, because every port on a hub is in the same collision domain. By contrast, each port on a bridge, a switch or a router is a separate collision domain.
Broadcast domain
A broadcast domain is the area in which a broadcast is forwarded. It contains all devices that can reach each other at the data link layer (OSI layer 2) by using a broadcast. All ports on a hub or a switch are, by default, in the same broadcast domain. Each port on a router is in a different broadcast domain, because routers do not forward broadcasts from one broadcast domain to another. [1]
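As an added example (not part of the original assignment), the rules above can be applied mechanically to a topology: every cable starts as its own domain of both kinds, a hub merges all of its cables into one collision domain and one broadcast domain, a bridge or switch merges only the broadcast domains, and a router merges nothing. The Python script below does that with a small union-find over a constructed topology, and then swaps the hub for a switch to show the effect described in the Bridges to Switches section. Device names and the layout are assumptions.

```python
# Added example (not from the original assignment): count collision and
# broadcast domains in a small constructed topology using the rules in the text.
from __future__ import annotations
from collections import defaultdict


class DisjointSet:
    """Minimal union-find keyed by link index."""

    def __init__(self) -> None:
        self.parent: dict[int, int] = {}

    def find(self, x: int) -> int:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def count(self, items) -> int:
        return len({self.find(i) for i in items})


def count_domains(devices: dict[str, str], links: list[tuple[str, str]]) -> tuple[int, int]:
    """Return (collision domains, broadcast domains).

    A link is a cable between two devices and starts as its own domain of both
    kinds. Then, per device:
      hub            -> all its links share one collision and one broadcast domain
      bridge/switch  -> collision domains stay apart, broadcast domains merge
      router / host  -> merges nothing: each router port bounds both kinds
    """
    collision, broadcast = DisjointSet(), DisjointSet()
    links_of: dict[str, list[int]] = defaultdict(list)
    for i, (a, b) in enumerate(links):
        links_of[a].append(i)
        links_of[b].append(i)
    for dev, kind in devices.items():
        attached = links_of[dev]
        for i in attached[1:]:
            if kind == "hub":
                collision.union(attached[0], i)
            if kind in ("hub", "bridge", "switch"):
                broadcast.union(attached[0], i)
    all_links = range(len(links))
    return collision.count(all_links), broadcast.count(all_links)


# Constructed topology: one router joining two switches; switch S1 has a hub
# hanging off it with two hosts, plus host C cabled directly to the switch.
DEVICES = {"R1": "router", "S1": "switch", "S2": "switch", "H1": "hub",
           "A": "host", "B": "host", "C": "host", "D": "host", "E": "host"}
LINKS = [("R1", "S1"), ("R1", "S2"), ("S1", "H1"), ("H1", "A"), ("H1", "B"),
         ("S1", "C"), ("S2", "D"), ("S2", "E")]


def upgrade(devices: dict[str, str], name: str, kind: str) -> dict[str, str]:
    """Copy of the topology with one device replaced, e.g. hub -> switch."""
    return {**devices, name: kind}


if __name__ == "__main__":
    print("hub in place    (collision, broadcast):", count_domains(DEVICES, LINKS))
    print("hub -> switch   (collision, broadcast):", count_domains(upgrade(DEVICES, "H1", "switch"), LINKS))
    print("router -> switch(collision, broadcast):", count_domains(upgrade(DEVICES, "R1", "switch"), LINKS))
```

With the hub in place the eight cables form six collision domains (the three hub cables collapse into one) and two broadcast domains, one per router port. Replacing the hub with a switch gives eight collision domains and still two broadcast domains; replacing the router with a switch leaves the collision count alone but merges everything into a single broadcast domain, which is exactly the trade-off the text describes.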
Micro-segmentation refers to dividing a collision domain further into separate segments, and is used mainly to improve the efficiency or the security of the network. Where VLANs give you coarse-grained segmentation, micro-segmentation lets you segment at a much finer grain. [2]
Another way of improving perceived performance is to make sure that the most important applications get priority. Typically, applications are assigned to classes of service (for example platinum, gold, silver and bronze) and a policy is set for each class; platinum traffic might, for instance, be guaranteed at least 50 percent of the available bandwidth. Quality of Service (QoS) is covered in more detail in its own section below.
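As an added example (not part of the original assignment), the Python scheduler below shows what "platinum is guaranteed at least 50 percent of the bandwidth" means in practice. It is a deficit-round-robin style class scheduler: each round every backlogged class may spend credit equal to its guaranteed share of the link, and any capacity left over is handed round-robin to whichever classes still have packets queued. The class shares, packet sizes and link capacity are assumptions.

```python
# Added example (not from the original assignment): a class-based scheduler
# that guarantees each class of service a share of link capacity. The shares,
# packet sizes and link capacity below are assumptions for illustration.
from __future__ import annotations
from collections import deque

CLASSES = ("platinum", "gold", "silver", "bronze")
# Guaranteed minimum share of the link for each class (must sum to <= 1.0).
SHARES = {"platinum": 0.50, "gold": 0.20, "silver": 0.20, "bronze": 0.10}


def make_queues(packets_per_class: int, size: int = 100, empty=()) -> dict[str, deque]:
    """Constructed backlog: `packets_per_class` packets of `size` bytes per class,
    except for the classes named in `empty`, which have nothing to send."""
    return {c: deque([] if c in empty else [size] * packets_per_class) for c in CLASSES}


def schedule(queues: dict[str, deque], shares: dict[str, float],
             link_bytes: int, rounds: int) -> dict[str, int]:
    """Run the scheduler for `rounds` rounds of `link_bytes` capacity each and
    return the bytes sent per class.

    Guaranteed pass: every backlogged class earns share * link_bytes of credit
    and sends whole packets while it has credit (unspent credit carries over,
    so odd packet sizes still average out to the share). A class with nothing
    queued forfeits its credit rather than banking it.
    Work-conserving pass: leftover capacity goes round-robin to any class that
    still has packets, so the link never idles while something is waiting.
    """
    credit = {c: 0 for c in shares}
    sent = {c: 0 for c in shares}
    for _ in range(rounds):
        budget = link_bytes
        for cls, share in shares.items():
            q = queues[cls]
            if not q:
                credit[cls] = 0
                continue
            credit[cls] += round(share * link_bytes)
            while q and q[0] <= credit[cls] and q[0] <= budget:
                size = q.popleft()
                credit[cls] -= size
                budget -= size
                sent[cls] += size
        progress = True
        while budget > 0 and progress:
            progress = False
            for cls in shares:
                q = queues[cls]
                if q and q[0] <= budget:
                    size = q.popleft()
                    budget -= size
                    sent[cls] += size
                    progress = True
    return sent


def share_of(sent: dict[str, int], cls: str) -> float:
    """Fraction of all transmitted bytes that went to one class."""
    total = sum(sent.values())
    return sent[cls] / total if total else 0.0


if __name__ == "__main__":
    # Every class saturated: each gets exactly its guaranteed share.
    print("saturated:", schedule(make_queues(100), SHARES, 1000, 10))
    # Platinum idle: its reservation is not wasted but shared out to the others.
    print("no platinum:", schedule(make_queues(100, empty=("platinum",)), SHARES, 1000, 10))
```

Under full load platinum gets exactly half of the 10,000 bytes carried in ten rounds; when platinum has nothing to send the other classes between them still fill the link, which is the property a guarantee should have: a minimum for the critical class, not a hard cap that leaves capacity idle.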
Routers – Protection and Security
Another security feature of routers is the ability to filter. Filtering applies policy to packets, declaring what is permitted and denied by using rules that specify...
The kinds of attack that router filtering helps to defend against include:
• IP spoofing - because particular address ranges are associated with particular router interfaces, the router can detect an outside host whose packets carry an inside source address, i.e. a computer pretending to be part of your network.
• Unauthorized access
• Session hijacking - may occur if an attacker can insert falsified IP packets after session establishment, via IP spoofing, sequence-number prediction and alteration, or other methods.
• Masquerading - occurs when an attacker manipulates IP packets to falsify source addresses. Masquerades can be used to gain unauthorized access or to inject bogus data into a network.
• Eavesdropping
• Information theft
Properly securing a router against these types of attack is required to protect the network infrastructure.
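As an added example (not part of the original assignment), the association between address ranges and router interfaces described above can be checked directly from the routing table: a packet is accepted only if the route back to its source address leaves through the interface the packet arrived on. This is what Cisco calls strict unicast reverse-path forwarding (uRPF). The Python script below implements that check over an assumed routing table; the prefixes and interface names are assumptions.

```python
# Added example (not from the original assignment): the address-to-interface
# association from the text implemented as a strict reverse-path check.
# The routing table and interface names are assumptions.
from __future__ import annotations
import ipaddress

# Assumed routing table: destination prefix -> interface used to reach it.
# The default route points at the outside (WAN) interface.
ROUTES = {
    "10.0.1.0/24": "Gi0/1",    # inside LAN
    "10.0.2.0/24": "Gi0/2",    # inside LAN
    "0.0.0.0/0": "Gi0/0",      # everything else is outside
}


def egress_interface(addr: str, routes: dict[str, str] = ROUTES) -> str:
    """Longest-prefix match: the interface this router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_accept(src: str, ingress: str, routes: dict[str, str] = ROUTES) -> bool:
    """Strict uRPF: accept only if the reverse path to the source address
    leaves through the interface the packet arrived on."""
    return egress_interface(src, routes) == ingress


def filter_packets(packets: list[tuple[str, str]],
                   routes: dict[str, str] = ROUTES) -> list[tuple[str, str, str]]:
    """Label each constructed (source address, ingress interface) pair."""
    return [(src, ingress,
             "accept" if rpf_accept(src, ingress, routes) else "drop: source not reachable via ingress")
            for src, ingress in packets]


if __name__ == "__main__":
    # Constructed arrivals: a genuine inside host, an outside host spoofing an
    # inside address, genuine outside traffic, and an inside host spoofing an
    # outside address (which egress filtering should also stop).
    for row in filter_packets([("10.0.1.25", "Gi0/1"), ("10.0.1.25", "Gi0/0"),
                               ("203.0.113.4", "Gi0/0"), ("203.0.113.4", "Gi0/2")]):
        print(*row)
```

Strict mode assumes routing is symmetric; on a multi-homed link where replies may legitimately arrive on a different interface, the looser variant (accept if any route to the source exists) is used instead, at the cost of catching fewer spoofed packets.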
Firewalls
The firewall is a crucial component in the defences of every network connected to the Internet. It is typically the first filtering device to see IP packets that attempt to enter an organisation's network from the outside, and typically the last device to see a packet leaving it. It acts like the security guard at the entrance to a building: its job, following the policy it is configured with, is to make a filtering decision on every packet that crosses it, either to let it pass or to drop it. [5]
Commonly called proxy firewalls, Application Gateway Firewalls (AGFs) filter information at OSI layers 3, 4, 5 and 7. Because an AGF processes information at the application layer, most of its control and filtering is done in software, which gives it many advantages over packet-filtering and stateful firewalls.
An AGF lets you authenticate the individual who is trying to access internal resources. Because the user, not just the source address, is verified, most spoofing attacks can be detected, and DoS attacks are limited to the AGF itself, which can detect them and so reduce the burden on internal resources.
To make the authentication and connection process more efficient, many AGFs authenticate a user once and then use authorisation information stored in the authentication database to determine which resources that person may access. The authorisation then limits any additional resources the user may reach, instead of requiring the user to authenticate for each resource. An AGF can be applied to both inbound and outbound traffic. [6]
Because of its greater intelligence compared with packet-filtering and stateful firewalls, an AGF is typically used in the following areas:
Quality of Service
QoS is the set of techniques used to manage network bandwidth, delay, jitter and packet loss. From a business perspective, it is essential to ensure that critical applications are guaranteed the network resources they need despite varying network load. [3]
In a traditional IP network, packets systematically take the shortest path between two nodes through the core network. This has a major drawback: because all traffic from a source to a destination follows the same shortest path, congestion in one part of the network becomes a problem while alternative paths sit idle. Multiprotocol Label Switching traffic engineering (MPLS-TE) allows traffic to be distributed according to the resources available in the network, which helps to guarantee quality of service.
Network Monitoring
Network monitoring is essential for any business. Its purpose is to watch the usage and performance of the computer network and to check for slow or failing systems, notifying the network administrator of performance issues or outages. Done well, it saves a lot of money and heads off many problems. It is also about optimising data flow and access in a complex and changing environment. [2]
A network monitoring system can help find the cause of a wide range of problems, including slow web page downloads, lost e-mail, questionable user activity, and failed file delivery caused by overloaded or crashed servers or by faulty network connections. Network monitoring involves a system that keeps track of the status of the various elements within a network; this can be as simple as using ICMP (ping) traffic to verify that a device is responsive.
Virtually any kind of network can be monitored. It does not matter whether it is wireless or wired, a corporate LAN, a VPN or a service provider WAN. You can monitor devices running different operating systems and serving many functions, from smartphones to servers, routers and switches. [4]
• Passive
Passive monitoring is less an experiment than an observational study. Instead of injecting artificial traffic into the network, it observes the traffic that is already there. It requires a device on the network to capture packets for analysis; this can be a specialised probe built to capture network data or a built-in capability of switches or other network devices (such as a mirror port). Passive monitoring can collect large volumes of data, from which a wide range of information can be derived. For example, TCP headers carry information that can be used to derive the network topology, identify the services and operating systems running on networked devices, and detect potentially malicious probes. [7]
• Active
Active monitoring injects test traffic onto the network and monitors how that traffic flows. This serves simple tests, such as timing the latency between two devices across a wide area network, as well as more complex tasks, such as collecting measurements to verify that quality of service (QoS) agreements are being met. Active monitoring is like a controlled experiment: it is useful when you want data on particular aspects of network performance. [7]
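As an added example (not part of the original assignment), the Python script below does the kind of passive analysis just described over TCP header fields, of the sort a probe or switch mirror port yields. From a constructed capture it derives which services answered (a SYN/ACK reveals a listener) and flags a source that opens handshakes to many ports without completing them, which is the signature of a half-open port scan. The addresses, ports and timings are constructed for illustration.

```python
# Added example (not from the original assignment): passive analysis of TCP
# header fields captured from a mirror port or probe. The records are
# constructed; addresses, ports and timings are assumptions.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpRecord:
    ts: float       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters as a dissector prints them: "S", "SA", "A", "R"


def build_sample() -> list[TcpRecord]:
    """Constructed capture: two normal client sessions and one half-open sweep."""
    recs = []
    for t, client, port in ((0.0, "10.0.2.20", 443), (1.0, "10.0.2.21", 22)):
        recs += [TcpRecord(t, client, 50001, "10.0.1.10", port, "S"),
                 TcpRecord(t + 0.01, "10.0.1.10", port, client, 50001, "SA"),
                 TcpRecord(t + 0.02, client, 50001, "10.0.1.10", port, "A")]
    scanner, sport = "203.0.113.7", 40000
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)):
        t = 5.0 + 0.05 * i
        recs.append(TcpRecord(t, scanner, sport + i, "10.0.1.10", port, "S"))
        if port in (22, 443):   # open ports answer SYN/ACK; the scanner resets instead of completing
            recs.append(TcpRecord(t + 0.01, "10.0.1.10", port, scanner, sport + i, "SA"))
            recs.append(TcpRecord(t + 0.02, scanner, sport + i, "10.0.1.10", port, "R"))
        else:                   # closed ports answer with a reset
            recs.append(TcpRecord(t + 0.01, "10.0.1.10", port, scanner, sport + i, "R"))
    return sorted(recs, key=lambda r: r.ts)


def open_services(records: list[TcpRecord]) -> list[tuple[str, int]]:
    """Every SYN/ACK reveals a listening service as (host, port)."""
    return sorted({(r.src, r.sport) for r in records if r.flags == "SA"})


def syn_scan_suspects(records: list[TcpRecord], min_ports: int = 8,
                      window: float = 10.0) -> dict[str, list[int]]:
    """Sources that start handshakes to at least `min_ports` distinct ports
    within `window` seconds and never complete them (no ACK from the client)."""
    syns = defaultdict(list)
    completed = set()
    for r in records:
        if r.flags == "S":
            syns[r.src].append((r.ts, r.dst, r.dport))
        elif r.flags == "A":
            completed.add((r.src, r.dst, r.dport))
    suspects = {}
    for src, attempts in syns.items():
        half_open = sorted(a for a in attempts if (src, a[1], a[2]) not in completed)
        for i, (t0, _, _) in enumerate(half_open):      # sliding window over time
            ports = {p for ts, _, p in half_open[i:] if ts - t0 <= window}
            if len(ports) >= min_ports:
                suspects[src] = sorted(ports)
                break
    return suspects


if __name__ == "__main__":
    capture = build_sample()
    print("listening services:", open_services(capture))
    print("probable SYN scans:", syn_scan_suspects(capture))
```

The threshold and window are tuning knobs: a monitoring server that legitimately probes many ports will trip this detector, so such hosts are normally placed on an allow list, while a scanner that spreads its probes over hours needs a longer window to be caught.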
• Latency
• Jitter
• Packet loss
• Reliability
• Throughput / Capacity
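As an added example (not part of the original assignment), the Python script below turns the raw results of an active probe (one echo request per second, with a timeout counted as loss) into the metrics listed above and checks them against an assumed service-level agreement, which is the "verify QoS agreements are being met" use of active monitoring. The probe results and the SLA limits are constructed.

```python
# Added example (not from the original assignment): deriving latency, jitter,
# packet loss, reliability and throughput from active probe results and
# checking them against an assumed QoS agreement. All inputs are constructed.
from __future__ import annotations
from statistics import mean, median
from typing import Optional

# Constructed round-trip times in ms from ten one-second probes;
# None means no reply arrived before the timeout.
PROBES: list = [12.1, 11.8, 12.4, None, 13.0, 45.2, 12.2, None, None, 12.6]

# Assumed service-level ceilings for the path under test.
SLA = {"latency_ms": 20.0, "jitter_ms": 5.0, "loss": 0.01, "longest_outage": 1}


def summarise(rtts: list) -> dict:
    """Metrics from a sequence of RTTs (None = lost probe)."""
    got = [r for r in rtts if r is not None]
    longest, run = 0, 0
    for r in rtts:                       # reliability: longest run of consecutive losses
        run = run + 1 if r is None else 0
        longest = max(longest, run)
    return {
        # median rather than mean, so one slow reply does not dominate the figure
        "latency_ms": median(got) if got else float("inf"),
        # jitter as the mean change in delay between consecutive replies
        "jitter_ms": mean(abs(a - b) for a, b in zip(got, got[1:])) if len(got) > 1 else 0.0,
        "loss": 1 - len(got) / len(rtts),
        "longest_outage": longest,
        "samples": len(rtts),
    }


def throughput_mbps(bytes_transferred: int, seconds: float) -> float:
    """Capacity as measured by a timed test transfer."""
    return bytes_transferred * 8 / seconds / 1e6


def sla_violations(summary: dict, sla: dict) -> list:
    """Names of the metrics whose measured value exceeds the agreed ceiling."""
    return sorted(k for k, limit in sla.items() if summary[k] > limit)


if __name__ == "__main__":
    s = summarise(PROBES)
    for k, v in s.items():
        print(f"{k:15} {v}")
    print("throughput Mbit/s:", throughput_mbps(12_500_000, 1.0))
    print("SLA violations:", sla_violations(s, SLA))
```

For the constructed probes the median latency is within the limit even though one reply took 45 ms, but that spike and the three lost probes push jitter and loss over their ceilings, and the two consecutive timeouts count as an outage longer than the SLA allows.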
Monitoring Tools
Command line (Windows)
Ipconfig - a console command, issued at the command prompt, that displays the network settings currently assigned to any or all of the network adapters in the machine. It can be used to verify a network connection as well as to check your network settings.
Netstat - displays active TCP connections, the ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for IP, ICMP, TCP and UDP) and IPv6 statistics (for IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6). Used without parameters, netstat displays active TCP connections.
Tracert - shows the route a packet takes to its destination and the number of hops required, by reporting each router along the path.
Ping - sends ICMP Echo Request messages to a host and reports whether replies come back and how long they take, which confirms that the host is reachable at its IP address and helps to narrow down where a network problem lies.
Pathping - provides information about network latency and loss at intermediate hops between a source and destination. Pathping sends multiple Echo Request messages to each router between the source and destination over a period of time and then computes results based on the packets returned from each router. [8]
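As an added example (not part of the original assignment), the command-line tools above are most useful when their output is compared with what the host is supposed to look like. The Python script below parses the output of `netstat -ano` and reports every socket accepting traffic from the network that is not on an allow list of expected services; the netstat output and the allow list are constructed for illustration.

```python
# Added example (not from the original assignment): auditing the listeners
# reported by Windows `netstat -ano` against an allow list. The output and the
# allow list below are constructed for an imaginary host.
from __future__ import annotations

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5320
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3100
  TCP    10.0.2.20:50001        10.0.1.10:443          ESTABLISHED     2288
  UDP    0.0.0.0:161            *:*                                    1560
"""

# Assumed expected services on this host: RPC endpoint mapper, SMB, RDP and the SNMP agent.
ALLOWED = {("tcp", 135), ("tcp", 445), ("tcp", 3389), ("udp", 161)}


def parse_listeners(text: str) -> list[tuple[str, str, int, int]]:
    """Return (proto, bind address, port, pid) for every socket accepting traffic.

    TCP sockets count only in the LISTENING state; UDP sockets have no state
    and are always listed. rpartition on ':' copes with IPv6 literals like [::]:135.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        addr, _, port = parts[1].rpartition(":")
        if proto == "tcp" and "LISTENING" not in parts:
            continue
        listeners.append((proto, addr, int(port), int(parts[-1])))
    return listeners


def unexpected_listeners(text: str, allowed=ALLOWED) -> list[tuple[str, str, int, int]]:
    """Listeners reachable from the network that are not on the allow list.
    Sockets bound only to loopback are skipped, since they are not reachable remotely."""
    return [l for l in parse_listeners(text)
            if (l[0], l[2]) not in allowed
            and not l[1].startswith("127.") and l[1] != "[::1]"]


if __name__ == "__main__":
    for proto, addr, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port} (PID {pid})")
```

In the constructed output the only finding is TCP port 4444 owned by PID 5320; the next step would be `tasklist /FI "PID eq 5320"` to see which program owns it. The loopback-only listener on 8080 is deliberately not reported, but a stricter audit could list it too.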
Open Source
Zabbix is one open source monitoring tool. It is popular for its easy-to-use, fully configurable web GUI, and it focuses on monitoring and trending. It is frequently used for monitoring servers and network hardware. Among its highlights, Zabbix can detect trends in your traffic and forecast future behaviour from historical data.
Being open source, it has an active user community spread around the world and good documentation, and it gives you the freedom to use the solution without vendor lock-in (including all components).
Zabbix is powerful for SMB networks below about 1,000 nodes; above that, the software can slow down and its performance degrade. Another disadvantage is that it does not include real-time tests and reports. [9]
A Zabbix server can collect data from devices running SNMP agent versions v1, v2c or v3. SNMP agents are present not only in network equipment but also in printers, NAS units and UPSs; essentially any equipment on the network can be monitored through an SNMP agent. Note that SNMP v1 and v2c authenticate with a community string sent in clear text, so those agents should be read-only, restricted by ACL to the monitoring server and kept off untrusted networks; v3 adds authentication and encryption and is the version to prefer.
Three clear benefits of using a network monitoring system are:
• Cost savings
• Speed
• Flexibility
Security
The security of any solution that requires public connectivity is of the utmost importance; using a cloud network monitoring solution means placing a great deal of trust in the cloud provider.
Connectivity
Network monitoring applications deployed in-house typically sit at the most central part of an organisation's network.
With a cloud-based solution, the connection to an external entity is not so straightforward, and the risk of losing access to the managed elements is real. A provider that installs an automatic backup device reduces, but does not remove, that risk.
Performance
This is linked with connectivity: the bandwidth available between an in-house system and the managed elements, compared with that between an external cloud service and the same elements, can differ significantly. [10]
CONCLUSION
The Advantages of a Properly Designed IT Infrastructure
Without a strong network infrastructure, access to business data may be delayed or lost. If a business's employees cannot reach the information they need to do their jobs, they become frustrated; employee morale drops and customer satisfaction declines. The network infrastructure is the backbone, or foundation, of a healthy business: all business activities, from administration to employee productivity to customer satisfaction, rely on the network. Reliable network infrastructure is the difference between a successful, profitable business and a failing one.
By designing the network properly and efficiently from the outset, these problems can be avoided or mitigated.
Scalability is needed in every network. With the proper design we can support the growth of the network without having to redesign it; a scalable network can change without requiring an overhaul of the infrastructure.
A change in one small part can affect the performance and/or security of the overall network. Changing or upgrading devices such as firewalls, routers, switches, servers and cabling should be planned well ahead of time to ensure the change is for the good of the business.
REFERENCES
[2] I. Rekik, "VLAN Versus Microsegmentation," TechNation, 30 March 2018. [Online]. Available:
https://1technation.com/vlan-versus-microsegmentation/. [Accessed 11 May 2018].
[3] W. R. Cheswick, S. M. Bellovin and A. D. Rubin, Firewalls and Internet Security: Repelling the Wily
Hacker - Second Edition, Boston, MA: Longman Publishing Co, 2003.
[4] Cisco Systems, Securing Cisco Network Devices: Volume 1, Cisco Systems International, 2006.
[5] A. Wool, "Packet Filtering and Stateful Firewalls," Handbook of Information Security, 2006.
[7] S. M. Al-Shehri, P. Loskot, T. Numanoglu and M. Mert, "Common Metrics for Analyzing, Developing
and Managing Telecommunications Networks," 2017.
[10] M. Hughes, "The Advantages and Disadvantages of Network Monitoring," NMSaaS, [Online].
Available: http://blog.nmsaas.com/the-advantages-and-disadvantages-of-network-monitoring.
[Accessed 21 May 2018].
[11] "Cisco - Configure a Switch - LAN Switching and Wireless," [Online]. Available:
http://www.scit.wlv.ac.uk/~in8297/cisco/expl3/lectures3/L02.pdf. [Accessed 11 May 2018].
[12] R. Klahr, J. N. Shah, P. Sheriffs, T. Rossington, G. Pestell, M. Button and V. Wang, "Cyber Security
Breaches Survey," Department for Culture, Media & Sport, Ipsos MORI:Social Research Institute,
University of Portsmouth, 2017.
APPENDICES
Appendix 11: Design a Network Infrastructure – Router 3- Moscow – Host Y Ping Router