In this section we briefly explore some of the key hardware devices you will encounter when designing networks. In order to place these devices in context, it is useful to position them using the ISO OSI seven-layer model, as shown in Figure 1.10.
Figure 1.10: Network devices in context.
Since the mid-1980s, we have seen a gradual shift in the presentation of networked devices from largely discrete units (such as standalone bridges, standalone repeaters, etc.) to highly integrated devices with many hybrid functions (such as multimedia hubs with repeater, bridge, and multiprotocol router interface cards). This is largely the result of functionality becoming a commodity, a general trend toward increased miniaturization, and the need to improve functionality to remain competitive. As these tools have matured and improved in performance there has also been a shift in network design from the use of simple bridged and repeated networks to more sophisticated router-switch networks capable of optimizing traffic flows with much greater accuracy and granularity. Scalability, convergence, and traffic optimization are now key driving forces behind today's large-scale network designs. We will now examine some of these devices in more detail.
Figure 1.11 is a somewhat simplified network design illustrating where you would typically expect to find these devices in a real network today. It shows discrete devices, although it is common to see much of the functionality integrated into a single device. The Head Office site uses a firewall to prevent unauthorized internal access and offers a Demilitarized Zone (DMZ) for shared hosts at lower security levels. A gateway is used to convert IBM SNA into TCP/IP protocol for wide area transport. Campus 1 has a number of LANs, segregated either via repeaters (LAN extension) or bridges and routers. Line drivers (LD) are used to extend the campus to a remote office in Building 9. Building 5 is a multistory building with Layer 2 and Layer 3 switches to provide Virtual LAN (VLAN) traffic domains. Note that the Layer 3 switch includes wide area support for access to the meshed WAN.
Figure 1.11: Simplified network design illustrating the typical locations for key hardware devices.
MAUs, or transceivers, provide the means of encoding data (framed bits) into purely electrical or light signals ready for transmission onto the physical media, typically a piece of cable. An MAU is also responsible for decoding electrical or light signals and converting them back into data for receiving stations. Note that MAU should not be confused with the Token Ring concentrator Multiple Access Unit. All devices attached to a network will typically have either a built-in transceiver interface (such as an onboard 10 Base T interface provided on a PC network adapter) or will provide a standard AUI interface, which can be mated to a discrete transceiver via a drop cable. MAUs come in various guises, depending on the media technology used to carry data and the media access control (MAC) technology used to frame the data (e.g., Token Ring, Ethernet, FDDI, etc.). MAUs may be small, single-port discrete units or multiport LAN-in-a-box units. MAUs provide the physical connection to the LAN. They may also include features that protect against misuse of the LAN (e.g., Ethernet Jabber Protect) and diagnostic tests (SQE on Ethernet).
Repeaters are used to extend LAN segments, either due to the standard distance limitations on the length of a segment or to expand a network because the number of devices attached to a segment is at the recommended limit (e.g., four repeater hops for CSMA/CD). There are various types of repeater, ranging from single-port unmanaged units to multiport devices with full network management support. Repeaters may present a range of interfaces and physical connectors; typical examples are as follows:
AUI via D type connectors
10 Base 2, via BNC connectors
10/100 Base T, via multiple RJ45, or bulk RS266 connectors
10/100 Base F, via SC, ST (bayonet), SMA (screw), or RJ45 fiber connectors
Token Ring STP, via IBM connectors
A repeater must regenerate incoming frames to its other port(s) as a frame is received. A typical dumb repeater copies any incoming frames on any port to all other ports, so there is no traffic management capability. The standards documentation also specifies maximum acceptable delays (called bit-budget delays) between the receipt and retransmission of bits in a frame. If these delay thresholds are exceeded, then the device is considered non-compliant and may cause problems in networks where repeaters are chained off in sequence. One special type of repeater, a buffered repeater, not often seen nowadays, is really a hybrid between a bridge and a repeater. This device stores incoming frames temporarily in a memory buffer, prior to regeneration on its other port(s). In this scenario the bit-budget delays do not apply. Furthermore, buffered repeaters can be used in the same way as bridges to segment two or more networks where multiple nonbuffered repeaters are used in series. Buffered repeaters also inhibit the regeneration of error frames and collision frames between segments. Repeaters are a commodity item and are widely available from electrical retailers. They are simple, reliable, and easy to install but are otherwise of little interest from the network designer's perspective.
Line drivers (sometimes referred to as limited distance modems—LDMs) are used to extend physical circuits over longer distances. Line drivers are typically used in designs where point-to-point links between two devices would exceed the maximum distance supported by the underlying media and protocols. They are a form of signal amplifier.
Modulator/Demodulators (modems) are typically used between a computer (CPU) and a telephone line. The device modulates an outgoing binary bit stream onto an analog carrier and demodulates an incoming binary bit stream from an analog carrier. Modem standards are defined by the International Telecommunication Union (ITU) and include the following:
V.32—Up to 9,600 bps for use over dial-up or leased lines
V.32 bis—Up to 14,400 bps for use over dial-up or leased lines
V.42—Error control procedures
V.42 bis—A data compression technique for use with V.42
V.34—28,800 bps for use over dial-up lines with V.42 error control. When used with V.42 bis compression, it can theoretically reach 115,200 bps.
V.34-1996—Provides two additional data transmission rates of 31.2 and 33.6 Kbps
The terms Channel Service Unit (CSU) and Data Service Unit (DSU) are often used synonymously, although they perform different functions. CSU and DSU functionality is often combined in a single device called a Digital Data Set (DDS). A DSU is a low-speed device used to terminate digital circuits, providing protocol translation and signal formatting. There are several categories of DSU, as follows:
Fixed-rate DSUs at 19.2 Kbps and below (subrate) or at fixed rates of 56 Kbps
Multirate DSUs operating at variable speeds up to 56 Kbps
Switched 56-Kbps DSUs, operating with switched 56-Kbps digital services
T1/E1 DSUs and switched T1/E1 DSUs
A CSU terminates digital circuits at higher speeds but provides additional features such as filtering, line equalization and conditioning, signal regeneration, circuit testing, and error control protocol conversion (e.g., B8ZS). Some combined CSU/DSUs can also support Extended Super Frame (ESF) monitoring and testing, together with the ability to multiplex traffic from multiple interfaces into a single point-to-point or multidrop circuit. Standard CSUs offer a T1/E1 circuit interface. Many combined CSU/DSUs can now offer T3/E3 support via the High-Speed Serial Interface (HSSI). Some combined CSU/DSUs support SMDS via the Data Exchange Interface (DXI) and include many functions beyond the scope of a traditional DDS (including segmentation, protocol conversion, etc.).
Bridges provide Layer 2 Data Link Layer functionality and are independent of Layer 3 and higher protocols. They can, therefore, transparently connect multiple 802.x-compliant networks (either locally or remotely). The Data Link Layer uses physical addressing schemes and is responsible for line discipline, topology reporting, error notification, flow control, and ordered delivery of data frames. Since bridges operate at the Data Link Layer, they do not examine protocol information that occurs at the upper layers. This means that there is minimal processing overhead relative to devices such as routers or gateways, and bridges may forward different types of protocol traffic (e.g., DECnet, IP, or Novell IPX) between two or more networks. The IEEE committee defines four key standards for bridges, as follows:
Transparent Bridging (TB)
Spanning Tree Algorithm (STA)
Source Routing Bridging (SRB)
Source Routing Transparent Bridging (SRT)
Transparent Bridging is synonymous with the Ethernet world, and Source Routing is synonymous with Token Ring. There is a de facto standard called Adaptive Source Routing, or Translation Bridging. This allows mixed Transparent and Source Routing environments to coexist effectively via an internal kludge using address-mapping tables. Note that Source Routing bridges are not considered completely transparent.
Bridges offer filtering and forwarding capabilities based on Layer 2 fields, which are used to create discrete traffic domains to optimize backbone efficiency. Bridges may have filters configured to accept and forward only frames of a certain type or frames that originate from a particular subnet. This filtering capability is extremely useful for controlling traffic flows. Filters may be static (configured by the system or user) or dynamic (learned). In general, bridges offer at least some traffic management capability by associating node MAC addresses with particular interfaces and forwarding (at the Data Link level) semi-intelligently. Bridges are also typically responsible for preserving topology integrity by stopping the formation of network loops using protocols such as Spanning Tree, or proprietary variations.
The increasing power of desktop PCs and the growth of client/server and multimedia applications have driven the need for higher-bandwidth, shared-access LANs. Consequently, network designers are replacing older repeaters and bridges in their wiring closets with intelligent LAN switches to increase network performance and protect their existing wiring investments. Switches are basically high-speed bridges, usually with significant hardware assist to ensure low latency and high throughput. Switches can be functionally divided into two main categories: LAN switches (Layer 2/multilayer devices that provide Layer 2 and Layer 3 switching capabilities) and ATM switches. LAN switches can reduce congestion in existing shared-media hubs while using new backbone technologies, such as Fast Ethernet and ATM. Gigabit Ethernet and ATM switches and routers offer greater backbone bandwidth required by high-throughput data services.
WAN operations were historically performed by hosts. However, in the early 1980s these tasks started to migrate into dedicated Layer 3 devices called routers. The first routers were single protocol only, and did not offer any concurrent bridge operations. As both memory and CPU power increased and became much less expensive, more functionality was added until we arrive at the situation today, with routers being the ubiquitous general-purpose, multiprotocol network tool. Routers form discrete broadcast domains and are used to connect different networks. Routers forward traffic based on the destination Network Layer address rather than the MAC address. Routers can provide transparent connectivity over mixed technology subnetworks and are commonly used to extend LANs (both locally and remotely). Routers typically communicate with one another, learning neighbors, routes, costs and addresses, and selecting the best path routes for individual packets.
Multiprotocol bridge routers have become the preferred tool used to create large scalable internetworks. They offer all the benefits of protocol transparency traditionally provided by bridges, together with effective bandwidth utilization and the security advantages of routers. Router networks are functionally more robust than those provided by bridges; they do not suffer issues such as LLC timeouts, susceptibility to broadcast storms, and poor congestion control. Routers are much more scalable and can support very large internetworks in terms of both load and addressing; they do, however, require more skilled support and maintenance staff. The basic operation of a multiprotocol bridge router is as follows:
Incoming packets are examined and then passed to the appropriate protocol handlers or discarded.
If the packet is not routable, and bridging is enabled, then a bridge handler deals with the packet just like a typical MAC bridge.
If the packet is routable and a suitable routing protocol is configured, then the packet is passed to the correct handler. Note that if the handler is not enabled, the packet will typically be dealt with as a bridged packet.
Filtering may occur at the point of receipt or transmission.
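The four steps above, together with the static and dynamic (learned) bridge filters described earlier, can be made concrete as a small forwarding engine. The following is an added example written for this text, not code from the book or from any vendor's product; the BridgeRouter class, its port names, the route table, the blocked EtherType 0x9999 and the MAC addresses are all constructed, while the IP (0x0800) and DEC LAT (0x6004) EtherTypes are real assignments used only to tell a routable protocol from a non-routable one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Real IEEE EtherType assignments; used here only to classify frames.
ETHERTYPE_IP = 0x0800    # routable: carries a Network Layer address
ETHERTYPE_LAT = 0x6004   # DEC LAT: no Network Layer address, so never routable
ROUTABLE = {ETHERTYPE_IP}


@dataclass
class Frame:
    port: str                       # interface the frame arrived on
    src_mac: str
    dst_mac: str
    ethertype: int
    src_net: Optional[str] = None   # Network Layer addresses, present only for routable protocols
    dst_net: Optional[str] = None


class BridgeRouter:
    """Hypothetical hybrid device: one bridge handler plus per-protocol route handlers."""

    def __init__(self, ports: Iterable[str], bridging_enabled: bool = True,
                 routing_enabled: Iterable[int] = (),
                 routes: Optional[Dict[int, List[Tuple[str, str]]]] = None,
                 receive_filter: Iterable[int] = ()):
        self.ports = set(ports)
        self.bridging_enabled = bridging_enabled
        self.routing_enabled = set(routing_enabled)   # protocols whose route handler is enabled
        # routes: ethertype -> [(prefix, outgoing port)]; a constructed sample is used in demo()
        self.routes = {proto: [(ipaddress.ip_network(net), port) for net, port in table]
                       for proto, table in (routes or {}).items()}
        self.receive_filter = set(receive_filter)     # static filter: ethertypes dropped on receipt
        self.mac_table: Dict[str, str] = {}           # dynamic (learned) filter: MAC -> port

    def forward(self, frame: Frame) -> Dict[str, str]:
        """Return {outgoing port: action}; an empty dict means the frame was discarded."""
        # Filtering at the point of receipt
        if frame.ethertype in self.receive_filter:
            return {}
        # The bridge side learns the source MAC on every frame it sees
        self.mac_table[frame.src_mac] = frame.port
        # Routable, and the handler is enabled: route on the destination network address
        if frame.ethertype in ROUTABLE and frame.ethertype in self.routing_enabled:
            return self._route(frame)
        # Non-routable, or handler not enabled: dealt with as a bridged packet
        if self.bridging_enabled:
            return self._bridge(frame)
        return {}

    def _route(self, frame: Frame) -> Dict[str, str]:
        dst = ipaddress.ip_address(frame.dst_net)
        best = None
        for net, port in self.routes.get(frame.ethertype, []):
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, port)
        return {} if best is None else {best[1]: "routed"}   # no route: discard

    def _bridge(self, frame: Frame) -> Dict[str, str]:
        learned = self.mac_table.get(frame.dst_mac)
        if learned == frame.port:
            return {}                       # destination is on the receiving segment: contained
        if learned is not None:
            return {learned: "bridged"}     # known destination: forward on that port only
        return {p: "flooded" for p in self.ports if p != frame.port}   # unknown: flood


def demo() -> List[Dict[str, str]]:
    """Run a constructed sequence of frames through a three-port device."""
    br = BridgeRouter(
        ports=["e1", "e2", "e3"],
        routing_enabled=[ETHERTYPE_IP],
        routes={ETHERTYPE_IP: [("10.1.0.0/16", "e1"), ("10.2.0.0/16", "e2"), ("10.0.0.0/8", "e3")]},
        receive_filter=[0x9999],   # constructed: a protocol the administrator has blocked
    )
    frames = [
        Frame("e1", "aa", "bb", ETHERTYPE_IP, "10.1.0.5", "10.2.0.9"),   # routed to e2
        Frame("e1", "aa", "cc", ETHERTYPE_LAT),                           # LAT, unknown dst: flooded
        Frame("e2", "cc", "aa", ETHERTYPE_LAT),                           # LAT, aa learned on e1
        Frame("e1", "dd", "aa", ETHERTYPE_LAT),                           # local to e1: dropped
        Frame("e2", "cc", "bb", ETHERTYPE_IP, "10.2.0.9", "10.9.0.1"),   # longest match /8 -> e3
        Frame("e3", "ee", "ff", 0x9999),                                  # receive filter
    ]
    return [br.forward(f) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point to notice is the fall-through in forward(): an IP frame on a device whose IP handler is not enabled is bridged, exactly as step three states, and a LAT frame never reaches the route handler at all. Building the same device with two bridges and a router, as discussed below, cannot reproduce this single decision point.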
The conceptual architecture of hybrid multiprotocol bridge routers is illustrated in Figure 1.12. It is important to understand that this hybrid integrated product provides more functionality than a discrete bridge and router pair, either in parallel or in series. In fact, it performs a unique function that cannot be emulated with discrete devices. In Figure 1.13 we can see that the closest we can get to emulate the operation of the integrated device is via two bridges and a router. However, the configuration shown on the right still fails to provide the same functionality and will drop bridged packets at the router interface if they are nonroutable, so protocols such as DEC LAT will be passed through both bridges but are blocked at the router. The single-protocol router will always discard nontransparent protocols.
Figure 1.12: Architecture of a multiprotocol bridge router.
Figure 1.13: Integrated bridge router and discrete bridge routers in parallel.
In Figure 1.14 we see an alternate way to emulate this functionality. On the surface this also looks promising; however, now we immediately run the risk of having duplicate packets circulating around the network. The bridge on the far right will blindly copy all nonlocal traffic regardless of whether or not the single protocol router (running in parallel) is already dealing with some of the traffic. As a result, the top and bottom networks are in effect joined, as if we were running multiple IP addresses on the same physical LAN. This will potentially confuse the router, since it will see packets of identical network source addresses on both interfaces. Strictly speaking, this configuration is not legal. Of course, one could consider setting up some fancy filtering scheme on the bridge to discard all routable packets, but frankly this would be a management nightmare and is strongly discouraged.
Figure 1.14: Integrated bridge router and discrete bridge and routers in parallel.
Hybrid integrated devices exhibit behavior that is often quite unique. Here, all of the routing and bridging decisions are handled internally, and the device always handles forwarding or routing decisions consistently, which greatly simplifies the design rules. We discuss the use of routers in network design in Chapter 3. In Chapter 5 we discuss the emergence of a new breed of hybrid device called the router firewall.
The term gateway is used as a generic term in networking; the only thing that defines it is that there is some functional or protocol conversion or translation implied. In this broad sense we will also include devices such as transport relays, since, as far as we are concerned, these are all gateways. Examples of gateways include the following:
DEC LAT to TCP/IP translation
IBM cluster controller to TCP/IP transport gateways
OSI TP Class 4 to TP Class 0 translation
OSI TP4 to TCP translation
Telnet to OSI virtual terminal protocol translation
ICL OSLAN to TCP/IP translation
OSI X.400 e-mail gateways
You should be aware that many of the older IP standards documents (RFCs) use the term gateway to mean a router, which can lead to further confusion. In this book router means router, and gateway means some form of protocol translator.
Firewalls are hybrid security devices that are built using packet-filter routers, application proxies, or stateful packet forwarding systems. Their primary purpose is to intercept traffic flows and police the content of these flows, allowing only sessions that comply with policy rules through the firewall. Firewalls are widely deployed at perimeter interfaces to enable organizations to interface with untrusted wide area networks (such as the Internet). They are increasingly being deployed within internal networks to police traffic between groups of users.
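To show what "allowing only sessions that comply with policy rules" means for a stateful packet forwarding system, here is an added example written for this text; it is not code from the book or from any firewall product. The policy, the StatefulFirewall class, the host addresses (RFC 5737 documentation ranges for the untrusted side and the DMZ) and the packet sequence are all constructed. Return traffic is admitted only when it matches a session the policy already accepted, and a TCP segment that belongs to no known session is dropped even if a rule would have admitted a fresh connection.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str, int]   # (direction, proto, dst_ip or "*", dst_port)

# Constructed policy: inside users may open HTTP/HTTPS outbound; the only session the
# untrusted side may open is SMTP to the DMZ mail relay (RFC 5737 documentation address).
POLICY: List[Rule] = [
    ("inside", "tcp", "*", 443),
    ("inside", "tcp", "*", 80),
    ("outside", "tcp", "192.0.2.10", 25),
]


@dataclass(frozen=True)
class Packet:
    direction: str    # "inside" = from the trusted LAN, "outside" = from the untrusted WAN
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP connection-opening segment


class StatefulFirewall:
    def __init__(self, policy: List[Rule]):
        self.policy = policy
        # Sessions admitted by policy, keyed by the initiator's 5-tuple
        self.sessions: Dict[tuple, str] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _policy_allows(self, p: Packet) -> bool:
        return any(d == p.direction and proto == p.proto
                   and (ip == "*" or ip == p.dst_ip) and port == p.dst_port
                   for d, proto, ip, port in self.policy)

    def inspect(self, p: Packet) -> str:
        """Decide one packet; the decision string records why it was taken."""
        if self._key(p) in self.sessions:
            return "allow (established)"       # same direction as an admitted session
        if self._reverse(p) in self.sessions:
            return "allow (reply)"             # return traffic of an admitted session
        if p.proto == "tcp" and not p.syn:
            return "deny (no session)"         # mid-stream segment with no state
        if self._policy_allows(p):
            self.sessions[self._key(p)] = p.direction
            return "allow (new)"
        return "deny (policy)"


def run_sample() -> List[str]:
    """Constructed packet sequence crossing the perimeter firewall."""
    fw = StatefulFirewall(POLICY)
    packets = [
        Packet("inside", "tcp", "10.1.0.5", 40000, "198.51.100.7", 443, syn=True),   # user opens HTTPS
        Packet("outside", "tcp", "198.51.100.7", 443, "10.1.0.5", 40000),            # server reply
        Packet("outside", "tcp", "198.51.100.7", 443, "10.1.0.6", 40000),            # reply to nobody
        Packet("outside", "tcp", "198.51.100.9", 5555, "10.1.0.5", 22, syn=True),    # inbound SSH attempt
        Packet("outside", "tcp", "198.51.100.9", 5555, "192.0.2.10", 25, syn=True),  # SMTP to DMZ relay
        Packet("inside", "tcp", "10.1.0.5", 40000, "198.51.100.7", 443),             # more of session 1
        Packet("inside", "udp", "10.1.0.5", 5353, "198.51.100.7", 53),               # no matching rule
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

A real firewall also ages sessions out and validates TCP state transitions; the example deliberately stops at the session table, which is the part that distinguishes a stateful device from a plain packet-filter router applying the same rules to every packet in isolation.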
The terms end system and intermediate system are frequently used in networking texts. We define these terms as follows:
An End System (ES) is most often characterized as a personal computer sitting on a user's desk. This is not a useful definition, since the PC may have no network connection, in which case it is a standalone system. End systems are, therefore, required to have network connectivity as a basic requirement. They must also have a network address, so that they can be made reachable from other end systems and intermediate systems. In practice, end systems comprise a range of devices, including servers, personal computers, laptops, PDAs, WAP phones, terminal servers, print servers, intelligent disk arrays, and so forth. The key difference between an end system and an intermediate system is that the end system does not relay or forward packets (e.g., it does not run a full routing protocol). An end system merely terminates or originates packet flows.
Intermediate System (IS) is a general term, defined in standards documentation as any device capable of acting as a packet relay (e.g., a router). In earlier IETF standards the term gateway is frequently used in the context of intermediate system. Those new to reading RFCs may be forgiven for the confusion this inevitably causes between the term router and real gateways. Note also that intermediate systems frequently operate as end systems in practice. For example, a router could initiate a Telnet connection to log in to another router for diagnostic purposes. In this event both routers could be said to be operating in end system mode for that session context. As another example, an IPSec VPN gateway can operate in transport or tunnel mode. In transport mode the gateway is acting as an end system; in tunnel mode the gateway is acting as an intermediate system.
In an internetwork environment end systems communicate over a backbone of intermediate systems. Although they do not actively participate in routing, end systems require basic reachability information in order to talk to a router. This is achieved by running a router discovery protocol (such as a limited form of RIP) or via static hard-coded entries. Note that it is important not to confuse the physical appearance of a device with its logical function; it is not unusual, for example, to equip a high-performance workstation with full routing capability.
It is useful to briefly summarize the various issues and benefits of using these three complementary technologies in a network design.
The key advantages of using bridges in designs are as follows (note that most of these features also apply to switches):
Bridges are largely plug-and-play devices that require relatively little expertise to install and maintain.
Bridges enable you to automatically isolate traffic domains, which can bring instant benefits to overall network performance. Local network traffic is contained within learned interfaces.
Bridges extend LANs and eliminate local node limitations on cable segments.
Bridges are in the main transparent to higher-layer protocols and therefore are truly multiprotocol. This allows them to forward packets of protocols that are not routable.
Bridges are generally transparent to end systems. Routers require end systems to be aware of the router's addresses, either by static configuration or by running a limited routing protocol.
Bridges typically have better price/performance than routers. Since bridges have much less work to do on a packet basis, they can operate at higher speed, with much lower latency, and can be constructed using cheaper components. Router performance has, however, improved significantly in recent years.
Bridge issues include the following:
Layer 2 incompatibilities make some MAC-to-MAC implementations quite complicated.
Interworking issues across end-to-end WAN links may require both bridges to be from the same vendor.
Manageability becomes an issue in large networks.
Learning table sizes can get large and overflow on very large networks, making traffic management ineffective.
Bridges can reconfigure to get around topology changes, but the process is typically much slower than for routers.
Different implementations of STA do not interwork and can cause stability problems. Underpowered Spanning Tree bridges in particular (i.e., those capable of dropping packets under load) can cause serious stability problems if STP packets are being lost. Spanning Tree configurations can also be expensive for resilient WAN configurations, and there are no standards for load sharing over multiple paths with separate bridges.
Transparent bridges use only a subset of network topology at any one time, since only a single path can exist at any time between two points in a bridged internetwork. Routers, however, can use the best path that exists between source and destination and can readily switch paths as better ones become available.
Bridges offer little protection against broadcast storms. In forwarding broadcast packets, bridges are only carrying out their normal function, but in doing so they can impact internetwork performance and function. This is a particular problem with remote bridges, where broadcasts have to traverse interbridge serial links.
Bridges must drop packets that are too large for their attached networks. Routers, because they support the Network Layer, have the capability of fragmenting packets to accommodate networks with a smaller MTU.
Bridges have no capability to provide congestion feedback to other bridges or to end nodes. This can lead to the need to discard packets, with consequent impact on end-system performance. Routers provide congestion feedback using the capabilities of the Network Layer protocol.
Bridges cannot distinguish applications or higher-layer protocols. They cannot, therefore, prioritize application traffic or offer QoS guarantees.
Because routers use Layer 3 addresses, which are typically hierarchical, routers can use techniques such as address summarization to build networks that maintain performance and efficiency as they grow in size. Routers can use redundant paths and determine optimal routes even in a dynamically changing network. Routers are necessary to ensure scalability as the network grows and expands. They provide the following capabilities, which are vital in network designs:
Broadcast and multicast control
Quality of Service (QoS)
Since routers operate at Layer 3, they can enforce a hierarchical addressing structure. Therefore, a routed network can tie a logical addressing structure to a physical infrastructure—for example, through IP subnets for each segment. Traffic flow in a bridged or switched (flat) network is, therefore, inherently different from traffic flow in a routed (hierarchical) network. Hierarchical networks offer more efficient traffic flows than flat networks because they can use the network hierarchy to determine optimal paths and contain broadcast domains. Routers offer several advantages over bridges and switches, as follows:
Scalability—routed networks can be much larger than bridged networks, and the traffic engineering capabilities are much more efficient.
The Data Link Layer packet header has very little useful information to determine optimal routing; routers offer real least-cost routing. Routers are much more sensitive to protocols and traffic conditions.
Topological reconfiguration is much faster in routers during failure conditions. For example, OSPF can reconverge around a link failure in several seconds.
Routers contain broadcasts and so prevent the possibility of broadcast storms.
Routing is much better suited for uniting dissimilar networks.
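Address summarization, mentioned above as the reason routed networks keep their performance as they grow, is easy to see in code. The following is an added example written for this text, not code from the book; the site names, the subnet allocations for Campus 1 and Building 5, and the next-hop labels are constructed. It collapses each site's contiguous subnets into the prefixes the site would advertise, builds a core table from those summaries plus a default route, and resolves destinations with the longest-prefix match a router performs. Note the summary for Building 5: the one non-adjacent subnet cannot be absorbed, which is why summarization only pays off when addresses are allocated hierarchically in the first place.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


def summarize(prefixes: Iterable[str]) -> List[str]:
    """Collapse adjacent subnets into the smallest set of covering prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def longest_prefix_match(table: Dict[str, str], dst: str) -> Optional[str]:
    """Return the next hop whose prefix covers dst most specifically, or None."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


# Constructed site addressing: Campus 1 has four contiguous /24s; Building 5 has
# three contiguous VLAN subnets plus one (10.5.7.0/24) that is not adjacent to them.
CAMPUS1 = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
BUILDING5 = ["10.5.0.0/24", "10.5.1.0/24", "10.5.2.0/24", "10.5.7.0/24"]


def build_core_table() -> Dict[str, str]:
    """Core router table carrying only the summaries each site advertises."""
    table: Dict[str, str] = {}
    for prefix in summarize(CAMPUS1):
        table[prefix] = "campus1-router"
    for prefix in summarize(BUILDING5):
        table[prefix] = "building5-l3switch"
    table["0.0.0.0/0"] = "firewall"   # everything else leaves via the perimeter
    return table


def route_count_without_summaries() -> int:
    """Size the core table would have if every subnet were advertised individually."""
    return len(CAMPUS1) + len(BUILDING5) + 1


if __name__ == "__main__":
    core = build_core_table()
    print(f"{route_count_without_summaries()} routes without summarization, {len(core)} with")
    for dst in ("10.1.2.77", "10.5.7.9", "10.5.3.1", "198.51.100.1"):
        print(dst, "->", longest_prefix_match(core, dst))
```

A flat bridged network has no equivalent operation: a learned MAC address carries no structure to summarize, so the forwarding table must hold one entry per station.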
Router issues include the following:
IP network multicasting may introduce broadcast storm-like problems.
Network headers are more complex to parse than a Data Link Layer header (checksums, variable-length fields, and options); hence, more CPU and latency are required. Packet latency is generally an order of magnitude higher for routers than for bridges.
Single-protocol routers lack flexibility in multivendor environments. Routers must encapsulate if bridging is not supported.
Routers are generally not quite so plug-and-play as bridges.
In campus environments high-speed switches are generally preferred to routers for better performance, lower cost per port, and ease of use.