Modular Network Design


The following sections explore modular network design and then introduce two models that can be used for modular network design.

What Is Modular Design?

Key Point

A module is a component of a composite structure. Modular network design involves creating modules that can then be put together to meet the requirements of the entire network.


Modules are analogous to building blocks of different shapes and sizes; when creating a building, each block has different functions. Designing one of these blocks is a much easier task than designing the entire building. Each block might be used in multiple places, saving time and effort in the overall design and building process. The blocks have standard interfaces to each other so that they fit together easily. If the requirements for a block change, only that block needs to change; other blocks are not affected. Similarly, a specific block can be removed or added without affecting other blocks.

As when used for a building, a modular design for a network has many benefits, including the following:

  • It is easier to understand and design smaller, simpler modules rather than an entire network.

  • It is easier to troubleshoot smaller elements compared to the entire network.

  • The reuse of blocks saves design time and effort, as well as implementation time and effort.

  • The reuse of blocks allows the network to grow more easily, providing network scalability.

  • It is easier to change modules rather than the entire network, providing flexibility of design.

Note

The Open Systems Interconnection (OSI) model, described in Appendix B, is an example of a modular framework for the communication protocols used between computers.


The following sections introduce two models that can be used for network design: the hierarchical model and the Cisco Enterprise Composite Network Model. You will see that both of these models involve creating modules, and that hierarchical design can in fact be part of the modules of the Enterprise Composite Network Model.

Hierarchical Network Design

The hierarchical network design model is illustrated in Figure 1-4.

Figure 1-4. The Hierarchical Network Design Model Separates the Network into Three Functions


Key Point

The three functions that comprise the hierarchical network design model are as follows:

  • Access layer: Provides user and workgroup access to the resources of the network

  • Distribution layer: Implements the organization's policies, and provides connections between workgroups and between the workgroups and the core

  • Core layer: Provides high-speed transport between distribution-layer devices and to core resources


These three layers can also be thought of as modules; each module has specific functions and can therefore be designed using the optimal devices and features to meet the specific requirements of the module.

Figure 1-5 illustrates a simple network and shows how it maps to the hierarchical model. (Later chapters in this book detail the functions of the devices shown in this figure.)

Figure 1-5. The Hierarchical Network Design Model as Mapped to a Simple Network


Do you always need to have separate devices for each layer? No. Consider how the Transmission Control Protocol/Internet Protocol (TCP/IP) suite is an implementation of the OSI model. The TCP/IP model combines some of the OSI layers; for example, the TCP/IP application layer represents the OSI model application, presentation, and session layers. Similarly, your implementation of the hierarchical model can combine some of the functions into one physical device, especially if you have a smaller network.

Some factors to consider when designing each of the hierarchical layers are described in the following sections.

Access Layer

The access layer is where users access the network. Users can be local or remote.

Local users typically access the network through connections to a hub or a switch. Recall that hubs operate at OSI Layer 1, and all devices connected to a hub are in the same collision (or bandwidth) domain. Switches operate at Layer 2, and each port on a switch is its own collision domain, meaning that multiple conversations between devices connected through the switch can be happening simultaneously. Using a LAN switch rather than a hub has a performance advantage: A LAN switch forwards unicast traffic only out of the port through which the traffic's destination is considered reachable. However, a hub forwards all traffic out of all its ports. For this reason, most of today's networks have LAN switches rather than hubs. (Switching, including Layer 3 switching, is discussed in Chapter 2, "Switching Design.")

Remote users might access the network through the Internet, using VPN connections, for example. Connections to the Internet can be through dial-up, digital subscriber line (DSL), cable, and so forth. Other access possibilities include WANs such as Frame Relay, leased lines, and Integrated Services Digital Network (ISDN).

The access layer must also ensure that only users who are authorized to access the network are admitted.

Distribution Layer

The distribution layer interfaces between the core and access layers, and between access layer workgroups.

The distribution layer functions and characteristics include the following:

  • Implementing policies by filtering, prioritizing, and queuing traffic.

  • Routing between the access and core layers. If different routing protocols are implemented at these other two layers, the distribution layer is responsible for redistributing (sharing) among the routing protocols, and filtering if necessary (as discussed in Chapter 3, "IPv4 Routing Design").

  • Performing route summarization (as also discussed in Chapter 3). When routes are summarized, routers have only summary routes in their routing tables, instead of unnecessary detailed routes. This results in smaller routing tables, which reduces the router memory required. Routing updates are also smaller and therefore use less bandwidth on the network. As discussed in Chapter 3, route summarization is only possible if the IP addressing scheme is designed properly.

  • Providing redundant connections, both to access devices and to core devices.

  • Aggregating multiple lower-speed access connections into higher-speed core connections and converting between different media types (for example, between Ethernet and Frame Relay connections), if necessary.
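To make the route-summarization point above concrete, here is an added Python example (not code from the book): given the subnets behind a distribution device, it computes the fewest exact summaries that device could advertise to the core, and the single longest-common-prefix summary together with any address space that summary would over-advertise. An empty "holes" list is the condition the text describes as an addressing scheme that is "designed properly"; the sample prefixes are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def exact_summaries(prefixes: Iterable[str]) -> List[Net]:
    """Fewest prefixes that advertise exactly the input address space: what a
    distribution switch can send to the core without claiming unused addresses."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def single_summary(prefixes: Iterable[str]) -> Tuple[Net, List[Net]]:
    """Smallest single prefix covering every input subnet.

    Returns (summary, holes): 'holes' are blocks the summary would advertise
    although no input subnet uses them; an empty list means the plan
    summarizes cleanly to one route.
    """
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    first, last = nets[0], nets[-1]
    plen = min(n.prefixlen for n in nets)
    cand = ipaddress.ip_network(f"{first.network_address}/{plen}", strict=False)
    # Shorten the prefix until one block contains both the lowest and the
    # highest subnet: that block is the longest-common-prefix summary.
    while not last.subnet_of(cand):
        plen -= 1
        cand = ipaddress.ip_network(f"{first.network_address}/{plen}", strict=False)
    return cand, _holes(cand, nets)


def _holes(summary: Net, nets: List[Net]) -> List[Net]:
    """Address space inside 'summary' not covered by any network in 'nets'."""
    remaining = [summary]
    for n in nets:
        kept = []
        for block in remaining:
            if n.subnet_of(block):
                kept.extend(block.address_exclude(n))  # carve n out of block
            elif not block.subnet_of(n):
                kept.append(block)  # disjoint from n, keep as is
            # else: block lies entirely inside n, so it is covered; drop it
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    # Constructed sample plans: four aligned /24s versus three scattered /24s.
    for plan in (["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
                 ["10.2.0.0/24", "10.2.1.0/24", "10.2.5.0/24"]):
        summary, holes = single_summary(plan)
        print(plan, "->", [str(n) for n in exact_summaries(plan)],
              "| single:", summary, "| over-advertises:", [str(h) for h in holes])
```

The aligned plan collapses to one /22 with no holes, while the scattered plan needs two exact routes or a single /21 that advertises three blocks the building does not own.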

Core Layer

The core layer provides a high-speed backbone. Functions and attributes of the core layer include the following:

  • Providing high-speed, low-latency links and devices for quick transport of data across the backbone.

  • Providing a highly reliable and available backbone. This is accomplished by implementing redundancy in both devices and links so that no single points of failure exist.

  • Adapting to network changes quickly by implementing a quick-converging routing protocol. The routing protocol can also be configured to load-balance over redundant links so that the extra capacity can be used when no failures exist.

Filtering is not performed at this layer, because it would slow processing. Filtering is done at the distribution layer.

Limitations of the Hierarchical Model

The hierarchical model is useful for smaller networks, but it does not scale well to larger, more complex networks. With only three layers, the model does not allow the modularity required to efficiently design networks with many devices and features. The Enterprise Composite Network Model, introduced in the following section, provides additional modularity and functions.

The Cisco Enterprise Composite Network Model

Cisco has developed a SAFE blueprint, the principal goal of which is to provide best-practices information on designing and implementing secure networks. The SAFE architecture uses a modular approach, providing the advantages previously discussed. (The SAFE model is discussed further in Chapter 4.)

The Cisco Enterprise Composite Network Model is the name given to the architecture used by the SAFE blueprint. This model supports larger networks than those designed with only the hierarchical model and clarifies the functional boundaries within the network.

The Enterprise Composite Network Model first divides a network into three functional areas, as illustrated in Figure 1-6.

Figure 1-6. Functional Areas of the Enterprise Composite Network Model[2]


Key Point

The three functional areas are as follows:

  • Enterprise Campus: This area contains all the functions required for independent operation within one campus location; it does not provide remote connections. You can have multiple campuses.

  • Enterprise Edge: This area contains all the functions required for communication between the Enterprise Campus and remote locations, including the Internet, remote employees, other campuses, partners, and so forth.

  • Service Provider Edge: This functional area is not implemented by the organization; rather, it is included to represent WANs and Internet connections provided by service providers.

Each of these functional areas contains network modules, which in turn can include the hierarchical core, distribution, and access layer functionality.


Figure 1-7 displays the modules within each of these functional areas. The following sections provide details on each of these modules.

Figure 1-7. Each Functional Area Contains Modules[3]


Enterprise Campus Functional Area

The modules within the Enterprise Campus functional area are as follows:

  • Campus Infrastructure module

  • Management module

  • Server module

  • Edge Distribution module

Note

These module names are consistent with those in the SAFE blueprint. However, slight variations exist between these names and those in the following Cisco Press books: CCDA Self-Study: Designing for Cisco Internetwork Solutions (DESGN) and CCDP Self-Study: Designing Cisco Network Architectures (ARCH).


Campus Infrastructure Module

The Campus Infrastructure module represents one or more buildings connected to a backbone. This module comprises three submodules: Building, Building Distribution, and Core. These submodules map directly onto the hierarchical model's access, distribution, and core layers.

The combination of a Building and a Building Distribution submodule represents each building within a campus. Each of these buildings is connected to the Core, to provide connectivity between buildings and to the Server and Edge Distribution modules.

The Building submodule contains all the devices to allow users in the building to access the network. This includes end-user devices, such as IP phones and PCs, as well as devices to interconnect the end users to the services they require. This latter functionality is typically provided by Layer 2 switches, but it can also include Layer 3 switches if more advanced features are required. This submodule is responsible for ensuring that only users who are authorized to access the network are admitted. The Building submodule also performs functions such as marking the QoS level of the traffic (for example, to distinguish voice traffic from file transfer traffic so that it can be handled appropriately throughout the network).

The Building Distribution submodule provides access between workgroups and to the Core. This functionality is typically provided by Layer 3 switches or routers. Routing is implemented in this submodule; route filtering might also be required. Summarizing of routes should also be implemented here so that the routing overhead is minimal. This submodule controls access to services by implementing filters or access lists. Redundant switches and redundant links to both the access and backbone should also be implemented in this submodule.

The Core submodule typically uses Layer 3 switching to provide a high-speed connection between the campus buildings and the Server and Edge Distribution modules. Redundancy is implemented to ensure a highly available and reliable backbone.

Management Module

The Management module houses monitoring, logging, security, and other management features within an enterprise.

A network-monitoring server monitors devices in the network and reports any events that occur (such as an interface error on a router). This can be combined with a system administration server to configure network devices.

Some of the management security features that can be implemented in this module are as follows:

  • An authentication, authorization, and accounting (AAA) server to provide security checks of users. Authentication determines who the user is and whether the user is allowed on the network. Authorization determines what the user can do on the network. Accounting records the time of day and time spent, for example, so that the user can be billed for the network services used. The AAA server can also record a user's location.

  • Intrusion detection system (IDS) and intrusion prevention system (IPS) management. IDSs scan network traffic for malicious activity, while IPSs can protect the network if an attack is detected. An IDS and IPS management server logs suspicious activities that are detected by IDS and IPS sensors deployed throughout the network.

  • System logging, for example, using a syslog server to log events and traps.

Network management traffic can traverse an out-of-band or an in-band connection. Out-of-band management provides access to devices on a connection dedicated to management data (separate from the connections on which network data flows), for example, through the console port of a Cisco router. In-band management provides access to devices through the same path as data traffic; for example, you can use Telnet to access a router over an IP network.

Note

Chapter 9, "Network Management Design," describes the Management module in detail.


Server Module

The centralized Server module contains internal campus servers. These servers can include e-mail, file, and print servers, or any other servers that are necessary for the network solutions (for example, a Cisco CallManager server if IP telephony is implemented in the network). Redundancy is typically implemented within this module and to the Core so that users always have access to the servers they need. Layer 3 switches are typically used in this module to provide both the high performance of Layer 2 switching and the Layer 3 routing and filtering capabilities.

Edge Distribution Module

The Edge Distribution module is the interface between the Enterprise Campus (through the Core submodule) and the Enterprise Edge functional areas.

This module typically uses Layer 3 switching to provide high-performance routing, similar to the Server module. Redundancy is again implemented in this module to ensure that the campus users always have access to the Enterprise Edge.

Enterprise Edge Functional Area

The Enterprise Edge functional area is the interface between the Enterprise Campus functional area (through the Edge Distribution module) and the Service Provider Edge functional area. It comprises the following four modules:

  • E-commerce module

  • Corporate Internet module

  • VPN/Remote Access module

  • WAN module

The E-commerce module includes the devices and services necessary for an organization to support e-commerce applications, such as online ordering. The devices in this module usually include web servers, application servers, and security devices such as firewalls and IDS appliances.

The Corporate Internet module provides Internet access for the users and passes VPN traffic from remote users to the VPN/Remote Access module. Typical servers in this module include e-mail, File Transfer Protocol (FTP), and Domain Name System (DNS) servers. Security systems, such as firewalls and IDSs/IPSs, are also present here to ensure that only legitimate Internet traffic is allowed into the enterprise.

The VPN/Remote Access module terminates VPN traffic and dial-in connections from external users. Typical devices in this module include dial-in access and VPN concentrators to terminate the remote user connections, and firewalls and IDS appliances to provide security.

The WAN module provides connectivity between remote sites and the main site over various WAN technologies. This module does not include the WAN connections; rather, it provides the interfaces to the WANs. The WAN connections themselves are supplied by the service providers, which are represented in the Service Provider Edge modules. Example WAN interfaces provided by this module are Frame Relay, Asynchronous Transfer Mode (ATM), cable, and leased lines.

Service Provider Edge Functional Area

The three modules within the Service Provider Edge functional area are as follows:

  • Internet Service Provider (ISP) module

  • Public Switched Telephone Network (PSTN) module

  • Frame Relay/ATM module

Recall that these modules are not implemented within the Enterprise itself but are provided by the service providers.

The ISP module represents connections to the Internet. Redundant connections to multiple ISPs can be made to ensure service availability. The actual connection type is dictated by the ISPs.

The PSTN module represents all dial-up connectivity, including analog phone, cellular phone, and ISDN connections.

The Frame Relay/ATM module represents all permanent connections to remote locations, including Frame Relay and ATM, as well as leased lines and cable, DSL, and wireless connections.




Campus Network Design Fundamentals
ISBN: 1587052229
Year: 2005
Pages: 156
