The following sections explore modular network design and then introduce two models that can be used for modular network design.

What Is Modular Design?

Key Point: A module is a component of a composite structure. Modular network design involves creating modules that can then be put together to meet the requirements of the entire network.

Modules are analogous to building blocks of different shapes and sizes; when creating a building, each block has a different function. Designing one of these blocks is a much easier task than designing the entire building. Each block might be used in multiple places, saving time and effort in the overall design and building process. The blocks have standard interfaces to each other so that they fit together easily. If the requirements for a block change, only that block needs to change; other blocks are not affected. Similarly, a specific block can be removed or added without affecting other blocks. As when used for a building, a modular design for a network has many benefits, including the following:
Note: The Open Systems Interconnection (OSI) model, described in Appendix B, is an example of a modular framework for the communication protocols used between computers.

The following sections introduce two models that can be used for network design: the hierarchical model and the Cisco Enterprise Composite Network Model. You will see that both of these models involve creating modules, and that hierarchical design can in fact be part of the modules of the Enterprise Composite Network Model.

Hierarchical Network Design

The hierarchical network design model is illustrated in Figure 1-4.

Figure 1-4. The Hierarchical Network Design Model Separates the Network into Three Functions
Key Point: The three functions that comprise the hierarchical network design model are as follows:
These three layers can also be thought of as modules; each module has specific functions and can therefore be designed using the optimal devices and features to meet the specific requirements of the module. Figure 1-5 illustrates a simple network and shows how it maps to the hierarchical model. (Later chapters in this book detail the functions of the devices shown in this figure.)

Figure 1-5. The Hierarchical Network Design Model as Mapped to a Simple Network
Do you always need to have separate devices for each layer? No. Consider how the Transmission Control Protocol/Internet Protocol (TCP/IP) suite is an implementation of the OSI model. The TCP/IP model combines some of the OSI layers; for example, the TCP/IP application layer represents the OSI model application, presentation, and session layers. Similarly, your implementation of the hierarchical model can combine some of the functions into one physical device, especially if you have a smaller network. Some factors to consider when designing each of the hierarchical layers are described in the following sections.

Access Layer

The access layer is where users access the network. Users can be local or remote. Local users typically access the network through connections to a hub or a switch. Recall that hubs operate at OSI Layer 1, and all devices connected to a hub are in the same collision (or bandwidth) domain. Switches operate at Layer 2, and each port on a switch is its own collision domain, meaning that multiple conversations between devices connected through the switch can be happening simultaneously. Using a LAN switch rather than a hub has a performance advantage: A LAN switch forwards unicast traffic only out of the port through which the traffic's destination is considered reachable. However, a hub forwards all traffic out of all its ports. For this reason, most of today's networks have LAN switches rather than hubs. (Switching, including Layer 3 switching, is discussed in Chapter 2, "Switching Design.") Remote users might access the network through the Internet, using VPN connections, for example. Connections to the Internet can be through dial-up, digital subscriber line (DSL), cable, and so forth. Other access possibilities include WANs such as Frame Relay, leased lines, and Integrated Services Digital Network (ISDN). The access layer must also ensure that only users who are authorized to access the network are admitted.
Distribution Layer

The distribution layer interfaces between the core and access layers, and between access layer workgroups. The distribution layer functions and characteristics include the following:
Core Layer

The core layer provides a high-speed backbone. Functions and attributes of the core layer include the following:
Filtering is not performed at this layer, because it would slow processing. Filtering is done at the distribution layer.

Limitations of the Hierarchical Model

The hierarchical model is useful for smaller networks, but it does not scale well to larger, more complex networks. With only three layers, the model does not allow the modularity required to efficiently design networks with many devices and features. The Enterprise Composite Network Model, introduced in the following section, provides additional modularity and functions.

The Cisco Enterprise Composite Network Model

Cisco has developed a SAFE blueprint, the principal goal of which is to provide best-practices information on designing and implementing secure networks. The SAFE architecture uses a modular approach, providing the advantages previously discussed. (The SAFE model is discussed further in Chapter 4.) The Cisco Enterprise Composite Network Model is the name given to the architecture used by the SAFE blueprint. This model supports larger networks than those designed with only the hierarchical model and clarifies the functional boundaries within the network. The Enterprise Composite Network Model first divides a network into three functional areas, as illustrated in Figure 1-6.

Figure 1-6. Functional Areas of the Enterprise Composite Network Model[2]
Key Point: The three functional areas are as follows:
Each of these functional areas contains network modules, which in turn can include the hierarchical core, distribution, and access layer functionality. Figure 1-7 displays the modules within each of these functional areas. The following sections provide details on each of these modules.

Figure 1-7. Each Functional Area Contains Modules[3]

Enterprise Campus Functional Area

The modules within the Enterprise Campus functional area are as follows:
Note: These module names are consistent with those in the SAFE blueprint. However, slight variations exist between these names and those in the following Cisco Press books: CCDA Self-Study: Designing for Cisco Internetwork Solutions (DESGN) and CCDP Self-Study: Designing Cisco Network Architectures (ARCH).

Campus Infrastructure Module

The Campus Infrastructure module represents one or more buildings connected to a backbone. This module consists of three submodules: Building, Building Distribution, and Core. These submodules map directly onto the hierarchical model's access, distribution, and core layers. The combination of a Building and a Building Distribution submodule represents each building within a campus. Each of these buildings is connected to the Core, to provide connectivity between buildings and to the Server and Edge Distribution modules.

The Building submodule contains all the devices that allow users in the building to access the network. This includes end-user devices, such as IP phones and PCs, as well as devices to interconnect the end users to the services they require. This latter functionality is typically provided by Layer 2 switches, but it can also include Layer 3 switches if more advanced features are required. This submodule is responsible for ensuring that only users who are authorized to access the network are admitted. The Building submodule also performs functions such as marking the QoS level of the traffic (for example, to distinguish voice traffic from file transfer traffic so that it can be handled appropriately throughout the network).

The Building Distribution submodule provides access between workgroups and to the Core. This functionality is typically provided by Layer 3 switches or routers. Routing is implemented in this submodule; route filtering might also be required. Route summarization should also be implemented here so that the routing overhead is minimal.
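As an added example (not from the book or from Cisco), the check a designer would run on the route summarization a Building Distribution submodule advertises toward the Core: compute the single summary prefix that covers one building's subnets, then list any address space the summary would advertise that no subnet actually uses. An over-broad summary draws traffic for unassigned addresses to the distribution switch, where it is silently dropped, so the second function should return an empty list for a well-planned building. The subnet values are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: subnets assigned to one campus building (hypothetical
# addressing), all routed by that building's Building Distribution submodule.
BUILDING_A_SUBNETS = [
    "10.1.0.0/24",  # floor 1 data VLAN
    "10.1.1.0/24",  # floor 2 data VLAN
    "10.1.2.0/24",  # voice VLAN
    "10.1.3.0/24",  # wireless VLAN
]


def summarize(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single prefix that contains every given subnet.

    Starting from the first subnet, the mask is shortened one bit at a time
    until all subnets fit; this is the summary route the distribution layer
    would advertise instead of the individual building subnets.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def unassigned_space(summary: ipaddress.IPv4Network,
                     prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """List the blocks inside the summary that no building subnet covers.

    Each used subnet is carved out of the remaining holes with
    address_exclude(); what is left is address space the summary advertises
    but the building does not use.
    """
    holes = [summary]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        remaining = []
        for hole in holes:
            if net.subnet_of(hole):
                remaining.extend(hole.address_exclude(net))
            else:
                remaining.append(hole)
        holes = remaining
    return sorted(holes)


if __name__ == "__main__":
    s = summarize(BUILDING_A_SUBNETS)
    print("summary:", s, "unused blocks:", unassigned_space(s, BUILDING_A_SUBNETS))
```

Running the same check on a building whose subnets are not contiguous (for example 10.1.0.0/24 together with 10.1.8.0/24) yields a /20 summary with 3584 unused addresses, which is the signal to re-plan the addressing before advertising the summary.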
The Building Distribution submodule also controls access to services by implementing filters or access lists. Redundant switches and redundant links to both the access and backbone should also be implemented in this submodule.

The Core submodule typically uses Layer 3 switching to provide a high-speed connection between the campus buildings and the Server and Edge Distribution modules. Redundancy is implemented to ensure a highly available and reliable backbone.

Management Module

The Management module houses monitoring, logging, security, and other management features within an enterprise. A network-monitoring server monitors devices in the network and reports any events that occur (such as an interface error on a router). This can be combined with a system administration server to configure network devices. Some of the management security features that can be implemented in this module are as follows:
Network management traffic can traverse an out-of-band or an in-band connection. Out-of-band management provides access to devices on a connection dedicated to management data (separate from the connections on which network data flows), for example, through the console port of a Cisco router. In-band management provides access to devices through the same path as data traffic; for example, you can use Telnet to access a router over an IP network.

Note: Chapter 9, "Network Management Design," describes the Management module in detail.

Server Module

The centralized Server module contains internal campus servers. These servers can include e-mail, file, and print servers, or any other servers that are necessary for the network solutions (for example, a Cisco CallManager server if IP telephony is implemented in the network). Redundancy is typically implemented within this module and to the Core so that users always have access to the servers they need. Layer 3 switches are typically used in this module to provide both the high performance of Layer 2 switching and the Layer 3 routing and filtering capabilities.

Edge Distribution Module

The Edge Distribution module is the interface between the Enterprise Campus (through the Core submodule) and the Enterprise Edge functional areas. This module typically uses Layer 3 switching to provide high-performance routing, similar to the Server module. Redundancy is again implemented in this module to ensure that the campus users always have access to the Enterprise Edge.

Enterprise Edge Functional Area

The Enterprise Edge functional area is the interface between the Enterprise Campus functional area (through the Edge Distribution module) and the Service Provider Edge functional area. It consists of the following four modules:
The E-commerce module includes the devices and services necessary for an organization to support e-commerce applications, such as online ordering. The devices in this module usually include web servers, application servers, and security devices such as firewalls and IDS appliances.

The Corporate Internet module provides Internet access for the users and passes VPN traffic from remote users to the VPN/Remote Access module. Typical servers in this module include e-mail, File Transfer Protocol (FTP), and Domain Name System (DNS) servers. Security systems, such as firewalls and IDSs/IPSs, are also present here to ensure that only legitimate Internet traffic is allowed into the enterprise.

The VPN/Remote Access module terminates VPN traffic and dial-in connections from external users. Typical devices in this module include dial-in access and VPN concentrators to terminate the remote user connections, and firewalls and IDS appliances to provide security.

The WAN module provides connectivity between remote sites and the main site over various WAN technologies. This module does not include the WAN connections; rather, it provides the interfaces to the WANs. The WAN connections themselves are supplied by the service providers, which are represented in the Service Provider Edge modules. Example WAN interfaces provided by this module are Frame Relay, Asynchronous Transfer Mode (ATM), cable, and leased lines.

Service Provider Edge Functional Area

The three modules within the Service Provider Edge functional area are as follows:
Recall that these modules are not implemented within the enterprise itself but are provided by the service providers. The ISP module represents connections to the Internet. Redundant connections to multiple ISPs can be made to ensure service availability. The actual connection type is dictated by the ISPs. The PSTN module represents all dial-up connectivity, including analog phone, cellular phone, and ISDN connections. The Frame Relay/ATM module represents all permanent connections to remote locations, including Frame Relay and ATM, but also leased lines and cable, DSL, and wireless connections.