CNT 125 Chapter 7

Podcast PPT

Network Architecture
Objectives
By the end of this module, you should be able to:
1. Explain types of abstraction in the design of physical
network architecture
2. Describe and explain virtualization technologies on a
network
3. Summarize cloud characteristics, models, and
connectivity options
4. Identify methods to increase network availability
Switch Review
● Quick review of switches …
Switches
● Connectivity devices that subdivide a network
● Segments

● Traditional switches
● Operate at Data Link OSI model layer - Layer 2

● Switches interpret MAC address information

● Switch maintains a table of MAC addresses – what MAC

address is connected to what switch Port
Switches
● Switch Operation
● Data comes in 1 port
● Switch reads destination MAC Address – locates that MAC
address in table
● Switch will send data out only port with destination MAC
Address
Switches
● Switches
Switches
● Switch Uplink Port

● If Copper Ports for users are 100 Mbps

● Uplink will be 1000 Mbps (1 Gbps)

● If Copper Ports for users are 1000 Mbps (1 Gbps)

● Uplink will be 10 Gbps

● Typically will be SFP Port – can be copper or fiber as

needed
Switches
● Common switch components
● Internal processor, operating system, memory, ports
Unmanaged Switches

Unmanaged switch
● provides plug-and-play simplicity with minimal
configuration options
● has no IP address assigned to it
● not very expensive
● capabilities are limited
● cannot support VLANs
Managed Switches

Managed switches
● can be configured via a command-line interface or a
web-based management GUI
● sometimes can be configured in groups
● Usually assigned IP addresses for the purpose of
continued management
Switches are layer 2 devices, however the following
higher-layer switches also exist:
● Layer 3 switch is capable of interpreting layer 3 data
and works like a router
● Layer 4 switch is capable of interpreting layer 4 data
Managed Switches

● Managed switch - Configuration via GUI

Switch Path Management

● Redundancy allows data the option of traveling through

more than one switch toward its destination and makes
your network less vulnerable to hardware malfunctions
● A potential problem with having multiple paths through
a network has to do with traffic loops
● Broadcast Storm - can be created by redundant loops
Switch Path Management
Switch Path Management

● STP (Spanning Tree Protocol) prevents traffic loops,

also called switching loops, by calculating paths that
avoid potential loops and by artificially blocking the
links that would complete a loop
● IEEE 802.1D
● STP can also adapt to changes in the network
● STP chooses the most efficient paths and calls these the
least cost path
 Switch Path Management

1. STP selects Root Bridge

● based on BID (Bridge ID) - combo of 2-byte priority field, can
be set by network admin, and bridge’s MAC address
● bridge with lowest MAC becomes root bridge by default
2. STP examines possible paths between all other bridges &
root & chooses most efficient paths, called least cost path,
for each of the bridges
3. STP disables links that are not part of a shortest path.
Switch Path Management
Switch Path Management

● STP information is transmitted between switches via BPDUs

(Bridge Protocol Data Units)
● Newer technologies to improve or replace STP include the
following:
● RSTP (Rapid Spanning Tree Protocol)
● TRILL (Transparent Interconnection of Lots and Links)
● SPB (Shortest Path Bridging)
● Some switch manufacturers have designed proprietary
versions of STP optimized to work most efficiently on their
equipment
Switch Port Security

● Unused switch, router, or server ports can be accessed

and exploited by hackers if they are not disabled
● Unused ports should be disabled if not needed
● shutdown command to disable port
● no shutdown command to enable port
● Port Security on switch
● can be used to protect against MAC flooding
● This type of switch port security is only one layer of
defense
Switch Port Security
1. interface range fa0/1 – 5
a. selects first 5 switch ports to be configured
2. switchport mode access
a. sets port mode to access as opposed to “trunk”
3. switchport port-security
a. enables port security on these ports
4. switchport port-security maximum 1
a. sets port to have a MAX of 1 MAC address associated
5. switchport port-security mac-address sticky
a. holds first MAC learned on port in the MAC table
6. switchport port-security violation shutdown
a. will shutdown down port & send alert if more than 1 MAC
Address is connected to port
Hierarchical Design

● A load balancer helps to evenly distribute traffic to each device

in a cluster so every device carries a portion of the load
● Cisco and other manufacturers have developed a hierarchical
design for switches on a network called a three-tiered
architecture
● The access layer, or edge layer, consists of workgroup
switches connected directly to hosts
● The distribution layer, or aggregation layer, is a highly
redundant mesh of connections between multilayer switches
or routers
● The core layer consists of highly efficient multilayer
switches or routers that support the network’s backbone
traffic
Hierarchical Design

● The flow of traffic between peers within a network segment is

called east-west traffic
● Traffic that must leave the local segment to reach its destination is
called north-south traffic
Hierarchical Design
 Hierarchical Design
● As newer technologies such as virtualization, SDN, and cloud
computing became more popular, east-west traffic began
experiencing latency
● A new hierarchical design was needed to better optimize
east-west traffic
● Newer networks collapse the core and distribution layers into one
layer called the spine
● Spine switches on the backbone connect in a mesh topology
with all leaf switches but not with each other
● This design is called a spine-and leaf architecture and offers the
following advantages:
● Improved redundancy and scalability
● Decreased latency
● Increased performance and security
● Reduced expense
Hierarchical Design
Software-Designed Networking

● SDN (software-defined network) is a centralized

approach to networking
● An SDN controller integrates all of the network’s virtual
and physical devices into one cohesive system
● SDN relies on a form of abstraction called
disaggregation
Software-Designed Networking
Software-Designed Networking

● SDN abstracts the functions of network devices into

different layers, or planes:
● Infrastructure plane (also called data plane) – this
plane is made up of the physical or virtual devices
that receive and send network messages
● Control plane – this plane handles the
decision-making processes
● Application plane – the SDN controller
communications with network applications using
APIs
● Management plane – this plane could be considered
a part of the control plane
Software-Designed Networking
Software-Designed Networking
SAN

● Large enterprises that require faster access to data &

larger amounts of storage - SAN (storage area network)
● SAN - distinct network of storage devices that
communicate with each other & with other networks.
● multiple storage devices are connected to multiple,
identical servers
● architecture is similar to a mesh topology - most
fault-tolerant type of topology possible
SAN
SAN
SAN

● SANs are not only extremely fault tolerant, they are

also extremely fast. To do this, SANs use one of these
technologies:
● FC (Fibre Channel)
● FCoE (Fibre Channel over Ethernet)
● iSCSI (Internet SCSI)
● IB (InfiniBand)
SAN

● FC (Fibre Channel)
● storage networking architecture that runs separately
from Ethernet networks
● can run over copper cables, fiber-optic cable is much
more commonly used
● requires special hardware, which makes it expensive
● Specifications are approved for speeds up to 256GFC
SAN

● FC (Fibre Channel)
SAN

● FCoE (Fibre Channel over Ethernet)

● newer technology
● allows FC to travel over Ethernet hardware and
connections
● FC frame is encapsulated inside an FCoE frame, which is
then encapsulated inside an Ethernet frame
SAN

● FCoE (Fibre Channel over Ethernet)

SAN

● iSCSI (Internet SCSI)

● pronounced “i-scuzzy,”
● Transport layer protocol - runs on top of TCP to allow
fast transmissions over LANs, WANs & Internet
● can work on TP Eth network with ordinary Eth NICs
● evolution of SCSI (Small Computer System Interface) -
fast transmission standard used by internal hard drives
and OS in file servers
● ADV of iSCSI - not as expensive, can run on already
established Eth LAN by installing iSCSI software (called
an iSCSI initiator) on network clients & servers - does
not require as much training for IT personnel
SAN

● iSCSI (Internet SCSI)

SAN

● iSCSI (Internet SCSI)

SAN

● IB (InfiniBand)
● requires specialized network hardware
● it’s very fast
● tends to serve a few niche markets rather than being
widely available
● on the difficult end of the installation & configuration
spectrum
● on the expensive side as well.
SAN

● IB (InfiniBand)
Virtual Architecture

● Virtualization is a virtual, or logical, version of

something rather than the actual, or physical, version
● A host is a physical computer “hosting” a virtual
machine
● A guest is each virtual machine
● A hypervisor creates and manages a VM
● It also manages resource allocation and sharing
between a host and any of its guest VMs
Virtualization
Virtual Architecture

There are two types of hypervisors:

● Type 1 – installs on a computer before any OS and is
called a bare-metal hypervisor
● XenServer by Citrix, ESXi by VMware, Hyper-V by
Microsoft, Linux KVM
● Type 2 – installs in a host OS as an application and is
called a hosted hypervisor
● Client Hyper-V, VirtualBox, VMware Player and Linux
KVM
Virtualization

Ex: VMware ESXi Ex: VMware Player

Virtualization
Virtualization
Virtualization Market Share - November 2022

VMware ESX
VMware Microsoft Server
vSphere Hyper-V
 Virtualization
● VM’s software and
hardware
characteristics are
assigned when it is
created in the
hypervisor.

● Can customize
memory, disk
space, etc…
Virtualization – Network
Connection Types
● Every VM has its own virtual network adapter, or vNIC
(virtual NIC), that can connect the VM to other machines,
both virtual and physical.

● vNIC operates at the Data Link layer and provides the

computer with network access.

● Each VM can have several vNICs

● maximum number of vNICs on a VM depends on the limits

imposed by the hypervisor. (Ex: VirtualBox allows up to eight
vNICs per VM.)

● each vNIC is automatically assigned a MAC address.

Virtualization – Network
Connection Types
Virtualization – Network
Connection Types
● When first VM’s vNIC is selected
● Hypervisor creates a connection between that VM and the host
● This connection might be called a bridge or switch

● vSwitch … or …. Virtual switch

● Logically defined device
● Operates at Data Link layer
● Passes frames between nodes
● Allows VMs to communicate with VMs or nodes on LAN

● The hypervisor controls the virtual switches

● VMs can go through a virtual switch to reach network

Virtualization – Network
Connection Types
Virtualization – Network
Connection Types
Virtualization – Network
Connection Types
● Must identify networking mode the vNIC will use
● Frequently-used network connection types
● Bridged
● NAT
● Host-only
Virtualization – Network
Connection Types
● Bridged Mode
● vNIC accesses physical network using host
machine’s NIC
● Obtains own IP address, default gateway, and
netmask from DHCP server on physical LAN
● When connected using bridged mode, a VM
appears to other nodes as just another client or
server on the network.
● Other nodes communicate directly with the
computer without realizing it is virtual.
Virtualization – Network NOTE:
Connection Types Take note of VM IP
Address and Host
Machine IP Address
Virtualization – Network
Connection Types Selecting Bridged
Mode
Virtualization – Network
Connection Types
● NAT Mode
● vNIC relies on the host machine to act as a NAT
device.
● VM obtains IP addressing information from its
host
● hypervisor acts as a DHCP server
● vNIC can still communicate with other nodes on
the network and vice versa. However, other
nodes communicate with the host machine’s IP
address to reach the VM
● VM itself is invisible to nodes on the physical
network.
Virtualization – Network
Connection Types NOTE:
Take note of VM IP
Address and Host
Machine IP Address
Virtualization – Network
Connection Types
Selecting NAT Mode
Virtualization – Network
Connection Types
● Host-only Mode
● VMs on one host can exchange data with each
other and with their host
● they cannot communicate with any nodes beyond
the host
● vNICs never receive or transmit data via the host
machine’s physical NIC
● VMs use the DHCP service in the host’s
virtualization software to obtain IP address
assignments.
Virtualization – Network NOTE:
Take note of VM IP
Connection Types Address and note No
Connection to Host
Machine NIC
Virtualization – Network
Connection Types Selecting Host-Only
Mode
Virtualization Pros and Cons

● Advantages of virtualization include the following:

● Efficient use of resources
● Cost and energy savings
● Fault and threat isolation
● Simple backups, recovery, and replication
● Disadvantages of virtualization include the following:
● Compromised performance
● Increased complexity
● Increased licensing costs
● Single point of failure
NFV (Network Functions
Virtualization)

● NFV (Network Functions Virtualization) is the

process of merging physical and virtual network
architecture
● Provides flexible, cost-saving options for many types
of network devices
● Options for virtualizing network devices include the
following:
● Virtual firewall – install a firewall’s OS in a VM on
an inexpensive server
● Virtual router – install a router VM on a server
instead of purchasing an expensive hardware router
NFV (Network Functions
Virtualization)
● Software firewall
● merely an application, like Windows Firewall
● very limited in scope and features, and only services a
single client

● Dedicated firewall device

● Fortinet, Cisco, or Palo Alto Networks
● services an entire network (or portion of a network)
● has many more features and runs on its own OS.
NFV (Network Functions
Virtualization)
● Virtual Firewall
● emulates a hardware firewall
● hosted in a virtualized environment
● Ex: pfSense VMware Ready Virtual Firewall Appliance by
Netgate
● Ex: Barracuda’s NextGen Firewall F-Series
● must be a hypervisor present (usually Type 1) for a virtual
firewall to exist.

● This applys to other devices as well, such as routers,

switches, and load balancers.
NFV (Network Functions
Virtualization)

● Advantages of virtualizing network functions:

● Virtual devices can be quickly and sometimes
automatically migrated (moved) from one server to
another in the event of hardware failure of
maintenance
● Resources are utilized more efficiently
● Services can be easily scaled to meet the changing
needs of a network
NFV (Network Functions
Virtualization)
● Disadvantages include the following:
● You’ll need licenses for each of the virtualized devices as
well as for the Type 1 hypervisor that will host them.
● interaction between physical and virtual devices introduces
a small degree of latency
● Some virtualization fans are uncomfortable using a virtual
firewall to protect the entire network - many network
admins believe that virtual firewalls are only appropriate
for securing virtual-only portions of the network, or serving
as a backup to physical firewall devices.
Cloud Computing

● Cloud computing refers to the flexible provision of data

storage, applications, and services to multiple clients
over a network
Cloud Computing

● Cloud Storage
● Dropbox, OneDrive, and Google Drive

● Cloud Hosting
● Web-based email system (Gmail)
Cloud Computing

Cloud
Providers
Market Share
Q3 of 2022
Cloud Computing
Cloud Computing

● Cloud computing features include the following:

● On-demand service
● Broad network access
● Resource pooling
● Metered service
● Rapid elasticity
● Storage capacity can quickly or automatically be
scaled up or down
Cloud Computing
● Most cloud service providers use virtualization software
to supply multiple platforms to multiple users.

● Example: Rackspace and Amazon use Xen virtualization

software by Citrix to create virtual environments for
their customers
Cloud Computing
Cloud Computing
● Can provide virtual desktops
● Operating environments hosted virtually

● Developers can load any kind of software on the servers

and test it from afar
● Cloud services provider can make sure the development
servers are secure and regularly backed up
 Cloud Service Models
● Cloud computing service models are categorized by the
types of services provided:
● On-premises
● IaaS (Infrastructure as a Service)
● PaaS (Platform as a Service)
● SaaS (Software as a Service)
● XaaS (Anything as a Service)
Cloud Service Models
 Cloud Service Models
● Cloud computing service models are categorized by the
types of services provided:
● On-premises – All hardware, software, and everything else is
located and managed at the organization’s location
Cloud Service Models
 Cloud Service Models
● Cloud computing service models are categorized by the
types of services provided:
● IaaS (Infrastructure as a Service) – Hardware services and
network infrastructure devices are provided virtually
● Including end user interfaces such as HVDs (hosted virtual
desktops)
● Example: customers might use the vendor’s servers to store
data, host websites, and provide email, DNS, or DHCP
services, but must provide their own NOS licenses and
productivity software, such as customer tracking, sales
management, and an office suite.
Cloud Service Models
 Cloud Service Models
● Cloud computing service models are categorized by the
types of services provided:
● PaaS (Platform as a Service) – Includes the OS, runtime libraries
or modules the OS provides to applications, and the hardware on
which the OS runs
Cloud Service Models
 Cloud Service Models
● Cloud computing service models are categorized by the
types of services provided:
● SaaS (Software as a Service) – Applications are provided
● Online email services such as Gmail and Yahoo! are good
examples of SaaS, and online office productivity tools such as
Microsoft’s Office 365 and Google Docs.
 Cloud Service Models
● Cloud computing service models are categorized by the
types of services provided:
● XaaS (Anything as a Service) – The cloud can provide any
combination of functions depending on the client’s exact needs
 Cloud Deployment Models
● Public cloud
● Service provided over public transmission lines
● Most examples discussed occur in public cloud (Gmail, etc..)

● Private cloud
● Service established on an organization’s own servers in its own data
center
● Customer maintains own virtual servers

● Community cloud
● Service shared between multiple organizations
● Medical Database between hospitals and doctors in area

● Hybrid cloud
● Combination of the other service models into a single deployment
● Public cloud for email … but private cloud for storing data
Orchestra and Automation

● IaC (infrastructure as code) is the process of using

text-based commands in a computer-readable
configuration file to create and manage cloud resources
● IaC allows you to log changes made to your cloud
resources
● A programmed, computer-generated response to a
specific event is referred to as automation
● As you convert more of your cloud maintenance and
security tasks into code that can be run from scripts, you
can automate many tasks to work together in a complex
workflow, which is called orchestration
 Connectivity & Security
● Potential risks and limitations include the following:
● ISP outages
● ISP-imposed bandwidth limitations
● Cloud provider’s outages
● Cloud provider’s backup and security systems
● Misconfiguration that exposes one client’s data to another client
● Unauthorized access to data by cloud provider employees or
illegitimate users
● Breaches of confidentiality
● Failure to comply with data security regulations
● Questions over ownership of intellectual property stored in the cloud
● Questions over data maintenance
● Risk to the network, proprietary data, or customer information
caused by BYOC
 Connectivity & Security
● Way to reduce risks of cloud computing include the
following:
● Use encryption
● Carefully choose the method by which your network
connects to your cloud resources
● Consider the following methods:
● Internet
● VPN (virtual private network)
● Remote access connections
● Leased line
● Dedicated direct connection
Network Availability

● Availability - How consistently & reliably a connection,

system, or other network resource can be accessed

● expressed as a percentage, such as 98% or 99.5%

● number of 9s in a system’s availability rating is

sometimes referred to as “four 9s” (99.99 percent) or
“three 9s” (99.9 percent) availability

● sometimes availability is measured as network’s uptime

- duration or % of time it functions normally between
failures
Network Availability
Network Availability

● Uptime
● Microsoft utility
Network Availability

● Uptime
● Linux or UNIX command
Fault Tolerance
● Fault Tolerance
● Capacity for system to continue performing despite
unexpected hardware, software malfunction
● Key -> providing multiple paths that data can travel

● Failure - Deviation from specified system performance

level for a Given time period
● Ex: car breaks down on highway = failure

● Fault - Malfunction of one system component (Can

result in failure)
● Ex: fault (water pump broke) -> car breaks down on
highway
Fault Tolerance

● Fault-tolerant system goal …. Prevent faults from

progressing to failures

● highest level of fault tolerance - system remains

unaffected by even most drastic problem (regional
power outage) - backup power source of generator, is
necessary to ensure fault tolerance
● less dramatic faults - malfunctioning NIC on router - can
cause network outages
Redundancy

● MTBF (mean time between failures) - average amount

of time that will pass for devices exactly like this one
before the next failure is expected to occur
Redundancy

● MTTR (mean time to repair) - Once a device fails -

average amount of time required to repair the device

● Every device fails … just a matter of when

Redundancy

● redundancy - implementation in which more than one

component is installed & ready to use for storing,
processing, or transporting data
● intended to eliminate single points of failure
● high availability - critical network elements are
redundant - connection to Internet or file server’s hard
disk
● Con …. Cost $$$
Redundancy
A network design with many single points of failure

Solution: create a network design that ensures redundancy

for ISP
Redundancy
● utmost fault tolerance … critical device requires
redundant NICs, SFPs, power supplies, cooling fans,
and processors - able to immediately assume the
duties of an identical component - automatic failover
● Ex: Router NIC fails …. router’s other NIC can
automatically handle the first NIC’s responsibilities
● failover-capable components impractical - some level
of fault tolerance by using hot-swappable parts
● hot spare - duplicate component already installed
in device can assume function of failed part
● cold spare - duplicate component not installed, but
can be installed in case of a failure
Redundant Links

● Link aggregation - seamless combo of multiple network

interfaces or ports to act as one logical interface
● port aggregation on Cisco devices
● NIC teaming on Windows devices
● Also goes by .. bonding, bundling, or Cisco’s
EtherChannel
● Three major advantages:
● Increased total throughput
● Automatic failover between the aggregated NICs
● Load balancing - distribution of traffic over multiple
components/links to optimize performance & fault
tolerance
Redundant Links

Two switches treat these three physical links as one logical

link

Link aggregation isn’t about speed of network traffic so

much as bandwidth, or total potential to handle more
network traffic at one time.
Redundant Links

Link aggregation allows two workstations to communicate

with a server at the same time
Redundant Links

● link aggregation - must be properly configured in each

device’s operating system
● Ex: involved interfaces must be configured for full
duplex & have same speed, VLAN & MTU settings
● Many manufacturers use LACP (Link Aggregation
Control Protocol)
● initially defined by IEEE 802.3ad standard
● currently defined by the IEEE 802.1AX standard
● LACP dynamically coordinates communications
between hosts on aggregated connections, kind of like
what DHCP does for IP addressing
Redundant Links

● Most devices offer similar configuration options:

● static configuration—Both hosts are manually configured
to handle division of labor between the redundant links
● passive mode—port passively listens for LACP-defined
link aggregation requests - will not initiate the request
● active mode—port is set to automatically & actively
negotiate for link aggregation using LACP - allows for
fault tolerance should one or more links fail - most
common configuration
Redundant Links
● link aggregation
● This example shows how to configure an EtherChannel on a
switch. It assigns two ports as static-access ports in VLAN 1
to channel 5 with the LACP mode active :

Switch# configure terminal

Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 1
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
Redundant Links

● load balancer - device dedicated to task of distributing

traffic intelligently among multiple computers
● can determine which among a pool of servers is
experiencing most traffic before forwarding request to a
server with lower utilization
● Clustering - grouping multiple devices so they appear as
a single device to the rest of the network
● Can be configured with groups of servers, routers, or
applications
Redundant Links

● Two web servers work together in a cluster to host a

single website

popular website can respond more quickly to the high

number of visitors
Redundant Links

● Set of IP addresses to share among multiple hosts

● Ex: multiple routers that support multiple interfaces -
routers as a fault-tolerant cluster - list of several IP
addresses pointing to the cluster as a group
● CARP (Common Address Redundancy Protocol) - allows
pool computers/interfaces to share one/more IP
addresses
● pool = group of redundancy or redundancy group
● one device - acting as group master - receives requests for
IP address - parcels out requests to one of several devices
in group
Redundant Links

● CARP is a free alternative to …

● VRRP (Virtual Router Redundancy Protocol)
● Cisco’s propriety version called HSRP (Hot Standby Routing
Protocol)
● VRRP & HSRP function somewhat differently than CARP
& used solely for routers - general idea is the same
Redundant Links
● HSRP & VRRP used to provide redundant routed paths out of a
subnet, presented as a single address - useful to provide
redundant default gateway connectivity for end hosts
● Active router will answer for all traffic sent to 192.168.0.1,
& standby router will take over should active router fail
Redundant Links

● Clustering servers used in many ways to pool resources

on network & provide redundancy for fault tolerance
● pooling servers that host VMs - VMs are configured with
varying amounts of redundancy to provide fault
tolerance
● VMs connect to a network via a vSwitch (virtual switch)
in the host’s hypervisor
● vSwitch can service VMs across multiple hosts
● called distributed switching
Redundant Links

● vSwitch can service VMs across multiple hosts

● called distributed switching