
Network Design Chapter 2

CHAPTER 2
Structuring and Modularizing the Network

Hierarchical Network Model


The hierarchical network model provides a framework that network designers can use to help ensure that the network is flexible and easy to implement and troubleshoot. To meet the four fundamental design goals, a network must be built on an architecture that allows for both flexibility and growth.
In networking, a hierarchical design is used to group devices into multiple networks. The networks are organized in a layered approach. This model has three basic layers:
• Core layer: Connects distribution layer devices
• Distribution layer: Interconnects the smaller local networks
• Access layer: Provides connectivity for network hosts and end devices
Figure: Hierarchical Network

Core Layer Design Considerations


The core layer is responsible for transporting large amounts of data quickly and reliably. The designer must ensure that the core layer is designed with fault tolerance, especially because all users in the network can be affected by a failure. The ability to avoid unnecessary delays in network traffic quickly becomes a top priority for the network designer.
The core layer is sometimes called the network backbone. Routers and switches at the core layer provide high-speed connectivity. In an enterprise LAN, the core layer, shown in the figure below, may connect multiple buildings or multiple sites, and may provide connectivity to the server farm. The core layer includes one or more links to the devices at the enterprise edge to support Internet, virtual private network (VPN), extranet, and WAN access.

Compiled By Chalachew A. 1|Page



Implementing a core layer reduces the complexity of the network, making it easier to manage and troubleshoot.
The core layer design enables the efficient, high-speed transfer of data between one section of the network and another. The primary design goals at the core layer are as follows:
• Provide 100% uptime, maximize throughput, and facilitate network growth.
Technologies used at the core layer include the following:
• Routers or multilayer switches that combine routing and switching in the same device
• Routing protocols that scale well and converge quickly, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF)
• Redundant links
Implementing redundant links at the core layer ensures that network devices can find alternate paths to send data in the event of a failure. When Layer 3 devices are placed at the core layer, these redundant links can be used for load balancing in addition to providing backup. In a flat, Layer 2 network design, Spanning Tree Protocol (STP) disables redundant links unless a primary link fails. This STP behavior prevents load balancing over the redundant links. To provide this redundancy, most core layers in a network are wired in either a full-mesh or partial-mesh topology.


Figure: Redundancy in mesh Topology

Preventing Failures
Failures at the core layer can potentially affect all users of the network. Therefore, preventing
failures becomes a daunting task. The network designer has to incorporate features or additions to
the design to minimize or eliminate the effects of a core layer failure. The users on a network do not
want to wait to complete their daily tasks because of a lack of care in the design.The network
designer must strive to provide a network that is resistant to failures and that can recover quickly in
the event of a failure. Core routers and switches can contain the following:
 Dual power supplies and fans
 A modular chassis-based design
 Additional management modules
Redundant components increase the cost,but they are usually well worth the investment. Core layer devices
should havehot-swappable components whenever possible. Larger enterprises often install generators and
large uninterruptible power supply (UPS) devices. These devices prevent minor power outages from causing
large-scale network failures.

Reducing Human Error


Human errors contribute to network failures. Unfortunately, the addition of redundant links and equipment cannot eliminate these factors. Many network failures are the result of poorly planned, untested updates or additions of new equipment. Never make a configuration change on a production network without first testing it in a lab environment. Failures at the core layer cause widespread outages. It is critical to have written policies and procedures in place to govern how changes are approved, tested, installed, and documented. Plan a back-out strategy to return the network to its previous state in case changes are not successful.

Distribution Layer Design Considerations


This layer is associated with routing and filtering, and it is the communication point between the core layer and the access layer. A network designer must create a distribution layer design that complements the needs of the other two layers. The distribution layer represents a routing boundary between the access layer and the core layer. It also serves as a connection point between remote sites and the core layer.

Distribution Layer Routing


The access layer is commonly built using Layer 2 switching technology. The distribution layer is built using Layer 3 devices. Routers or multilayer switches, located at the distribution layer, provide many functions critical for meeting the goals of the network design, including the following:
• Filtering and managing traffic flows
• Enforcing access control policies
• Summarizing routes before advertising the routes to the core
• Isolating the core from access layer failures or disruptions
• Routing between access layer VLANs
Distribution layer devices are also used to manage queues and prioritize traffic before transmission through the campus core.
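The route summarization listed above can be worked through concretely. The following Python is an added example (not from these notes and not vendor code) that uses the standard-library ipaddress module to compute what a distribution switch would advertise toward the core for a set of access-layer VLAN subnets. The VLAN prefixes are constructed sample values. Besides the single covering summary, it also reports any address space the summary would advertise that no VLAN actually uses, which is the check a designer makes before choosing between one wide summary and a few exact ones.

```python
import ipaddress
from typing import Iterable, List

# Constructed access-layer VLAN subnets behind one distribution block
# (sample prefixes chosen for the example, not taken from the notes).
VLAN_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]


def smallest_supernet(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Single smallest prefix that covers every given prefix (one summary route)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    # Widen the mask one bit at a time until every VLAN subnet falls inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_routes(prefixes: Iterable[str]) -> List[str]:
    """Exact summarization: merge only adjacent or overlapping prefixes, so the
    advertised set covers precisely the VLAN subnets (possibly several routes)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def uncovered_space(summary: str, prefixes: Iterable[str]) -> List[str]:
    """Address space inside `summary` that no VLAN subnet uses.
    A non-empty result means the summary attracts traffic for destinations
    that do not exist behind this distribution block."""
    holes = [ipaddress.ip_network(str(summary))]
    for p in prefixes:
        n = ipaddress.ip_network(p)
        next_holes = []
        for hole in holes:
            if n.subnet_of(hole):
                # Carve the VLAN out of the hole (yields nothing when equal).
                next_holes.extend(hole.address_exclude(n))
            elif hole.subnet_of(n):
                continue  # hole is entirely inside a VLAN: fully used
            else:
                next_holes.append(hole)
        holes = next_holes
    return [str(h) for h in ipaddress.collapse_addresses(holes)]


if __name__ == "__main__":
    one = smallest_supernet(VLAN_SUBNETS)
    print("single summary:", one)
    print("exact summaries:", summary_routes(VLAN_SUBNETS))
    print("unused space inside summary:", uncovered_space(str(one), VLAN_SUBNETS))
```

With four contiguous /24s both approaches yield 10.1.0.0/22 and nothing is over-advertised; remove 10.1.2.0/24 from the list and the single summary stays 10.1.0.0/22 while the exact set becomes 10.1.0.0/23 plus 10.1.3.0/24, with 10.1.2.0/24 reported as unused space.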


Trunks
Trunk links are often configured between access and distribution layer networking devices. Trunks are used to carry traffic that belongs to multiple VLANs between devices over the same link. The network designer considers the overall VLAN strategy and network traffic patterns when designing the trunk links.
Distribution Layer Topology
Distribution layer networks are usually wired in a partial-mesh topology. This topology provides enough redundant paths to ensure that the network can survive a link or device failure. When the distribution layer devices are located in the same wiring closet or data center, they are interconnected using gigabit links. When the devices are separated by longer distances, fiber cable is used. Switches that support multiple high-speed fiber connections can be expensive, so careful planning is necessary to ensure that enough fiber ports are available to provide the desired bandwidth and redundancy.

Traffic Filtering at the Distribution Layer


Access control lists (ACLs) are a tool that can be used at the distribution layer to limit access and to prevent unwanted traffic from entering the core network. An ACL is a list of conditions used to test network traffic that attempts to travel through a router interface. ACL statements identify which packets to accept and which to deny.
To filter network traffic, the router examines each packet and then either forwards or discards it, based on the conditions specified in the ACL. There are different types of ACLs for different purposes. Standard ACLs filter traffic based on the source address. Extended ACLs can filter based on multiple criteria, such as source address, destination address, protocol, port number or application, and whether the packet is part of an established TCP stream.
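The evaluation rules just described (statements tested top to bottom, first match wins, implicit deny at the end, standard ACLs looking only at the source, extended ACLs at several fields) can be modelled in a few dozen lines. The following Python is an added example written for these notes, not router code: it defines a small ACL model and evaluates constructed sample packets from a hypothetical access VLAN 10.1.1.0/24 heading toward a hypothetical server farm 10.10.0.0/16. The `established` test is implemented the way the keyword actually works, as a check on the TCP ACK/RST flags rather than on connection state, which is the caveat to keep in mind when relying on it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """The header fields an ACL inspects (constructed sample packets, not captures)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port; 0 when not applicable
    ack: bool = False     # TCP ACK flag set
    rst: bool = False     # TCP RST flag set


@dataclass
class Entry:
    """One ACL statement; a standard ACL uses only action and src."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source prefix ("any" is 0.0.0.0/0)
    dst: str = "0.0.0.0/0"        # destination prefix (extended ACLs only)
    proto: str = "ip"             # "ip" matches any protocol
    dport: Optional[int] = None   # None means any destination port
    established: bool = False     # match only segments of an existing TCP session


def matches(entry: Entry, pkt: Packet, extended: bool) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(entry.src):
        return False
    if not extended:
        return True  # a standard ACL only ever tests the source address
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(entry.dst):
        return False
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    # "established" is a flag check only: TCP with ACK or RST set.
    # It keeps no session table, so it is not a stateful firewall.
    if entry.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet, extended: bool = True) -> Tuple[str, Optional[int]]:
    """Test statements in order; the first match decides. Returns (action, index),
    with index None when the implicit deny at the end of the list applies."""
    for index, entry in enumerate(acl):
        if matches(entry, pkt, extended):
            return entry.action, index
    return "deny", None


# Constructed example: ACLs applied to traffic leaving access VLAN 10.1.1.0/24
# toward the core; 10.10.0.0/16 is a hypothetical server farm prefix.
STANDARD_ACL = [Entry("permit", src="10.1.1.0/24")]
EXTENDED_ACL = [
    Entry("permit", "10.1.1.0/24", "10.10.0.0/16", "tcp", dport=443),      # HTTPS to the server farm
    Entry("permit", "10.1.1.0/24", "0.0.0.0/0", "tcp", established=True),  # replies to sessions opened toward the VLAN
    Entry("deny",   "10.1.1.0/24", "10.10.0.0/16"),                        # nothing else into the server farm
    Entry("permit", "10.1.1.0/24"),                                        # other traffic may cross the core
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.25", "10.10.5.8", "tcp", 443),
                Packet("10.1.1.25", "10.10.5.8", "tcp", 23),
                Packet("192.168.9.9", "10.10.5.8", "tcp", 443)):
        print(pkt, "->", evaluate(EXTENDED_ACL, pkt))
```

Running the three sample packets shows HTTPS permitted by the first statement, telnet to the server farm denied by the third, and a packet from outside the VLAN's range falling through to the implicit deny. The same telnet packet passes the standard ACL, which cannot see ports or destinations.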
Access Layer Design Considerations
The access layer is used to control user access to the internetwork resources. The network designer
has to facilitate the traffic generated from the access layer as it is bound for other segments or
other layers within the network. Without an appropriate design, the access layer could quickly
become inundated with traffic, resulting in less-than-acceptable performance for the end users.
The access layer represents the edge of the network where end devices connect. Access layer services and devices reside inside each building of a campus, each remote site and server farm, and at the enterprise edge.
The access layer of the campus infrastructure uses Layer 2 switching technology to provide access into the network. The access can be either through a permanent wired infrastructure or through wireless access points. Ethernet over copper wiring poses distance limitations. Therefore, one of the primary concerns when designing the access layer of a campus infrastructure is the physical location of the equipment.

Wiring Closets
Wiring closets can be actual closets or small telecommunication rooms that act as the termination point for infrastructure cabling within buildings or within floors of a building. The placement and physical size of the wiring closets depend on network size and expansion plans.
The wiring closet equipment provides power to end devices such as IP phones and wireless access points. Many access layer switches have Power-over-Ethernet (PoE) functionality.

The Need for Availability at the Access Layer


In early networks, high availability was usually present only at the network core, enterprise edge, and data center networks. With IP telephony, there is now an expectation that every individual telephone should be available 100 percent of the time. Redundant components and failover strategies can be implemented at the access layer to improve reliability and increase availability for the end devices.
Network Topologies at the Access Layer
Most recent Ethernet networks use a star topology, which is sometimes called a hub-and-spoke
topology. In a star topology, each end device has a direct connection to a single networking device.
This single networking device is usually a Layer 2 or multilayer switch. A wired star topology in the
access layer typically has no redundancy from individual end devices to the switch. For many
businesses, the cost of additional wiring to create redundancy is usually too high. However, if costs
are not a factor, the network can be configured as a full-mesh topology to ensure redundancy.

Using a Modular Approach to Network Design


This section expands on the Cisco Service-Oriented Network Architecture (SONA) framework and explores
the six modules of the Cisco Enterprise Architecture, with an emphasis on the network infrastructure design
considerations.

The access, distribution, and core layers can appear within each module of the Cisco Enterprise
Architecture. The modularity built into the architecture allows flexibility in network design and facilitates
implementation and troubleshooting. Before the details of the architecture itself are introduced, an overview
of the evolution of enterprise networks is provided.

Evolution of Enterprise Networks


As introduced earlier, the hierarchical model divides the enterprise network design (separately for both campus and WAN networks) into the access, distribution, and core layers. This solution has several weaknesses, especially for large networks, which are difficult to implement, manage, and, particularly, troubleshoot. Networks became complex, and it was difficult to evaluate a network solution end-to-end through the network. The hierarchical model does not scale well to these large networks.

An efficient method of solving and scaling a complex task is to break it into smaller, more specialized tasks. Networks can easily be broken down into smaller pieces because they have natural physical, logical, and functional boundaries. The Cisco Enterprise Architecture divides the enterprise network along further physical, logical, and functional boundaries to scale the hierarchical model. Now, rather than designing networks using only the hierarchical model, networks can be designed using this Cisco Enterprise Architecture, with hierarchy (access, distribution, and core) included in the various modules, as required.

Functional Areas of the Cisco Enterprise Architecture


At the first layer of modularity in the Cisco Enterprise Architecture, the entire network is divided into
functional components. The access, distribution, and core layers can appear in any functional area or module
of the Cisco Enterprise Architecture. The Cisco Enterprise Architecture comprises the following major
functional areas (also called modules): Enterprise Campus, Enterprise Edge, Service Provider, and Remote.

Figure: Cisco Enterprise Architecture

Enterprise Campus Modules


An enterprise campus site is a large site that is often the corporate headquarters or a major office. Regional offices, SOHOs, and mobile workers might have to connect to the central campus for data and information. As illustrated in the following figure, the Enterprise Campus functional area includes the Campus Infrastructure module and a Server Farm module.

Figure: Enterprise Campus Functional Area


Campus Infrastructure Module
The Campus Infrastructure module consists of several buildings connected across a Campus Core. It connects devices within a campus to the Server Farm and Enterprise Edge modules. A single building in a Campus Infrastructure design contains a Building Access layer and a Building Distribution layer. When more buildings are added to the Campus Infrastructure, a backbone or Campus Core layer is added between buildings. The Campus Infrastructure module includes three layers: the Building Access layer, the Building Distribution layer, and the Campus Core layer.
Server Farm Module
A high-capacity, centralized server farm module provides users with internal server resources. In addition, it
typically supports network management services for the enterprise, including monitoring, logging, and
troubleshooting, and other common management features from end to end.
The Server Farm module typically contains internal e-mail and other corporate servers that provide internal
users with application, file, print, e-mail, and Domain Name System (DNS) services. Because access to
these servers is vital, as a best practice, they are typically connected to two different switches to enable full
redundancy or load sharing. Moreover, the Server Farm module switches are cross-connected with the
Campus Core layer switches, thereby enabling high reliability and availability of all servers in the Server
Farm module.

Enterprise Edge Modules


These modules aggregate the connectivity from the various elements outside the campus, using various services and WAN technologies as needed (typically provisioned from service providers), and route the traffic into the Campus Core layer. These modules perform security functions when enterprise resources connect across public networks and the Internet. This area is composed of four main modules: E-commerce, Internet Connectivity, Remote Access and VPN, and WAN and MAN and Site-to-Site VPN.

Figure: Enterprise Edge Functional Area


E-commerce Module
The E-commerce module enables enterprises to successfully deploy e-commerce applications and take
advantage of the opportunities the Internet provides. All e-commerce transactions pass through a series of
intelligent services that provide scalability, security, and high availability within the overall e-commerce
network design.
Internet Connectivity Module
The Internet Connectivity module provides internal users with connectivity to Internet services, such as
HTTP, FTP, Simple Mail Transfer Protocol (SMTP), and DNS. This module also provides Internet users
with access to information published on an enterprise's public servers, such as HTTP and FTP servers.
Remote Access and VPN Module
The Remote Access and VPN module terminates remote access traffic and VPN traffic that the Internet
Connectivity Module forwards from remote users and remote sites. It also uses the Internet Connectivity
module to initiate VPN connections to remote sites. Furthermore, the module terminates dial-in connections
received through the public switched telephone network (PSTN) and, after successful authentication, grants
dial-in users access to the network.

WAN and MAN and Site-to-Site VPN Module


This module uses various WAN technologies, including site-to-site VPNs, to route traffic between remote
sites and the central site. In addition to traditional media (such as leased lines) and circuit-switched data-link
technologies (such as Frame Relay and ATM), this module can use more recent WAN physical layer
technologies, including Synchronous Optical Network/Synchronous Digital Hierarchy (SDH), cable, DSL,
MPLS, Metro Ethernet, wireless, and service provider VPNs. This module incorporates all Cisco devices
that support these WAN technologies, and routing, access control, and QoS mechanisms.
Service Provider Modules
The enterprise itself does not implement these modules; however, they are necessary to enable communication with other networks, using a variety of WAN technologies, and with Internet service providers (ISPs). The modules within the Service Provider functional area are the Internet Service Provider, PSTN, and Frame Relay/ATM modules.
Internet Service Provider Module
This module represents enterprise IP connectivity to an ISP network for basic access to the Internet or for
enabling Enterprise Edge services, such as those in the E-commerce, Remote Access and VPN, and Internet
Connectivity modules. Enterprises can connect to two or more ISPs to provide redundant connections to the
Internet. The physical connection between the ISP and the enterprise can use any of the WAN technologies.
Public Switched Telephone Network Module
The PSTN module represents all nonpermanent WAN connections. It represents the dialup infrastructure for accessing the enterprise network using ISDN, analog, and wireless telephony (cellular) technologies. Enterprises can also use this infrastructure to back up existing WAN links; WAN backup connections are generally established on demand and torn down after an idle timeout.
Frame Relay/ATM Module
This module covers all WAN technologies for permanent connectivity with remote locations.
Traditional Frame Relay and ATM are still used; however, despite the module's name, it also represents
many modern technologies. The technologies in this module include the following:
• Frame Relay is a connection-oriented, packet-switching technology designed to efficiently transmit data traffic at data rates of up to those used by E3 and T3 connections. Its capability to connect multiple remote sites across a single physical connection reduces the number of point-to-point physical connections required to link sites. E3 is a European standard with a bandwidth of 34.368 megabits per second (Mbps). T3 is a North American standard with a bandwidth of 44.736 Mbps.
• ATM is a higher-speed alternative to Frame Relay. It is a high-performance, cell-oriented, switching and multiplexing technology for carrying different types of traffic.
Remote Enterprise Modules
The three modules supporting remote enterprise locations are the Enterprise Branch, the Enterprise Data
Center, and the Enterprise Teleworker.
Enterprise Branch Module
This module extends the enterprise by providing each location with a resilient network architecture with
integrated security, Cisco Unified Communications, and wireless mobility.A branch office is sometimes
called a remote site, remote office, or sales office. Branch office users must be able to connect to the central
site to access company information. The Enterprise Branch module typically uses a simplified version of the
Campus Infrastructure module design.
Enterprise Data Center Module
This module has an architecture that is similar to the campus Server Farm module discussed earlier. The
Enterprise Data Center network architecture allows the network to evolve into a platform that enhances the
application, server, and storage solutions and equips organizations to manage increased security, cost, and
regulatory requirements while providing the ability to respond quickly to changing business environments.

Enterprise Teleworker Module


This module provides people in geographically dispersed locations, such as home offices or hotels, with highly secure access to central-site applications and network services. It supports a small office with one to several employees or the home office of a telecommuter. Telecommuters might also be mobile users who need access while traveling or who do not work at a fixed company site.
Mobile users tend to access the company network using a broadband Internet service and the VPN client software on their laptops or via an asynchronous dialup connection through the telephone company. These solutions provide simple and safe access for teleworkers to the corporate network site, according to the needs of the users at the sites.

Infrastructure Services within Modular Networks


Businesses that operate large enterprise networks strive to create an enterprise-wide networked
infrastructure and interactive services to serve as a solid foundation for business and collaborative
applications. This section explores some of the interactive services with respect to the modules that form the
Cisco Enterprise Architecture.
A network service is a supporting and necessary service, but not an ultimate solution. For example, security and QoS are not ultimate goals for a network; they are necessary to enable other services and applications and are therefore classified as network services. However, IP telephony might be an ultimate goal of a network and is therefore a network application (or solution), rather than a service.
Interactive Services
Since the inception of packet-based communications, networks have always offered a forwarding service. Forwarding is the fundamental activity within an internetwork. In IP, this forwarding service was built on the assumption that end nodes in the network were intelligent, and that the network core did not have intelligence. With advances in networking software and hardware, the network can offer an increasingly rich, intelligent set of mechanisms for forwarding information. Interactive services add intelligence to the network infrastructure, beyond simply moving a datagram between two points. For example, through intelligent network classification, the network distinguishes and identifies traffic based on application content and context. Advanced network services use the traffic classification to regulate performance, ensure security, facilitate delivery, and improve manageability.

Network applications such as IP telephony support the entire enterprise network environment from the teleworker to the campus to the data center. These applications are enabled by critical network services and provide a common set of capabilities to support the application's networkwide requirements, including security, high availability, reliability, flexibility, responsiveness, and compliance.
Recall that the SONA interactive services layer includes both application networking services and infrastructure services. For example, the following infrastructure services enhance classic network functions to support today's application environments by mapping the application's requirements to the resources that they require from the network:
• Security services: Ensure that all aspects of the network are secure, from devices connecting to the network to secured transport to data theft prevention
• Mobility services: Allow users to access network resources regardless of their physical location
• Storage services: Provide distributed and virtual storage across the infrastructure
• Voice and collaboration services: Deliver the foundation by which voice can be carried across the network, such as security and high availability
• Compute services: Connect and virtualize compute resources based on the application
• Identity services: Map resources and policies to the user and device
The following sections explore some of the infrastructure services and application networking services.
Security Services in a Modular Network Design


Security is an infrastructure service that increases the network's integrity by protecting network resources
and users from internal and external threats. Security both in the Enterprise Campus (internal security) and
at the Enterprise Edge (from external threats) is important. An enterprise should include several layers of
protection so that a breach at one layer or in one network module does not mean that other layers or modules
are also compromised; Cisco calls deploying layered security defense-in-depth.
Internal Security
Strongly protecting the internal Enterprise Campus by including security functions in each individual element is important for the following reasons:
• If the security established at the Enterprise Edge fails, an unprotected Enterprise Campus is vulnerable. Deploying several layers of security increases the protection of the Enterprise Campus, where the most strategic assets usually reside.
• Relying on physical security is not enough. For example, as a visitor to the organization, a potential attacker could gain physical access to devices in the Enterprise Campus.
• Often external access does not stop at the Enterprise Edge; some applications require at least indirect access to the Enterprise Campus resources. Strong security must protect access to these resources.
The following are some recommended security practices in each module:
• At the Building Access layer, access is controlled at the port level using the data link layer information. Some examples are filtering based on media access control addresses and IEEE 802.1X port authentication.
• The Building Distribution layer performs filtering to keep unnecessary traffic from the Campus Core. This packet filtering can be considered a security function because it does prevent some undesired access to other modules. Given that switches in the Building Distribution layer are typically multilayer switches (and are therefore Layer 3–aware), this is the first place on the data path in which filtering based on network layer information can be performed.
• The Campus Core layer is a high-speed switching backbone and should be designed to switch packets as quickly as possible; it should not perform any security functions, because doing so would slow down the switching of packets.
• The Server Farm module's primary goal is to provide application services to end users and devices. The Server Farm module typically includes network management systems to securely manage all devices and hosts within the enterprise architecture. For example, syslog provides important information on security violations and configuration changes by logging security-related events (authentication and so on). An authentication, authorization, and accounting (AAA) security server also works with a one-time password (OTP) server to provide a high level of security to all local and remote users. AAA and OTP authentication reduces the likelihood of a successful password attack.
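The last bullet says that syslog in the Server Farm module records security violations and configuration changes. As an added example (not from these notes and not vendor code), the following Python reads a few constructed, simplified IOS-style syslog lines and raises the two alerts a network management system would want from them: repeated login failures from one source inside a short window (the password guessing that AAA and OTP are meant to blunt) and configuration changes made by anyone outside an approved list of change operators (the change-control policy from the core layer section). The hostnames, addresses, user names and the line layout are all constructed; real device output carries extra fields and varies by platform, so the regular expressions would need adjusting before use on live logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed, simplified IOS-style syslog lines (sample data, not device output).
LOG_LINES = """\
2024-05-06T02:10:01 dist-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.77] [localport: 22] [Reason: Login Authentication Failed]
2024-05-06T02:10:04 dist-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.77] [localport: 22] [Reason: Login Authentication Failed]
2024-05-06T02:10:09 dist-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.77] [localport: 22] [Reason: Login Authentication Failed]
2024-05-06T02:10:15 dist-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.1.1.77] [localport: 22] [Reason: Login Authentication Failed]
2024-05-06T09:30:12 dist-sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.2.5] [localport: 22]
2024-05-06T09:31:40 dist-sw1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.2.5)
2024-05-06T23:47:03 core-sw1 %SYS-5-CONFIG_I: Configured from console by temp on vty1 (10.1.1.77)
"""

# "<timestamp> <host> %FACILITY-SEVERITY-MNEMONIC: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+): (?P<val>[^\]]+)\]")       # "[user: admin]" style fields
CONFIG_RE = re.compile(r"by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)")  # CONFIG_I message body


def parse(line: str) -> Optional[Dict[str, object]]:
    """Split one line into header fields plus any bracketed or CONFIG_I fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = dict(m.groupdict())
    ev["ts"] = datetime.fromisoformat(m.group("ts"))
    ev.update({k.lower(): v for k, v in FIELD_RE.findall(m.group("msg"))})
    c = CONFIG_RE.search(m.group("msg"))
    if c:
        ev["user"], ev["source"] = c.group("user"), c.group("src")
    return ev


def parse_all(text: str) -> List[Dict[str, object]]:
    return [ev for ev in (parse(line) for line in text.splitlines()) if ev]


def failed_login_bursts(events, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Sources with at least `threshold` LOGIN_FAILED events inside any `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["mnemonic"] == "LOGIN_FAILED":
            by_src[ev.get("source", "?")].append(ev["ts"])
    flagged = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return flagged


def unapproved_config_changes(events, approved_users) -> List[Tuple[str, str, str]]:
    """CONFIG_I events made by anyone outside the approved change operators."""
    return [(ev["host"], ev["user"], ev["source"]) for ev in events
            if ev["mnemonic"] == "CONFIG_I" and ev["user"] not in approved_users]


def analyze(text: str, approved_users=frozenset({"netops"})) -> dict:
    events = parse_all(text)
    return {"brute_force_sources": failed_login_bursts(events),
            "unapproved_config_changes": unapproved_config_changes(events, approved_users)}


if __name__ == "__main__":
    print(analyze(LOG_LINES))
```

On the sample lines the analysis flags 10.1.1.77 (four failures in 14 seconds against three different usernames) and the late-night change on core-sw1 by the unapproved user "temp", which came from that same address; the change by "netops" passes because that account is on the approved list.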
IPS and IDS
IDSs act like an alarm system in the physical world. When an IDS detects something it considers an attack,
it either takes corrective action or notifies a management system so that an administrator can take action.
Intrusion prevention solutions form a core element of a successful security solution because they detect and
block attacks, including worms, network viruses, and other malware through inline intrusion prevention,
innovative technology, and identification of malicious network activity.
Authentication, Authorization, and Accounting (AAA)
AAA is a crucial aspect of network security that should be considered during the network design. An AAA server handles the following:
• Authentication (Who?): Authentication checks the user's identity, typically through a username and password combination.
• Authorization (What?): After the user is authenticated, the AAA server dictates what activity the user is allowed to perform on the network.
• Accounting (When?): The AAA server can record the length of the session, the services accessed during the session, and so forth.
External Threats
When designing security in an enterprise network, the Enterprise Edge is the first line of defense at which
potential outside attacks can be stopped. The Enterprise Edge is like a wall with small doors and strong
guards that efficiently control any access. The following four attack methods are commonly used in attempts
to compromise the integrity of the enterprise network from the outside:
 IP spoofing: An IP spoofing attack occurs when a hacker uses a trusted computer to launch an attack
from inside or outside the network. The hacker uses either an IP address that is in the range of a
network's trusted IP addresses or a trusted external IP address that provides access to specified
resources on the network.
 Password attacks: Using a packet sniffer to determine usernames and passwords is a simple password
attack; however, the term password attack usually refers to repeated brute-force attempts to identify
username and password information. Trojan horse programs are another method that can be used to
determine this information. A hacker might also use IP spoofing as a first step in a system attack by
violating a trust relationship based on source IP addresses. First, however, the system would have to be
configured to bypass password authentication so that only a username is required.
 DoS attacks: DoS attacks are different from most other attacks because they are not generally targeted
at gaining access to a network or its information. Rather, these attacks focus on making a service
unavailable for normal use. They are typically accomplished by exhausting some resource limitation on
the network or within an operating system or application. When involving specific network server
applications, such as a web server or an FTP server, these attacks focus on acquiring and keeping open
all the available connections supported by that server, thereby effectively locking out valid users of the
server or service. DoS attacks are also implemented using common Internet protocols, such as TCP and
Internet Control Message Protocol (ICMP).
 Application layer attacks: Application layer attacks typically exploit well-known weaknesses in
common software programs to gain access to a computer. Hackers perform application layer attacks
using several different methods. One of the most common methods is exploiting well-known
weaknesses in software commonly found on servers, such as SMTP, HTTP, and FTP. By exploiting
these weaknesses, hackers gain access to a computer with the permissions of the account that runs the
application.
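Two of the Enterprise Edge defenses implied by the list above, as an added Python example that is not part of the chapter: an ingress anti-spoofing check that drops packets arriving on the outside interface with a source address from the trusted internal range, and a detector that flags repeated failed logins from one source inside a sliding window (the brute-force password attack described above). The internal prefix 10.0.0.0/8, the window, the threshold and the log events are all constructed assumptions.

```python
"""Added example (not from the chapter): two defensive checks for threats the
text lists. Constructed sample data; the trusted prefix and thresholds are
assumptions, not values from the chapter."""
import ipaddress
from collections import defaultdict, deque

# Internal address space that must never appear as a *source* on the outside
# interface; such a packet is spoofed. Assumption: 10.0.0.0/8 is the enterprise.
TRUSTED_INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


def ingress_antispoof(src_ip: str, arrived_on_outside: bool) -> str:
    """Return 'drop' for an outside packet claiming an inside source, else 'pass'."""
    addr = ipaddress.ip_address(src_ip)
    if arrived_on_outside and any(addr in net for net in TRUSTED_INTERNAL):
        return "drop"
    return "pass"


def detect_bruteforce(events, window=60, threshold=5):
    """Flag sources with at least `threshold` failed logins inside `window` seconds.
    events: iterable of (timestamp_seconds, src_ip, username, success)."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
    flagged = {}                 # src_ip -> timestamp at which it was first flagged
    for ts, src, _user, ok in sorted(events):
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


# Constructed authentication-log events: (time, source, user, success).
# 198.51.100.7 fails five times in 32 seconds; 203.0.113.9 fails slowly, then succeeds.
SAMPLE_EVENTS = [(t, "198.51.100.7", "admin", False) for t in range(0, 40, 8)]
SAMPLE_EVENTS += [(t, "203.0.113.9", "alice", False) for t in (0, 120, 240, 360, 480)]
SAMPLE_EVENTS += [(500, "203.0.113.9", "alice", True)]


if __name__ == "__main__":
    print(ingress_antispoof("10.1.2.3", arrived_on_outside=True))
    print(ingress_antispoof("198.51.100.7", arrived_on_outside=True))
    print(detect_bruteforce(SAMPLE_EVENTS))
```

The anti-spoofing check is deliberately direction-aware: the same internal source address is legitimate on an inside interface, so the rule is applied only where the packet enters from the outside.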
High-Availability Services in a Modular Network Design


Designing High Availability into a Network
Redundant network designs duplicate network links and devices, eliminating single points of failure on the
network. The goal is to duplicate components whose failure could disable critical applications. Because
redundancy is expensive to deploy and maintain, redundant topologies should be implemented with care.
Redundancy adds complexity to the network topology and to network addressing and routing. The level of
redundancy should meet the organization's availability and affordability requirements. Before selecting
redundant design solutions, analyze the business and technical goals and constraints to establish the required
availability and affordability. Critical applications, systems, internetworking devices, and links must be
identified. Analyze the risk tolerance and the consequences of not implementing redundancy, and ensure
that you consider the trade-offs of redundancy versus cost and simplicity versus complexity. Redundancy is
not provided by simply duplicating all links. Unless all devices are completely fault-tolerant, redundant
links should terminate at different devices; otherwise, devices that are not fault-tolerant become single
points of failure. The key requirement in redundancy is to provide alternative paths for mission-critical
applications. Simply making the backbone fault-tolerant does not ensure high availability.
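The point that redundant links must terminate on different devices, as an added Python example that is not part of the chapter: a topology is modelled as a graph and its single points of failure are found as articulation points (nodes whose removal disconnects the graph). The two constructed topologies contrast an access switch with two uplinks to the same distribution switch against the same two uplinks split across two distribution switches. Device names are illustrative.

```python
"""Added example (not from the chapter): locate single points of failure in a
topology by computing articulation points (cut vertices, Tarjan's algorithm).
Topologies and device names are constructed for illustration."""
from collections import defaultdict


def articulation_points(edges):
    """Return the set of nodes whose removal disconnects the graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    disc, low, parent, result = {}, {}, {}, set()
    counter = [0]

    def dfs(u):
        disc[u] = low[u] = counter[0]
        counter[0] += 1
        children = 0
        for v in graph[u]:
            if v not in disc:
                parent[v] = u
                children += 1
                dfs(v)
                low[u] = min(low[u], low[v])
                # Root is a cut vertex if it has more than one DFS child.
                if parent.get(u) is None and children > 1:
                    result.add(u)
                # Non-root is a cut vertex if a child cannot reach above it.
                if parent.get(u) is not None and low[v] >= disc[u]:
                    result.add(u)
            elif v != parent.get(u):
                low[u] = min(low[u], disc[v])

    for node in list(graph):
        if node not in disc:
            dfs(node)
    return result


# Two uplinks from the access switch, both terminating on ONE distribution switch.
SAME_DEVICE = [("access1", "dist1"), ("access1", "dist1"),
               ("dist1", "core1"), ("dist1", "core2"), ("core1", "core2")]

# The same two uplinks terminating on DIFFERENT distribution switches.
DIFFERENT_DEVICES = [("access1", "dist1"), ("access1", "dist2"),
                     ("dist1", "core1"), ("dist2", "core2"), ("core1", "core2"),
                     ("dist1", "dist2")]


def single_points_of_failure(edges, protected):
    """Cut vertices other than the protected endpoint itself (the access switch
    whose failure only affects its own directly attached users)."""
    return articulation_points(edges) - {protected}


if __name__ == "__main__":
    print(single_points_of_failure(SAME_DEVICE, "access1"))
    print(single_points_of_failure(DIFFERENT_DEVICES, "access1"))
```

Duplicating the uplink does nothing for availability in the first topology because both copies depend on dist1; the second topology has no cut vertex between the access switch and the core, which is the property the text calls an alternative path.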

Voice Services in a Modular Network Design


To ensure successful implementation of voice applications, network designers must consider the enterprise
services and infrastructure, and its configuration. For example, to support VoIP, the underlying IP
infrastructure must be functioning and robust.
Two Voice Implementations
Voice transport is a general term that can be divided into the following two implementations:
 VoIP: VoIP uses voice-enabled routers to convert analog voice into IP packets or packetized digital
voice channels and route those packets between corresponding locations. Users do not often notice that
VoIP is implemented in the network. Voice-enabled routers can also terminate IP phones using Session
Initiation Protocol for call control and signaling.
 IP telephony: For IP telephony, traditional phones are replaced with IP phones. A server for call control
and signaling, such as a Cisco Unified Communications Manager, is also used. The IP phone itself
performs voice-to-IP conversion, and no voice-enabled routers are required within the enterprise
network. However, if a connection to the PSTN is required, a voice-enabled router or other gateway in
the Enterprise Edge is added where calls are forwarded to the PSTN.
Wireless Services in a Modular Network
A wireless LAN (WLAN) supports mobile clients connecting to the enterprise network. The mobile clients
do not have a physical connection to the network because WLANs replace the Layer 1 traditional wired
network (usually Category 5 cable) with radio frequency (RF) transmissions through the air. WLANs are for
local networks, either in-building, line-of-sight outdoor bridging applications, or a combination of both.

In a wireless network, many issues can arise to prevent the RF signal from reaching all parts of the facility,
including multipath distortion, hidden node problems, interference from other wireless sources, and near/far
issues. Privacy and security issues must also be considered in a wireless network. Because WLANs are
typically connected to the wired network, all the modules within the enterprise infrastructure must be
considered to ensure the success of a wireless deployment.

Application Networking Services in a Modular Network Design


Traditional networks handled static web pages, e-mail, and routine client/server traffic. Today, enterprise
networks must handle more sophisticated types of network applications that include voice and video.
Examples include voice transport, videoconferencing, online training, and audio and video broadcasts.
Applications place increasing demands on IT infrastructures as they evolve into highly visible services that
represent the face of the business to internal and external audiences.

Network Management Protocols and Features


Proper network management is a critical component of an efficient network. Network administrators need
tools to monitor the functionality of the network devices, the connections between them, and the services
they provide. SNMP has become the de facto standard for use in network management solutions and is
tightly connected with remote monitoring (RMON) and Management Information Bases (MIB). Each
managed device in the network has several variables that quantify the state of the device. You can monitor
managed devices by reading the values of these variables, and you can control managed devices by writing
values into these variables.
Network Management Architecture


The network management architecture consists of the following:
 Network management system (NMS): A system that executes applications that monitor and control
managed devices. NMSs provide the bulk of the processing and memory resources that are required for
network management.
 Network management protocol: A protocol that facilitates the exchange of management information
between the NMS and managed devices, including SNMP, MIB, and RMON.
 Managed devices: A device (such as a router) managed by an NMS.
 Management agents: Software, on managed devices, that collects and stores management information,
including SNMP agents and RMON agents.
 Management information: Data that is of interest to a device's management, usually stored in MIBs.
A variety of network management applications can be used on a network management system; the choice
depends on the network platform (such as the hardware or operating system). The management information
resides on network devices; management agents that reside on the device collect and store data in a
standardized data definition structure known as the MIB.
The network management application uses SNMP or other network management protocols to retrieve the
data that the management agents collect.

Figure 3-24 Network Management Architecture


Protocols
Several protocols are used within the network management architecture. Some of them are discussed below.
SNMP
SNMP has become the de facto standard for network management. SNMP is a simple solution that requires
little code to implement, which enables vendors to easily build SNMP agents for their products. In addition,
SNMP is often the foundation of the network management architecture. SNMP defines how management
information is exchanged between network management applications and management agents. The terms
used in SNMP are described as follows:
 Manager: The manager, a network management application in an NMS, periodically polls the SNMP
agents that reside on managed devices for the data, thereby enabling information to be displayed using a
GUI on the NMS. A disadvantage of periodic SNMP polling is the possible delay between when an
event occurs and when it is collected by the NMS; there is a trade-off between polling frequency and
bandwidth usage.
 Protocol: SNMP is a protocol for message exchange. It uses the User Datagram Protocol (UDP)
transport mechanism to send and retrieve management information, such as MIB variables.
 Managed device: A device (such as a router) managed by the manager.
 Management agents: SNMP management agents reside on managed devices to collect and store a range
of information about the device and its operation, respond to the manager's requests, and generate traps
to inform the manager about certain events. SNMP traps are sent by management agents to the NMS
when certain events occur.
 MIB: The management agent collects data and stores it locally in the MIB, a database of objects about
the device. Community strings, which are similar to passwords, control access to the MIB. To access or
set MIB variables, the user must specify the appropriate read or write community string; otherwise,
access is denied.

Figure: SNMP is a Protocol for Management Information Exchange


MIB
A MIB is a collection of managed objects. A MIB stores information, which is collected by the local
management agent, on a managed device for later retrieval by a network management protocol.
Each object in a MIB has a unique identifier that network management applications use to identify and
retrieve the value of the specific object. The MIB has a tree-like structure in which similar objects are
grouped under the same branch of the MIB tree. For example, different interface counters are grouped under
the MIB tree's interfaces branch.
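The MIB tree and the community-string access control described in the SNMP and MIB sections above, as an added Python example that is not part of the chapter: a toy agent-side MIB store in which objects under one branch share an OID prefix, a GETNEXT-style walk returns them in lexicographic order and stops when it leaves the branch, and read and write community strings gate GET and SET separately. The OIDs under 1.3.6.1.2.1.2 are the standard MIB-II interfaces branch; the object values and the community names are constructed.

```python
"""Added example (not from the chapter): a toy SNMP agent's MIB store showing
the tree-structured MIB, lexicographic GETNEXT traversal and community-string
access control. Values and community strings are constructed."""


def parse_oid(oid: str):
    return tuple(int(x) for x in oid.strip(".").split("."))


def format_oid(parts):
    return ".".join(str(p) for p in parts)


class MibStore:
    def __init__(self, read_community, write_community):
        self._objects = {}  # tuple OID -> value
        self._read = read_community
        self._write = write_community

    def load(self, objects):
        for oid, value in objects.items():
            self._objects[parse_oid(oid)] = value

    def _check(self, community, write=False):
        # The write community also grants read; the read community never grants write.
        if community == self._write:
            return True
        return (not write) and community == self._read

    def get(self, community, oid):
        if not self._check(community):
            raise PermissionError("authentication failure")
        return self._objects.get(parse_oid(oid))

    def set(self, community, oid, value):
        if not self._check(community, write=True):
            raise PermissionError("authentication failure")
        self._objects[parse_oid(oid)] = value

    def get_next(self, community, oid):
        """Return (oid, value) of the first object lexicographically after `oid`."""
        if not self._check(community):
            raise PermissionError("authentication failure")
        start = parse_oid(oid)
        for key in sorted(self._objects):
            if key > start:
                return format_oid(key), self._objects[key]
        return None  # end of MIB view

    def walk_branch(self, community, branch):
        """Issue GETNEXT repeatedly, stopping when the returned OID leaves the branch."""
        prefix = parse_oid(branch)
        out, cur = [], branch
        while True:
            nxt = self.get_next(community, cur)
            if nxt is None or parse_oid(nxt[0])[:len(prefix)] != prefix:
                break
            out.append(nxt)
            cur = nxt[0]
        return out


# Constructed agent contents: sysName plus three interface-branch objects.
SAMPLE_OBJECTS = {
    "1.3.6.1.2.1.1.5.0": "edge-rtr1",                # sysName.0 (system branch)
    "1.3.6.1.2.1.2.2.1.2.1": "GigabitEthernet0/0",   # ifDescr.1
    "1.3.6.1.2.1.2.2.1.10.1": 123456,                # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.16.1": 654321,                # ifOutOctets.1
}


def build_agent():
    agent = MibStore(read_community="ro-example", write_community="rw-example")
    agent.load(SAMPLE_OBJECTS)
    return agent


if __name__ == "__main__":
    agent = build_agent()
    for oid, value in agent.walk_branch("ro-example", "1.3.6.1.2.1.2"):
        print(oid, value)
```

The walk of the interfaces branch skips sysName because its OID sorts before the branch prefix, and it ends at the last interface object because the next OID in the store (there is none here) would no longer carry the prefix; this is exactly why "similar objects grouped under the same branch" can be retrieved together.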
RMON
RMON is a MIB that provides support for proactive management of LAN traffic.
The RMON standard allows packet and traffic patterns on LAN segments to be monitored. RMON tracks
items such as the number of packets, packet sizes, broadcasts, network utilization, errors and conditions
(such as Ethernet collisions), and statistics for hosts, including errors generated by hosts, the busiest hosts,
and which hosts communicate with each other.
Without RMON, a MIB could be used to check the device's network performance. However, doing so
would lead to a large amount of bandwidth required for management traffic. By using RMON, the managed
device itself (via its RMON agent) collects and stores the data that would otherwise be retrieved from the
MIB frequently.
RMON agents can reside in routers, switches, hubs, servers, hosts, or dedicated RMON probes. Because
RMON can collect a lot of data, dedicated RMON probes are often used on routers and switches instead of
enabling RMON agents on these devices. Performance thresholds can be set and reported on if the threshold
is breached; this helps reduce management traffic. RMON provides effective network fault diagnosis,
performance tuning, and planning for network upgrades.
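The threshold reporting described above, as an added Python example that is not part of the chapter: an agent-side rising/falling alarm in the style of the RMON alarm group. The agent samples the variable locally and emits an event only when the rising threshold is crossed, then re-arms only after the value drops below a lower falling threshold, so a value hovering around the limit does not generate an event per sample. The utilisation samples and threshold values are constructed.

```python
"""Added example (not from the chapter): an RMON-style rising/falling threshold
alarm evaluated on the managed device, contrasted with the number of polls an
NMS would otherwise need. Samples and thresholds are constructed."""


class ThresholdAlarm:
    def __init__(self, rising, falling):
        if falling >= rising:
            raise ValueError("falling threshold must be below the rising threshold")
        self.rising = rising
        self.falling = falling
        self._armed_rising = True  # the first event may be a rising one

    def sample(self, value):
        """Evaluate one local sample; return 'rising', 'falling' or None."""
        if self._armed_rising and value >= self.rising:
            self._armed_rising = False   # stay quiet until the value falls back
            return "rising"
        if not self._armed_rising and value <= self.falling:
            self._armed_rising = True    # re-arm the rising alarm
            return "falling"
        return None


def compare_traffic(samples, rising, falling):
    """Events the agent would report versus the polls a plain poller would need
    to observe the same samples."""
    alarm = ThresholdAlarm(rising, falling)
    events = []
    for index, value in enumerate(samples):
        event = alarm.sample(value)
        if event is not None:
            events.append((index, value, event))
    return {"polls": len(samples), "events": events}


# Constructed utilisation samples (percent) on one LAN segment, one per interval.
UTILISATION = [40, 55, 78, 82, 85, 79, 81, 84, 60, 45, 30, 88]


if __name__ == "__main__":
    print(compare_traffic(UTILISATION, rising=80, falling=50))
```

Twelve samples produce three management messages instead of twelve polls, and the samples at 79 and 81 while the alarm is already raised generate nothing, which is the hysteresis that keeps management traffic low.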
NetFlow
Cisco NetFlow is a measurement technology that measures flows that pass through Cisco devices. NetFlow
was originally implemented only on larger devices; it is now available on other devices, including
Integrated Services Routers (ISRs). NetFlow answers the questions of what, when, where, and how traffic is flowing in the network.
NetFlow data can be exported to network management applications to further process the information,
providing tables and graphs for accounting and billing or as an aid for network planning. The key
components of NetFlow are the NetFlow cache or data source that stores IP flow information and the
NetFlow export or transport mechanism that sends NetFlow data to a network management collector, such
as the NetFlow Collection Engine.
NetFlow-collected data serves as the basis for a set of applications, including network traffic accounting,
usage-based network billing, network planning, and network monitoring.
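The NetFlow cache and export mechanism described above, as an added Python example that is not part of the chapter: packets are keyed on the flow identifiers (source and destination address and port, protocol), aggregated into per-flow packet and byte counters, and exported as records when the flow goes idle or is flushed. A collector-side top-talker summary shows the accounting use the text mentions. Packet samples and timeouts are constructed.

```python
"""Added example (not from the chapter): a NetFlow-style flow cache with
inactive/active timeouts and export to a collector. Packet samples are
constructed; the timeouts are illustrative."""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport proto length")
FlowKey = namedtuple("FlowKey", "src dst sport dport proto")


class FlowCache:
    def __init__(self, inactive_timeout=15, active_timeout=1800):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self._flows = {}    # FlowKey -> {"first", "last", "packets", "bytes"}
        self.exported = []  # records handed to the collector

    def observe(self, pkt):
        """Account one packet to its flow, creating the flow on first sight."""
        key = FlowKey(pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        self.expire(pkt.ts)
        entry = self._flows.get(key)
        if entry is None:
            entry = {"first": pkt.ts, "last": pkt.ts, "packets": 0, "bytes": 0}
            self._flows[key] = entry
        entry["last"] = pkt.ts
        entry["packets"] += 1
        entry["bytes"] += pkt.length

    def expire(self, now):
        """Export flows idle longer than inactive_timeout or older than active_timeout."""
        for key in list(self._flows):
            e = self._flows[key]
            if now - e["last"] > self.inactive_timeout or now - e["first"] > self.active_timeout:
                self._export(key, e)

    def flush(self):
        for key in list(self._flows):
            self._export(key, self._flows[key])

    def _export(self, key, e):
        self.exported.append({**key._asdict(), **e})
        del self._flows[key]


def top_talkers(records, n=3):
    """Collector-side view: total bytes per source address, largest first."""
    totals = {}
    for r in records:
        totals[r["src"]] = totals.get(r["src"], 0) + r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed packets: an HTTPS session, a DNS query, the same HTTPS flow again
# after an idle gap, and a large SSH transfer.
SAMPLE_PACKETS = [
    Packet(0, "10.1.1.10", "203.0.113.5", 51000, 443, 6, 600),
    Packet(1, "10.1.1.10", "203.0.113.5", 51000, 443, 6, 1400),
    Packet(2, "10.1.1.11", "10.1.1.2", 53001, 53, 17, 80),
    Packet(30, "10.1.1.10", "203.0.113.5", 51000, 443, 6, 1400),
    Packet(31, "10.1.1.12", "203.0.113.9", 52000, 22, 6, 9000),
]


def run_demo():
    cache = FlowCache()
    for p in SAMPLE_PACKETS:
        cache.observe(p)
    cache.flush()
    return cache.exported


if __name__ == "__main__":
    records = run_demo()
    for rec in records:
        print(rec)
    print(top_talkers(records))
```

The HTTPS flow is exported twice: once when the inactive timeout expires after the 29-second gap and once more at flush time for the packet that restarted it. A collector therefore has to sum records for the same flow key rather than treat each export as a distinct conversation.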
CDP
CDP is a Cisco-proprietary protocol that operates between Cisco devices at the data link layer. CDP
information is sent only between directly connected Cisco devices; a Cisco device never forwards a CDP
frame. CDP enables systems that support different network layer protocols to communicate and enables
other Cisco devices on the network to be discovered. CDP provides a summary of directly connected
switches, routers, and other Cisco devices.
CDP is a media- and protocol-independent protocol that is enabled by default on each supported interface of
Cisco devices (such as routers, access servers, and switches). The physical media must support Subnetwork
Access Protocol encapsulation. Information in CDP frames includes the following:
 Device ID: The name of the neighbor device and either the MAC address or the serial number of the
device.
 Local Interface: The local (on this device) interface connected to the discovered neighbor.
 Holdtime: The remaining amount of time (in seconds) that the local device holds the CDP
advertisement from a sending device before discarding it.
 Capability List: The type of device discovered (R—Router, T—Trans Bridge, B—Source Route
Bridge, S—Switch, H—Host, I—IGMP, r—Repeater).
 Platform: The device's product type.
 Port Identifier (ID): The port (interface) number on the discovered neighbor on which the
advertisement is sent. This is the interface on the neighbor device to which the local device is
connected.
 Address List: All network layer protocol addresses configured on the interface (or, in the case of
protocols configured globally, on the device). Examples include IP, Internetwork Packet Exchange,
and DECnet.
