In this section we're going to discuss campus network design concepts. This is typically part of the campus network design and operations workshop taught by the Network Startup Research Center. As we've traveled around the world and helped people with their campus networks we've uncovered and discovered that there are a number of common challenges that that we've seen all throughout Africa and Asia and even in the u.s. these challenges are that many campus networks are not structured properly and can't effectively utilize high bandwidth connections many networks make heavy use of NAT and firewalls that limit performance and many are built with unmanaged Network equipment that provide no ability for monitoring or tuning the network campus networks support research and education and your campus network needs to support research and education activities these networks need to be flexible and open and things you should consider one is NAT makes it hard to do some things for example h.323 videoconferencing heavy use of filtering make it hard for researchers teachers and students to do interesting things I will guarantee that if Stanford made heavy use of filtering that innovative products such as Google would not exist today as you think about your campus Network you never want your campus network to be the bottleneck typically in emerging regions the bottleneck is your internet connection and your internet connection night today be one megabit or 10 megabits or 20 megabits and your campus network will typically not be the bottleneck but what happens when you get a gigabit connection you must make sure that your campus network isn't the bottleneck so right now today you can absolutely make a plan to improve your network and remove all bottlenecks so when you get that gigabit connection it performs much better and the Chancellor when he goes back to his office after doing the ribbon-cutting for the gig connection you will find that he has great performance what you don't want to have happen as you make the big splash and announcement the you have a gigabit connection now and the Vice Chancellor goes back to his office and he gets the same very poor performance because your campus network was the bottleneck so as we've looked at many many campus networks around the world we've developed several rules that we would like you to consider as you're rethinking your design the first rule is minimizing the number of network devices in any path the second design consideration is to use a hub-and-spoke or star configuration as your design pattern we want you to segment your network with routers at the core and this will break apart your network into multiple independent segments we want you to provide services that all users use near the core of your network and we want you to think carefully about where to firewall and where to nap now we'll look at each one of these in greater detail the first rule minimize the number of network devices in the path so we want you to build these hub-and-spoke network sometimes called a star network and you see that here as the top diagram where you have a aggregation device and every other device and the network is connected directly to that and we do not want you to build these daisy chain networks sometimes called cascaded networks where you have a device then you connect another device and then it's simpler to connect a third device simply to their original device this we see several different places in campus networks where one building on campus has that internet connection and the building adjacent to it says hey I hear you have some internet can I get some and pretty soon there's a cat5 running through the bushes to the adjacent building and then the building next to that says hey I hear you have some internet can I get some and pretty soon there's a cat5 running through the bushes and it goes building to building to building we also see this inside of a building where we maybe have internet on one floor and we want to put the internet on the floor above that and so we just simply drop some cat5 cable down to the switch below and we're going and then put somebody on the floor above that says hey I hear you have some internet can I get some and they'll simply run some cat 5 or cat 6 cable down to the switch on the adjacent floor and you you end up getting these cascaded network elements where if one of them in the path fails then everybody passed that is out of service so this is a hub-and-spoke design we're going to use this design pattern in two separate places one is on your campus between buildings we are going to run fiber-optic cabling from your central location out to each remote building in a hub-and-spoke fashion we are not gonna run fiber from one building to the next to the next to the next even though that might be easier inside of each building we're going to run unshielded twisted-pair cabling either cat5 cat5e cat6 and we'll talk about that later and maybe even fiber from a main rack to all other racks we also will do the same from an individual rack out to station outlets in people's offices so hub and spoke at the campus level the hub of the campus at the campus level is going to be called the core that will be your central location where you have a small server room and our best practice will be to route at the core we will talk about that in a little bit routing at the core segments the network into multiple independent segments and it limits the amount of broadcasts hub-and-spoke inside of buildings we're going to run where fibre enters the building that is going to be the service entrance from that service entrance we will run up each individual Network rack each building will be at least one IP subnet and we want to plan for no more than 250 computers inside of each building if their building is larger and has more than 250 computers we would recommend you segment even multiple different subnets for example if you have some large computer labs maybe the computer labs should be on a separate IP subnet than the rest of the building inside of a building the network should only be switched the VLANs and the separate subnets will be routed at the core at your central location and those VLANs will be carried to the building inside of each building is simply going to be a switched layer to network and often this in-building portion in the network is called the edge of your network and we must note take careful note always by switches there to manage you cannot do this with unmanaged switches you cannot provide multiple VLANs with the unmanaged switches so for example if you had that computer lab that you wanted on a separate network then your faculty and you wanted the faculty on a separate network than your voice over IP telephones you cannot do that with unmanaged network switches so inside of each building where we have these edge networks we want every one of these networks to look like this where there's fiber to your core location you have an aggregation switch you have edge switches that then provide service to individual computers or access points or whatever you're serving inside of that building now we recognize that it might not be possible to afford to build out your network in that fashion so we can take an incremental approach we can run fiber to the core and place one switch inside of a building and serve all the computers we can serve off of that one switch and as we get additional funding we can a second switch maybe that second switch is on a different wing of the building or that switch is on a separate floor and then from that switch we will serve all the computers that can be served from there and then we just simply repeat that by adding additional network racks and switches in this hub-and-spoke final configuration that we originally showed we want to encourage you to resist the urge to save money by breaking this model and daisy chaining networks or buildings together so you see in this diagram it was easiest from a network rack and the far wing of the building to serve an adjacent building by simply running a cat 6 cable out the window and to a switch in an adjacent building we don't want you to do that if you're gonna do that at times and and we have I have certainly done this kind of activity where I have a bunch of very small buildings all clustered together I will choose one building where we I will run five or two and each building will simply be a separate network rack that served off the central aggregation switch in the one building with fiber moving on to the core network the core network is the center of the campus and it's your top level hub-and-spoke let's talk for a minute about routing versus switching which is layer two versus layer three routers provide more isolation between devices because they stop broadcasts routing is more complicated but also more sophisticated and make much more efficient use of the network particularly if there are redundancy elements such as loops as we think about layer 2 versus layer 3 and we will look at this in a separate section of where we do a networking refresher but if you're in layer 2 network and I don't know if you've ever thought about this but when you're on a Windows machine and you click on add a printer and you say oh well it's a network printer and pretty soon a list of printers will show up how does that happen how does that work well that works by your computer sends out a broadcast that says hey are there any printers out there and the printers will respond now in small networks that works fine but if your network has 20,000 devices and there's a thousand printers believe me the level of broadcasts in that network is going to be crazy because not only do you have broadcasts when you're looking for a printer or looking for a server but both Macs and PCs and Linux boxes broadcast on a regular basis for example a PC will broadcast on a regular basis it says hey I'm a PC and my NetBIOS name is whatever the NetBIOS name is and as you get more and more and more computers that level a broadcast in large networks is a huge problem so moving to layer 3 segmented network - where you only have 250 or so computers in a broadcast domain on an individual subnet that will make things work much much better additionally a segmenting your network has some security implications for example if you have servers that are on the same subnet as your users the users can take over that server and the way that happens if you remember how do we translate an IP address into an Ethernet address so we can send a packet well that's called ARP and so if for example somebody on a large broadcast sub-domain Arps for a server will the server will spawn to say hey that's me and the the client machine will put that ARP entry into its ARP cache and happily then send the traffic to the server there's nothing to prevent as an interloper to come in to your network plug-in and if this is what if we're all on the same IP subnet I can send an ARP reply to the client machine the PC that's talking to the server and say hey the server's IP address our Ethernet address is my address not the server's and the client machine will happily just overwrite the server's Ethernet address with mine so that all traffic that's sent to the server is actually sent to me I can on the same hand I can send to the server an unsolicited ARP reply that says hey the this client machine its Ethernet address is me not the client machines I internet address and now all traffic between a client and the server and from the server to the client comes to me and I can simply forward that I can record that traffic and forward it on and now I have a man on the middle attack and nobody knows that I'm in the middle so let's talk about layer 3 switches for just a minute many vendors use the term layer 3 switch notice these are contradictory terms layer 3 is routing switching is layer 2 so you're - when you say layer 3 switch you're saying layer 3 layer 2 quits really is contradictory term what most vendors mean is that this is a device that can be configured as a router or as a switch or possibly both at the same time we want to caution you that wall it's possible to make very complex and very difficult or very difficult to understand configurations we would encourage you to use a layer 3 switch as a router that's fine turn it into a router use a layer 3 switch as a switch that's fine using them as both in intermix a.m. where these two ports are routed and those 2 ports are switched all of a sudden becomes very difficult because as you're standing in front of the switch trying to plug something in you have to know the internal configuration of that switch to successfully plug things into the right place moving back to this core network concept at your core network this is going to be the center of your networked where a fiber optic cable runs from all buildings and if the core network is unreliable then your entire network is unreliable so reliability is the key in your core network so your core network ought to be the place where you invest in battery backup possibly a generator and you must have good air handling as well one of the things I've noticed in many emerging regions is that grounding and bonding is sometimes an issue and you would notice this if you ever touch a rack or a piece of network gear and you get a shock that means grounding and bonding has not been done properly and you should call an electrician to have that done if you don't have good grounding and bonding this can cause all kinds of problems not only can hurt you with the electricity but it can cause all kinds of reliability problems here's a diagram of what we typically you will want at your core network you're going to have a core router and again that might be a layer 3 switch configured as a router but you're going to route on this again the routers give isolation between subnets from that core route location you're gonna run fiber-optic cable to every remote building so this is a very typical design and we will use this typical design throughout the rest of this course as we think about where to put servers in large institutions you will have some department maybe it's your bursar's office or it's your admissions office they have a server that has financial aid financial software or student information software and they want to put it underneath their desk because well it's their server and they want to see it every morning and greet it every morning and say hello server I'm happy to see you this is not a proper design because that means the server is out in some random building and what do you do about good power to it what do you about to do about good air conditioning and how do you provide reliable service to that so the right place to put your servers are in your core location service should never be on the same subnet as any user and so it needs to be a separate subnet off the core router and again they need to be in that same room as your core router where you have good power and good air conditioning a typical design is simply to have an interface off your core router that goes to a switch that has your service the next topic is where to put firewalls this design is a very typical design many many campuses use this including campuses at the u.s. all over the world we will talk about an alternative design a little bit but the firewall in this position will protect all of campus from that nasty mean outside world and that probably works in a corporate environment too where every computer and every device on the campus network is controlled managed and you know people don't have administrator rights they can't install things there's all kinds of fancy antivirus software but campuses are not like that people bring the computers from home students are on wireless people have phones so the challenge with the this border firewall placement as you saw in the previous diagram is that you're not protecting users from each other and the reality is firewalls don't protect users from getting viruses it used to be back in the Windows XP days that if you turn to Windows XP machine on on the internet and started to install patches on it you would almost immediately get a virus that's not the way virus has happened because every since Windows XP service pack 2 windows automatically comes default with its own firewall so firewalls aren't preventing you from getting viruses how do you get viruses on PCs well people are web browsing and they get a little pop-up that says hey we noticed you have a virus click here to clean it well if you click there then you definitely have a virus people also get viruses by you know they get some emails said hey you've won $10,000 open this attachment for details and how you collect that well you open that attachment and guess what now you have a virus both of these activities are encrypted you know if that was a gmail attachment that is running over SSL a firewalls not going to protect you and thus you know through your firewall that you think is protecting you you're getting no protection at all so you know viruses again come with clicked links while web browsing and email attachments firewall isn't going to help as your bandwidth increases as you go from the 10 Meg's to 100 to 1000 and heaven's sake maybe even as many as 10 gigabit external connections firewalls have trouble scaling up to those kinds of speeds so we want to have you think about an alternative strategy since the firewalls don't protect users from viruses and if you have the border firewall placement it can't protect users from each other so if somebody brings a virus infected computer in the border firewall case and plugs that computer into your network you're in the soft inside middle of your network where there is no firewall between you and other users there is no firewall between you and your servers where your you know your bursar's office your payroll office all the student records are and guess what if somebody breaks into your payroll office server that's a bad thing and so we want you to think about this alternative firewall placement of placing the firewall between your campus network which now is somewhat hostile it's almost as hostile as the Internet and the servers that you want to protect so another thing you want to consider is that not all servers are created equal so for example some servers are dedicated to primarily student use for example Moodle if you were running your own local Moodle instance every student has an account there well I personally would not put a Moodle server on the same IP subnet as my payroll in financial systems because I care about getting a paycheck you might even want to segment your servers to where you have more public servers and more private servers so don't put different classes of servers on different subnets a final idea and concept that we wanted to present to you about firewalls is if the politics don't allow you to move the firewall simply to protect your servers but you have things that need better access to the Internet then you can run through your firewall there's a concept called the science DMZ the notion of a science DMZ is to remove devices in the path from end users to the internet that interferes with the flow of packets and in this case we have directly off the border router that's connected to your end rent a switch or possibly another router where you attach either servers or even end users to the border router that has direct access to the internet without going through the firewall I know many of you are somewhat horrified by that that you would put devices on public IPS well I will tell you that on my desk at the University of Oregon is a computer that's connected at one gigabit to a switch and it has a public IP and there is very little filtering and I've never had that computer broken into you can even ping it right now it's called d.smith work Mac all one word lowercase dot you Oregon edu and you can ping it if you wanted to let's talk for a minute about your border router for many of you the border router will perform more simplistic functions but the border router is mandatory if you're a dual home if you have two internet connections the only way to properly make that work right is to have a border router that provides functions to move traffic to the two outside connections many campuses and emerging regions will do NAT on this border router and this NAT function actually somewhat acts as a firewall simply by the fact that unless there's a static nap translation on the border router nobody from the outside world can deliver traffic to any part of your campus network without that device on your campus Network first initiating an outbound connection so they cannot attack anything inside your campus network without that machine on the campus initiating outbound connection to the attacker so let's put this all together so you can see we have a border router that connects to the ISP and your Ren we have a science dmz that border router connects is probably performing NAT functions it connects to your core router the core Router serves a firewall that addressing your servers and the core router also drives fiber optic cabling to each of your buildings now some of you might find that you can't really afford fiber to some locations or that it's very difficult because some of your campus is on the other side of a very busy street that you don't own in that case we will would serve those remote buildings with wireless it's very important however that you serve those remote buildings as if it were fiber each remote building needs a separate interface on the core router and you simply build a single point-to-point link on the end of that interface out to the remote building a different remote building is a different interface on the core router different IP subnet and a different point to point link so let's talk about these design concepts and the layer 2 layer 3 summary here first off build hub-and-spoke networks both at the campus level and inside of the building you route at the core you switch at the edge and most importantly only by managed switches. If you have some unmanaged network equipment, great. Take that and put it into a computer lab that is only one IP subnet, where the switches in the same room as all of the devices and it's easier to troubleshoot. Do you have any questions?

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.