In this section we're going to discuss campus network design concepts. This is typically part of the Campus Network Design and Operations workshop taught by the Network Startup Resource Center. As we've traveled around the world and helped people with their campus networks, we've discovered a number of common challenges that we've seen throughout Africa and Asia, and even in the U.S.

These challenges are that many campus networks are not structured properly and can't effectively utilize high-bandwidth connections; many networks make heavy use of NAT and firewalls that limit performance; and many are built with unmanaged network equipment that provides no ability to monitor or tune the network.

Campus networks support research and education, and your campus network needs to support research and education activities. These networks need to be flexible and open. Things you should consider: one, NAT makes it hard to do some things, for example H.323 videoconferencing. Two, heavy use of filtering makes it hard for researchers, teachers and students to do interesting things. I will guarantee that if Stanford had made heavy use of filtering, innovative products such as Google would not exist today.

As you think about your campus network, you never want your campus network to be the bottleneck. Typically in emerging regions the bottleneck is your Internet connection. Your Internet connection might today be one megabit, or 10 megabits, or 20 megabits, and your campus network will typically not be the bottleneck. But what happens when you get a gigabit connection? You must make sure that your campus network isn't the bottleneck. So right now, today, you can absolutely make a plan to improve your network and remove all bottlenecks, so that when you get that gigabit connection it performs much better, and when the Chancellor goes back to his office after doing the ribbon-cutting for the gigabit connection, he finds that he has great performance. What you don't want to have happen is that you make the big splash and announce that you have a gigabit connection now, and the Vice Chancellor goes back to his office and gets the same very poor performance, because your campus network was the bottleneck.

So, as we've looked at many, many campus networks around the world, we've developed several rules that we would like you to consider as you're rethinking your design. The first rule is to minimize the number of network devices in any path. The second design consideration is to use a hub-and-spoke, or star, configuration as your design pattern. We want you to segment your network with routers at the core; this will break your network into multiple independent segments. We want you to provide the services that all users use near the core of your network. And we want you to think carefully about where to firewall and where to NAT. Now we'll look at each one of these in greater detail.

The first rule: minimize the number of network devices in the path. We want you to build hub-and-spoke networks, sometimes called star networks. You see that here in the top diagram, where you have an aggregation device and every other device in the network is connected directly to it. We do not want you to build daisy-chained networks, sometimes called cascaded networks, where you have a device, then you connect another device to it, and then it's simpler to connect a third device to the previous one. We see this in several different places in campus networks. One building on campus has the Internet connection, and the building adjacent to it says, "Hey, I hear you have some Internet, can I get some?" and pretty soon there's a Cat 5 running through the bushes to the adjacent building. Then the building next to that says, "Hey, I hear you have some Internet, can I get some?" and pretty soon there's a Cat 5 running through the bushes, and it goes building to building to building. We also see this inside of a building, where we maybe have Internet on one floor and we want to put Internet on the floor above, so we simply drop some Cat 5 cable down to the switch below. Then somebody on the floor above that says, "Hey, I hear you have some Internet, can I get some?" and they simply run some Cat 5 or Cat 6 cable down to the switch on the adjacent floor. You end up with these cascaded network elements, where if one of them in the path fails, everybody past that point is out of service.

So this is the hub-and-spoke design. We're going to use this design pattern in two separate places. One is on your campus, between buildings: we are going to run fiber-optic cabling from your central location out to each remote building in a hub-and-spoke fashion. We are not going to run fiber from one building to the next to the next to the next, even though that might be easier. Inside of each building we're going to run unshielded twisted-pair cabling, either Cat 5, Cat 5e or Cat 6 (we'll talk about that later), and maybe even fiber, from a main rack to all other racks. We will also do the same from an individual rack out to the station outlets in people's offices.

So, hub and spoke at the campus level. The hub at the campus level is going to be called the core. That will be your central location, where you have a small server room, and our best practice will be to route at the core; we will talk about that in a little bit. Routing at the core segments the network into multiple independent segments, and it limits the amount of broadcasts.
Hub and spoke inside of buildings: where the fibre enters the building is going to be the service entrance, and from that service entrance we will run up to each individual network rack. Each building will be at least one IP subnet, and we want to plan for no more than 250 computers inside of each building. If a building is larger and has more than 250 computers, we would recommend you segment it into multiple subnets; for example, if you have some large computer labs, maybe the computer labs should be on a separate IP subnet from the rest of the building. Inside of a building the network should only be switched. The VLANs and the separate subnets will be routed at the core, at your central location, and those VLANs will be carried to the building. Inside each building is simply going to be a switched layer 2 network, and often this in-building portion of the network is called the edge of your network. Take careful note: always buy switches that are managed. You cannot do this with unmanaged switches; you cannot provide multiple VLANs with unmanaged switches. So for example, if you had that computer lab that you wanted on a separate network from your faculty, and you wanted the faculty on a separate network from your voice-over-IP telephones, you cannot do that with unmanaged network switches.

So inside of each building, where we have these edge networks, we want every one of these networks to look like this: there's fiber to your core location, you have an aggregation switch, and you have edge switches that then provide service to individual computers, or access points, or whatever you're serving inside that building. Now, we recognize that it might not be possible to afford to build out your network in that fashion, so we can take an incremental approach. We can run fiber to the core and place one switch inside of a building and serve all the computers we can serve off of that one switch. As we get additional funding we can add a second switch; maybe that second switch is in a different wing of the building, or on a separate floor, and from that switch we will serve all the computers that can be served from there. Then we simply repeat that by adding additional network racks and switches, ending in the hub-and-spoke final configuration that we originally showed. We want to encourage you to resist the urge to save money by breaking this model and daisy-chaining networks or buildings together. You see in this diagram that it was easiest, from a network rack in the far wing of the building, to serve an adjacent building by simply running a Cat 6 cable out the window to a switch in the adjacent building. We don't want you to do that. If you're going to do that at times, and I have certainly done this kind of activity where I have a bunch of very small buildings all clustered together, I will choose one building that I will run fiber to, and each other building will simply be a separate network rack served off the central aggregation switch in that one building, with fiber.
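Here is an added example (not from the lecture or the NSRC materials) that turns the rules above into an address plan: one VLAN and subnet per building segment, labs split onto their own subnet, no segment larger than 250 hosts, a separate server subnet hanging off the core router, and a /30 point-to-point link on its own core interface for each building that has to be reached over wireless instead of fiber. The building inventory, the 10.20.0.0/16 block and the VLAN numbers are constructed assumptions.

```python
"""Campus address plan generator: one VLAN/subnet per building segment, no
more than 250 hosts per broadcast domain, labs on their own subnet, servers
on a separate subnet off the core, /30 links for wireless-served buildings.
Added example; inventory and address block are constructed assumptions."""
import ipaddress
import math

MAX_HOSTS_PER_SUBNET = 250   # the lecture's planning limit per building/subnet

# Constructed inventory (not from the lecture): name, hosts, lab hosts, wireless-served?
CAMPUS = [
    ("Administration", 120, 0, False),
    ("Library", 180, 90, False),
    ("Engineering", 480, 0, False),
    ("Annex", 30, 0, True),
]


def segments_for(name, hosts, lab_hosts):
    """Split a building into named segments of <= MAX_HOSTS_PER_SUBNET.
    A lab always gets its own segment; the rest is split evenly if needed."""
    segs = []
    if lab_hosts:
        segs.append((f"{name} lab", lab_hosts))
        hosts -= lab_hosts
    if hosts <= 0:
        return segs
    pieces = max(1, math.ceil(hosts / MAX_HOSTS_PER_SUBNET))
    per = math.ceil(hosts / pieces)
    for i in range(pieces):
        label = name if pieces == 1 else f"{name} part {i + 1}"
        segs.append((label, min(per, hosts - i * per)))
    return segs


def build_plan(campus, block="10.20.0.0/16", vlan_base=100):
    """Allocate a /24 per segment from `block`. The first /24 is the server
    subnet hanging off the core router (never shared with users); the second
    /24 is carved into /30 point-to-point links, one per wireless building,
    each of which gets its own core router interface just like a fiber run."""
    pool = ipaddress.ip_network(block).subnets(new_prefix=24)
    server_net = next(pool)
    p2p_pool = next(pool).subnets(new_prefix=30)
    plan = [{"vlan": vlan_base, "name": "Servers (off core router)",
             "subnet": server_net, "hosts": 0, "link": None}]
    vlan = vlan_base
    for name, hosts, lab_hosts, wireless in campus:
        link = next(p2p_pool) if wireless else None
        for label, count in segments_for(name, hosts, lab_hosts):
            vlan += 1
            subnet = next(pool)
            if count > MAX_HOSTS_PER_SUBNET or count > subnet.num_addresses - 2:
                raise ValueError(f"{label}: {count} hosts do not fit in {subnet}")
            plan.append({"vlan": vlan, "name": label, "subnet": subnet,
                         "hosts": count, "link": link})
    return plan


def largest_broadcast_domain(plan):
    """Biggest user segment in the plan; must stay <= MAX_HOSTS_PER_SUBNET."""
    return max(entry["hosts"] for entry in plan)


if __name__ == "__main__":
    for e in build_plan(CAMPUS):
        via = f"  via p2p link {e['link']}" if e["link"] else ""
        print(f"VLAN {e['vlan']}  {str(e['subnet']):<16} {e['hosts']:>4} hosts  {e['name']}{via}")
```

Running it prints one line per VLAN. The Engineering building (480 hosts) comes out as two segments of 240, the Library lab gets its own /24, and the wireless-served Annex is listed with its /30 link as well as its user subnet, which is exactly the "treat it as if it were fiber" rule: separate core interface, separate subnet, separate point-to-point link.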
Moving on to the core network. The core network is the center of the campus, and it's your top-level hub-and-spoke. Let's talk for a minute about routing versus switching, which is layer 3 versus layer 2. Routers provide more isolation between devices because they stop broadcasts. Routing is more complicated, but also more sophisticated, and it makes much more efficient use of the network, particularly if there are redundancy elements such as loops.

As we think about layer 2 versus layer 3 (we will look at this in a separate section where we do a networking refresher), consider what happens in a layer 2 network. I don't know if you've ever thought about this, but when you're on a Windows machine and you click on "add a printer" and say it's a network printer, pretty soon a list of printers shows up. How does that happen? How does that work? Well, your computer sends out a broadcast that says, "Hey, are there any printers out there?" and the printers respond. Now, in small networks that works fine. But if your network has 20,000 devices and there are a thousand printers, believe me, the level of broadcasts in that network is going to be crazy, because not only do you have broadcasts when you're looking for a printer or a server, but Macs, PCs and Linux boxes all broadcast on a regular basis. For example, a PC will broadcast regularly to say, "Hey, I'm a PC and my NetBIOS name is such-and-such." As you get more and more computers, that level of broadcast in large networks is a huge problem. So moving to a layer 3 segmented network, where you only have 250 or so computers in a broadcast domain on an individual subnet, will make things work much, much better.

Additionally, segmenting your network has some security implications. For example, if you have servers on the same subnet as your users, the users can take over that server. The way that happens: remember how we translate an IP address into an Ethernet address so we can send a packet? That's called ARP. If somebody on a large broadcast domain ARPs for a server, the server will respond to say, "Hey, that's me," and the client machine will put that ARP entry into its ARP cache and happily send its traffic to the server. There's nothing to prevent an interloper from coming into your network and plugging in, and if we're all on the same IP subnet, I can send an ARP reply to the client machine (the PC that's talking to the server) that says, "Hey, the Ethernet address for the server's IP address is my address, not the server's," and the client machine will happily overwrite the server's Ethernet address with mine, so that all traffic sent to the server is actually sent to me. In the same way, I can send the server an unsolicited ARP reply that says, "Hey, this client machine's Ethernet address is mine, not the client machine's," and now all traffic from the client to the server and from the server to the client comes to me. I can simply forward it; I can record that traffic and forward it on. Now I have a man-in-the-middle attack, and nobody knows that I'm in the middle.
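As an added example (not part of the lecture), here is a small ARP monitor in Python that shows both halves of the attack just described and how an operator would catch it on the wire. It builds raw Ethernet/ARP frames for a constructed scenario (client 10.1.1.50, server 10.1.1.10 and an attacker; every address is made up), parses them the way a sniffer on a SPAN port would, and raises an alert when a reply arrives that no request solicited, or when an IP address that has already been seen suddenly claims a different Ethernet address.

```python
"""ARP monitor: parse raw Ethernet/ARP frames, learn IP->MAC bindings, and
alert on unsolicited replies or a known IP claiming a new MAC. Added example;
all addresses and frames are constructed test data."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

SERVER_IP, SERVER_MAC = "10.1.1.10", "aa:bb:cc:dd:ee:10"   # constructed
CLIENT_IP, CLIENT_MAC = "10.1.1.50", "aa:bb:cc:dd:ee:50"   # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"                          # constructed
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Build a 42-byte Ethernet + ARP (IPv4 over Ethernet) frame."""
    eth = _mac(dst_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op,
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}


class ArpWatch:
    """Passive ARP monitor, in the spirit of arpwatch: every ARP packet asserts
    sender_ip -> sender_mac, so learn that binding and flag changes; a reply
    that answers no outstanding request is flagged as unsolicited."""

    def __init__(self, protected=()):
        self.bindings = {}       # ip -> mac, as the victims' caches would hold it
        self.pending = set()     # (requester_ip, asked_for_ip) awaiting a reply
        self.protected = set(protected)
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] not in (ARP_REQUEST, ARP_REPLY):
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if pkt["op"] == ARP_REQUEST:
            self.pending.add((ip, pkt["target_ip"]))
        elif (pkt["target_ip"], ip) in self.pending:
            self.pending.discard((pkt["target_ip"], ip))
        else:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}, sent to {pkt['target_ip']}")
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            tag = " (PROTECTED HOST)" if ip in self.protected else ""
            self.alerts.append(f"MAC change for {ip}: {old} -> {mac}{tag}")
        self.bindings[ip] = mac


def demo():
    """Replay the lecture's scenario: normal resolution, then both halves of the
    poisoning (client told server-is-at-me, server told client-is-at-me)."""
    w = ArpWatch(protected=[SERVER_IP])
    frames = [
        build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, ZERO_MAC, SERVER_IP),
        build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP, dst_mac=CLIENT_MAC),
        build_arp(ARP_REPLY, ATTACKER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP, dst_mac=CLIENT_MAC),
        build_arp(ARP_REPLY, ATTACKER_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP, dst_mac=SERVER_MAC),
    ]
    for f in frames:
        w.observe(f)
    return w


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

After the four frames the monitor's bindings table shows both the server and the client "at" the attacker's MAC, which is what the two victims' ARP caches now hold, and four alerts have fired. Gratuitous ARP from DHCP renewals and high-availability failover will also trip the MAC-change check, so in practice you seed the known bindings and whitelist them; switches with Dynamic ARP Inspection do the same check in hardware. The structural fix the lecture recommends still stands: if the servers sit on their own subnet behind the core router, a user's ARP reply never reaches them.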
Let's talk about layer 3 switches for just a minute. Many vendors use the term "layer 3 switch." Notice these are contradictory terms: layer 3 is routing, and switching is layer 2, so when you say "layer 3 switch" you're saying "layer 3 layer 2," which really is a contradiction. What most vendors mean is that this is a device that can be configured as a router, or as a switch, or possibly both at the same time. We want to caution you that, while it's possible to make very complex and very difficult-to-understand configurations, we would encourage you to use a layer 3 switch as a router (that's fine; turn it into a router) or to use a layer 3 switch as a switch (that's fine too). Using one as both, intermixed, where these two ports are routed and those two ports are switched, all of a sudden becomes very difficult, because as you're standing in front of the switch trying to plug something in, you have to know the internal configuration of that switch to successfully plug things into the right place.

Moving back to the core network concept. Your core network is going to be the center of your network, where the fiber-optic cable runs from all buildings, and if the core network is unreliable, then your entire network is unreliable. So reliability is the key in your core network. Your core network ought to be the place where you invest in battery backup, possibly a generator, and you must have good air handling as well. One of the things I've noticed in many emerging regions is that grounding and bonding is sometimes an issue. You would notice this if you ever touch a rack or a piece of network gear and get a shock; that means grounding and bonding has not been done properly, and you should call an electrician to have it done. If you don't have good grounding and bonding, this can cause all kinds of problems: not only can the electricity hurt you, but it can cause all kinds of reliability problems.

Here's a diagram of what you will typically want at your core network. You're going to have a core router, and again that might be a layer 3 switch configured as a router, but you're going to route on it; again, routers give isolation between subnets. From that core location you're going to run fiber-optic cable to every remote building. This is a very typical design, and we will use this typical design throughout the rest of this course.

As we think about where to put servers: in large institutions you will have some department, maybe it's your bursar's office or your admissions office, that has a server with financial software or student information software, and they want to put it underneath their desk, because, well, it's their server and they want to see it and greet it every morning and say, "Hello, server, I'm happy to see you." This is not a proper design, because that means the server is out in some random building, and what do you do about good power to it, what do you do about good air conditioning, and how do you provide reliable service to it? So the right place to put your servers is in your core location. Servers should never be on the same subnet as any user, so they need to be on a separate subnet off the core router, and again they need to be in that same room as your core router, where you have good power and good air conditioning. A typical design is simply to have an interface off your core router that goes to a switch that has your servers on it. The next topic is where to put firewalls.
This design is a very typical design; many, many campuses use it, including campuses in the U.S. and all over the world. We will talk about an alternative design in a little bit, but the firewall in this position will protect all of campus from that nasty, mean outside world. That probably works in a corporate environment too, where every computer and every device on the network is controlled and managed, and you know people don't have administrator rights, they can't install things, and there's all kinds of fancy antivirus software. But campuses are not like that. People bring computers from home, students are on wireless, people have phones. So the challenge with this border firewall placement, as you saw in the previous diagram, is that you're not protecting users from each other. And the reality is, firewalls don't protect users from getting viruses. It used to be, back in the Windows XP days, that if you turned a Windows XP machine on on the Internet and started to install patches on it, you would almost immediately get a virus. That's not the way viruses happen now, because ever since Windows XP Service Pack 2, Windows comes by default with its own firewall. So firewalls aren't preventing you from getting viruses. How do you get viruses on PCs? Well, people are web browsing and they get a little pop-up that says, "Hey, we noticed you have a virus, click here to clean it." Well, if you click there, then you definitely have a virus. People also get viruses when they get some email that says, "Hey, you've won $10,000, open this attachment for details on how to collect." Well, you open that attachment and guess what, now you have a virus. Both of these activities are encrypted; you know, if that was a Gmail attachment, it is running over SSL, and a firewall's not going to protect you. And thus, through your firewall that you think is protecting you, you're getting no protection at all. So, again, viruses come from clicked links while web browsing and from email attachments, and the firewall isn't going to help.

As your bandwidth increases, as you go from 10 megabits to 100 to 1000, and for heaven's sake maybe even to as much as 10 gigabit external connections, firewalls have trouble scaling up to those kinds of speeds. So we want you to think about an alternative strategy, since firewalls don't protect users from viruses, and with the border firewall placement they can't protect users from each other. If somebody brings a virus-infected computer in, in the border firewall case, and plugs that computer into your network, they're in the soft inside middle of your network, where there is no firewall between them and other users, and no firewall between them and your servers, where your bursar's office, your payroll office and all the student records are. And guess what: if somebody breaks into your payroll office server, that's a bad thing. So we want you to think about this alternative firewall placement: placing the firewall between your campus network, which now is somewhat hostile (it's almost as hostile as the Internet), and the servers that you want to protect.

Another thing you want to consider is that not all servers are created equal. For example, some servers are dedicated primarily to student use, for example Moodle. If you were running your own local Moodle instance, every student has an account there. Well, I personally would not put a Moodle server on the same IP subnet as my payroll and financial systems, because I care about getting a paycheck. You might even want to segment your servers so that you have more public servers and more private servers. So put different classes of servers on different subnets.
A final idea and concept that we wanted to present to you about firewalls: if the politics don't allow you to move the firewall so that it simply protects your servers, but you have things that need better access to the Internet than you can get through your firewall, there's a concept called the Science DMZ. The notion of a Science DMZ is to remove devices in the path from end users to the Internet that interfere with the flow of packets. In this case we have, directly off the border router that's connected to your REN, a switch or possibly another router where you attach either servers or even end users to the border router, so they have direct access to the Internet without going through the firewall. I know many of you are somewhat horrified by that, that you would put devices on public IPs. Well, I will tell you that on my desk at the University of Oregon is a computer that's connected at one gigabit to a switch, and it has a public IP, and there is very little filtering, and I've never had that computer broken into. You can even ping it right now; it's called dsmithworkmac.uoregon.edu (all one word, lowercase), and you can ping it if you wanted to.

Let's talk for a minute about your border router. For many of you the border router will perform more simplistic functions, but the border router is mandatory if you're dual-homed. If you have two Internet connections, the only way to properly make that work right is to have a border router that provides the functions to move traffic to the two outside connections.
Many campuses in emerging regions will do NAT on this border router, and this NAT function actually acts somewhat as a firewall, simply by the fact that unless there's a static NAT translation on the border router, nobody from the outside world can deliver traffic to any part of your campus network unless the device on your campus network first initiates an outbound connection. So they cannot attack anything inside your campus network without that machine on the campus initiating an outbound connection to the attacker. So let's put this all
together. You can see we have a border router that connects to the ISP and your REN. We have a Science DMZ. That border router, which is probably performing NAT functions, connects to your core router. The core router connects to a firewall that protects your servers, and the core router also drives fiber-optic cabling to each of your buildings. Now, some of you might find that you can't really afford fiber to some locations, or that it's very difficult because some of your campus is on the other side of a very busy street that you don't own. In that case we would serve those remote buildings with wireless. It's very important, however, that you serve those remote buildings as if it were fiber: each remote building needs a separate interface on the core router, and you simply build a single point-to-point link on the end of that interface out to the remote building. A different remote building is a different interface on the core router, a different IP subnet and a different point-to-point link.
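The border-router NAT described above, as an added example (not code from the lecture): a port-overloading NAT table in Python, with the inside and outside form of each packet, showing why unsolicited inbound traffic is dropped, why a static translation deliberately punches a hole, and why the protection evaporates the moment an inside host is lured into connecting out to the attacker. The public address 203.0.113.5, the inside hosts and the attacker address are constructed test values.

```python
"""Border-router NAT as a quasi-firewall: outbound packets create translations,
inbound packets are forwarded only when they match one (or a static mapping).
Added example; all addresses are constructed documentation/test values."""
from dataclasses import dataclass
import itertools

PUBLIC_IP = "203.0.113.5"        # constructed border-router public address
INSIDE_PC = "10.20.2.33"          # constructed campus user machine
INSIDE_WEB = "10.20.0.10"         # constructed campus web server (published)
ATTACKER = "198.51.100.7"         # constructed outside attacker
GOOD_SITE = "192.0.2.80"          # constructed legitimate outside site


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class BorderNat:
    """Port-overloaded NAT (PAT) with static mappings and endpoint-dependent
    (symmetric) filtering: an inbound packet is accepted only from the remote
    endpoint the inside host actually talked to."""

    def __init__(self, public_ip, static=None):
        self.public_ip = public_ip
        self.static = dict(static or {})   # public_port -> (inside_ip, inside_port)
        self.dynamic = {}                  # (inside_ip, inside_port) -> public_port
        self.sessions = {}                 # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.next_port = itertools.count(40000)
        self.log = []

    def outbound(self, pkt):
        """Translate an inside->outside packet and record the session."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.dynamic:
            self.dynamic[key] = next(self.next_port)
        port = self.dynamic[key]
        self.sessions[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an outside->inside packet, or return None (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.static:                    # the hole you chose to punch
            ip, port = self.static[pkt.dst_port]
            self.log.append(f"static: {pkt.src_ip}:{pkt.src_port} -> {ip}:{port}")
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        sess = self.sessions.get(pkt.dst_port)
        if sess and sess[2:] == (pkt.src_ip, pkt.src_port):   # reply to an inside-initiated flow
            return Packet(pkt.src_ip, pkt.src_port, sess[0], sess[1])
        self.log.append(f"dropped: unsolicited {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
        return None


def demo():
    """Five probes against the same NAT; returns the NAT and what got through."""
    nat = BorderNat(PUBLIC_IP, static={443: (INSIDE_WEB, 443)})
    r = {}
    # 1. cold scan of a public port with no session behind it: dropped
    r["scan"] = nat.inbound(Packet(ATTACKER, 5555, PUBLIC_IP, 40000))
    # 2. inside PC browses a legitimate site; the site's reply is admitted
    out = nat.outbound(Packet(INSIDE_PC, 51000, GOOD_SITE, 443))
    r["reply"] = nat.inbound(Packet(GOOD_SITE, 443, PUBLIC_IP, out.src_port))
    # 3. attacker aims at that now-mapped port from elsewhere: still dropped
    r["hijack"] = nat.inbound(Packet(ATTACKER, 443, PUBLIC_IP, out.src_port))
    # 4. PC is lured (phishing link) into connecting to the attacker: traffic flows both ways
    out2 = nat.outbound(Packet(INSIDE_PC, 51001, ATTACKER, 8080))
    r["lured"] = nat.inbound(Packet(ATTACKER, 8080, PUBLIC_IP, out2.src_port))
    # 5. static mapping: anyone on the Internet reaches the published server
    r["static"] = nat.inbound(Packet(ATTACKER, 6666, PUBLIC_IP, 443))
    return nat, r


if __name__ == "__main__":
    nat, r = demo()
    for name, pkt in r.items():
        print(f"{name:<7} {'forwarded to ' + pkt.dst_ip if pkt else 'dropped'}")
```

The endpoint check in inbound() models a symmetric NAT; many routers use endpoint-independent filtering instead, which accepts any remote host on a mapped port and is weaker. Either way, the phishing link and the drive-by download from the firewall discussion are outbound connections from the inside host, so the NAT admits the attacker's side of them just as a border firewall would.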
To summarize these design concepts and the layer 2 versus layer 3 points: first off, build hub-and-spoke networks, both at the campus level and inside of the building. Route at the core, switch at the edge, and most importantly, only buy managed switches. If you have some unmanaged network equipment, great: take that and put it into a computer lab that is only one IP subnet, where the switch is in the same room as all of the devices and it's easier to troubleshoot. Do you have any questions?
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)