Tuesday, 30 November 2010

System Infrastructure

The infrastructure of the system is the arrangement of the components that make up those parts of the system that allow it to operate as a network. These parts are normally subdivided into three sections:
  1. Network infrastructure hardware and software
    This comprises all the bits of the system that are used exclusively (or principally) to provide the interconnection between the system's computers. This includes such things as:
    • Hubs and switches
    • Routers and bridges
    • File, application and database servers
    • Cabling and wireless link equipment
  2. End user hardware and software
    This comprises all the various items that provide the interface between the users and the network, such as:
    • Desktop and laptop computers
    • Computer networking software
    • Networked printers, scanners, plotters and their servers
    and such like that are part of the system, either permanently or temporarily.
    It excludes
    • Operating systems
    • Application software, such as Office, accounts packages etc
    • Local peripherals such as non-networked printers.
  3. System services
    This covers all the services that the system provides to you or your users, such as:
    • Networking functions (DNS, DHCP, NAT etc)
    • Security functions (Firewalls, Intrusion detection, network monitoring and tiering, software management)
    • Remote access functions (Internet connectivity, Intranet, Extranet, web, database and application services)
    • Business functions (backup and archive, telephone/VoIP connectivity)
Of course, such divisions are fairly arbitrary and services such as Voice over IP (VoIP) will involve the use of both hardware and software.

Tuesday, 23 November 2010

Designing the Business Network: The Hub

Home and very small business networks commonly use a single all-in-1 device to provide all the central network services, including Internet access, routing, switch/hub etc. Most larger businesses will want to use different, and maybe separate, devices. Why?

  • Functionality

    While the all-in-1 networking device meets the needs of the home user or the tiny one-man (person?) business network, it rarely provides enough functionality for more sophisticated networks. For instance, few all-in-1 switch-routers properly support Demilitarized Zones (DMZs) or provide an 'application layer' or 'stateful' firewall, which inspects the contents of data packets and data streams rather than just filtering on IP address information.
  • Availability and Reliability

    If you put all your networking eggs into a single basket, and that basket fails, the entire network fails with it. To keep costs low, most all-in-1 devices use a cheap, external 'wall-wart' power supply and a small plastic case. Rarely do they have any form of active cooling or any resilience: they are built down to a cost and if a part fails, the entire unit fails.

    You may be happy with this situation if your network is not business-critical or you can quickly replace a failed unit, but most businesses need their network to work, and may lose significant amounts of money if it fails.

    Also, most businesses have significant internal network traffic that is functionally independent of Internet traffic. If you want to make sure that your internal traffic continues even if your Internet Access router fails, then the Internet Access router and your network switch-hub need to be separate devices.

    In addition, many business-level devices are built to a specification rather than to a price (although, of course, price is significant) and have internal power supplies and active cooling (although see a later article concerning cooling fans!) and so are inherently more reliable than the domestic all-in-1 devices.
  • Versatility

    If you think that, later, you may need to enhance your network, then you may decide that the domestic all-in-1 device is not versatile enough. For instance, few of them are modular, their capabilities may be very limited and they may not be upgradeable.

    Business-level devices are often modular, and have expandability built-in, as well as supporting 'firmware' upgrades that allow them to adapt to changing standards. They also support many of the more sophisticated networking protocols that provide resilience in high-availability systems.

    Buying business-grade devices may seem extravagant at first, but will enable you to significantly enhance your network without having to replace them as you enhance your network and thus wasting some of the initial investment.

When do I use a hub, when a switch and when a router?

  • Hubs

    Hubs are dead. Nobody much uses them any more. What is a hub? It is a device that allows data from any attached device to pass unhindered to any other attached device. There is no filtering and every data packet on the segment is visible to every attached device. What does this mean? It means that the file the Financial Director is copying from his PC to the server could be intercepted by any PC on the segment. The video download the salesman is watching clogs up the connections of all the devices on the segment.

    All the devices connected to a hub are in the same 'collision domain'. Hence, if two devices try to send data at the same time, there will be a data collision and the data will be corrupted. The devices detect this and will wait for a random period before trying again. Once the total traffic on the segment exceeds about 70% of the bandwidth of the slowest spoke, then users will start to notice that the network is slowing down. Originally, all the spokes of a hub had to use the same data speed (the speed of the slowest device) although 'two-speed hubs' were developed that contained a switch that allowed devices of different speeds to connect to the same hub.

    Generally, a hub does not require an IP address to be assigned to it and has no, or very limited, management capabilities. Two-speed hubs are more flexible. Since they include a switch, many of the switch management functions may be available in a limited fashion.
  • Switches

    Switches add (limited) intelligence to the hub function. They route traffic between spokes based on the IP source and destination addresses. There is little sophistication to this. All it means is that traffic between two attached devices is blocked from appearing on any spoke that does not form part of that direct link. This keeps the traffic on each spoke to a minimum, and you could have two devices transferring data at almost the full speed of the spoke without significantly slowing traffic on other spokes. Of course, if one of the spokes is connecting to the central file server, or to the Internet, then the total traffic between all the attached devices and the server/internet will pass down that spoke.

    Another function performed by a switch is to bridge Ethernet segments that operate at different speeds. It does this by buffering the data and retransmitting it at the speed of the outgoing spoke. This means that devices of different speeds can be connected to a switch. Each switch-device spoke is a separate collision domain so overall throughput is improved as collisions are less frequent. If full duplex is used (the default) then there will never be a collision on a segment linking a single device to a switch. Data loss can occur in a switch if the incoming data rate is much higher than the outgoing and the protocol does not implement any form of high-level data transmission control. Once the buffer in the switch fills up, data will be dumped. The switch will normally indicate this either to the sending device or on its panel indicators.

    Generally, a switch does not require an IP address to be assigned to it. If the switch has a management capability, then it may need an IP address either from the switched subnets or on a dedicated management port. Management capabilities may include:
    • Enabling/disabling specific ports
    • Assigning a port to a specific subnet (if the switch supports multiple subnets)
    • setting port configuration (speed, duplex, priority, MAC filtering, port mirroring and aggregation etc)
  • Routers

    A router adds an additional rule-based layer to the switch function. Traffic can be routed or blocked based on data type, protocol and IP address. A hub or a switch can only deal with data traffic between nodes that are directly connected to it, but a router contains instructions (called a routing table) that tell it what to do with data to and from IP addresses that are not on a directly-connected network. Unlike (most) switches, the rule set can be altered to meet the requirements of the user.

    Since a router is, as far as a switch is concerned, an end-point for traffic passing through it to other subnets, it needs an IP address on each attached port. These addresses will be assigned by the system admin from the pool of addresses assigned to each subnet.
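As an added illustration of the routing-table and rule-based behaviour described above (example code written for this page, not from the original post), the following Python models a small router with two directly connected subnets: a longest-prefix lookup decides where a packet goes, a first-match rule set decides whether it is allowed at all, and traffic between two nodes on the same subnet never reaches the router because the switch handles it. All addresses, interface names and rules are constructed values.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None means directly connected
    interface: str

class Rule(NamedTuple):
    action: str                  # "permit" or "block"
    protocol: str                # "any", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# Constructed routing table (example values, not from the original post):
# two directly connected office subnets plus a default route via the
# Internet access router on the WAN side.
ROUTING_TABLE = [
    Route(ipaddress.ip_network("192.168.10.0/24"), None, "lan0"),
    Route(ipaddress.ip_network("192.168.20.0/24"), None, "lan1"),
    Route(ipaddress.ip_network("0.0.0.0/0"),
          ipaddress.ip_address("203.0.113.1"), "wan0"),
]

# Constructed rule set, first match wins: internal subnets may talk to each
# other, anything may go out, nothing from outside may come in unsolicited.
RULES = [
    Rule("permit", "any", ipaddress.ip_network("192.168.0.0/16"),
         ipaddress.ip_network("192.168.0.0/16")),
    Rule("permit", "any", ipaddress.ip_network("192.168.0.0/16"),
         ipaddress.ip_network("0.0.0.0/0")),
    Rule("block", "any", ipaddress.ip_network("0.0.0.0/0"),
         ipaddress.ip_network("192.168.0.0/16")),
]

def lookup(dst, table=ROUTING_TABLE):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if dst in route.network and (
                best is None or route.network.prefixlen > best.network.prefixlen):
            best = route
    return best

def check_rules(protocol, src, dst, rules=RULES):
    """Return the action of the first matching rule ('block' if none matches)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.protocol in ("any", protocol) and src in rule.src and dst in rule.dst:
            return rule.action
    return "block"

def forward(protocol, src, dst, table=ROUTING_TABLE, rules=RULES):
    """Describe what happens to one packet: switched, routed, blocked or dropped."""
    src_route = lookup(src, table)
    dst_route = lookup(dst, table)
    if src_route is not None and src_route.next_hop is None and src_route is dst_route:
        # Both ends sit on one directly connected subnet: the switch carries
        # the frame and the router's rule set never sees the packet.
        return f"switched on {src_route.interface}"
    if check_rules(protocol, src, dst, rules) == "block":
        return "blocked by rule"
    if dst_route is None:
        return "dropped: no route"
    if dst_route.next_hop is None:
        return f"delivered directly on {dst_route.interface}"
    return f"routed via {dst_route.next_hop} on {dst_route.interface}"

if __name__ == "__main__":
    for proto, s, d in [("tcp", "192.168.10.5", "192.168.10.9"),
                        ("tcp", "192.168.10.5", "192.168.20.7"),
                        ("tcp", "192.168.10.5", "198.51.100.20"),
                        ("tcp", "198.51.100.20", "192.168.10.5")]:
        print(f"{proto} {s} -> {d}: {forward(proto, s, d)}")
```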

So, when to use a hub, switch or router?

Generally, within a simple home or SME network, there is no need for internal routing. A switch or a hub is all that's necessary to allow the devices attached to your network to communicate. Originally, hubs were cheap and switches expensive, but now switches are often cheaper than hubs, so use switches. In this arrangement, all the devices in your network use IP addresses from the same subnet.

Where you want to exchange data with someone else's network or your internal network has more than one subnet, you will need to use a router. Hence, to connect to the Internet, you will need a suitable Internet Access router.

You may hear talk of bridges, repeaters and gateways. What are they and what do they do?
  • Bridge

    A network bridge is, effectively, a switch. The terms switch and network bridge are often used interchangeably although use of the term network bridge normally indicates that the transport layer is different either side of the bridge (such as Apple LocalTalk to Ethernet). A network bridge does not convert the protocol carried on the two media.

    A Protocol Bridge (or protocol converter) interconnects two otherwise incompatible network protocols. This is a more complex function than network bridging and is often carried out on a general-purpose computer. An example of a protocol bridge was where a Novell Netware server could be used to provide a bridging function between a network using IPX/SPX and one using TCP/IP. If you stick to TCP/IP, you won't need to worry about protocol bridging.
  • Repeater

    A repeater is a two-port network hub. It is used to regenerate Ethernet signals so that the normal 100 meter range of a single network spoke can be extended. There are strict limits on how far a single spoke can be extended without using a switch or router due to the timing constraints of the Ethernet specification.
  • Gateway

    Another name for a router. Often used to indicate a router plus a modem for Internet access.

Designing the business network: Cabling schemes

Why do you need a cabling scheme? Why not simply lay the cables on the floor?

Safety and reliability is the main justification here: You don't want your family/employees tripping over trailing cables: they may hurt themselves and will almost certainly damage the cables. Damaged cables are a principal cause of mysterious networking faults and can be extremely hard to trace...

The single hub-and-spoke approach

If you are implementing a small home or very small business installation, then you will most probably want to use a simple hub-and-spoke design, with a central Internet Access switch/router and cabled or wireless spokes. This approach can be used relatively easily for up to two adjacent floors: the cables run in the lower floor ceiling void or in trunking at floor level of the upper floor and feed up to the upper floor and down to the lower.

The multiple hub and spoke approach

More than two floors are better addressed by a multiple hub-and-spoke approach, where each floor (or pair of floors) is covered by a separate hub with its own spokes. The separate hubs can then be linked by a single cable.

Unfortunately, many buildings do not lend themselves to easy cabling. Lifting floorboards and drilling through walls and floors is disruptive and damaging. Hence, most people use wireless. The oddities of wireless will be discussed in a separate article.

Ad-hoc or flood wired?

Wired installations generally fall into two types: ad-hoc, where cables are run as needed, and flood-wired, where cables are run to all the likely locations.

Flood wiring has a higher initial cost and greater initial disruption but is far more versatile. Ad-hoc may have lower initial cost and less disruption, but the cost and disruption is repeated whenever a new cable needs to be run due to expansion of the network or rearrangement of the house/office environment. Thus most businesses will opt for a flood-wired installation to be done while the office is being set up, converted or refurbished.

Flood-wiring schemes

It may appear that a flood-wiring scheme is simple to implement, but a number of things should be borne in mind:
  • You will need to identify a central location to house your switch/router. Although a central location is not essential, it is sensible as it minimizes cable lengths.
  • If your office is on more than one floor of a building, then the location needs easy access to all floors.

To minimize disruption, most businesses use skirting or dado rail trunking to distribute data network cables. These often contain mains power distribution and telephone cabling as well.
  • Skirting trunking is popular but can be slightly obtrusive where it has to cross doorways and corridors.
  • Dado trunking is more obvious, but can often be routed above doors and windows and across corridors at ceiling level. You can either put in 'drops' where conduit feeds down the wall from the trunking to sockets at desk level, or, perhaps more commonly, have the power, phone and data sockets mounted on the dado with cables forming the drop. The choice is yours. The former is more visually appealing and may be slightly more reliable but the latter is more versatile.

There are a number of 'rules' (actually, strong recommendations) to bear in mind when flood wiring:
  1. Put in more network cables and points than you think you'll need. They are cheap (at this stage) and will avoid the need for additional wiring later or the inconvenience of scattering small portable hubs/switches around the office to connect additional devices.
  2. Never drape loose cables across access ways or where they can be damaged by furniture. Wheeled office chairs are death to networking cables (and I have seen some extremely dangerous mains extension damage caused by people repeatedly rolling office chairs across a mains lead!). If you must have desk islands that don't touch a wall at any point, then you can:
    • Run trunking across the ceiling and drop down onto the desk island (often seen in supermarket check-outs)
    • Have suitable sockets inset into sunken boxes in the floor: this is nice if you own the building, but it is expensive, not very versatile (if you move the desks, you can't easily move the sockets) and may upset the landlord!
    • Run cables across the gangway inside a special shaped floor-level cable protector. However, remember that people can still trip over cable protectors (especially if they're not well maintained) and that they can be hard to wheel trolleys over.
  3. Keep cables away from heating pipes, radiators and other hot equipment. Steam pipes will melt PVC network cables in seconds! If your cables need to be in contact with heated surfaces, use PTFE-sheathed cable or cover PVC cables with a loose-fitting heat-resistant sheath. Use of trunking obviates such problems.
  4. Keep network cables away from powerful sources of interference. Most networked cables are un-screened and can easily pick up interference, especially pulse interference from electromagnets, arc welders and radio transmitters. If proximity to such equipment is essential, you might want to use screened twisted pair cable, but this is much more expensive and will need special jack boards to terminate and earth the screens properly.
  5. Keep networking devices such a switch/routers, away from heat and interference sources.
  6. If you put your networking devices in a cabinet or cupboard, make sure the ventilation is adequate. Most commercial-grade equipment will fail if the ambient temperature exceeds about 70°C. Similarly, cold will affect the devices too, as will damp, mice and other environmental hazards...
  7. Most flood-wiring schemes result in all the spoke wires being returned to a central location and terminated on jack panels. The hub devices are normally mounted in or near the same rack. Make sure that you provide adequate power, security, access and lighting. Label all jack points so you know which spoke they relate to.

So I've installed my flood-wiring scheme: How do I use it?

To use a flood-wired installation:
  • Plug the device you want to connect into the nearest network socket, remembering the 'rules' about trailing cables, heat sources etc. Note the ID of the socket you've chosen.
  • Go to the network cubby and fit a patch lead between the jack socket that relates to the socket you've used and a spare port on the switch-router.
  • Switch on your device and configure it (see the notes on designing your network and DHCP).

What if there are no spare ports on the switch/router?

Then you didn't design your network properly! But there is a fix:
  • You buy an Ethernet switch-hub and install it in your cubby (this is why you need spare power points in the cubby!)
  • Unplug a patch lead that services a spoke device (NOT the one to your main file server or to another hub!) from the switch-router
  • Plug a new patch lead into the port you've just freed up on the switch-router. Plug the other end into the switch-hub. Normally you can use any port, but sometimes you must use a particular one designated for up-links, and sometimes there's a switch you have to set to the 'up-link' position
  • Plug the patch lead you unplugged into one of the switch-hub ports.
  • Plug a new patch lead from the jack socket you've connected your new end-user device into to a spare port on the new switch-hub.

You're done, and you now have more spare ports on the new switch-hub that you can use in the future...

Some flood-wiring 'gotchas'

There are a few things you need to look out for when flood-wiring a building.
  • The maximum length of any one piece of Cat-5 UTP cable is about 90 meters. Sometimes longer lengths will work, but usually strange faults will appear that will be hard to trace. This limit is a design feature of Ethernet, where there is a maximum design distance of 100 meters between devices.
  • If you use a multi-hub design, make sure that you run a few spare cables between the hubs. Why?
    • Firstly, it gives you some spares in case the cable interconnecting your hubs fails.
    • Secondly, if you run out of hub ports on one floor but have spares on another, you can link them between floors using one of these cables, but remember that 100 meter maximum cable length between two devices.
    • Thirdly, if you later decide to upgrade to a resilient design, you can use a spare cable to provide the additional link.

Network Cabling

This is a key part of most networks. Even those that rely heavily on wireless will require at least a minimum of cabling.

There are two main types of cabling in use today:

  1. Unshielded Twisted Pair (UTP) cable.

    UTP cable has had a number of different incarnations. The first that had a wide impact was Category 4, which supported 10Mbps networks (known as 10Base-T). This was soon replaced by Category 5, which supported 100Mbps (100Base-TX), Category 5e and Category 6 which support 1Gbps (1000Base-T/TX). Category 6a also supports 10Gbps Ethernet to a limited extent. Virtually all Category 5, 5e, 6 and 6a cable is eight core (four twisted pairs).

    10Base-T and 100Base-TX will work with two twisted pairs so it is a well documented (but unapproved!) practice to run two Ethernet links down a single 8-core UTP cable. This should be avoided as performance and range are degraded.

    1Gbps and 10Gbps Ethernet require all 4 pairs so a cable can carry only a single connection. More recent Category 7 and 7a cables are categorized up to higher speeds than Cat 6 and 6a, but have a shielded construction that will require shielded connectors (as do some Cat6 cables)...

    Generally, cables laid into ducts in buildings will be solid-core UTP terminated in wall-mounted 8P8C (or 'RJ45') sockets or 19" rack-mounted 8P8C jack strips. These are fitted using a 'punch-down' tool similar to those used for telephone connections.

    Patch leads that connect between devices and the 8P8C sockets will generally use multi-strand UTP cable (for increased flexibility) terminated with crimped-on 8P8C plugs. Generally, unless you intend to manufacture lots of special or non-standard patch leads, commercial patch leads should be used as the attrition rate for unskilled manufacture of patch leads by hand crimping is very high!
  2. Fiber Optic cable.

    The use of fiber optic cable in home and small business LANs is extremely limited. It is far more fragile and difficult to handle than UTP and the cut fragments of fiber present a significant health and safety hazard. Normally, all work on fiber should be carried out by specialist contractors.

    The two major types of fiber are:
    • Multi-mode, where the diameter of the glass core is much larger than the wavelength of the light. This means that there are multiple different paths the light can take within the fiber and hence there is a significant variability to how long the light pulses take to traverse the fiber. This results in loss of definition of the pulses and severely limits the range that can be achieved to a few hundred meters. Recently, however, multi-frequency interface cards have been introduced to allow several different signals to be passed through a single fiber to achieve greater bandwidth.
    • Single-mode fiber has a core of similar diameter to a wavelength of light. The light is constrained to a single path and much greater ranges can be achieved (up to 70km), at the expense of much greater cost.
    All fiber is extremely sensitive to handling, and tight curves and excessive flexing must be avoided. If the fiber bends too tightly, or the core fractures, the range and performance of the fiber can be grossly reduced.

Most small networks will use Unshielded Twisted Pair (UTP) cables exclusively. The cost and fragility of Fiber Optic cables tend to limit their use to server rooms, extended LAN or WAN connections or backbone connections between buildings or floors of buildings.

Historically, there were two other types of Ethernet network cable. Both used coaxial cable. The original (10Base5) became known as 'Thick wire' and the later 10Base2 became known as 'Thin wire'. Old equipment to this standard can still be found in second-hand sales, but should be avoided!

Saturday, 20 November 2010

Implementing the Home Network

Now that you've designed your home network, it's time to install and commission it:
  1. Select and buy the parts
    • The Internet Access switch-router:
    • As stated in the design, this needs to support:
      • A cable modem
      • Internet routing
      • 6 Ethernet switch ports
      • An IEEE802.11g Wi-Fi infrastructure access point
      • A (packet filter) firewall
      • DNS, DHCP and NAT services
      One issue is that there are not many domestic-class switch/routers that have more than four Ethernet ports. If you can't get one, buy a separate four-or-more-port switch and connect it to your switch-router. You will then have at least 6 available Ethernet ports (remember, one of the Ethernet ports on each device will be used to connect them together). Most switches and switch/routers will work out automatically which port is being used to link them together. Some will require you to tell them and others assign a particular port. Sometimes, that particular port has a switch you'll need to set to 'link'.
    • A suitable lead and adapter to connect your cable terminal to the Internet switch/router
    • One RJ45 panel socket, faceplate and backing box for each end of the cables. It may be preferred to fit a 'jack strip' near the router or to terminate the router ends of the network cables with flying plugs. A jack strip is the neatest (but dearest) solution. You will need a 'punch-down' tool to secure the wires to the sockets, and a crimping tool if you want to fit plugs to the cables.
    • A reel of a suitable Cat-5 cable
    • One short Cat 5 patch lead for each link from the switch(es) to the jack strip/sockets. Normally, a 30cm lead will be long enough.
    • One Cat-5 patch lead to connect each of the room Ethernet points to the device assigned to it. Patch leads up to 5m are readily available. Longer ones are also available but are usually disproportionately expensive.
    • I recommend a surge-protected distribution board to protect your router etc from mains surges.
    Note: if you decide to make your own patch leads, then the Cat 5 cable used to run between sockets is much stiffer than the patch cable. It is single strand rather than multi-strand and so will be much more likely to be damaged by repeated flexing. Hence you are better to buy proper patch cables than try to make your own...
  2. Install and configure the network
    • Run Cat 5 UTP cable from the router location to each of the hard-wired network points.
    • Fit the backing boxes, faceplates and network sockets.  Fit the router-end jack strip, sockets or loose plugs.  Make sure to label the sockets/leads so you know which one goes where.
    • Configure your switch/router
      • Assemble the Internet access switch-router and position it close to your desktop PC.
      • Connect a patch lead directly from your PC's Ethernet socket to one of the switch-router ports. Again, it usually doesn't matter which one, but sometimes it does: read the manual.
      • Power up the PC and the switch-router.
      • Start up a Web Browser on the PC: You may have to manually set the PC's IP address to whatever the switch-router manual recommends.
      • Type the switch-router's IP address into the browser address window: again, follow the switch-router manual.
      • Once you've established connection with the switch-router's built-in web server, follow the instructions in the manual to:
        • Set the router to use your chosen IP address subnet
        • Set the static IP address of the switch-router itself (if you're not using the default)
        • Note: You will probably have to reboot the switch-router at this point if you've changed its subnet range or IP address. If so, you may also need to change your PC's IP address to one in your chosen range and set the PC's 'default gateway' to be the IP address of the switch-router to allow it to connect.
        • Set up the selected DHCP address range and enable the DHCP server.
        • Enter the settings your cable ISP has provided to configure the cable interface. You should not yet connect the cable interface.
        • Configure the firewall. Normally, by default, the firewall is enabled and set so that no connections will be accepted from the Internet via the cable modem, but all outgoing connections will be permitted. If not, set these options.
        • Enable Network Address Translation (NAT)
        • Set the Wi-Fi base station parameters:
          • Set a suitable network name - choose one that doesn't reveal too much while being something you can recognize
          • Select WPA-PSK (Pre-shared key), WPA2-PSK or WPA-PSK+WPA2-PSK ('mixed mode') as the security option, depending on what your peripherals support
          • Select mode g (or g+b if you need it)
          • Select a channel. Which channel you use will depend on what country you are in and whether anyone else nearby is using the default channel (which may cause interference). Stick with the default for the moment but you can change it later if you have trouble connecting to your Wi-Fi service. Most laptop PCs will list all the Wi-Fi services they can detect, and should list the channel each uses. Select a free channel.
          • Choose and set a suitable network key (the 'pre-shared key' mentioned above). For WPA-PSK and WPA2-PSK this should be between 8 and 63 alphanumeric characters (some symbols can also be included). The password should be one you can remember, and write it down and keep it in a safe place - not all switch-routers allow you to read it once you've set it up! You will need to enter this key into every device that needs to connect to your Wi-Fi service, so don't forget it!
          • Enable the service and allow broadcast of the SSID (Wi-Fi service name)
        Some switch-routers have additional services, such as parental control for Internet access, availability schedules, web site blocking, DMZ service, Dynamic DNS or VPN support, Management passwords etc. Set these up if you choose, but I suggest leaving them until after you've got the system working properly. The less you activate at this stage, the easier it is to troubleshoot faults and mis-configurations...
    • You can now connect the cable modem to the termination unit and allow the router to automatically log in to the Internet service provider. Once this is complete, your PC should be able to access the Internet.
    • To check that everything's working, set your PC IP settings to their final value then reboot both PC and switch-router. If everything's set up properly, the PC will connect to the switch-router and will have access to the Internet.
    • Move the switch-router to its final location. Connect the cable feed and connect Cat-5 patch leads between the switch-router (and additional switch) and the jack strip/network sockets (or plug the flying leads into the switch/router). Connect a patch lead from your PC to its room network socket. Your PC should connect to the switch-router and have access to the Internet.
    • Set up the static IP addresses on each of your permanently-connected devices, connect patch leads and ensure that they connect to the switch-router. Most will have a status LED near the network socket that will turn green, then flash irregularly as it detects network traffic.
    • Set up your Wi-Fi connected devices to use your named Wi-Fi service. You will need to configure the device to obtain its IP address automatically from the network. You will need to enter the pre-shared key into each device to allow it to connect. Each device should show when it is connected - check out its manual.
You should now have a functioning network with Internet access.  There are several additional tasks you might need to do:
  • Disable SSID broadcast on the switch-router: devices which have been set up to access your Wi-Fi service will still be able to connect, but others will not be able to see your service name. This makes it (slightly) harder for someone to break in to your Wi-Fi network.
  • Put all your Windows PCs into a Workgroup, so that they will be able to see one another's network shares (they will still need to enter a username and password to access them).
  • Set up print queues to allow your PCs to print to networked devices
  • Configure all the other functions your switch-router supports. CAUTION: do these one at a time, so that if there's a problem, you know what to undo!

Designing the Home Network

Before you begin your design, you need to make sure that you've answered all the questions I referred to in earlier posts.

This design is based on the following assumptions:
  • The network will use a single tier hub-and-spoke architecture
  • It will be based on a mixture of hard-wired and wireless spokes and will use the Internet Protocol Suite
  • It will connect to the Internet using Cable
  • The Internet will be disconnected when the house is unoccupied
  • There will be three 100Mbps wired nodes downstairs, and three upstairs
  • All Wi-Fi connections will use IEEE 802.11g
  • There will be:
    • at least one Wi-Fi connected laptop PC and one hard-wired PC
    • a hard-wired networked All-in-1 printer/scanner/copier
    • a Wi-Fi connected portable printer
    • at least one Wi-Fi connected Voice-over-IP (VoIP) capable phone that will access Skype
    • a Wi-Fi connected smart meter and games console
  • Guest connections will be permitted, and the laptop, portable printer and games console may be connected to other networks
These assumptions imply the following design decisions:
  • Use a domestic class switch-router which incorporates the following:
    • A router
    • A 6-port Ethernet switch
    • A Wi-Fi infrastructure access point
    • A firewall
    • A DNS server/relay
    • A DHCP server
    • A NAT server
  • Have a dynamic public IP address assigned by the cable ISP
  • Decide on a location for the router as near the center of the property as is compatible with access to the cable terminal
  • Select a private IP address range.  This is selected for this design to be (i.e. a single block of 256 addresses from to
  • Allocate a DHCP block from within the IP range.  This is selected for this design to be to (a single block of 100 addresses)
  • Allocate an IP address for the router itself from your private IP range. This is selected for this design to be  Some routers make this selection for you, and often choose the first address in the subnet (in this case this would be  The actual address chosen is not important, but to make it easy to remember and to help to trace faults later, I suggest either the first or last available address in your chosen range (.1 or .254 - remember, the .0 and .255 addresses cannot be used as device addresses)
  • Allocate addresses for your permanently-connected devices (your desktop PC, printer etc.)  Again, to make it easy to remember, I tend to allocate peripherals such as printers, smart meters etc. addresses next to that for the router, and addresses for PCs from the far end of the address range so, for instance, for this design I would select:
    • for the networked All-in-1 printer
    • .252 for the smart meter (assuming that this can be altered - usually it can!)
    • .251 for the VoIP phone
    • .1 for the desktop PC
  • All the other devices (the laptop, portable printer, games console) will get their IP addresses automatically 
And that's it. Your network is designed.
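A consistency check for an address plan of the kind laid out above, added here as an example and not code from the post. It assumes a /24 private range of 192.168.1.0/24 with the router at .254, the DHCP block at .100 to .199 and the static devices at .253, .252, .251 and .1; all of these are sample values chosen for the example.

```python
import ipaddress

# Constructed sample plan. The private range and every address in it are
# assumptions for this example, not values taken from the post.
PRIVATE_RANGE = "192.168.1.0/24"
DHCP_POOL = ("192.168.1.100", "192.168.1.199")   # a block of 100 addresses
ROUTER = "192.168.1.254"                          # last usable address
STATIC = {                                        # permanently-connected devices
    "all-in-1 printer": "192.168.1.253",
    "smart meter": "192.168.1.252",
    "VoIP phone": "192.168.1.251",
    "desktop PC": "192.168.1.1",
}


def check_plan(cidr, dhcp_pool, router, static):
    """Return a list of problems with an address plan; an empty list means it is consistent."""
    net = ipaddress.ip_network(cidr)
    problems = []
    if not net.is_private:
        problems.append(f"{net} is not a private range")
    # The network (.0) and broadcast (.255) addresses cannot be given to devices.
    unusable = {net.network_address, net.broadcast_address}
    first, last = (ipaddress.ip_address(a) for a in dhcp_pool)
    if first > last or first not in net or last not in net:
        problems.append(f"DHCP pool {first}-{last} does not lie inside {net}")
    if first in unusable or last in unusable:
        problems.append("DHCP pool includes the network or broadcast address")
    pool = {ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)}
    # Every fixed address must be inside the range, usable, outside the DHCP pool
    # and unique; the router's own address is checked along with the rest.
    fixed = {"router": ipaddress.ip_address(router)}
    fixed.update((name, ipaddress.ip_address(a)) for name, a in static.items())
    seen = {}
    for name, addr in fixed.items():
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
        elif addr in unusable:
            problems.append(f"{name} {addr} is the network or broadcast address")
        if addr in pool:
            problems.append(f"{name} {addr} collides with the DHCP pool")
        if addr in seen:
            problems.append(f"{name} and {seen[addr]} both use {addr}")
        seen[addr] = name
    return problems


if __name__ == "__main__":
    for line in check_plan(PRIVATE_RANGE, DHCP_POOL, ROUTER, STATIC) or ["plan is consistent"]:
        print(line)
```

Running the check again after every change to the plan is the cheapest way to catch a static address that has drifted into the DHCP block, which otherwise shows up later as an intermittent address clash.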

However, we need to consider the implications of what we've designed.

  1. The Pros
  • It is simple and fairly cheap.
  • All the key functionality is contained within a single device (the Internet Access Router)
  2. The Cons
  • If the Internet Access Router fails, your network is toast...
  • There is no security once a device is connected to your network.  They will have unrestricted access to the Internet and any of your devices that don't have their own built-in security (hence, always use passwords on PCs...)

Thursday, 18 November 2010

Network Architecture

It is important to decide what network architecture you are going to use before selecting any hardware.

The architecture is the arrangement of the components that make up your system.

There are three basic architectures:

  1. A hub-and-spoke architecture comprises a central device (the 'hub') and a number of radiating arms (the 'spokes') terminating with networked devices ('nodes'). It may be extended by replacing the node at the end of one or more of the spokes with another hub plus its associated spokes. There are strict limits on the number of hub devices that can be cascaded in this way. The number of nodes the network supports is limited only by the available ports on the hub(s), the addressing scheme and certain limitations of the timing of the Ethernet signals.

    Virtually all small LANs and many large ones use an exclusively hub-and-spoke architecture, and the vast majority of these use Ethernet as the transport protocol.

    In this architecture, traffic from each node is directed back to the central hub. Traffic between nodes travels into the hub and back out to the target node. Pros:

    • It is simple and intuitive.
    • The single cable between the hub and each node, and the single cables between linked hubs, simplify cable runs and allow buildings to be 'flood wired'
    • It supports high speed connections. (Up to 1Gbps now common. 10Gbps becoming available)
    • Hubs can incorporate switches and routers to direct and segment traffic within the LAN, reducing traffic loads on some of the network links. This can also help security as, otherwise, every node can monitor all traffic on the network
    • It supports wireless technology using wireless routers and wireless network interfaces on workstations
    • It is the most widely-used architecture therefore there are plenty of devices available in a wide range of capabilities and prices
    Cons:
    • It uses Ethernet, which is based on "Carrier sense multiple access with collision detection (CSMA/CD)" technology: each node transmits its data when it's ready to do so and listens to ensure that the transmitted data did not collide with data transmitted by any other node. If it did, it waits for a while and tries again. This means that, if the network is busy, some data can take a long time to be successfully transmitted. The use of full-duplex transmission and segmentation of the network can minimize this problem
    • If the cable connection, the network port or the hub fail, a workstation/server can be isolated from the network. This can be minimized by resilient design
    • If the central hub fails, then the entire network can stop working. Use of resilient design can minimize the impact of failures, but this can be expensive. Hot/cold standby devices can minimize downtime.
    • The maximum data transmission rate of the network is limited by the backbone speed of the hub. If the central hub is slow, there is no point in investing in high-speed data transmission between the hub and the spoke nodes
  2. A ring architecture comprises one or more closed rings of devices ('nodes'), each one connected to both the node before it in the ring and the node after. Several rings may be interconnected using special nodes that route traffic between the rings.
    There are two main ring architectures used in local area networking:
    1. IBM Token Ring
    2. Fiber Distributed Data Interface (FDDI)
    Ring architectures tend to use a 'token passing' mechanism, whereby a designated 'master' node issues a 'token' that it passes on to the next node in the ring. This then passes it on to the next and so on until the token returns to the issuing node. Nodes may only transmit onto the network while they are in possession of a token. The configuration of the network deals with issues like the frequency of token issuing (assuming the token does not return) and how long each node can retain the token. Pros:
    • Most ring architectures have a mechanism to deal with a single break in the ring. If the master node does not receive the token back from the ring, it issues a new one after a programmed delay. Additionally, any node that fails to receive a token for a programmed time can elect itself 'master' and issue a token. A down-stream master node that receives a token from a different node will demote itself and cease issuing further new tokens. This means that the node immediately after any break eventually becomes the master and takes over issuing tokens. There will be a delay after the network is broken before the traffic can resume.
    • Each node is connected to the node before it and also the node after it in the ring using separate cables. Hence, each node has two connections, so a single cable failure will not completely isolate the node.
    • Rings may be made bidirectional, using additional cores in the cable connection. FDDI uses this mechanism, with two independent tokens rotating around the ring in different directions. This can double the data rate (to 200Mbps for FDDI).
    • FDDI's inherent resilience makes it ideal for providing a backbone to which to interconnect the main servers
    Cons:
    • The basic ring system requires two cables to each workstation, increasing cabling complexity. Since cables run between adjacent nodes on the ring, the cabling is generally more complex than hub-and-spoke. IBM introduced a central token ring hub (a Multi-station Access Unit or MAU) which allowed each node to be wired back to a central point. This reduced cabling complexity but also removed the resilience aspect of using a ring.
    • The number of active nodes supported by each ring is strictly limited
    • Token ring is expensive, and FDDI very expensive. They are both slow by modern network standards:
      • IBM Token Ring is limited to 16Mbps (although higher speeds of 100Mbps & 1Gbps were introduced, they generally failed to achieve wide market penetration)
      • FDDI is rated at 100Mbps, although bidirectionality allows up to 200Mbps. This compares unfavorably with modern 1Gbps or 10Gbps hub-and-spoke Ethernet backbones
    The older architectures (such as Token Ring) are now almost extinct, and should not be used for new designs. Since FDDI and other ring architectures have not kept up with modern network speeds, hub-and-spoke is also increasingly used in large corporate networks.
  3. A mesh architecture is one where each node is directly connected to all or some (more than two) of the other nodes.

    Pros:
    • It can be very fast, as each node communicates directly with each other node
    • It can be very reliable, especially if the mesh is configured so that nodes will route traffic round a failed node or cable
    • It can be very secure, as traffic is normally routed directly between nodes, so it is impossible to monitor inter-node traffic from other nodes
    Cons:
    • It is very complex and hard to configure, and faults can be hard to trace
    • It is very expensive, as multiple network interfaces are required in each node to allow a dedicated connection to each other connected node

    Although a rather simple form of mesh is used for the backbones of highly-resilient networks, there are no practicable mesh or point-to-point systems in use for home or SME local area networking.

Tiered architectures
Generally, small networks are arranged in a single tier (i.e. all the devices are connected to a segment or number of segments that do not have any security or traffic filtering between them).

This has the following effects:
  • Every device can direct traffic to any other device on the network
  • All devices can send and receive traffic using any protocol supported by the network
Dividing a network into tiers involves splitting the network up so that different devices are connected to different segments, and those segments are separated by some sort of filtering mechanism - normally a router acting as a packet-filtering firewall.

This has the following effects:
  • Only devices in the same tier can communicate directly, using any protocol the segment supports.
  • Devices in different tiers can only communicate at all if the firewall between tiers is set up to allow it, and then only using protocols that the firewall has been configured to pass.
Hence, with a tiered architecture, external Internet access could be limited to dedicated servers located on a 'DMZ' (Demilitarized zone) tier. These servers would be tightly controlled, dedicated to their function of servicing external access traffic and of extremely limited functionality. The firewall would be configured to allow only a very limited number of protocols to pass between these DMZ servers and other devices within the general network.

For design purposes, each tier can be treated as a separate 'network', and it was not uncommon to use a hub-and-spoke architecture for the upper (general-access) tier and an FDDI ring for the lower tiers where all the devices were contained within a single computer room.

The '3-tier' architecture
The most common tiered network is often referred to as a '3-tier' network, and has:
  • a general-access tier that all your workstations and 'public access' servers (such as web servers and email servers) connect to
  • an application server tier where specialist servers relay queries and replies between the general-access tier and the database tier
  • a database tier that contains the database servers that store your precious data

    Why is this good?
    • There is a firewall between the general access tier and the application server tier that limits which devices (and hence users) in the general-access tier have access to the application servers and what protocols they can use, minimizing the risk that users will gain unauthorized access to these servers.
    • There is a firewall between the application server tier and the database server tier that limits access to the database servers to specified application servers using specified protocols. These protocols are almost always different to those passed by the firewall between the general-access and application server tiers. This minimizes the risk that anyone who has obtained access to the application servers can use it to obtain access to the database servers.
    • Thus, there is no direct interaction between the general-access and the database tiers, so, for instance, a general-access workstation cannot log on to a database server. All interactions between workstations in the general-access tier and the servers in the database tier pass through the application servers. These closely scrutinize the queries, pre-process them and make sure that they do not contain any illegal requests or invalid data before passing them on. This minimizes the chance that submitted data will cause corruption of the database.
    So, why doesn't everyone use one?
    • It is very expensive, needing multiple separate servers and router-firewalls: it is considered very bad practice to have any device (other than the router-firewalls that connect them) attached to more than one tier.
    • It is very complex and hard to set up and manage, especially to make it secure enough to justify the cost
    • The system actually needs more than just three tiers. You almost certainly need a separate DMZ tier if you allow connection to the Internet, as well as a separate management tier (or, if you're really paranoid, separate management tiers for each traffic tier...) so it gets silly, and even some of the world's largest organizations have shied away from using it.
    Why mention it, then? It is the 'gold standard' of network design, and even relatively small organizations may need to use at least some kind of tiered structure if they store particularly sensitive data or allow third-parties to access their systems.
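A small model of the tier policy described above, added here as an example and not code from the post: tier membership is decided by segment, each inter-tier router-firewall is a default-deny rule list, and the result is that a general-access workstation can open a connection to the application tier but has no path of any kind to the database tier. The subnets, protocols and ports are assumptions made for the example.

```python
import ipaddress

# Constructed tier layout. The subnets, protocols and ports are sample values
# chosen for this example, not part of the original post.
TIERS = {
    "general": ipaddress.ip_network("10.1.0.0/24"),      # workstations, public servers
    "application": ipaddress.ip_network("10.2.0.0/24"),  # application servers
    "database": ipaddress.ip_network("10.3.0.0/24"),     # database servers
}

# What each inter-tier router-firewall passes, as (source tier, destination tier,
# protocol, destination port) for the side that opens the connection. Anything
# not listed is dropped: there is no general -> database entry at all, and the
# protocol allowed into the database tier differs from the one allowed into the
# application tier.
RULES = {
    ("general", "application", "tcp", 443),     # workstations reach app servers over HTTPS
    ("application", "database", "tcp", 5432),   # app servers query the database
}


def tier_of(ip):
    """Return the name of the tier whose segment contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in TIERS.items() if addr in net), None)


def allowed(src_ip, dst_ip, proto, port):
    """Default-deny decision for a connection opened from src_ip to dst_ip:port."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown segment: nothing passes
    if src == dst:
        return True           # same tier: no firewall in the path
    return (src, dst, proto, port) in RULES


def reachable_tiers(src_ip):
    """Other tiers a device on src_ip can open any connection to at all."""
    src = tier_of(src_ip)
    return sorted({dst for s, dst, _, _ in RULES if s == src})


if __name__ == "__main__":
    # A workstation can reach the application tier but never the database tier,
    # even with the protocol the database tier accepts from application servers.
    for dst in ("10.2.0.5", "10.3.0.9"):
        print(dst, tier_of(dst), allowed("10.1.0.20", dst, "tcp", 5432))
```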

So, that's all very interesting, but how does it all affect my network design?

Most of this is background to give you perspective and to point out what is available. As I said earlier, virtually all home and SME networks are single-tier, hub-and-spoke architectures, although, if, for instance, you want to let your children's friends or visitors to your business access the Internet while keeping your personal or business network private, then you should consider adding a 'DMZ tier' to place a firewall between your guests and your data...