Thursday 18 November 2010

Network Architecture

It is important to decide what network architecture you are going to use before selecting any hardware.

The architecture is the arrangement of the components that make up your system.

There are three basic architectures:

  1. A hub-and-spoke architecture comprises a central device (the 'hub') and a number of radiating arms (the 'spokes') terminating with networked devices ('nodes'). It may be extended by replacing the node at the end of one or more of the spokes with another hub plus its associated spokes. There are strict limits on the number of repeating hubs that can be cascaded in this way, because they all share a single collision domain; switches do not share a collision domain and are not subject to the same limit. The number of nodes the network supports is otherwise limited only by the available ports on the hub(s), the addressing scheme and the timing constraints of the Ethernet signals on each shared segment.



    Virtually all small LANs and many large ones use an exclusively hub-and-spoke architecture, and the vast majority of these use Ethernet as the transport protocol.

    In this architecture, traffic from each node is directed back to the central hub. Traffic between nodes travels into the hub and back out to the target node.

    Pros:
    • It is simple and intuitive.
    • The single cable between the hub and each node, and the single cable between linked hubs, simplify cable runs and allow buildings to be 'flood wired'
    • It supports high speed connections. (Up to 1Gbps now common. 10Gbps becoming available)
    • Hubs can incorporate switches and routers to direct and segment traffic within the LAN, reducing traffic loads on some of the network links. This can also help security: a repeating hub copies every frame to every port, so any node can monitor all traffic on the segment, whereas a switch delivers unicast frames only to the port of the destination node. A switch is not a security boundary, though: a node on the same segment can still redirect or expose other nodes' traffic by forging ARP replies or by flooding the switch's address table, so anything that must be kept isolated belongs behind a filtering device (see the tiered architectures below)
    • It supports wireless technology using wireless routers and wireless network interfaces on workstations
    • It is the most widely-used architecture therefore there are plenty of devices available in a wide range of capabilities and prices
    Cons:
    • On a shared (half-duplex) segment, Ethernet uses "Carrier sense multiple access with collision detection (CSMA/CD)": each node transmits when the medium appears idle and listens to check that its data did not collide with data transmitted by another node. If it did, it waits for a random back-off period and tries again, so, if the segment is busy, some data can take a long time to be transmitted successfully. A full-duplex link to a switch has no collisions at all, so segmenting the network with switches and using full-duplex links removes this problem; the remaining cost on a busy switched LAN is queuing inside the switch
    • If the cable connection, the network port or the hub fail, a workstation/server can be isolated from the network. This can be minimized by resilient design
    • If the central hub fails, then the entire network can stop working. Use of resilient design can minimize the impact of failures, but this can be expensive. Hot/cold standby devices can minimize downtime.
    • The maximum data transmission rate of the network is limited by the backbone speed of the hub. If the central hub is slow, there is no point in investing in high-speed data transmission between the hub and the spoke nodes
  2. A ring architecture comprises one or more closed rings of devices ('nodes'), each one connected to both the node before it in the ring and the node after. Several rings may be interconnected using special nodes that route traffic between the rings.
    There are two main ring architectures used in local area networking:
    1. IBM Token Ring
    2. Fiber Distributed Data Interface (FDDI)
    Ring architectures tend to use a 'token passing' mechanism, whereby a designated 'master' node issues a 'token' that it passes on to the next node in the ring. This then passes it on to the next and so on until the token returns to the issuing node. Nodes may only transmit onto the network while they are in possession of the token. The configuration of the network deals with issues like how long to wait before issuing a new token (if the token does not return) and how long each node may retain it.
    Pros:
    • Most ring architectures have a mechanism to deal with a single break in the ring. If the master node does not receive the token back from the ring, it issues a new one after a programmed delay. Additionally, any node that fails to receive a token for a programmed time can elect itself 'master' and issue a token. A down-stream master node that receives a token from a different node will demote itself and cease issuing further new tokens. This means that the node immediately after any break eventually becomes the master and takes over issuing tokens. There will be a delay after the network is broken before the traffic can resume.
    • Each node is connected to the node before it and also the node after it in the ring using separate cables. Hence, each node has two connections, so a single cable failure will not completely isolate the node.
    • Rings may be made bidirectional, using additional cores in the cable connection. FDDI uses this mechanism: it has two counter-rotating rings, each with its own token. In normal operation the secondary ring carries no data and is kept as a backup; when a cable or node fails, the stations either side of the fault 'wrap' the primary ring onto the secondary to close the loop again. Running data on both rings at once can double the data rate (to 200Mbps for FDDI), but at the cost of that self-healing capability.
    • FDDI's inherent resilience makes it ideal for providing a backbone to which to interconnect the main servers
    Cons:
    • The basic ring system requires two cables to each workstation, increasing cabling complexity. Since cables run between adjacent nodes on the ring, the cabling is generally more complex than hub and spoke. IBM introduced a central token ring hub (a Multi-station Access Unit or MAU) which allowed each node to be wired back to a central point. This reduced cabling complexity but also removed the resilience aspect of using a ring.
    • The number of active nodes supported by each ring is strictly limited
    • Token ring is expensive, and FDDI very expensive. They are both slow by modern network standards:
      • IBM Token Ring runs at 4 or 16Mbps (although higher speeds of 100Mbps & 1Gbps were introduced, they generally failed to achieve wide market penetration)
      • FDDI is rated at 100Mbps, although bidirectionality allows up to 200Mbps. This compares unfavorably with modern 1Gbps or 10Gbps hub-and-spoke Ethernet backbones
    The older architectures (such as Token Ring) are now almost extinct, and should not be used for new designs. Since FDDI and other ring architectures have not kept up with modern network speeds, hub-and-spoke is also increasingly used in large corporate networks.
  3. A mesh architecture is where each node is directly connected to all or some (more than two) of the other nodes.



    Pros
    • It can be very fast, as each node communicates directly with each other node
    • It can be very reliable, especially if the mesh is configured so that nodes will route traffic round a failed node or cable
    • It can be very secure: in a full mesh, traffic between two nodes crosses only the link dedicated to that pair, so no third node can observe it without physical access to that link. In a partial mesh, any intermediate node that forwards the traffic can see it, so this advantage only holds for directly connected pairs
    Cons:
    • It is very complex and hard to configure, and faults can be hard to trace
    • It is very expensive, as multiple network interfaces are required in each node to allow a dedicated connection to each other connected node

    Although a rather simple form of mesh is used for the backbones of highly-resilient networks, there are no practicable mesh or point-to-point systems in use for home or SME local area networking.
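    A concrete illustration of the caveat under the hub-and-spoke 'Pros' above, that a switch limits passive sniffing but not active attacks from a node on the same segment. The following detector is an added example, not code from the original post. It reads ARP replies in the text format printed by 'tcpdump -n -e arp' and raises an alert when an IP address changes the MAC it is bound to, or when the Ethernet source of the frame differs from the hardware address claimed inside the ARP reply. The capture lines, addresses and the trusted-binding table are constructed for the example.

```python
"""Detect ARP cache poisoning from 'tcpdump -n -e arp' output.

A switch only stops a node from passively seeing other nodes' unicast
frames. Any node on the segment can still send forged ARP replies so that
frames meant for (say) the gateway are switched to it instead. Two cheap
indicators of that, both checked below:
  * an IP address changes the MAC it is bound to ("flip flop");
  * the Ethernet source of the frame is not the hardware address the ARP
    payload claims.
Added example, not code from the original post; all addresses and capture
lines are constructed.
"""
import re

# Matches one ARP reply line as printed by 'tcpdump -n -e arp'.
ARP_REPLY = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

# Constructed capture: 10.0.1.1 is the gateway at ...:01. The third line is a
# forged broadcast reply claiming the gateway's IP for another MAC; the fourth
# carries an ARP payload whose hardware address does not match the frame's.
# The last line is ordinary IP traffic and is ignored.
SAMPLE_LINES = [
    "12:00:01.000000 00:11:22:33:44:01 > 00:11:22:33:44:20, ethertype ARP (0x0806), "
    "length 42: Reply 10.0.1.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:01.000500 00:11:22:33:44:20 > 00:11:22:33:44:01, ethertype ARP (0x0806), "
    "length 42: Reply 10.0.1.20 is-at 00:11:22:33:44:20, length 28",
    "12:00:05.000000 de:ad:be:ef:00:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Reply 10.0.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:05.000100 de:ad:be:ef:00:99 > 00:11:22:33:44:20, ethertype ARP (0x0806), "
    "length 42: Reply 10.0.1.30 is-at 00:11:22:33:44:30, length 28",
    "12:00:06.000000 00:11:22:33:44:20 > 00:11:22:33:44:01, ethertype IPv4 (0x0800), "
    "length 98: 10.0.1.20 > 10.0.1.1: ICMP echo request, id 1, seq 1, length 64",
]


def parse_reply(line):
    """Return (frame_src_mac, sender_ip, claimed_mac), or None for other lines."""
    m = ARP_REPLY.match(line)
    if m is None:
        return None
    return m["src"].lower(), m["ip"], m["mac"].lower()


def detect(lines, trusted=None):
    """Return a list of (kind, ip, detail) alerts for the given capture lines.

    `trusted` seeds the IP->MAC table with static bindings (at least the
    gateway), so a forged reply that arrives before the genuine one is still
    caught; without it, the first binding seen for an IP is taken as the truth.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for line in lines:
        parsed = parse_reply(line)
        if parsed is None:
            continue
        frame_src, ip, claimed = parsed
        if frame_src != claimed:
            alerts.append(("hw-mismatch", ip, f"frame from {frame_src} claims {claimed}"))
        known = table.setdefault(ip, claimed)
        if known != claimed:
            alerts.append(("binding-change", ip, f"{known} -> {claimed}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LINES, trusted={"10.0.1.1": "00:11:22:33:44:01"}):
        print(f"ALERT {kind:15} {ip:12} {detail}")
```

    The trusted table matters: a forged reply that arrives before the genuine one would otherwise be learned as the legitimate binding. This is the same first-seen logic that arpwatch-style monitors use; the preventive counterpart is DHCP snooping with dynamic ARP inspection on a managed switch, which drops replies that do not match the switch's own lease table.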



Tiered architectures 
Generally, small networks are arranged in a single tier (i.e. all the devices are connected to a segment or number of segments that do not have any security or traffic filtering between them).

This has the following effects:
  • Every device can direct traffic to any other device on the network
  • All devices can send and receive traffic using any protocol supported by the network
Dividing a network into tiers involves splitting the network up so that different devices are connected to different segments, and those segments are separated by some sort of filtering mechanism - normally a router acting as a packet-filtering firewall.

This has the following effects:
  • Only devices in the same tier can communicate directly, using any protocol the segment supports.
  • Devices in different tiers can only communicate at all if the firewall between tiers is set up to allow it, and then only using protocols that the firewall has been configured to pass.
Hence, with a tiered architecture, external Internet access could be limited to dedicated servers located on a 'DMZ' (Demilitarized zone) tier. These servers would be tightly controlled, dedicated to their function of servicing external access traffic and of extremely limited functionality. The firewall would be configured to allow only a very limited number of protocols to pass between these DMZ servers and other devices within the general network.

For design purposes, each tier can be treated as a separate 'network', and it was not uncommon to use a hub-and-spoke architecture for the upper (general-access) tier and an FDDI ring for the lower tiers where all the devices were contained within a single computer room.

The '3-tier' architecture
The most common tiered network is often referred to as a '3-tier' network, and has:
  • a general access tier that all your workstations and 'public access' servers (such as web servers and email servers) connect to (although, as noted below, anything reachable from the Internet is better placed on a separate DMZ tier)
  • application server tier where specialist servers relay queries and replies between the general-access tier and database tier
  • A database tier that contains the database servers that store your precious data



    Why is this good?
    • There is a firewall between the general access tier and the application server tier that limits which devices (and hence users) in the general-access tier have access to the application servers and what protocols they can use, minimizing the risk that users will gain unauthorized access to these servers.
    • There is a firewall between the application server tier and the database server tier that limits access to the database servers to specified application servers using specified protocols. These protocols are almost always different to those passed by the firewall between the general-access and application server tiers. This minimizes the risk that anyone who has obtained access to the application servers can use it to obtain access to the database servers.
    • Thus, there is no direct interaction between the general-access and the database tiers, so, for instance, a general-access workstation cannot log on to a database server. All interactions between workstations in the general-access tier and the servers in the database tier pass through the application servers. These should closely scrutinize the queries, pre-process them and make sure that they do not contain any illegal requests or invalid data before passing them on. This minimizes the chance that submitted data will cause corruption of the database. Note that the firewalls only control which devices may talk to which, and over which protocol; they pass whatever is carried inside a permitted protocol, so this validation (for example, using parameterized queries rather than assembling SQL from user input) has to be done by the application code itself.
    So, why doesn't everyone use one?
    • It is very expensive, needing multiple separate servers and router-firewalls: it is considered very bad practice to have any device (other than the router-firewalls that connect them) attached to more than one tier.
    • It is very complex and hard to set up and manage, especially to make it secure enough to justify the cost
    • The system actually needs more than just three tiers. You almost certainly need a separate DMZ tier if you allow connection to the Internet, as well as a separate management tier (or, if you're really paranoid, separate management tiers for each traffic tier...) so it gets silly, and even some of the world's largest organizations have shied from using it.
    Why mention it, then? It is the 'gold standard' of network design, and even relatively small organizations may need to use at least some kind of tiered structure if they store particularly sensitive data or allow third-parties to access their systems.
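    To make the tiering rules concrete, here is an added example (not code from the original post) that models the tiers described under 'Tiered architectures' and in the '3-tier' list as a default-deny table of permitted flows, checks whether a given connection would be passed, and renders the equivalent forward-chain rules for an nftables router-firewall joining the tiers. The tier names, subnets, ports and protocols are constructed for illustration; a DMZ and a management tier are included as the text recommends.

```python
"""Model a tiered network as a default-deny table of permitted flows,
check candidate connections against it, and render the matching nftables
forward-chain rules for the router-firewall that joins the tiers.

Added example, not code from the original post. Tier names, subnets,
ports and protocols are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One subnet per tier. A device must sit in exactly one of them; the post
# treats attaching anything but the firewall to two tiers as bad practice.
TIERS = {
    "dmz":        ip_network("192.0.2.0/24"),   # Internet-facing servers
    "general":    ip_network("10.0.1.0/24"),    # workstations
    "app":        ip_network("10.0.2.0/24"),    # application servers
    "db":         ip_network("10.0.3.0/24"),    # database servers
    "management": ip_network("10.0.9.0/24"),    # admin jump hosts
}


@dataclass(frozen=True)
class Flow:
    src: str    # tier that opens the connection
    dst: str    # tier that accepts it
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# The allow-list. Anything not listed is dropped. Note the deliberate
# asymmetry: db never initiates anything, general never reaches db, and the
# protocol into app (HTTPS) differs from the protocol into db (PostgreSQL).
ALLOWED = frozenset({
    Flow("general", "app", "tcp", 443),
    Flow("dmz", "app", "tcp", 443),
    Flow("app", "db", "tcp", 5432),
    Flow("management", "dmz", "tcp", 22),
    Flow("management", "app", "tcp", 22),
    Flow("management", "db", "tcp", 22),
})


def tier_of(addr):
    """Name of the tier containing addr; raises if it is in none or several."""
    ip = ip_address(addr)
    hits = [name for name, net in TIERS.items() if ip in net]
    if len(hits) != 1:
        raise ValueError(f"{addr} lies in {len(hits)} tiers, expected exactly 1")
    return hits[0]


def is_allowed(src_ip, dst_ip, proto, dport):
    """True if a new connection src_ip -> dst_ip:dport/proto would be passed.

    Traffic inside one tier never crosses the firewall, so it is always allowed.
    Replies to permitted flows are covered by connection tracking in the
    rendered rules, not by a second Flow entry in the reverse direction.
    """
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src == dst:
        return True
    return Flow(src, dst, proto, dport) in ALLOWED


def render_nftables():
    """Render ALLOWED as an nftables 'inet' table with a default-drop forward chain."""
    lines = [
        "table inet tiers {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for f in sorted(ALLOWED, key=lambda f: (f.src, f.dst, f.proto, f.port)):
        lines.append(
            f"    ip saddr {TIERS[f.src]} ip daddr {TIERS[f.dst]} "
            f"{f.proto} dport {f.port} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    for probe in [("10.0.1.10", "10.0.2.10", "tcp", 443),
                  ("10.0.1.10", "10.0.3.10", "tcp", 5432),
                  ("10.0.2.10", "10.0.3.10", "tcp", 5432)]:
        print(probe, "ALLOW" if is_allowed(*probe) else "DROP")
```

    Keeping the policy as data and generating the rules from it is what makes the 'no device on more than one tier' and 'different protocols at each firewall' properties checkable: tier_of() refuses an address that falls in two tiers, and a glance at ALLOWED shows that no entry ever lets general reach db or lets db open anything at all.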

So, that's all very interesting, but how does it all affect my network design?

Most of this is background to give you perspective and to point out what is available. As I said earlier, virtually all home and SME networks are single-tier, hub-and-spoke architectures, although, if, for instance, you want to let your children's friends or visitors to your business access the Internet while keeping your personal or business network private, then you should consider adding a 'DMZ tier' to place a firewall between your guests and your data...
