CST-6406 Network Design & Engineering

L1 Network Design Concepts


Network Design Principles(2M)
Designing a network to meet current requirements and to adapt to future requirements is a
complex task. Networks must be scalable, which means they must be able to accommodate
increases and decreases in size.
● Analysis
● Architecture
● Design

Network analysis, architecture, and design are similar to other engineering processes in
that they address the following areas:
▪ Defining the problems to be addressed
▪ Establishing and managing customer expectations
▪ Monitoring the existing network, system, and its environment
▪ Analyzing data
▪ Developing a set of options to solve problems
▪ Evaluating and optimizing options based on various trade-offs
▪ Selecting one or more options
▪ Planning the implementation
The Need to Scale the Network(2M) => secure, reliable, and highly available
For Case Study
Scalability(2M)
Scalability is the term for a network that can grow without losing availability and reliability.
Network failure domain (2M)
A failure domain is the area of a network that is impacted when a critical device or network
service experiences problems.
L2 Network Layer-Data Plane and Control Plane
Network Layer Functions(2M) =>Forwarding, Routing
Forwarding: When a packet arrives at a router’s input link, the router must move the packet to
the appropriate output link. Forwarding is typically implemented in hardware.
Routing: The network layer must determine the route or path taken by packets as they flow from
a sender to a receiver. The algorithms that calculate these paths are referred to as routing
algorithms. Routing is implemented in software.
Data Plane Vs Control Plane Functions
The data plane functions of the network layer—the per-router functions in the network
layer that determine how a datagram (that is, a network-layer packet) arriving on one of a
router’s input links is forwarded to one of that router’s output links.
The control plane functions of the network layer— the network-wide logic that controls
how a datagram is routed among routers along an end-to-end path from the source host to the
destination host. Two control-plane approaches:
▪ traditional routing algorithms: implemented in routers
▪ software-defined networking (SDN): implemented in (remote) servers
For Case Study
Head-of-the-Line (HOL) blocking(2M)
Head-of-the-Line (HOL) blocking: a queued packet in an input queue must wait for transfer
through the fabric (even though its output port is free) because it is blocked by another packet at
the head of the line.

L3 Intra-AS and Inter-AS Routing

The link-state routing algorithm is known as Dijkstra’s algorithm.


Dijkstra
Bellman-Ford(4M)
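To make the two algorithms named above concrete, here is an added example (not from the lecture notes) that runs a link-state computation (Dijkstra) and a distance-vector style computation (Bellman-Ford) over the same constructed six-router topology and derives the forwarding table from the shortest-path tree. The topology, router names and costs are sample input chosen for this example.

```python
import heapq

# Constructed topology (sample input): undirected links with costs.
LINKS = [("u", "v", 2), ("u", "w", 5), ("u", "x", 1), ("v", "x", 2),
         ("v", "w", 3), ("x", "w", 3), ("x", "y", 1), ("w", "y", 1),
         ("w", "z", 5), ("y", "z", 2)]

def build_graph(links):
    """Adjacency map: graph[a][b] = cost of link a-b."""
    g = {}
    for a, b, c in links:
        g.setdefault(a, {})[b] = c
        g.setdefault(b, {})[a] = c
    return g

def dijkstra(graph, source):
    """Link-state: a router with the whole map computes least-cost paths."""
    dist = {source: 0}
    prev = {}                      # prev[n] = predecessor of n on the best path
    pq = [(0, source)]
    while pq:
        d, n = heapq.heappop(pq)
        if d > dist.get(n, float("inf")):
            continue               # stale queue entry
        for nb, c in graph[n].items():
            nd = d + c
            if nd < dist.get(nb, float("inf")):
                dist[nb] = nd
                prev[nb] = n
                heapq.heappush(pq, (nd, nb))
    return dist, prev

def bellman_ford(graph, source):
    """Distance-vector style: relax every link up to |V|-1 rounds."""
    dist = {n: float("inf") for n in graph}
    prev = {}
    dist[source] = 0
    for _ in range(len(graph) - 1):
        changed = False
        for a in graph:
            for b, c in graph[a].items():
                if dist[a] + c < dist[b]:
                    dist[b] = dist[a] + c
                    prev[b] = a
                    changed = True
        if not changed:
            break                  # converged early
    return dist, prev

def forwarding_table(prev, source):
    """Next hop per destination: the first router after the source on the path."""
    table = {}
    for dest in prev:
        hop = dest
        while prev[hop] != source:
            hop = prev[hop]
        table[dest] = hop
    return table

if __name__ == "__main__":
    g = build_graph(LINKS)
    dist, prev = dijkstra(g, "u")
    print("costs from u:", dist)
    print("forwarding table at u:", forwarding_table(prev, "u"))
```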
Tables of OSPF (Not including red lines)

OSPF has significant advantages over RIP in that it offers faster convergence and scales
to much larger network implementations.
All the routers in the area send link-state advertisements to each other and thus develop a
complete, consistent map of the area. However, the link-state advertisements of routers that are
not area border routers do not leave the area in which they originated. This has the effect of
making the flooding and route calculation processes considerably more scalable.

Multiarea OSPF (lab)


DR, BDR selection
OSPF Tuto Question
For Concept
Intra-AS (aka “intra-domain”): routing within the same AS (“network”)
all routers in AS must run same intra-domain protocol
▪ routers in different AS can run different intra domain routing protocols
▪ gateway router: at “edge” of its own AS, has link(s) to router(s) in other AS’es
Inter-AS (aka “inter-domain”): routing among AS’es
▪ gateways perform inter-domain routing (as well as intra-domain routing)
eBGP: External BGP is the routing protocol used between routers in different autonomous
systems. eBGP obtains subnet reachability information from neighboring ASes.
iBGP: Internal BGP is the routing protocol used between routers in the same AS. iBGP
propagates reachability information to all routers internal to the AS.
BGP Prefix and Attributes
▪ prefix: destination being advertised
▪ two important attributes:
▪ AS-PATH: list of ASes through which the prefix advertisement has passed
▪ NEXT-HOP: indicates the specific internal-AS router toward the next-hop AS
BGP routers also use the AS-PATH attribute to detect and prevent looping
advertisements; specifically, if a router sees that its own AS is contained in the path list, it will
reject the advertisement.
Hot Potato Routing
hot potato routing: In hot potato routing, the route chosen (from among all possible
routes) is the route with the least intra-AS cost to the NEXT-HOP router beginning that route.
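The AS-PATH loop check and hot potato selection described above, as an added example that is not part of the notes. The local AS number, gateway names and IGP costs are constructed; advertisements use a documentation prefix and private-range AS numbers.

```python
from dataclasses import dataclass

@dataclass
class Advertisement:
    prefix: str
    as_path: list    # ASes the advertisement has already passed through
    next_hop: str    # internal-AS gateway router toward the next-hop AS

MY_AS = 65001    # hypothetical local AS number

# Constructed IGP (intra-AS) costs from this router to each gateway.
IGP_COST = {"gw-east": 10, "gw-west": 3, "gw-north": 7}

# Constructed advertisements for one prefix, received via three gateways.
# The third one already contains our own AS, so it must be rejected.
SAMPLE_ADVERTISEMENTS = [
    Advertisement("203.0.113.0/24", [65100, 65200], "gw-east"),
    Advertisement("203.0.113.0/24", [65300], "gw-west"),
    Advertisement("203.0.113.0/24", [65400, 65001, 65500], "gw-north"),
]

def accept(adv, my_as=MY_AS):
    """AS-PATH loop detection: reject if our own AS is already in the path."""
    return my_as not in adv.as_path

def hot_potato_select(advs, igp_cost, my_as=MY_AS):
    """Among loop-free routes for a prefix, pick the one whose NEXT-HOP
    gateway is cheapest to reach inside our own AS (hot potato routing)."""
    candidates = [a for a in advs if accept(a, my_as)]
    if not candidates:
        return None
    return min(candidates, key=lambda a: igp_cost[a.next_hop])

def prepend_and_forward(adv, my_as=MY_AS):
    """Before re-advertising to a neighbor AS, prepend our AS to AS-PATH so
    that the neighbor (and anyone downstream) can detect a loop back to us."""
    return Advertisement(adv.prefix, [my_as] + adv.as_path, adv.next_hop)

if __name__ == "__main__":
    best = hot_potato_select(SAMPLE_ADVERTISEMENTS, IGP_COST)
    print("chosen gateway:", best.next_hop)
    print("re-advertised AS-PATH:", prepend_and_forward(best).as_path)
```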

L4 Securing Networks
Attack Vector
An attack vector is a path by which a threat actor can gain access to a server, host, or
network.
Defense-in-Depth
Network professionals must implement various network security techniques to protect the
organization’s assets from outside and inside threats. Connections to untrusted networks must be
checked in-depth by multiple layers of defense before reaching enterprise resources. This is
known as defense-in-depth.
Cloud computing separates the application from the hardware.
Virtualization separates the operating system from the hardware.
Secure the Network Infrastructure
Securing the network infrastructure is critical to overall network security. The network
infrastructure includes routers, switches, servers, endpoints, and other devices. Routers are a
primary target for attacks because these devices direct traffic into, out of, and between networks.
(Including figure)
L5 Access Control Lists (ACL)
Purpose of ACL
● Limit network traffic to increase network performance
● Provide traffic flow control
● Provide a basic level of security for network access
● Filter traffic based on traffic type
● Screen hosts to permit or deny access to network services
● Provide priority to certain classes of network traffic
Two types of ACLs
Standard ACLs filter at Layer 3 using the source IPv4 address only.
Extended ACLs filter at Layer 3 using the source and / or destination IPv4 address. They
can also filter at Layer 4 using TCP and UDP ports, and optional protocol type information, for finer
control.
Inbound ACL
An inbound ACL filters packets before they are routed to the outbound interface. If the
packet is permitted by the ACL, it is then processed for routing. Inbound ACLs are best used to
filter packets when the network attached to an inbound interface is the only source of packets
that need to be examined.
Outbound ACL
An outbound ACL filters packets after being routed, regardless of the inbound interface.
Incoming packets are routed to the outbound interface and then they are processed through the
outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets
coming from multiple inbound interfaces before exiting the same outbound interface.
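An added example (not from the notes) of how a standard and an extended ACL are evaluated: entries are tested top-down with Cisco-style wildcard masks, the first match decides, and a packet matching nothing falls to the implicit deny at the end of every ACL. The address ranges, ports and entry lists are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "tcp", "udp", "icmp" or "ip"
    dport: Optional[int] = None

@dataclass
class Ace:                     # one access control entry
    action: str                # "permit" or "deny"
    src: str                   # "address wildcard" or "any"
    dst: str = "any"           # standard ACLs never look at this
    proto: str = "ip"          # "ip" matches every protocol
    dport: Optional[int] = None

def wildcard_match(addr, spec):
    """Wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)

def evaluate(acl, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed ACLs (sample input). The standard ACL filters on source only;
# the extended ACL permits HTTPS from one subnet and ICMP from anywhere.
STANDARD_ACL = [Ace("deny", "192.168.10.0 0.0.0.255"), Ace("permit", "any")]
EXTENDED_ACL = [
    Ace("permit", "192.168.10.0 0.0.0.255", "any", "tcp", 443),
    Ace("permit", "any", "any", "icmp"),
]
```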
For Concept

ACL Tuto Question


L6 WAN CONCEPTS Network Address Translation (NAT)
Purpose of NAT
▪ Private IPv4 addresses cannot be routed over the internet and are used within an organization or
site to allow devices to communicate locally.
▪ To allow a device with a private IPv4 address to access devices and resources outside of the
local network, the private address must first be translated to a public address.
▪ NAT provides the translation of private addresses to public addresses.
NAT Characteristics
▪ The primary use of NAT is to conserve public IPv4 addresses.
▪ A NAT router typically operates at the border of a stub network.
Types of NAT (including fig)
Advantages of NAT
NAT provides many benefits:
▪ NAT conserves the legally registered addressing scheme by allowing the privatization of
intranets.
▪ NAT conserves addresses through application port-level multiplexing.
▪ NAT increases the flexibility of connections to the public network.
▪ NAT provides consistency for internal network addressing schemes.
▪ NAT allows the existing private IPv4 address scheme to remain while allowing for easy change
to a new public addressing scheme.
▪ NAT hides the IPv4 addresses of users and other devices.
Disadvantages of NAT
NAT does have drawbacks:
▪ NAT increases forwarding delays.
▪ End-to-end addressing is lost.
▪ End-to-end IPv4 traceability is lost.
▪ NAT complicates the use of tunneling protocols, such as IPsec.
▪ Services that require the initiation of TCP connections from the outside network, or stateless
protocols, such as those using UDP, can be disrupted.
L7 WAN CONCEPTS WAN Architectures
Topologies (For general)
Hub and Spoke, Dual Home
Service level agreement (SLA)
The SLA outlines the expected services relating to the reliability and availability of the
connection.
L8 WAN CONCEPTS Virtual Private Network (VPN)
Virtual private networks (VPNs)
▪ A VPN is virtual in that it carries information within a private network, but that information is
transported over a public network.
▪ A VPN is private in that the traffic is encrypted to keep the data confidential while it is
transported across the public network.
Benefits of VPN (including details)

Site-to-Site and Remote Access VPNs


A site-to-site VPN is created when VPN terminating devices, also called VPN gateways,
are preconfigured with information to establish a secure tunnel. VPN traffic is only encrypted
between these devices. Internal hosts have no knowledge that a VPN is being used.
A remote-access VPN is dynamically created to establish a secure connection between a
client and a VPN terminating device. For example, a remote access SSL VPN is used when you
check your banking information online.
IPSec

(not include DF key gps)

IPsec Transport and Tunnel Modes


▪ Transport Mode - In transport mode, security is provided only for the transport layer of the OSI
model and above. Transport mode protects the payload of the packet but leaves the original IP
address in plaintext. The original IP address is used to route the packet through the internet. ESP
transport mode is used between hosts.
▪ Tunnel Mode - Tunnel mode provides security for the complete original IP packet. The
original IP packet is encrypted and then it is encapsulated in another IP packet. This is known as
IP-in-IP encryption. The IP address on the outside IP packet is used to route the packet through
the internet.

IKE
IKE is a hybrid protocol that implements key exchange protocols inside the Internet
Security Association Key Management Protocol (ISAKMP) framework.

L9 NETWORK SERVICES AND MANAGEMENT (QoS Concepts)


Quality of Service (QoS)
QoS is the ability for an application to obtain the network service it requires for
successful operation.
Network Transmission Quality
▪ When traffic volume is greater than what can be transported across the network, devices queue
(hold) the packets in memory until resources become available to transmit them.
▪ Queuing packets causes delay because new packets cannot be transmitted until previous
packets have been processed.
▪ If the number of packets to be queued continues to increase, the memory within the device fills
up and packets are dropped.
▪ One QoS technique that can help with this problem is to classify data into multiple queues.
The need for QoS(For 2M)
Bandwidth
▪ The overall capacity of the link, measured in bits per second (Kbps, Mbps, Gbps, etc.)
▪ QoS tools allow you to reserve a certain amount of a link’s bandwidth for specific kinds of traffic.
▪ For example: 20% voice traffic, 30% for specific kinds of data traffic, leaving 50% for all
other traffic.
Delay
▪ The amount of time it takes traffic to go from source to destination (one-way delay)
▪ The amount of time it takes traffic to go from source to destination and return (two-way delay)
Jitter
▪ The variation in one-way delay between packets sent by the same application
▪ IP phones have a ‘jitter buffer’ to provide a fixed delay to audio packets.
Loss
▪ The percentage of packets sent that do not reach their destination
▪ Can be caused by faulty cables
▪ Can also be caused when a device’s packet queues get full, and the device starts discarding
packets.
What could prevent an application to obtain the network service it requires for successful
operation?
▪ Shared network links, in which two or more users or devices must contend for the same
communication channel
▪ Delays caused by networking equipment (e.g., inability to process large loads)
▪ Delays caused by distance (satellite links) or excessive hops (cross-country or global routed
networks)
▪ Poorly managed network capacity or insufficient capacity. If a link has fixed bandwidth, the
only option to improve performance is to manage QoS
▪ Network congestion, caused by overflowing queues and retransmission of dropped packets
There are four common techniques to improve QoS:
▪ Scheduling
▪ Traffic shaping
▪ Resource reservation
▪ Admission control
Techniques to improve QoS: Scheduling
Scheduling dynamically allocates resources when multiple flows compete. A good
scheduling technique treats the different flows in a fair and appropriate manner.
Several scheduling techniques are designed to improve the QoS:
▪ First-In, First-Out (FIFO)
▪ Priority Queuing (PQ)
▪ Weighted Fair Queuing (WFQ)
Techniques to improve QoS: Traffic Shaping
▪ Traffic shaping is a mechanism to control the amount, and the rate of the traffic sent to the
network.
▪ “Shapes” the traffic before it enters the network.
▪ Real apps generate varying traffic, so it is unrealistic for apps to smooth the traffic.
▪ Shaping traffic flows constrains the load they may place on the network.
▪ Limiting the total traffic enables bandwidth guarantees
▪ Limiting bursts avoids unnecessary delay and loss
▪ Two popular techniques used for traffic shaping are
▪ Leaky bucket
▪ Token bucket
Leaky Bucket
▪ Input rate can vary but output rate remains constant. Smooths out bursty traffic.
▪ Packets may be generated in a bursty manner, but after they pass through the leaky bucket, they
enter the network evenly spaced.
▪ Leaky Bucket: doesn’t allow bursty transmissions
▪ In some cases, we may want to allow short bursts of packets to enter the network
without smoothing them out.
▪ For this purpose, we use a token bucket, which is a modified leaky bucket.
Token Bucket
▪ The bucket holds tokens instead of packets. Tokens are generated and placed into the token
bucket at a constant rate.
▪ When a packet arrives at the token bucket, it is transmitted if there is a token available.
Otherwise, it is buffered until a token becomes available.
▪ The token bucket has a fixed size, so when it becomes full, subsequently generated tokens are
discarded.
▪ It allows bursts, but up to a regulated maximum length.
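A small discrete-time simulation, added here and not part of the notes, that contrasts the two shapers on the same constructed burst: the leaky bucket emits at most the configured rate every tick no matter how the traffic arrives, while the token bucket lets a burst through up to the bucket size and then falls back to the token rate. Arrival counts, rate and bucket size are sample values.

```python
from collections import deque

def leaky_bucket(arrivals, rate):
    """arrivals[t] = packets arriving in tick t. At most `rate` packets leave
    per tick; everything else waits in the queue. Returns packets sent per tick."""
    queue = deque()
    sent_per_tick = []
    for n in arrivals:
        queue.extend([1] * n)
        sent = 0
        while queue and sent < rate:
            queue.popleft()
            sent += 1
        sent_per_tick.append(sent)
    return sent_per_tick

def token_bucket(arrivals, rate, capacity, initial_tokens=None):
    """Tokens are added at `rate` per tick into a bucket holding at most
    `capacity`; a packet is sent immediately if a token is available and is
    buffered otherwise. A full bucket discards newly generated tokens, so the
    longest possible burst is `capacity` packets. Returns packets sent per tick."""
    tokens = capacity if initial_tokens is None else initial_tokens
    queue = deque()
    sent_per_tick = []
    for n in arrivals:
        tokens = min(capacity, tokens + rate)   # excess tokens are discarded
        queue.extend([1] * n)
        sent = 0
        while queue and tokens > 0:
            queue.popleft()
            tokens -= 1
            sent += 1
        sent_per_tick.append(sent)
    return sent_per_tick

# Constructed arrival pattern (sample input): a burst of 6, silence, then 1/tick.
BURSTY = [6, 0, 0, 0, 1, 1, 1, 1]

if __name__ == "__main__":
    print("leaky bucket (rate 1): ", leaky_bucket(BURSTY, 1))
    print("token bucket (rate 1, size 4):", token_bucket(BURSTY, 1, 4))
```

With rate 1 the leaky bucket sends exactly one packet per tick and still has two queued at the end, whereas the token bucket clears the whole burst of 6 within three ticks because it may send up to 4 packets in one tick.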
L10 NETWORK SERVICES AND MANAGEMENT (QoS Models and Implementation Techniques)
L11 NETWORK SERVICES AND MANAGEMENT (Network Management)
Components of Network Management
Managing server: application, typically with network managers (humans) in the loop
Network management protocol: used by managing server to query, configure, manage device;
used by devices to inform managing server of data, events.
Managed device: equipment with manageable, configurable hardware, software components
Data: device “state” configuration data, operational data, device statistics
Layer 2 Discovery Protocols
Layer 2 discovery protocols such as CDP and LLDP share information with and discover
information about neighboring (connected) devices.
▪ CDP is a Cisco proprietary protocol.
▪ LLDP is an industry standard protocol (IEEE 802.1AB).
Stratum Level
NTP networks use a hierarchical system of time sources. The stratum level is defined as
the number of hop counts from the authoritative source.

L12 EMERGING NETWORK TECHNOLOGIES (Software-Defined Network)
Control Plane: The Traditional Approach
▪ The routing algorithm determines the contents of the routers’ forwarding tables.
How is this communication performed?
▪ By exchanging routing messages containing routing information according to a routing
protocol!
Control Plane: The SDN Approach
The control plane (SDN) approach is at the heart of software-defined networking (SDN),
where the network is “software-defined” because the controller that computes forwarding tables
and interacts with routers is implemented in software.
How might the routers and the remote controller communicate?
By exchanging messages containing forwarding tables and other pieces of routing
information.
The data plane components of the traditional approach and the SDN approach are identical.
In the SDN approach, however, control plane routing functionality is separated from the physical
router: the routing device performs forwarding only, while the remote controller computes and
distributes forwarding tables. The remote controller might be implemented in a remote data
center with high reliability and redundancy and might be managed by the ISP or some third
party.
Match-plus-action table
In the “match-plus-action” paradigm, the “match” can be made over multiple header
fields associated with different protocols at different layers in the protocol stack. The “action”
can include forwarding the packet to one or more output ports (as in destination-based
forwarding), load balancing packets across multiple outgoing interfaces that lead to a service (as
in load balancing), rewriting header values (as in NAT), purposefully blocking/dropping a packet
(as in a firewall), sending a packet to a special server for further processing and action (as in
DPI), and more.
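An added example (not from the notes, and not OpenFlow itself) of a generalized match-plus-action flow table: each entry matches on any subset of header fields (exact value or CIDR prefix), the highest-priority match wins, its counter is incremented, and its action list can forward, rewrite a header, punt to the controller, or drop. The table entries, ports and addresses are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class FlowEntry:
    match: dict       # header field -> required value; a field absent here is a wildcard
    actions: list     # (action, argument) pairs, executed in order
    priority: int = 0
    packets: int = 0  # per-entry counter, as real flow tables keep

def field_matches(value, required):
    """Exact match, or prefix match when the rule gives a CIDR network."""
    if isinstance(required, str) and "/" in required:
        return value is not None and ipaddress.ip_address(value) in ipaddress.ip_network(required)
    return value == required

def lookup(table, pkt):
    """Highest-priority entry whose every match field matches the packet headers."""
    best = None
    for entry in table:
        if all(field_matches(pkt.get(k), v) for k, v in entry.match.items()):
            if best is None or entry.priority > best.priority:
                best = entry
    return best

def apply_actions(entry, pkt):
    """Run the action list; returns (output ports, possibly rewritten packet)."""
    pkt = dict(pkt)
    ports = []
    for action, arg in entry.actions:
        if action == "forward":          # destination-based forwarding
            ports.append(arg)
        elif action == "set_field":      # header rewrite, as NAT does
            pkt[arg[0]] = arg[1]
        elif action == "to_controller":  # punt for further inspection (DPI)
            ports.append("controller")
        elif action == "drop":           # firewall-style block
            return [], pkt
    return ports, pkt

def process(table, pkt):
    entry = lookup(table, pkt)
    if entry is None:
        return ["controller"], dict(pkt)   # table miss: let the controller decide
    entry.packets += 1
    return apply_actions(entry, pkt)

# Constructed flow table (sample input): block Telnet, forward one subnet,
# NAT-rewrite and forward another, and punt DNS to the controller.
FLOW_TABLE = [
    FlowEntry({"ip_proto": "tcp", "tcp_dst": 23}, [("drop", None)], priority=100),
    FlowEntry({"ip_dst": "10.0.0.0/24"}, [("forward", 2)], priority=50),
    FlowEntry({"ip_src": "192.168.1.0/24", "ip_dst": "203.0.113.0/24"},
              [("set_field", ("ip_src", "198.51.100.1")), ("forward", 3)], priority=50),
    FlowEntry({"ip_proto": "udp", "udp_dst": 53},
              [("to_controller", None), ("forward", 1)], priority=10),
]
```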
For Flow Table
SDN Architecture
Data-plane switches:
▪ fast, simple, commodity switches implementing generalized data-plane forwarding in hardware
▪ flow (forwarding) table computed, installed under controller supervision
▪ API for table-based switch control (e.g., OpenFlow)
• defines what is controllable, what is not
▪ protocol for communicating with controller (e.g., OpenFlow)

SDN controller (network OS):


▪ maintains network state information
▪ interacts with network control applications “above” via northbound API
▪ interacts with network switches “below” via southbound API
▪ implemented as a distributed system for performance, scalability, fault-tolerance and
robustness
Network-control apps:
▪ “brains” of control: implement control functions using lower-level services, API provided by
SDN controller
▪ unbundled: can be provided by 3rd party: distinct from routing vendor, or SDN controller
(IMPORTANT)
L13 EMERGING NETWORK TECHNOLOGIES (Software-Defined
Network)
Type 1 Hypervisor
This type of hypervisor runs directly on the system hardware. It is commonly referred to
as “bare metal” or “native.”
Northbound APIs
Northbound APIs are used to communicate with the upstream applications, helping network
administrators shape traffic and deploy services.
Southbound APIs
Southbound APIs are used to define the behavior of the data planes on downstream switches and
routers. OpenFlow is a widely implemented southbound API.

L14 EMERGING NETWORK TECHNOLOGIES (Network Automation)


Network Automation Concepts
▪ Network automation is the process of automating the configuring, managing, testing,
deploying, and operating of physical and virtual devices within a network. With everyday
network tasks and functions automated and repetitive processes controlled and managed
automatically, network service availability improves.
▪ Any type of network can use network automation. Hardware- and software-based solutions
enable data centers, service providers, and enterprises to implement network automation to
improve efficiency, reduce human error, and lower operating expenses.
API
An API is software that allows other applications to access its data or services. It is a set
of rules describing how one application can interact with another, and the instructions to allow
the interaction to occur.
Public APIs:
▪ These APIs are publicly available and can be used by anyone with no restrictions.
▪ Examples include the International Space Station API and Google Maps API.
Internal or Private APIs:
▪ These APIs are used exclusively within an organization or company for internal purposes.
▪ They provide access to internal data and services that are not intended for public use.
▪ An example could be an API that allows authorized salespeople to access internal sales data on
their mobile devices.
Partner APIs:
▪ Partner APIs are used between a company and its business partners or contractors to facilitate
collaboration and business processes.
▪ Access to these APIs typically requires a license or permission from the organization providing
the API.
▪ An example is a travel service using an airline's API to book flights and access airline-related
data.

L15 EMERGING NETWORK TECHNOLOGIES (Configuration Management Tools)
