Network Design: Hierarchies

All successful large scale organizing structures and activities start with a plan. This becomes ever more critical when we are dealing with complex entities, such as “networks” that are intended to be free to grow (scale), evolve (develop new capabilities and services) and to require the least amount of administrative maintenance. Here’s how it’s done.

Hierarchies

For the most part, the large-scale plans that we humans find easiest to comprehend, and thus to implement, tend to be structured around a hierarchical model. So, rather than basing our design on a “flat network” model, we will use the far more plastic hierarchical model, as it allows us a far greater degree of granular control and subdivision of the roles and functionalities of its constituent components.

We are now going to take a quick look at the key principles of the three-tier hierarchical network design model, which allow the networks we design to scale as and when required whilst still providing the means by which we can retain control over their functionality, performance, accessibility, maintenance and evolution with as little effort as possible.

As the name indicates, the three-tier network model is a dramatic departure from the flat network philosophy of the past. Fundamentally, this is a layered approach in which all devices are classified into one of three layers: the core layer, the distribution layer and the access layer. More than 90% of all network elements, including infrastructure components like transmission media, will fall neatly into one or other of these three categories.

I say more than 90% because there will be those special components which straddle layer functionalities or perform multiple roles. The modern ADSL broadband modem router with a built-in multi-port Ethernet switch is a common example of this type of device. So do not be fooled into thinking that a three-tier model ordains that there must be separate devices for each layer.

The number of devices (routers, switches etc.) will in large part be dictated by the situation-specific requirements and resources of each internetwork being designed, on a per-internetwork basis. What might be considered appropriate for one internetwork design solution may be totally unreasonable for another.

Always remember that it is the internetwork designer’s capacity to incorporate appropriate levels of plasticity and redundancy into their design solutions that is the art of forging an internetwork design that will work and perform in accordance with the desires and capabilities of those commissioning it. Budgetary concerns will, as is nearly always the case, be one of the biggest driving forces at work here.

The Core Layer

At the top of the hierarchy, the core layer is literally the core of the network. The core layer’s purpose and responsibility is squarely focused upon transporting large amounts of traffic both reliably and quickly.

This means that the core should switch traffic as fast and reliably as possible, because any failure at the core level will most likely affect every single user of the network. User data should be processed by the distribution layer, which will forward it to the core layer if appropriate. When designing a network, the high-priority objectives that should be built into the core layer include the following.

High-speed, highly reliable, fault-tolerant components with the lowest possible latency, connected in such a manner as to eliminate bottlenecks, are all high-priority factors greatly desirable in a network’s core layer. Therefore, the routing protocols implemented at the network’s core layer must be those with the lowest convergence times, as any delay will be amplified downstream throughout the network and hence felt by all.

The core layer’s data-link technologies must exhibit high speed with built-in redundancy: FDDI, Gigabit Ethernet or 10G Ethernet incorporating redundant links, and even SONET or ATM, both of which also include multiple redundant links.

Ideally there should be no access lists, access list processing or packet filtering performed by the core layer. This means that there will be no workgroup access or workgroup access support provided by the core. Nor will any inter-VLAN routing take place here.

One final point of advice is that one should upgrade to increase core performance rather than expand (adding routers etc.) as the internetwork grows.

The Distribution Layer

The distribution layer (also referred to as the workgroup layer) is the communication point between the core layer and the access layer. The distribution layer should not duplicate the roles or functionalities provided by any of the other layers. Your design solutions should therefore reflect this by ensuring that the distribution layer deliberately excludes all factors, services and functions that are, or should be, the province of another layer.

Furthermore, another design concept that needs to be at the forefront of one’s thinking when designing a network is that the primary functions of the distribution layer encompass many intermediary or “middle-man” network aspects, functionalities and services. These functions must be transparent to the user.

Network functionalities implemented at the distribution layer will include many of the network’s core infrastructure-based decision making processes including routing, routing protocol redistribution, static routing, inter-VLAN routing, best path determination and address translation. Ideally, the definition of broadcast and multicast domains, packet filtering, queuing and the implementation of access lists should all occur at the distribution layer.

Network policy implementation and network security implementation occur at the distribution layer and include both hardware and software devices and solutions. Since WAN access provision is generally implemented at the distribution layer, firewalls (Cisco PIX, Microsoft ISA Server, ZoneAlarm etc.), intrusion detection systems and intrusion prevention systems and appliances are incorporated into the network at the distribution layer.

Other critical decision-making functions of the network that get implemented at the distribution layer involve core layer access determination (how and when packets can access the core) and core layer access restriction (limiting access to the core layer on an only-if-absolutely-necessary basis).

The manner and mechanisms for handling network service requests are determined by distribution layer devices; for example, determining the fastest way for requests to be forwarded to servers and other peripheral services (e.g. Internet access).

Workgroup support functions, the implementation of additional tools and the provisioning of network operation flexibility are some more tasks generally assigned to the distribution layer.

The Access Layer

This brings us to the access layer, which is also referred to as the “desktop” layer. The main functions of the access layer revolve around access control and the regulation of user and workgroup access to the network/internetwork’s assets, resources and services.

The pervading philosophy of “shortest distance” should prevail when designing an internetwork’s access layer. This means that those resources that the majority of a group of users or workgroups access regularly should be available locally. Here is where the 80/20 rule comes into play.

The 80/20 rule states that 80% of all network traffic should remain within the boundaries of the local segment. Better still is to subnet a Local Area Network (LAN) so that “local” traffic is contained within a single broadcast domain; then only 20% of all network traffic will be transported via the core layer throughout the entire internetwork. This does translate into “real world” performance gains for all concerned.
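To make the 80/20 rule measurable rather than a rule of thumb, here is an added example (not from the original article) that classifies flow records by whether source and destination fall within the same local segment and flags any segment whose locally contained share of traffic drops below 80%. The flow records, segment prefixes and threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the article): (source IP, destination IP, bytes).
# In practice these would be NetFlow/sFlow exports or per-port switch counters.
FLOWS = [
    ("10.1.0.10", "10.1.0.20", 900_000),   # workstation -> local file server
    ("10.1.0.11", "10.1.0.21", 600_000),   # workstation -> local printer
    ("10.1.0.12", "10.3.0.5",  300_000),   # workstation -> server on another segment (via core)
    ("10.2.0.10", "10.3.0.5",  800_000),   # most of segment 2's traffic leaves the segment
    ("10.2.0.11", "10.2.0.12", 150_000),
    ("10.2.0.13", "192.0.2.10", 50_000),   # Internet-bound
]

# Constructed local segments (one broadcast domain each).
SEGMENTS = [ipaddress.ip_network(p) for p in ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]

def segment_of(ip, segments):
    """Return the local segment containing ip, or None if it lies outside all of them."""
    addr = ipaddress.ip_address(ip)
    for net in segments:
        if addr in net:
            return net
    return None

def local_traffic_ratio(flows, segments):
    """Per source segment, the fraction of bytes whose destination is in the same segment."""
    local = defaultdict(int)
    total = defaultdict(int)
    for src, dst, nbytes in flows:
        src_net = segment_of(src, segments)
        if src_net is None:
            continue   # traffic originating outside our segments is not attributed to any segment
        total[src_net] += nbytes
        if segment_of(dst, segments) == src_net:
            local[src_net] += nbytes
    return {str(net): local[net] / total[net] for net in total}

def segments_violating_80_20(flows, segments, threshold=0.8):
    """Segments that push more than (1 - threshold) of their traffic toward the core."""
    ratios = local_traffic_ratio(flows, segments)
    return sorted(net for net, ratio in ratios.items() if ratio < threshold)

if __name__ == "__main__":
    for net, ratio in local_traffic_ratio(FLOWS, SEGMENTS).items():
        print(f"{net}: {ratio:.0%} of traffic stays local")
    print("segments violating 80/20:", segments_violating_80_20(FLOWS, SEGMENTS))
```

A segment that is flagged is a candidate for either relocating the resources its users hit most often onto the segment, or re-subnetting so that the heavy talkers share a broadcast domain.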

With the distribution layer taking care of any requests for remote resources and services, the access layer’s functions, resources and services should focus primarily upon such criteria as workgroup connectivity to the distribution layer and the elimination of any avenue of direct, unabated user or workgroup access to the core layer.

Access layer traffic containment and resource access strategies often include additional network segmentation through the creation of separate collision domains (e.g. by using transparent-bridging workgroup-class switches or LAN switches) and more specific access controls and policies to further augment those implemented by the distribution layer.

Static routing rather than dynamic routing protocols should be used at the access layer. DDR and Ethernet switching are other technologies commonly used at the access layer. Local resources at the access level will include local printers, workstations, caching servers and workgroup switches that use transparent bridging.

Temporary and mobile devices (laptops, notebooks, PDAs, smart phones etc.) must not be permitted any direct access to the core or distribution layers. Rather they should connect via the access layer in a highly secure manner.

This is most often implemented via demilitarized zones (DMZs) as one can never be sure what nasties the device may have picked up on its wanderings. Generally the device will be scanned immediately upon connection and cannot be used for network access until after it passes its sanitization requirements. Better safe than sorry.
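The two structural rules stated above, that nothing at the access layer should have a direct path into the core and that endpoints (mobile devices included) attach only via the access layer, can be checked mechanically against a topology inventory before a change goes live. The following is an added example, not from the original article; the device names, tier labels and the set of permitted tier adjacencies are assumptions made for illustration.

```python
# Constructed three-tier inventory (not from the article): device name -> tier.
TIERS = {
    "core1": "core", "core2": "core",
    "dist1": "distribution", "dist2": "distribution",
    "acc1": "access", "acc2": "access",
    "printer3": "endpoint", "laptop7": "endpoint",
}

# Constructed physical links, including two deliberate design violations.
LINKS = [
    ("core1", "core2"),      # redundant core pair
    ("core1", "dist1"), ("core2", "dist2"),
    ("dist1", "acc1"), ("dist2", "acc2"),
    ("acc1", "printer3"),    # endpoint attached at the access layer, as it should be
    ("laptop7", "dist2"),    # mobile device patched straight into distribution
    ("acc2", "core1"),       # access switch with a direct uplink into the core
]

# Tier pairs that may be directly adjacent. Assumption for this example:
# same-tier links are permitted at core and distribution for redundancy,
# but never core<->access, core<->endpoint or distribution<->endpoint.
ALLOWED_ADJACENCY = {
    frozenset({"core"}),
    frozenset({"core", "distribution"}),
    frozenset({"distribution"}),
    frozenset({"distribution", "access"}),
    frozenset({"access", "endpoint"}),
}

def hierarchy_violations(tiers, links, allowed=ALLOWED_ADJACENCY):
    """Return the links whose two ends are not an allowed tier pairing,
    in the order they appear in the inventory."""
    violations = []
    for a, b in links:
        if frozenset({tiers[a], tiers[b]}) not in allowed:
            violations.append((a, b))
    return violations

def endpoints_not_on_access(tiers, links):
    """Return endpoints with no link to any access-layer device at all
    (e.g. a laptop cabled only to a distribution switch)."""
    attached = set()
    for a, b in links:
        if tiers[a] == "endpoint" and tiers[b] == "access":
            attached.add(a)
        if tiers[b] == "endpoint" and tiers[a] == "access":
            attached.add(b)
    return sorted(d for d, t in tiers.items() if t == "endpoint" and d not in attached)

if __name__ == "__main__":
    for link in hierarchy_violations(TIERS, LINKS):
        print("violates hierarchy:", link)
    print("endpoints bypassing the access layer:", endpoints_not_on_access(TIERS, LINKS))
```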

DMZs are also widely employed to allow Internet traffic to reach a web site while reducing the potential exposure of the web site and its owner to malware. Email, bulletin boards and interactive Web 2.0 sites are other situations where DMZs are commonly used to erect a “barrier” between the public and private domains, allowing users (including the anonymous variety) their full site experience without unduly exposing the site to every piece of malware or bad intent out there.
