1

System & Network Administration

•Chapter 18 – Networks

By Chang-Sheng Chen (20080304)

2

Contents of Chapter 18

18.1 The Basics18.1.1 The OSI Model18.1.2 Clean Architecture18.1.3 Network Topologies18.1.4 Intermediate Distribution

Frame18.1.5 Main Distribution Frame18.1.6 Demarcation Point18.1.7 Documentation18.1.8 Simple Host Routing18.1.9 Use Network Devices18.1.10 Overlay Network

18.1.11 Number of Vendors18.1.12 Standard-based

Protocols18.1.13 Monitoring18.1.14 Single Administrative

Domain

18.2 The Icing18.2.1 Leading-Edge vs.

Reliability18.2.2 Multiple Administrative

Domains

18.3 Conclusion

3

The Closed Network ( 封閉網路)

•PSTN = Public Switched Telephone Network

4

The Network Today

5

Internet 、 Intranet & Extranet

• Intranets differ from "Extranets" in that the former are generally restricted to employees of the organization while extranets can generally be accessed by customers, suppliers, or other approved parties.

• The Internet is a worldwide, publicly accessible series of interconnected computer networks that transmit data by packet switching using the standard Internet Protocol (IP). It is a "network of networks" that consists of millions of smaller domestic, academic, business, and government networks, which together carry various information and services, such as electronic mail, online chat, file transfer, etc.

6

Local-area Networks (LANs)

7

802.3 LAN Development: Today’s LANs

8

Wide-area Networks (WANs)

9

Metropolitan-Area Network (MANs)

•POP = Point of Presence

10

Storage-Area Networks (SANS)

11

18.1.1 OSI Model

12

Network Protocols

13

Peer-to-Peer Communication

14

Devices Function at Layers

15

18.1.2 Clean Architecture

• A network architecture should be as simple and clean to understand as it can be.– It should be possible to briefly describe the approach

used in designing the network and to draw a few simple pictures to illustrate that design.

• A clean architecture makes debugging network problem much easier.– You can tell what path traffic should take from point A

to point B. You can tell which links affect which networks.

– Having a clear understanding of traffic flow on your network puts you in control of it.

16

Clean Architecture (cont.)

• A clean architecture encompasses both physical and logical network topologies and the network protocols that are used on both host and network equipments.– It also has a clearly defined growth strategy,

both for adding LAN segments and for connecting new remote offices.

17

Developing a LAN Topology

18

18.1.3 Network Topology

• Network topologies change as technologies and cost structures change.– They also change as companies grow, set up large

remote offices, or buy other companies.• Typical Network Topologies

– Star topology: • Pro: it is easy to understand, simple and often cost-

effective to implement.• Con: it has an obvious single-point-of-failure problem.

– Extended star topology (multi-star)• A common variant of the start topology, consisting of

multiple stars, the centers of which are connected to each other with redundant high-speed links.

19

交通大學校園網路骨幹示意圖

20

Network Topology

21

Typical Network Topologies (cont.)

• Ring topology (i.e., redundant links)– Most often used for particular low-level topologies

such as SONET rings. They are often found in local area and campus networks and are sometimes useful for WANs.

– Any one link or network entity can fail without affecting connectivity between functioning members of the ring.

– Adding new members to the ring, particularly in a WAN, can involve reconfiguring connectivity at multiple sites, however.

• There are many other possible network topologies, as shown in the figures of the previous page.

22

Network Topology (cont.)- Logical Network Topology

• The star, multistar, ring topologies described previously can appear in either physical or logical topology.

• In the following, we will describe some other common logical topologies.– Flat topology (bus topology)

• In a flat topology, there are no layer 3 devices except at the egress point ( 對外出口 ).

• E.g., all machines reside in the same address block with the same network number and network mask.

– Location-based topology• Layer 2 networks are assigned based on physical location.

– Functional group-based topology (e.g., VLAN)• Each member of a group that works as a functional unit is

connected to the same (flat) network regardless of location (within reason).

23

VLANs and Physical Boundaries

24

18.1.4 Intermediate Distribution Frame (IDF)

• An Intermediate Distribution Frame (IDF) is a fancy name for a wiring closet ( 接線盒 / 盤 ).– The distribution system is the set of network closets

and wiring that brings network connectivity out to the desktops.

• The need for IDFs, and how to design them and lay them out, is not something that has changed dramatically over time.

• The technologies and wiring specifics are what change with time.

25

Extended Star Topology in a Multi-Building Campus

26

Intermediate Distribution Frame (cont.)

• New innovations in network hardware require high-quality copper or fiber wiring to operate at increase speeds.– If you use the newest, highest-specification wiring

available when you build your cable plant, it is reasonable to expect it to last for five years before network technologies outpaces it.

– However, if you try to save money by using older, cheaper, lower-specification wiring, you will need to go through the expense and disruption of an upgrade sooner than if you had selected better cabling.

• E.g., Category 3 (10M), Category 5 (fast ethernet), etc.

27

Cabling Standards (1/2) -- Unshielded and shielded twisted pair

cabling standards

The listed information is from Wikipedia• Cat 1: Previously used for POTS telephone

communications, ISDN and doorbell wiring (Currently unrecognized by TIA/EIA).

• Cat 2: Previously was frequently used on 4 Mbit/s token ring networks (Currently unrecognized by TIA/EIA).

• Cat 3: Currently defined in TIA/EIA-568-B, used for data networks using frequencies up to 16 MHz. Historically popular for 10 Mbit/s Ethernet networks.

• Cat 4: Provided performance of up to 20 MHz, and was frequently used on 16 Mbit/s token ring networks (Currently unrecognized by TIA/EIA).

28

Unshielded and shielded twisted pair cabling standards (2/2)

• Cat 5: Provided performance of up to 100 MHz, and was frequently used on 100 Mbit/s ethernet networks. May be unsuitable for 1000BASE-T gigabit ethernet (Currently unrecognized by TIA/EIA).

• Cat 5e: Currently defined in TIA/EIA-568-B. Provides performance of up to 100 MHz, and is frequently used for both 100 Mbit/s and gigabit ethernet networks.

• Cat 6: Currently defined in TIA/EIA-568-B. It provides performance of up to 250 MHz, more than double category 5 and 5e.

• Cat 6a: Future specification for 10 Gbit/s applications.

• Cat 7: An informal name applied to ISO/IEC 11801 Class F cabling. This standard specifies four individually-shielded pairs (STP) inside an overall shield. Designed for transmission at frequencies up to 600 MHz.

29

Intermediate Distribution Frame (cont.)

• There are two ways to make a connection between two IDFs.– One is to run bundles of cables between IDFs

within a building.• However, if there are large number of IDFs, the

number of links can make this very expensive and complicated to maintain.

– The other is to have a central location (i.e., MDF, Main Distribution Frame) and only run bundles from IDFs to this central location.

• Then, to connect any two IDFs, one simply creates a cross-connect in the MDF.

30

Intermediate Distribution Frame (cont.)

• You generally only get a chance to lay out and allocate space for your IDFs before moving into a building.– It is difficult and expensive to change at a later date if you

decide that you did the wrong thing.• You should have one IDF per floor, more if the floor is

large.– You should align those IDFs vertically within the building

(in other words, located in the same place on each floor, so that they stack on each other through the building).

• Vertical alignment means that cabling between the IDFs and the MDF is simpler and cheaper to install and it is easier to add extra cabling between the IDFs at a later date.

• The IDFs should be numbered with the building number, floor number, and closet number.

31

Intermediate Distribution Frame (cont.)

• IDF should be locked and subject to restricted access.– Wiring closet should also be on protected power.

• IDF closets should have special cooling beyond what the building air-conditioning can supply.– Network equipment is compact, so you will have hot-

generating devices packed into a small area. A small IDF closet can get very hot without extra cooling.

• You should also provide remote console access to all the devices located in the IDFs that support the functionality.

32

Intermediate Distribution Frame (cont.)- Wiring to the Desktop (1/2)

• It is less expensive to install jacks at construction time rather than add them one at a time afterward as needed.– It is reasonable to install one or two more jacks at

every desktop than you think any of your customer will add later.

– Extra wiring to the closet is very expensive and disruptive to add later.

• The same is true when running fiber to the desktop.– Fiber cable is cheap compared with the cost of

terminating the fiber itself.– Some sites run fiber to the desktop but only terminate

what they actually planning on using (plus 5 to 10 percent in case of failure).

33

Intermediate Distribution Frame (cont.)- Wiring to the Desktop (2/2)

• Another thing to consider about installing network jacks is their orientation ( 方向 / 方位 ).– Jacks are installed in some kind of termination

box or face-plate, which determines which way the jacks face (e.g., Up, Down, Right, Left).

– If the jacks are on the side of the box they can face up, down, right, or left.

• Face right or left (good), Face Up or down (not good)

34

18.1.5 Main Distribution Frame (MDF)

• The Main Distribution Frame (MDF) is what connect the IDFs together and to the data center. – There should always be plenty of cabling between the

MDF and the IDFs.

• It is common for part of the data center to be the MDF.– In a data center, the MDF is often referred to as the

network row or network racks. – Patch panels in these racks connect to a patch panel

( 配線盤 ) at the top of each rack in the data center.

35

Main Distribution Frame (cont.)

• The MDF must have protected power because it connects all the server networks that are on protected power to each other. It also needs adequate cooling.– It often connects the Internet, WANS, and remote access

customers to the data center.– It connects the IDFs to each other and everything else.

• Typically, there is a single MDF per campus. – A large campus, or one that is particularly concerned about

redundancy, may have more than one.• An MDF should have the same level of restrict access as

the data center.– Only the network administrator team should need access

to it.

36

18.1.6 Demarcation Point

• A demarcation point( 網路權責分界點 ) is the boundary between your organization and a utility company, such as telephone company or network provider.– It can be a fiber cabinet, a set of punch down blocks, a board

in a rack, a piece of network hardware or a small plastic box on the wall with a jack or socket for plugging in a cable.

• The telephone company is only responsible for the wiring up to its demarcation points (demarc).– If you have a fault with a line, you need to be able to show the

service engineer where the correct demarc is, so that he does not end up trying to test and fix another operational line.

• The main thing to know about your demarcation points is where they are.– Make sure they are properly labeled.

37

Example: HiNet ADSL 固定制的安裝責任範圍界定

38

18.1.7 Documentation

• Network documentation takes on many forms, the most fundamental of which is labeling.

• Maps of the physical and logical networks should be part of the network documentation.– The physical network map should show where the

wires go and the end points or ranges of wireless networks.

• If redundancy was part of the physical network design, it should clearly indicate and document the physical diverse paths.

– The amount and type of connectivity available for each link should be indicated.

39

Documentation (cont.)

• The logical map should show the logical network topology, with network numbers, names, and speeds.– It should also show routing protocols and

administrative domains if those vary across the network.

• Both the physical and logical network maps should reach to the perimeter of the organization’s network and identify its outer boundaries.

40

Documentation Logical Diagram

41

Documentation (cont.)

• Labeling is the single most important component of the network documentation.– Clear, consistent labeling on patch panels and

long distance connections is particularly important.

• A patch panel ( 配線盤 )– should clearly indicate the physical location of

the corresponding patch panel or jacks, and each of the connections on the patch panel should be clearly and consistently labeled at both ends.

42

Documentation (cont.)

• Long distance connections – should clearly indicate where the circuit

goes, who to report problems to, and what information will be required when reporting a problem, such as the circuit ID and where it terminates.

• Network cables are often hard to label.– One of the most effective is to use a cable tie

with a protruding flat tab, to which standard sticky labels can be affixed.

43

Documentation (cont.)• less-permanent connections, such as the

network connection for each host connection, should also be labeled.– You should only attempt to do this level of labeling if

you can maintain it. Or, incorrect labels are worse than none at all.

• The other key location for documentation is online, as part of the configuration of the network devices themselves.– Wherever possible, comment fields and device names

should be used to provide documentation for the network administrators.

– Routers (and switches) usually permit a text comment to be recorded with each interface.

44

Server Placement

45

18.1.8 Simple Host Routing

• The routing within a site should be simple, deterministic, predictable, and easy to understand and diagnose.– Using simple routing techniques on hosts.– Making routing on hosts simple makes it possible to

have the same configuration on all host devices and know that they will behave in the same deterministic way.

– Redundancy for such hosts should be taken care of by the network devices and should be transparent to the hosts.

46

Simple Host Routing (cont.)

• If a host is simple-homed, it should have a single default route.– it should not listen to any dynamic routing information.

• If a host is multi-homed, it should not route packets from other sites.– It should only accept packets that are addressed to it.– It should have a static routing table and not listen to

any dynamic routing information.• Simple host routing makes debugging network

problems easier and more predictable.– There is also a performance problem with requiring

hosts to perform routing.

47

18.1.9 Use Network Devices

• The building blocks of any modern networks should be dedicated network devices, such as routers and switches, rather than general-purpose hosts that have been configured to do routing.– They should be designed to perform only tasks

directly related to pushing packets, managing the traffic and the device itself.

– They should not be “all-purpose” devices that are configured to handle just network traffic, and they should most definitely not be devices that are also trying to perform other tasks or to perform additional services.

48

Networking Devices

49

18.1.10 Overlay Networks

• An overlay network is a logical topology that rides on top of a physical topology.– Examples include VLAN (virtual LAN), Frame

Relay, ATM, etc.

– This lets us design simple physical architectures that can support whatever complexity we require in the logical overlay, yet maintain simplicity on the physical layer.

50

Overlay Networks (cont.)

• One the WAN level, this could mean that all sites have a single connection to the ATM or Frame-Relay cloud. – The Frame-Relay or ATM switches are then

configured to provide virtual connections (circuits) between them.

– Another WAN example is the use of encrypted tunnels (virtual private network, VPNs) across the Internet.

• On the LAN level, an overlay network usually means – creating a simple, flat physical topology and using

IEEE 802.1q VLAN protocols to overlay subnetworks that are needed by the customers.

51

Virtual Private Networks (VPNs)

52

VPN Scenario: Multiple Internet Access Methods

Headquarter

53

Benefits of VPNs

54

VLANs

VLANs logically segment switched networks based on an organization's functions, project teams, or applications as opposed to a physical or geographical basis.

55

18.1.11 Number of vendors

• Using equipment from many vendors can add unnecessary complexity.– The more vendors whose equipment is on the

network, the more interoperability problems you are likely to experience.

– In addition, there is extra overhead for the network administrative staff in learning the configurations and quirks of the diverse equipment and in tracking software upgrades and bugs.

– Minimize the number of the vendors makes the network more reliable and easier to maintain.

56

Number of vendors (cont.)

• However, exclusive use of a single vendor has its own problems.– A single vendor cannot possibly make the best

product in every area.– Exclusive use of a vendor also leaves your protocol

interoperability untested, which can lead to a surprise the first time a new vendor is introduced.

• Somewhere between the extremes is a reasonable balance.– Some sites find choosing a single vendor for each

protocol layer (e.g., layer1/2/3/7, etc) or each tier of the network works well.

57

18.1.12 Standards-based Protocols

• An organization’s network should be built using standards-based protocols.– Vendor-proprietary protocols lock you into a single

vendor by making it difficult to integrate equipment from competing vendors.

– Being locked into a particular vendor makes it difficult to negotiate for better prices and prevent you from adopting another company’s products to take advantage of their improvements.

– It also leaves you vulnerable to that vendor’s business problems.

58

18.1.13 Monitoring

• You don’t know how your network is performing or how reliable it is until you monitor it.

• There are two primary types of network monitoring.– One is real-time availability monitoring (e.g., MRTG of

routers/switches) and alerting.

– The other is gathering data to do trend analysis to predict future demand or for usage-based billing purpose.

59

18.1.14 Single Administrative Domain

• A single administrative domain– having a single, closely tied network administrative

team with a single management structure.

• A network should be a single organism that moves traffic around in a coherent, coordinated fashion.– It should be governed by a single set of policies and

practices that are implemented consistently across the entire network.

• Properly designing networks, maintaining them, and debugging problems across multiple organizations are

always difficult.

60

Single Administrative Domain (cont.)

• There are security issues associated with not having a single administrative domain.– When different groups have control over different

parts of the network, they probably will also have different policies with respect to connecting other networks to their piece of network and the security that should surround those connections.

• This results in an unknown level of security for the network because it is a single entity and only as secure as the weakest link.

61

Single Administrative Domain (cont.)

• Having a single administrative domain does not exclude the possibility of having regional or divisional network teams that:– all report to the same management structure – and all are governed by the same set of policies and

practices.• The network will still act as a single organism if multiple

teams work closely together in a coordinated fashion.

62

18.2.1 Leading-Edge vs. Reliability

• Typically, the most important quality people seek in their networks is reliability.– Older products that have gone through many firmware

and hardware revisions tend to be more reliable. • The bugs have been shaken out.

– On the other hand, new features and faster connectivity are often only available in new products, which may not be field tested.

63

Leading-Edge vs. Reliability (cont.)

• There are different ways to manage this risk.– You might perform your own certification of new

products in a lab before they are put into product situations and then only slowly deploy them to establish confidence before beginning a major installation.

– You might have separate customer groups that differ in the amount of risk they are willing to accept.

64

Leading-Edge vs. Reliability (cont.)

• Some may be willing to accept slightly lower reliability in exchange for having access to newer features. – Even then, such equipment should be tested in the

lab first. People who want cutting edge performance still want reliability.

• Sometimes, the customer groups that are willing to take the risks are in a different SA team’s domain of control.– They may have customer groups with business

requirements that mean they must use some of the new technologies when they become available.

– Let them suffer through the teething problems, if you can, and take advantage of your chance to let others work out the bugs for you.

65

Leading-Edge vs. Reliability (cont.)

• If you use leading-edge gear, make sure that each person who is going to be affected by its early problems knows that he is likely to suffer outages because the technology is so new.– If you do not do that in advance, your customer will be

unhappy and the reputation of your network as a whole will be adversely affected.

• If a high-level manager approves the risk, make sure the end-users and their direct managers are aware of this decision,– so that outages are not blamed on you.

66

18.2.2 Multiple Administrative Domains

• For political, practical, or security reasons, it is sometimes impossible to have a single administrative domain.– If different organizations manage different parts of the

network and are not governed by the same set of policies or managed by the same management chain, the network needs a different model.

– The various pieces of the network should have explicit borders between them, making use of border routing protocols (e.g., BGP) and security mechanism (e.g., firewalls) to provide routing stability and known levels of security in each of the administrative domains, independent of the others.

67

Multiple Administrative Domains (cont.)

• If you have multiple administrative domains, you should do it the right way.– The choices and actions of one network

administrative team should be completely independent of what the other teams are doing and unable to affect the operations or reliability of other networks.

68

Discussion

• Cutting edge– Windows Vista 的使用– KMS authentication

• Routers vs. firewall• All-in-one servers (e.g., DNS, mail, web, etc.)• Wireless LAN

– 802.11n vs. 802.11 abg– Thin client– Features: Mesh ID, controller– Backbone (wired, wireless)

69

交通大學校園網路與BetaSite 測試平台簡介

( 修訂，原始資料由劉大川老師提供 )

70

交大校園網路架構圖10G全國宿舍網路骨幹

10G

教育部

台灣大學 中央大學中興大學

成功大學 中山大學

台灣學術網路TANET

1G

國際獨立專用電路TWGate1.25G

台灣學術研究網路TWAREN

1G

竹苗交換中心HCIX

ISP連線

1 *G N

行政網路區 教學網路區 宿舍網路區

中心 10G網路

71

交大對外網路簡介• 交大對外網路共有五個出口，各使用一台獨立 router • 以 1G 連往 TANet 竹苗區網中心• 以 2G 連往 TWAREN 交大 POP• 以 10G 連往 HCIX 轉 12 條 1G 與 ISP 交換• 以 1.6G/2.5G 連往 TWgate 轉國外• 以 10G 與教育部 3G/10G ，台大 1.25G/10G ，中央

1.5G/10G ，中興 1.25G/10G ，成大 1.25G/10G ，中山1.25G/10G ，交大台北管研 1G/1G ， TWIX625M/1G ，TPIX625M/1G ，陽明大學 620M/1G ，中正大學500M/1G ，東華大學 300M/1G ，宜蘭大學 200M/1G ，台北榮總 120M/1G 十四點多點連線

72

交大校內網路簡介• 全校教學研究館舍及宿舍分別以 96 芯單模

(single-mode) 光纖連回資訊館 ( 計算機與網路中心 ) 。

• 校內網路分為四群：教學研究網路、行政網路、宿舍網以及測試專用網路，各群使用一台獨立 router 。

73

交通大學網路流量分析• 交大對外總流量 6~8 Gbits/sec• <= 128 Bytes/packet 佔 91%• 網路封包特性， 90% 屬於 TCP 、 UDP

unknown (e.g., P2P 應用 ) ， 10% 屬於 well known (e.g., Mail, DNS, HTTP, etc.) 。

• 70% 與國內 ISP 交換， 20% 與國內學術單位交換， 10% 與國外 ISP 交換。

• Top 200 使用掉 40% 。– Top 200 一半來自系所網路，一半來自宿舍網路。– NO.1 用戶使用掉 1% ， NO.200 使用掉 0.1% 全校

總頻寬

74

交大校園網路測試平台簡介• 獨立的 Cisco 7609 目前有 144 port 無阻塞 Giga bits Ethernet • 提供 144 port SM mini GBIC 、 12 port TX mini GBIX• 提供 port mirror 監測服務• 提供 pass through 監測服務• 提供手動 router pass 服務• 提供 Buffer rs232 out bound control 服務• 提供交大網路分機• 提供網路監視系統• 提供上鎖機櫃• 提供 7 天 24 小時現場測試• 提供校內異常 IP 來源追蹤• 提供校外異常流量警示• 提供斷訊警示

75

測試平台架構圖台灣學術網路

TANET1G

國際獨立專用電路TWGate1.25G

ISP

1 *G N

校園網路1G

Switch * 48

2G 2G

PC * 2500

Switch * 12

有線測試區 無線測試區

76

測試平台成員與容量• 目前架設在全校宿舍網路及無線網路上• 測試者均與交大計中簽訂測試合約• 高用量 TOP200 使用者 90% 以上參與測試• 認證無線網路全部參與測試• 使用 Real IP• 有線網路最大容量 2500 台電腦• 無線網路最大容量 250 台電腦同時上線• 最大容量 144 條 1G

77

交大網路實測之特色• 交大採開放式網路管理• 交大對使用者不做任何實質管制• 交大不限制網路應用• 交大不限制網路頻寬• 交大有有最多元化的網路應用• 交大病毒、攻擊、後門、 spam 、 open proxy 充滿校園網路• 交大骨幹電路標準，骨幹設備標準• 交大測試網路採 ISP 高規格設計，由內往外、由外內均可順暢通過

，不被測試平台限制。• 交大用戶電路、用戶電腦、應用程式環境惡劣，是嚴苛又實際的網路

測試環境• 在交大實測可以遇到最新的網路狀況，領先業界克服• 在交大實測可以遇到最多網路狀況，不會疏漏• 通過交大網路實測代表可適合任何網路環境