Selecting Internetworking Devices For A Campus Network


02 Nov 2017


At this point in the network design process, you have developed a network topology and should have an idea of which segments will be shared with hubs or repeaters, bridged with bridges or switches, or routed using routers. Table 10-6 provides a review of the major differences between hubs (repeaters), bridges, switches, and routers.

Table 10-6. Comparing Hubs, Bridges, Switches, and Routers

Device | OSI Layers Implemented | How Bandwidth Domains Are Segmented | How Broadcast Domains Are Segmented | Typical Deployment | Typical Additional Features
Hub | 1 | All ports are in the same bandwidth domain. | All ports are in the same broadcast domain. | Connects individual devices in small LANs | Autopartitioning to isolate misbehaving nodes
Bridge | 1–2 | Each port delineates a bandwidth domain. | All ports are in the same broadcast domain. | Connects networks | User-configured packet filtering
Switch | 1–2 | Each port delineates a bandwidth domain. | All ports are in the same broadcast domain. | Connects individual devices or networks | Filtering, ATM capabilities, cut-through processing, multimedia (multicast) features
Router | 1–3 | Each port delineates a bandwidth domain. | Each port delineates a broadcast domain. | Connects networks | Filtering, firewalling, high-speed WAN links, compression, advanced queuing and forwarding processes, multimedia (multicast) features

After you have designed a network topology and made some decisions regarding the placement and scope of shared, switched, and routed network segments, you should then recommend actual hubs, switches, bridges, and routers from various vendors. This section covers selection criteria you can use when making decisions.

Criteria for selecting internetworking devices in general include the following:

The number of ports

Processing speed

The amount of memory

The amount of latency introduced when the device relays data

Throughput in packets per second (or cells per second for ATM)

LAN and WAN technologies supported

Autosensing of speed (for example, 10 or 100 Mbps)

Autodetection of half- versus full-duplex operation

Media (cabling) supported

Ease of configuration

Manageability (for example, support for Simple Network Management Protocol [SNMP] and remote monitoring [RMON], status indicators)

Cost

Mean time between failure (MTBF) and mean time to repair (MTTR)

Support for packet filters and other security measures

Support for hot-swappable components

Support for redundant power supplies

Support for QoS features

Availability and quality of technical support

Availability and quality of documentation

Availability and quality of training (for complex switches and routers)

Reputation and viability of the vendor

Availability of independent test results that confirm the performance of the device

For switches and bridges (including wireless bridges), the following criteria can be added to the first bulleted list in this section:

Bridging technologies supported (transparent bridging, spanning-tree algorithm, remote bridging, and so on)

Advanced spanning-tree features supported (rapid reconfiguration of spanning trees [802.1w] and multiple spanning trees [802.1s])

The number of MAC addresses that the switch or bridge can learn

Support for port security (802.1X)

Support for cut-through switching

Support for adaptive cut-through switching

VLAN technologies supported, such as the Virtual Trunking Protocol (VTP), Inter-Switch Link (ISL) protocol, and IEEE 802.1Q

Support for multicast applications (for example, the ability to participate in the Internet Group Management Protocol [IGMP] to control the spread of multicast packets)

The amount of memory available for switching tables, routing tables (if the switch has a routing module), and memory used by protocol routines

Availability of a routing module

For routers (and switches with a routing module), the following criteria can be added to the first bulleted list in this section:

Network layer protocols supported

Routing protocols supported

Support for multicast applications

Support for advanced queuing, switching, and other optimization features

Support for compression (and compression performance if it is supported)

Support for encryption (and encryption performance if it is supported)

For wireless access points and bridges, the following criteria can be added to the first bulleted list in this section:

Wireless speeds supported (11 Mbps, 5.5 Mbps, and 54 Mbps)

Speed of uplink Ethernet port

Support for Dynamic Host Configuration Protocol (DHCP), Network Address Translation (NAT), and IP routing

Support for VLANs

Support for inline power over Ethernet if the access point is unlikely to be mounted near power outlets

Antenna range and support for higher-end antenna attachments

Transmit power and receive sensitivity

The ability to tune the transmit power

Availability of a rugged model for outside use

Support for authenticating client devices by MAC address

Support for user authentication with 802.1X and the Extensible Authentication Protocol (EAP)

Support for mutual authentication, which allows a client to be certain that it is communicating with the intended authentication server

An option for disabling service set identifier (SSID) broadcasts

Support for 128-bit or better encryption

Support for dynamic keys, unique keys for each user, per-packet keying, and a message integrity check (MIC)

Support for one-time passwords or token cards

Support for Publicly Secure Packet Forwarding (PSPF)

Support for security enhancements specified by Wi-Fi Protected Access (WPA), Robust Security Network (RSN), or 802.11i

Optimization Features on Campus Internetworking Devices

Chapter 13, "Optimizing Your Network Design," covers optimization and QoS in more detail, but it is worth mentioning here that optimization and QoS features are more important in campus network designs than many designers might expect. Not only is QoS required in the WAN, where the available bandwidth is lower than in the campus, but stringent requirements for low delay and jitter drive the need for QoS in LAN switches and routers as well. Even in campus networks, bandwidth demand on the network often exceeds the available bandwidth. QoS features should be considered when selecting internetworking devices for campus networks.

In most networks, at least some elements are oversubscribed and therefore require QoS features. QoS features are most often required on uplinks from the distribution layer to the core layer of a hierarchical network design. Sometimes QoS is required on uplinks from the access layer to the distribution layer also. The sum of the speeds on all ports on a switch where end devices are connected is usually greater than that of the uplink port. When the access ports are fully used, congestion on the uplink port is unavoidable.

Access layer switches usually provide QoS based only on Layer 2 information, if at all. For example, access layer switches can base QoS decisions on the input port for traffic. Traffic from a particular port can be defined as high-priority traffic on an uplink port. The scheduling mechanism on the output port of an access layer switch ensures that traffic from such ports is served first. Input traffic can be marked to ensure the required service when traffic passes through distribution and core layer switches.

Distribution and core layer switches can provide QoS based on Layer 3 information, including source and destination IP addresses, port numbers, and QoS bits in an IP packet. QoS in distribution and core layer switches must be provided in both directions of traffic flow. See Chapter 13 for more information on QoS and optimization.

An Example of a Campus Network Design

The goal of this section is to present a campus network design that was developed using the design methodology in this book. The example is based on a real network design. Some of the facts have been changed or simplified to preserve the privacy of the design customer, to protect the security of the customer's network, and to make it possible to present a simple and easy-to-understand example.

Background Information for the Campus Network Design Project

Wandering Valley Community College (WVCC) is a small college in the western United States that is attended by about 600 full- and part-time students. The students do not live on campus. Approximately 50 professors teach courses in the fields of arts and humanities, business, social sciences, mathematics, computer science, the physical sciences, and health sciences. Many of the professors also have other jobs in the business community, and only about half of them have an office on campus. Approximately 25 administration personnel handle admissions, student records, and other operational functions.

Enrollment at WVCC has doubled in the past few years. The faculty and administration staff has also doubled in size, with the exception of the IT department, which is still quite small. The IT department consists of one manager, one server administrator, two network administrators, and two part-time student assistants.

Because of the increase in enrollment and other factors covered in the next three sections, the current network has performance and reliability problems. The administration has told the IT department that both student and faculty complaints about the network have increased. Faculty members claim that they cannot efficiently submit grades, maintain contact with colleagues at other colleges, or keep up with research due to network problems. Students say that they have had to hand in homework late because of network problems and that their grades are affected. Despite the complaints about the network, faculty, staff, and student use of the network has doubled in the past few years.

Wireless access has become a point of contention between the IT department and other departments. Students often place wireless access points in the Computing Center and the Math and Sciences building without permission from the IT department. The IT manager is concerned about network security and has assigned the part-time students to roam the network looking for unauthorized access points and then to remove them from the network if found. The part-time students hate this task as it is their friends in many cases who are installing the access points. Also, they think that wireless access should be allowed. Many students, faculty, and staff members agree.

Business Goals

The college still wants to attract and retain more students. The college Board of Trustees believes that the best way to remain fiscally sound is to continue to increase enrollment and reduce attrition.

The college administration and Board of Trustees identified the following business goals:

Increase the enrollment from 600 to 1000 students in the next 3 years.

Reduce the attrition rate from 30 to 15 percent in the next 3 years.

Improve faculty efficiency and allow faculty to participate in more research projects with colleagues at other colleges.

Improve student efficiency and eliminate problems with homework submission.

Allow students to access the campus network and the Internet using their wireless notebook computers.

Allow visitors to the campus to access the Internet using their wireless notebook computers.

Protect the network from intruders.

Spend a grant that the state government issued for upgrading the campus network. The money must be spent by the end of the fiscal year.

Technical Goals

The IT department developed the following list of technical goals, based on research regarding the causes of network problems, which is covered in more detail in the "The Current Network at WVCC" section:

Redesign the IP addressing scheme.

Increase the bandwidth of the Internet connection to support new applications and the expanded use of current applications.

Provide a secure, private wireless network for students to access the campus network and the Internet.

Provide an open wireless network for visitors to the campus to access the Internet.

Provide a network that offers a response time of approximately 1/10th of a second or less for interactive applications.

Provide a campus network that is available approximately 99.90 percent of the time and offers an MTBF of 3000 hours (about 4 months) and an MTTR of 3 hours (with a low standard deviation from these average numbers).

Provide security to protect the Internet connection and internal network from intruders.

Use network management tools that can increase the efficiency and effectiveness of the IT department.

Provide a network that can scale to support future expanded usage of multimedia applications.

Network Applications

Students, faculty, and staff use the WVCC network for the following purposes:

Application 1, homework. Students use the network to write papers and other documents. They save their work to file servers in the Computing Center and print their work on printers in the Computing Center and other buildings.

Application 2, e-mail. Students, faculty, and administrative staff make extensive use of e-mail.

Application 3, web research. Students, faculty, and administrative staff use Mozilla or Microsoft Internet Explorer to access information, participate in chat rooms, play games, and use other typical web services.

Application 4, library card catalog. Students and faculty access the online card catalog.

Application 5, weather modeling. Meteorology students and faculty participate in a project to model weather patterns in conjunction with other colleges and universities in the state.

Application 6, telescope monitoring. Astronomy students and faculty continually download graphical images from a telescope located at the state university.

Application 7, graphics upload. The Art department uploads large graphics files to an off-campus print shop that can print large-scale images on a high-speed laser printer. The print shop prints artwork that is file-transferred to the shop via the Internet.

Application 8, distance learning. The Computer Science department participates in a distance-learning project with the state university. The state university lets WVCC students sign up to receive streaming video of a computer science lecture course that is offered at the state university. The students can also participate in a real-time "chat room" while attending the class.

Application 9, college management system. The college administration personnel use the college management system to keep track of class registrations and student records.

User Communities

Table 10-7 shows the user communities at WVCC. The expected growth of the communities is also included. Growth is expected for two reasons:

New PCs and Macintoshes will be purchased.

Wireless access will allow more students and visitors to access the network with their personal laptop computers.

Table 10-7. WVCC User Communities

User Community Name | Size of Community (Number of Users) | Location(s) of Community | Application(s) Used by Community
PC users in Computing Center | 30, will grow to 60 | Basement of library | Homework, e-mail, web research, library card catalog
Mac users in the Computing Center | 15, will grow to 30 | Basement of library | Homework, e-mail, web research, library card catalog
Library patrons | 15, will grow to 30 | Floors 1–3 of library | E-mail, web research, library card catalog
Business/Social Sciences PC users | 15, will grow to 30 | Business and Social Sciences building | Homework, e-mail, web research, library card catalog
Arts/Humanities Mac users | 15, will grow to 25 | Arts and Humanities building | Homework, e-mail, web research, library card catalog, graphics upload
Arts/Humanities PC users | 25, will grow to 50 | Arts and Humanities building | Homework, e-mail, web research, library card catalog, graphics upload
Math/Science PC users | 25, will grow to 50 | Math and Sciences building | Homework, e-mail, web research, library card catalog, weather modeling, telescope monitoring, distance learning
Administration PC users | 25, will grow to 50 | Administration building | E-mail, web research, library card catalog, college management system
Visitors to the campus | 10, will grow to 25 | All locations | Web research, library card catalog, e-mail
Outside users | Hundreds | Internet | Surfing the WVCC website

Data Stores (Servers)

Table 10-8 shows the major data stores (servers) that have been identified at WVCC.

Table 10-8. WVCC Data Stores

Data Store | Location | Application(s) | Used by User Community (or Communities)
Library card catalog Windows server | Computing Center server farm | Library card catalog | All
AppleShare IP file/print server | Computing Center server farm | Homework | Mac users in the Computing Center and in Arts and Humanities building
Windows file/print server | Computing Center server farm | Homework | PC users in all buildings
Windows web server | Computing Center server farm | Hosts the WVCC website | All
Windows e-mail server | Computing Center server farm | E-mail | All users except visitors (who use their own servers)
College management system Novell server | Computing Center server farm | College management system | Administration
Windows DHCP server | Computing Center server farm | Addressing | All
Windows network management server | Computing Center server farm | Management | Administration
UNIX DNS server | State community college network system | Naming | All

The Current Network at WVCC

A few years ago the college buildings were not even interconnected. Internet access was not centralized, and each department handled its own network and server management. Much progress has been made since that time, and today a Layer 2 switched, hierarchical network design is in place. A single router that also acts as a firewall provides Internet access.

The logical topology of the current campus backbone network at WVCC consists of a hierarchical, mesh architecture with redundant links between buildings. Figure 10-5 shows the logical topology of the campus backbone.

Figure 10-5. The Wandering Valley Community College's Current Campus Backbone Network

The campus network design has the following features:

The network uses switched Ethernet. A high-end switch in each building is redundantly connected to two high-end switches in the Computing Center. Figure 10-5 shows these switches.

Within each building, a 24- or 48-port Ethernet switch on each floor connects end-user systems. Figure 10-6 shows the building network architecture.

Figure 10-6. The Building Network Design for WVCC

The switches run the IEEE 802.1D Spanning Tree Protocol.

The switches support SNMP and RMON. A Windows-based network management software package monitors the switches. The software runs on a server in the server farm module of the network design.

All devices are part of the same broadcast domain. All devices (except two public servers) are part of the 192.168.1.0 subnet using a subnet mask of 255.255.255.0.

Addressing for end-user PCs and Macintoshes is accomplished with DHCP. A Windows server in the server farm acts as the DHCP server.

The e-mail and web server use public addresses that the state community college network system assigned to the college. The system also provides a DNS server that the college uses.

The router acts as a firewall using packet filtering. The router also implements NAT. The router has a default route to the Internet and does not run a routing protocol. The WAN link to the Internet is a 1.544-Mbps T1 link.

The physical design of the current network has the following features:

Buildings are connected via full-duplex 100BASE-FX Ethernet.

Within buildings, 10-Mbps Ethernet switches are used.

Every building is equipped with Category 5e cabling and wallplates in the various offices, classrooms, and labs.

The router in the Computing Center supports two 100BASE-TX ports and one T1 port with a built-in CSU/DSU unit. The router has a redundant power supply.

A centralized (star) physical topology is used for the campus cabling. Underground cable conduits hold multimode fiber-optic cabling. The cabling is off-the-shelf cabling that consists of 30 strands of fiber with a 62.5-micron core and 125-micron cladding, protected by a plastic sheath suitable for outdoor wear and tear.

Figure 10-7 shows the campus cabling design.

Figure 10-7. The Campus Cabling Design for WVCC

Traffic Characteristics of Network Applications

The student assistants in the IT department conducted an analysis of the traffic characteristics of applications. The analysis methods included capturing typical application sessions with a protocol analyzer, interviewing users about their current and planned uses of applications, and estimating the size of network objects transferred on the network using Table 4-5, "Approximate Size of Objects That Applications Transfer Across Networks." The students also used Table 4-6, "Traffic Overhead for Various Protocols," to estimate extra bandwidth required by protocol headers.

The students determined that the homework, e-mail, web research, library card catalog, and college management system applications have nominal bandwidth requirements and are not delay sensitive. The other applications, however, use a significant amount of bandwidth, in particular a high percentage of the WAN bandwidth to the Internet. The distance-learning application is also delay sensitive.

The users of the weather-modeling and telescope-monitoring applications want to expand their use of these applications, but are currently hindered by the amount of bandwidth available to the Internet. The graphics-upload application users are also hindered from sending large files in a timely fashion by the shortage of bandwidth to the Internet.

The distance-learning application is an asymmetric (one-way) streaming-video application. The state university uses digital video equipment to film the class lectures in real time and send the video stream over the Internet, using the Real-Time Streaming Protocol (RTSP) and the Real-Time Protocol (RTP). The remote students do not send any audio or video data; they simply have the ability to send text questions while the class is happening, using a chat room web page.

A user subscribes to the distance-learning class by accessing a web server at the state university, entering a username and password, and specifying how much bandwidth the user has available. The web page currently does not let a user specify more than 56 Kbps of available bandwidth.

At this time, the distance-learning service is a point-to-point system. Each user receives a unique 56-Kbps video stream from the video system at the state university. For this reason, WVCC limits the number of users who can access the distance-learning system to 10 students who are located in the Math and Sciences building.

In the future, the distance-learning system will support IP multicast technologies. In the meantime, however, students and IT staff agree that a solution must be found for allowing more than 10 students to use the distance-learning system at one time.

A Summary of Traffic Flows

The student assistants used their research regarding user communities, data stores, and application traffic characteristics to analyze traffic flows. They represented cross-campus traffic flows in a graphical form, which Figure 10-8 shows.

Figure 10-8. Cross-Campus Traffic Flows on the WVCC Campus Network


In addition to the cross-campus traffic flows, the students documented traffic flows inside the library and Computing Center and traffic flows to and from the Internet. Inside the library and Computing Center, traffic travels to and from the various servers at about the following rates:

Application 1 | 96 Kbps
Application 2 | 72 Kbps
Application 3 | 240 Kbps
Application 4 | 60 Kbps
Total | 468 Kbps

Traffic travels to and from the router that connects the campus network to the Internet at about the following rate:

Application 2 | 120 Kbps
Application 3 | 740 Kbps
Application 5 | 240 Kbps
Application 6 | 200 Kbps
Application 7 | 400 Kbps
Application 8 | 600 Kbps
Total | 2300 Kbps
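Turning the two rate summaries into a capacity check, as an added example that is not part of the original text: the application rates, the 1.544-Mbps T1 and the 100BASE-FX building links come from the page; the 70 percent utilization target and the 2x growth factor are assumptions.

```python
"""Capacity check built from the per-application traffic flows summarized
above.

Added example, not part of the original text. Application rates, the
1.544-Mbps T1 and the 100BASE-FX building links come from the page; the
utilization target and growth factor are assumptions labelled below."""

from dataclasses import dataclass

# Traffic to and from the servers inside the library and Computing Center (page).
LAN_SERVER_FLOWS_KBPS = {
    "Application 1, homework": 96,
    "Application 2, e-mail": 72,
    "Application 3, web research": 240,
    "Application 4, library card catalog": 60,
}
# Traffic to and from the Internet router (page).
INTERNET_FLOWS_KBPS = {
    "Application 2, e-mail": 120,
    "Application 3, web research": 740,
    "Application 5, weather modeling": 240,
    "Application 6, telescope monitoring": 200,
    "Application 7, graphics upload": 400,
    "Application 8, distance learning": 600,
}
T1_KBPS = 1544                 # 1.544-Mbps T1 link to the Internet (page)
FAST_ETHERNET_KBPS = 100_000   # 100BASE-FX links between buildings (page)


@dataclass
class LinkReport:
    offered_kbps: int
    capacity_kbps: int
    utilization: float        # offered / capacity; above 1.0 means drops
    shortfall_kbps: int       # offered load the link cannot carry
    largest_flows: list       # (application, kbps, share of offered load)


def analyze_link(flows_kbps, capacity_kbps, top_n=3):
    """Sum the flows that share a link and rank the applications driving the load."""
    offered = sum(flows_kbps.values())
    ranked = sorted(flows_kbps.items(), key=lambda item: item[1], reverse=True)
    largest = [(name, kbps, round(kbps / offered, 3)) for name, kbps in ranked[:top_n]]
    return LinkReport(
        offered_kbps=offered,
        capacity_kbps=capacity_kbps,
        utilization=round(offered / capacity_kbps, 3),
        shortfall_kbps=max(0, offered - capacity_kbps),
        largest_flows=largest,
    )


def required_capacity(flows_kbps, target_utilization=0.7, growth_factor=2.0):
    """Capacity (Kbps) that keeps the grown load under a utilization ceiling.
    The 70 percent ceiling is a planning rule of thumb and the 2x growth matches
    the page's projected doubling of user communities; both are assumptions."""
    return sum(flows_kbps.values()) * growth_factor / target_utilization


def distance_learning_unicast_load(students, stream_kbps=56):
    """Load of the point-to-point distance-learning service: one 56-Kbps unicast
    stream per student (figures from the page), the reason for the 10-student cap."""
    return students * stream_kbps


if __name__ == "__main__":
    print(analyze_link(LAN_SERVER_FLOWS_KBPS, FAST_ETHERNET_KBPS))
    print(analyze_link(INTERNET_FLOWS_KBPS, T1_KBPS))
    print("capacity for doubled Internet load:", round(required_capacity(INTERNET_FLOWS_KBPS)), "Kbps")
    print("40 distance-learning students alone:", distance_learning_unicast_load(40), "Kbps")
```

An offered Internet load of 2300 Kbps against a 1544-Kbps T1 is 149 percent utilization, which matches the saturation and packet loss described under "Performance Characteristics of the Current Network", while the same method shows the 100-Mbps building links carrying the server traffic at well under 1 percent.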

Performance Characteristics of the Current Network

From the analysis conducted by the student assistants and from switch, router, and server logs, the IT department determined that bandwidth on the Ethernet campus network is lightly used. However, three major problems are likely the cause of the difficulties that users are experiencing:

The IP addressing scheme supports just one IP subnet with a subnet mask of 255.255.255.0. In other words, only 254 addresses are allowed. A few years ago, the IT department assumed that only a small subset of students and faculty would use the network at one time. This is no longer the case. As use of the network grows and students place wireless laptops on the network, the number of addresses has become insufficient. Users who join the network mid-morning after many other users have joined often fail to receive an IP address from the DHCP server.

The 1.544-Mbps connection to the Internet is overloaded. Average network utilization of the serial WAN link, measured in a 10-minute window, is 95 percent. The router drops about 5 percent of packets due to utilization peaks of 100 percent.

The router itself is overloaded. The student assistants wrote a script to periodically collect the output of the show processes cpu command. The assistants discovered that the 5-minute CPU utilization is often as high as 90 percent and the 5-second CPU utilization often peaks at 99 percent, with a large portion of the CPU power being consumed by CPU interrupts. Using a lab network, the assistants simulated actual network traffic going through a similar router with and without access lists and NAT enabled. The assistants determined that the Internet router CPU is overutilized not just because of the large amount of traffic but also because of the access lists and NAT tasks.

The Network Redesign for WVCC

Using a modular approach, the network administrators and student assistants designed the following enhancements to the campus network:

Optimized routing and addressing for the campus backbone that interconnects buildings, provides access to the server farm, and routes traffic to the Internet

Wireless access in all buildings, both for visitors and users of the private campus network (students, faculty, and administrative staff)

Improved performance and security on the edge of the network where traffic is routed to and from the Internet

Optimized IP Addressing and Routing for the Campus Backbone

The network administrators and student assistants decided to keep the hierarchical, mesh logical topology that their predecessors so wisely chose. However, to fix the IP addressing problems, a routing module was added to each of the building high-end switches, essentially turning the switches into fast routers. With this new approach, the administrators were able to subdivide the network logically into multiple subnets. The administrators decided to stay with private addresses. They assigned the following address ranges to the campus network:

Server farm. 192.168.1.1–192.168.1.254

Library. 192.168.2.1–192.168.2.254

Computing Center. 192.168.3.1–192.168.3.254

Administration. 192.168.4.1–192.168.4.254

Business and Social Sciences. 192.168.5.1–192.168.5.254

Math and Sciences. 192.168.6.1–192.168.6.254

Arts and Humanities. 192.168.7.1–192.168.7.254

Users of the secure, private wireless network. 192.168.8.1–192.168.8.254. (This is a campus-wide subnet that spans all buildings and outside grounds.)

Users of the open, public wireless network. 192.168.9.1–192.168.9.254. (This is a campus-wide subnet that spans all buildings and outside grounds.)

The e-mail and web server use public addresses that the state community college network system assigned to the college.
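A check of the redesigned addressing plan against projected growth, as an added example that is not the design team's own work: the subnet ranges come from the list above and the building host counts from the "will grow to" figures in Table 10-7; the private-WLAN concurrency figure (30 percent of the 1000-student enrollment goal) and the 11 addresses reserved per subnet for the gateway and static infrastructure are assumptions.

```python
"""Check the WVCC redesign addressing plan against projected host counts.

Added example, not part of the original text. Subnet ranges come from the
page; building host projections are Table 10-7's "will grow to" figures; the
private-WLAN concurrency and the per-subnet reservation are assumptions."""

import ipaddress

# Address ranges assigned in the redesign (page), written as /24 networks.
PLAN = {
    "Server farm": "192.168.1.0/24",
    "Library": "192.168.2.0/24",
    "Computing Center": "192.168.3.0/24",
    "Administration": "192.168.4.0/24",
    "Business and Social Sciences": "192.168.5.0/24",
    "Math and Sciences": "192.168.6.0/24",
    "Arts and Humanities": "192.168.7.0/24",
    "Private WLAN (campus-wide)": "192.168.8.0/24",
    "Public WLAN (campus-wide)": "192.168.9.0/24",
}
# The pre-redesign scheme: one /24 for every device on campus (page).
OLD_PLAN = {"Whole campus (old design)": "192.168.1.0/24"}

# Projected hosts per subnet. Building figures are Table 10-7's grown sizes
# (Computing Center = 60 PC + 30 Mac; Arts/Humanities = 25 Mac + 50 PC).
# Server farm = the 8 on-campus servers of Table 10-8. The private-WLAN figure
# assumes 30% of the 1000-student enrollment goal online at once (assumption).
PROJECTED_HOSTS = {
    "Server farm": 8,
    "Library": 30,
    "Computing Center": 90,
    "Administration": 50,
    "Business and Social Sciences": 30,
    "Math and Sciences": 50,
    "Arts and Humanities": 75,
    "Private WLAN (campus-wide)": 300,
    "Public WLAN (campus-wide)": 25,
}

# Held out of the DHCP pool on every subnet: the routing-switch interface
# (default gateway) plus a block for statically addressed infrastructure such
# as access points and printers (constructed assumption).
RESERVED_PER_SUBNET = 1 + 10


def overlapping_subnets(plan):
    """Pairs of subnet names whose address ranges overlap (should be empty)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def dhcp_pool_size(cidr, reserved=RESERVED_PER_SUBNET):
    """Addresses left for dynamic leases after network, broadcast and reserved hosts."""
    return ipaddress.ip_network(cidr).num_addresses - 2 - reserved


def capacity_report(plan, projected, reserved=RESERVED_PER_SUBNET):
    """Per subnet: DHCP pool, projected demand and headroom (negative = exhausted)."""
    report = {}
    for name, cidr in plan.items():
        pool = dhcp_pool_size(cidr, reserved)
        demand = projected.get(name, 0)
        report[name] = {"pool": pool, "demand": demand, "headroom": pool - demand}
    return report


def exhausted_subnets(plan, projected, reserved=RESERVED_PER_SUBNET):
    """Subnets whose projected demand exceeds the DHCP pool, the failure the
    page describes for the old single /24 (late joiners get no lease)."""
    return sorted(name for name, row in capacity_report(plan, projected, reserved).items()
                  if row["headroom"] < 0)


def prefix_length_for(hosts, reserved=RESERVED_PER_SUBNET):
    """Longest prefix (smallest block) whose DHCP pool still covers the demand."""
    for prefix in range(30, 7, -1):
        if 2 ** (32 - prefix) - 2 - reserved >= hosts:
            return prefix
    raise ValueError("demand exceeds a /8")


if __name__ == "__main__":
    total = sum(PROJECTED_HOSTS.values())
    print("old design exhausted:", exhausted_subnets(OLD_PLAN, {"Whole campus (old design)": total}))
    print("overlaps:", overlapping_subnets(PLAN))
    for name, row in capacity_report(PLAN, PROJECTED_HOSTS).items():
        print(f"{name:30} pool={row['pool']:3} demand={row['demand']:3} headroom={row['headroom']}")
    print("prefix for private WLAN demand:", prefix_length_for(PROJECTED_HOSTS["Private WLAN (campus-wide)"]))
```

Under these assumptions every building subnet has headroom, but the campus-wide private WLAN /24 (243 leases after reservations) is the one subnet that the enrollment goal can exhaust, so a practitioner would size it as a /23 or monitor lease utilization on it.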

Instead of relying on the Layer 2 Spanning Tree Protocol for loop avoidance, the designers chose a Layer 3 routing protocol. They chose Open Shortest Path First (OSPF) because it is not proprietary and runs on many vendors' routers, converges quickly, supports load sharing, and is moderately easy to configure and troubleshoot.

The Wireless Network

The wireless enhancements to the network represented the biggest challenge due to biases and other Layer 8 (nontechnical) issues. The IT department preferred a single solution that was extremely secure. Many students and faculty wanted secure access to the campus network and support for visitors using the wireless network to access the Internet.

The solution was to provide two access points in each building, with different security policies implemented on them. An open access point in each building provides access for visitors, while a secure access point in each building provides secure access for students, faculty, and staff. The open access points are on a different channel from the other access points to avoid interference and boost performance. The access points support IEEE 802.11b and each provides a nominal bandwidth of 11 Mbps.

The IT department chose Cisco Aironet series access points because of their support for security features and interoperability with Cisco tools for authentication and wireless network management. The IT department asked the college bookstore to stock Cisco Aironet series wireless LAN client adapters and compatible adapters for students to purchase.

From an IP addressing point of view, two separate subnets were used, as mentioned in the "Optimized IP Addressing and Routing for the Campus Backbone" section—one for the secure, private wireless LAN (WLAN) and one for the open, public WLAN. Each of these subnets is a campus-wide subnet. With this solution, a wireless user can roam the entire campus and never require the lease of a new address from the DHCP server.

In each building, a switch port on the routing switch connects the access point that supports the open network. A different switch port connects the access point that supports the secure, private network. Each of these switch ports is in its own VLAN. Another VLAN is used for the ports that connect wired switches and users within the building.

The open access points are not configured for WEP or MAC address authentication, and the SSID is announced in beacon frames so that users can easily associate with the WLAN. To protect the campus network from users of the open WLAN, the routing switches are configured with access lists that forward only a few protocols. Packets sent from users of the open WLAN to TCP ports 80 (HTTP), 25 (SMTP), and 110 (POP), and UDP ports 53 (DNS) and 67 (DHCP) are permitted. All other traffic is denied. Some students and faculty wanted to support more protocols, but the IT department insisted that, at least for now, these are the only supported protocols. This protects the network from security problems and avoids visitors using too much bandwidth for other applications.
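Rule-by-rule evaluation of the open-WLAN filter described above, as an added example that is not the project's configuration: the permitted ports and the 192.168.9.0/24 range come from the page; the rule model, the sample packets and the server and Internet host addresses are constructed. It shows why the port-67 rule must accept a 0.0.0.0 source, since a client has no address yet when it sends DHCPDISCOVER.

```python
"""Evaluate the open-WLAN filtering policy described on the page against
sample packets, first match with an implicit deny, as a stateless router
access list behaves.

Added example, not the project's configuration. Permitted ports and the
192.168.9.0/24 public-WLAN range come from the page; the rule model, the
sample packets and the host addresses are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

OPEN_WLAN = ipaddress.ip_network("192.168.9.0/24")   # public WLAN subnet (page)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" for any protocol
    src: ipaddress.IPv4Network
    dport: Optional[int]          # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(rules, pkt):
    """Return the action of the first matching rule; deny when none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def build_policy(dhcp_from_any_source):
    """The page's policy: TCP 80, 25, 110 and UDP 53, 67 permitted, all else denied.
    A DHCPDISCOVER is sent from 0.0.0.0 before the client holds an address, so
    the port-67 rule only works if it does not restrict the source network."""
    rules = [Rule("permit", "tcp", OPEN_WLAN, port) for port in (80, 25, 110)]
    rules.append(Rule("permit", "udp", OPEN_WLAN, 53))
    dhcp_src = ANY if dhcp_from_any_source else OPEN_WLAN
    rules.append(Rule("permit", "udp", dhcp_src, 67))
    rules.append(Rule("deny", "ip", ANY, None))   # explicit catch-all, same as the implicit deny
    return rules


# Constructed traffic from a visitor laptop on the public WLAN. 203.0.113.10 is
# a documentation-range Internet host; the 192.168.1.x hosts stand for
# server-farm machines (the server farm's subnet on the page) with made-up host parts.
SAMPLE_PACKETS = {
    "web": Packet("192.168.9.20", "203.0.113.10", "tcp", 80),
    "https": Packet("192.168.9.20", "203.0.113.10", "tcp", 443),
    "dns": Packet("192.168.9.20", "192.168.1.53", "udp", 53),
    "dhcp_renew": Packet("192.168.9.20", "192.168.1.67", "udp", 67),
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 67),
    "ssh_to_server_farm": Packet("192.168.9.20", "192.168.1.10", "tcp", 22),
    "ping": Packet("192.168.9.20", "192.168.1.10", "icmp", 0),
}


def decisions(rules, packets=SAMPLE_PACKETS):
    """Map each sample packet name to the filter's decision."""
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, from_any in (("source-restricted DHCP rule", False), ("DHCP from any source", True)):
        print(label, decisions(build_policy(from_any)))
```

With the page's list applied literally, TCP 443 is denied along with SSH and ICMP, which the sample makes visible; whether that matches the "visitors access the Internet" goal is a decision for the design team, not the filter.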

The private access points implement many more security features. The SSID is hidden and not announced in beacon frames. Although a determined user could still discover the SSID, removing it from beacon packets hides it from the casual user and avoids confusing visitors, who see only the public SSID. Students, faculty, and staff who want to use the private WLAN must know the private SSID and type it into the configuration tool for their wireless adapters.

To protect the privacy of data that travels across the private WLAN, WEP enhancements are used on the access points and clients. For now, access points and clients use Wi-Fi Protected Access (WPA) enhancements required by the Wi-Fi Alliance, such as the Temporal Key Integrity Protocol (TKIP). In the future, after IEEE 802.11i has been ratified, more stringent methods for encryption, such as Advanced Encryption Standard (AES), can be used. See Chapter 8 for more information on wireless security options.

The private access points are also configured to use 802.1X and Lightweight Extensible Authentication Protocol (LEAP). Users of the private WLAN must have a valid user ID and password. To accomplish user authentication, the IT department purchased a Cisco Secure Access Control Server Solution Engine, a dedicated one-rack-unit (one-RU) hardened appliance that operates as a centralized Remote Authentication Dial-In User Service (RADIUS) server for user authentication. They chose an appliance rather than software on a generic PC platform to avoid the security vulnerabilities found in typical industry-standard operating systems. Also, the appliance is reliable and easy to configure and troubleshoot.

The IT department also chose a dedicated hardware appliance for managing the wireless network. The department placed a CiscoWorks Wireless LAN Solution Engine (WLSE) in the Computing Center. The engine allows the administrators to remotely manage the access points.

The WLSE also supports the discovery of rogue access points that students or faculty might install without permission from the IT department. Aironet access points and Cisco-compatible client devices can sample every few seconds on a channel-by-channel basis for beacon frames consistent with ad-hoc rogues and radio-frequency (RF) signatures that indicate the presence of camouflaged rogues. The local access point collects data about these samples and uploads it to the WLSE appliance. The CiscoWorks WLSE software compares sampled data with valid MAC addresses for known access points, and reports potential rogue devices (or other 2.4-GHz network interference) and the device's approximate location (calculated by triangulation) to the IT staff.
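The rogue-detection comparison described above, as an added example that is not the WLSE's own code: beacon samples reported by several authorized access points are grouped by BSSID, anything absent from the authorized list is flagged (and marked as impersonating if it advertises one of the campus SSIDs), and an approximate location is estimated. The authorized MAC list, sensor positions and samples are constructed, and the RSSI-weighted centroid is a simple stand-in for the appliance's triangulation, not Cisco's method.

```python
from collections import defaultdict

# Authorized access points: BSSID -> SSID (constructed values, not from the text).
KNOWN_APS = {
    "00:11:22:33:44:01": "WVCC-Open",
    "00:11:22:33:44:02": "WVCC-Private",
}

# Constructed sensor samples: (reporting AP, channel, observed BSSID, SSID, RSSI dBm).
SAMPLES = [
    ("ap-lib", 1, "00:11:22:33:44:01", "WVCC-Open", -40),
    ("ap-sci", 6, "00:11:22:33:44:02", "", -45),            # hidden SSID, authorized
    ("ap-lib", 11, "aa:bb:cc:dd:ee:01", "linksys", -62),
    ("ap-sci", 11, "aa:bb:cc:dd:ee:01", "linksys", -71),
    ("ap-adm", 11, "aa:bb:cc:dd:ee:01", "linksys", -80),
    ("ap-adm", 6, "aa:bb:cc:dd:ee:02", "WVCC-Open", -55),   # campus SSID, unknown radio
]

# Sensor AP positions on a floor-plan grid in metres (constructed).
SENSOR_POS = {"ap-lib": (0.0, 0.0), "ap-sci": (40.0, 0.0), "ap-adm": (20.0, 30.0)}

def estimate_location(obs, pos=SENSOR_POS):
    """Stand-in for triangulation: RSSI-weighted centroid of the sensors that
    heard the radio, weighting by linear power (10**(dBm/10))."""
    weights = [(pos[sensor], 10 ** (rssi / 10)) for sensor, _, _, rssi in obs]
    total = sum(w for _, w in weights)
    x = sum(p[0] * w for p, w in weights) / total
    y = sum(p[1] * w for p, w in weights) / total
    return (round(x, 1), round(y, 1))

def classify(samples, known=KNOWN_APS):
    """Group beacons by BSSID and report every radio not in the authorized list.
    A rogue that reuses an authorized SSID is labelled 'impersonating'."""
    seen = defaultdict(list)
    for sensor, chan, bssid, ssid, rssi in samples:
        seen[bssid].append((sensor, chan, ssid, rssi))
    report = {}
    for bssid, obs in seen.items():
        if bssid in known:
            continue
        ssids = {ssid for _, _, ssid, _ in obs}
        kind = "impersonating" if ssids & set(known.values()) else "rogue"
        report[bssid] = {
            "kind": kind,
            "channels": sorted({chan for _, chan, _, _ in obs}),
            "location": estimate_location(obs),
        }
    return report
```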

Improved Performance and Security for the Edge of the Network

To fix the problems with high CPU utilization on the Internet router, the designers chose to break apart the network functions of security and traffic forwarding. The Internet router will now focus on traffic forwarding. The administrators reconfigured the router with a simpler list of access filters that provide initial protection from intruders, and they removed NAT functionality from the router. Instead, a Cisco PIX Security Appliance firewall was placed into the topology between the router and the campus network. The PIX firewall provides security and NAT.

The IT department chose a PIX firewall because of its appliance form factor, its hardened operating system, and its support for OSPF routing, NAT, URL filtering, and content filtering. The IT department also recognized the importance of industry certification. The PIX Firewall has Common Criteria Evaluation Assurance Level 4 status and ICSA Labs Firewall and IPSec certification. The IT department chose a PIX Firewall model that supports multiple 10/100-Mbps Ethernet interfaces. For now, four interfaces will be used. The outside interface will connect the Internet router; two inside interfaces will connect the campus network; and the demilitarized zone (DMZ) interface will connect the e-mail and web server.

To fix the problem of high utilization on the WAN link to the Internet and the high incidence of packet dropping, the WAN link was replaced with a 10-Mbps Metro Ethernet link. The IT department discovered that a few service providers in the area were willing to bring in a single-mode fiber-optic link and support Ethernet rather than a WAN protocol. The IT department ordered a 10/100BASE-FX interface for the router and chose a service provider that offers a reasonable monthly charge and has a good reputation for reliability. In addition, the provider makes it easy for its customers to upgrade to more bandwidth. For example, if the college decides it needs a 100-Mbps Ethernet link, the college can make a single phone call to the provider and the provider guarantees to make the change that day.

The IT department also factored into the choice of provider the experience level and knowledge of the installation and support staff. In particular, the provider's network engineers had many practical ideas for addressing redundancy for future network designs.

Figure 10-9 shows the new design for the WVCC campus network.

Figure 10-9. The Enhanced Network for WVCC


Future Enhancements for the WVCC Campus Network

The work of an IT department is never finished. The network administrators and student assistants have many plans for the next network upgrade. Their main concern at this point is availability. Although the hierarchical mesh network does have some redundancy, there are many single points of failure. Availability of applications can be adversely affected by any one of these points failing. It is left to the reader to design some solutions to this problem.
