Router and Switch Design

Uploaded by maidtweet in Networks and Communications

29 Oct 2013 (3 years and 7 months ago)



Updated: February 3, 2004

On This Page

In This Module
Objectives
Applies To
How to Use This Module
Design Guidelines
Device Definitions
Classes
Switch Classes
  Class 1 - Low-end Fixed Switches
  Class 2 - Low-end Flexible Switches
  Class 3 - Midrange Switches
  Class 4 - High-end Switches
Routers
Router Classes
  Class 1 - Software Routers
  Class 2 - Low-end Fixed Routers
  Class 3 - Low-end Flexible Routers
  Class 4 - Midrange Routers
  Class 5 - High End Routers
  Class 6 - ISP Routers
Security
Router Security Considerations
Switch Security Considerations
Snapshot of a Secure Network
Summary
Additional Information

Download the complete solution: Windows Server System Reference Architecture

In This Module

This module considers methods for selecting switches and routers. It identifies features that are available in these devices and helps you to choose which features you may require. Switches and routers are grouped into classes determined by typical features in each class. From these classes you should be able to determine the types of switches and routers that your organization requires. There are many types of switches and routers available and, because they seem to offer similar features, it can be difficult to make the right choice. This module identifies salient features and explains how they can meet your requirements. It also covers router and switch security and explains how to ensure the security of your router and switch configuration.

Objectives

Use this module to:

- Help choose the appropriate switches and routers for your organization.
- Identify key security considerations for routers and switches.
- Secure your router and switch configurations.

Applies To

This module applies to the following technologies:

- Ethernet switches
- Ethernet and Internet Protocol (IP) routers

How to Use This Module

This module will help you to select the most appropriate switches and routers for your organization. It provides a checklist of desirable features in switches and routers and explains the function of each feature. You can use this checklist to determine which features you require. It then classifies switches and routers into groups based on the features each group has. No single switch or router will satisfy all of your organization's requirements; by comparing your requirements against the classes you can determine the best products for each location.

Design Guidelines

This section considers the requirements for routers and switches in the enterprise network, the types of devices that can meet those requirements, and the options available for their deployment. Routers and switches are two critical components in the network, and proper selection of these key devices helps ensure that the network provides fast and reliable service and can adapt to rapidly changing needs.

Design Inputs

When designing the implementation of switches and routers, the following inputs are required:

- Network architecture
- Routing protocols
- Availability

Network Architecture

You should design your network before determining which class of routers or switches you need, where those devices should be placed in relation to each other, and what functionality is required. The following information is required from the network design before choosing the router and switch classes:

1. How many devices are currently present on the network, how many need connectivity now, and what is the estimated future growth?
2. Which devices need to communicate with which others?
3. How much bandwidth is required between different devices that need to communicate?
4. Where is switching (versus routing) required in the network design?
5. Whether virtual local area networks (VLANs) are required and how many, which hosts will be on each VLAN, and whether any routing will be performed between VLANs?
6. What is the acceptable latency?

Network Design

There are many organizational structures, and many ways of designing a network architecture around them. However, there are two popular models which could be used as a basis for your design. They are the multilevel switching architecture, for use perhaps at your head office, and the small branch office architecture.

Figure 1 shows an example of a multilevel architecture, typically used where there is a public website layer and a backend database layer. Starting from the public-facing side of the network and moving inward from there, the first segment is a border network with a border router facing the Internet which provides initial firewall capability. This is followed by a switch which links the router to a perimeter firewall, and the latter provides a more robust firewall. The perimeter firewall in turn connects via a switch to Web servers in the perimeter network, and the Web servers connect via another switch to an internal firewall. The internal firewall then connects by a switch to the internal servers and user PCs in the backend network. This figure shows a logical design, but physically all the switches could be separate VLANs on the same switch. Preferably the border switch is a separate device, as this is in a less secure zone. The backend switch can also be multiple switches depending upon your preference for a single large switch or multiple smaller switches.

Figure 1. Multilevel switching architecture

Figure 2 shows an architecture suitable for use at a small branch office. This comprises three network devices: a modem, a router, and a switch. These three devices could be combined in two devices or a single device depending on the network connection. Low cost routers often contain an Ethernet switch and a firewall function, while for a broadband connection a modem can also be incorporated in the router.

Figure 2. Small branch office architecture

Routing Protocols

In designing the network, an important decision has to be made about which routing protocol or protocols to use for the exchange of routing information. Routers need routing tables to indicate how to reach destination networks. Routing tables can be configured manually as static routes, but these are only suitable for small networks. The alternative is to use routing protocols whereby the routing table is built up by automatically discovering other networks. If a link fails, the failed link is removed automatically from the routing table, so the router always knows the best active route to a destination network.

The following list describes the two primary industry standard routing protocols used in a network, RIP and OSPF, and a special protocol, BGP.

Routing Information Protocol (RIP)

RIP is designed for exchanging routing information in a small- to medium-sized inter-network and is widely available on a variety of routers.

The biggest advantage of RIP is that it is extremely simple to configure, but it has several major disadvantages: it is unable to handle large networks, it generates a large volume of network traffic, and it is slow to respond to network failures (convergence time). For these reasons, it is usually not considered for anything other than small local area networks (LANs). For further information about RIP go to: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/8959B951-8A50-4B2F-96B7-EB5F83DDDF5D.mspx

Open Shortest Path First (OSPF)

OSPF is an industry standard routing protocol that is very efficient and scales well to large networks. The advantages of OSPF are that it causes very little network overhead, even in very large inter-networks, and responds rapidly to link failures. The main disadvantages of OSPF are its complexity and the fact that it is more difficult to configure and administer.

Most enterprise networks today use OSPF as their routing protocol because it is more efficient than RIP. It is usually available on midrange to large routers and sometimes on smaller routers. For further information about OSPF go to: http://technet2.microsoft.com/windowsserver/en/library/CE541016-4ACD-4810-86E7-D3C4703836FF1033.mspx?mfr=true

Border Gateway Protocol (BGP)

BGP is an exterior gateway routing protocol used on Internet-connected routers to provide both routing availability and load-balancing capability. Generally, BGP is only available on large routers, and you should discuss its configuration with your Internet Service Provider (ISP).

Availability

High availability is required in a network, and the larger the network, the higher the availability required. There are a number of ways in which routers and switches can be configured and located to meet these availability requirements. These include duplicate components, such as power supplies and engines in the network devices, and duplication of the devices themselves. The latter approach adds considerably to the cost but can provide a totally resilient solution.

Device Definitions

This section defines the following types of network devices:

- Switches
- Routers

These devices are at the core of the network, linking together all the local area network (LAN) and wide area network (WAN) segments.

Switches

Switches are used to link physical segments of a network together and allow data to move between these segments. Switches operate at layer 2 of the OSI model and direct traffic based on the layer 2 address, for example the Ethernet MAC address. Some switches also provide additional functions such as VLANs and layer 3 switching.

Switches configure themselves automatically. They listen to traffic on each Ethernet port and discover to which port each attached device is connected. The switch then sends traffic directly to the destination port. Unless additional features require activation, the switch requires no configuration, which is a major benefit when installing a network. The switching process is performed in hardware at wire-speed with effectively no latency.

Originally switches linked segments with multiple devices, but as switch prices dropped it became normal to attach a single device to each port. This is known as "switched" Ethernet rather than "shared" Ethernet. With only one active device per port there can be no collisions, so network performance is improved and devices can run in full duplex to achieve higher throughput.

Network traffic includes broadcast messages, and these have to be copied to every port, which has a significant impact in a large network. Because most users want to communicate with a limited group of servers and associates, any broadcast traffic could be sent just within that group. One method of reducing the broadcast traffic is to provide a switch for each group and then link them together with a router, because a router does not transmit broadcasts. Another method is to use VLANs on the switch. A VLAN is a group of devices that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different physical LAN segments. A broadcast from one member of the VLAN only goes to other members of the same VLAN, thereby reducing the spread of broadcast traffic.
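The self-learning and VLAN behaviour just described, as an added Python example (not code from this guide): a small model of a learning switch with port-based VLANs. It learns which port each source MAC address sits behind, forwards known unicast to a single port, floods broadcast and unknown unicast only within the ingress port's VLAN, and compares the size of the broadcast domain with and without VLANs. The port numbering, the VLAN assignments and the MAC addresses are constructed for the example.

```python
from collections import namedtuple

# A frame is reduced to the two fields the switch needs: source and destination MAC.
Frame = namedtuple("Frame", "src dst")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Transparent learning switch with port-based VLANs.

    port_vlan maps each physical port to the VLAN it belongs to. When every
    port is in the same VLAN the switch behaves like a plain, unconfigured
    switch: one broadcast domain.
    """

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)
        # Forwarding table learned from source addresses: (vlan, mac) -> port.
        # The VLAN is part of the key so that a MAC learned in one VLAN never
        # attracts traffic from another.
        self.mac_table = {}

    def receive(self, in_port, frame):
        """Process one frame arriving on in_port and return the sorted list of
        egress ports it is copied to."""
        vlan = self.port_vlan[in_port]
        # Learning: the source address is reachable through the ingress port.
        self.mac_table[(vlan, frame.src)] = in_port
        out_port = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and out_port is not None:
            # Known unicast: exactly one port, never back out the ingress port.
            return [] if out_port == in_port else [out_port]
        # Broadcast or unknown unicast: flood, but only inside this VLAN.
        return self.flood_ports(in_port)

    def flood_ports(self, in_port):
        vlan = self.port_vlan[in_port]
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def broadcast_reach(port_vlan, in_port):
    """Number of ports a broadcast from in_port is copied to under this VLAN layout."""
    return len(LearningSwitch(port_vlan).flood_ports(in_port))


# Constructed eight-port layout: ports 1-4 form user VLAN 10, ports 5-8 server VLAN 20.
SEGMENTED = {1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20, 7: 20, 8: 20}
# The same switch with no VLANs configured: a single broadcast domain.
FLAT = {p: 1 for p in range(1, 9)}

if __name__ == "__main__":
    sw = LearningSwitch(SEGMENTED)
    a, b = "00:aa:00:00:00:01", "00:aa:00:00:00:02"  # constructed MACs on ports 1 and 3
    print(sw.receive(1, Frame(a, b)))   # b not learned yet: flooded to ports 2, 3, 4 only
    print(sw.receive(3, Frame(b, a)))   # a was learned on port 1: sent to [1]
    print(sw.receive(1, Frame(a, b)))   # b now learned on port 3: sent to [3]
    print(broadcast_reach(FLAT, 1), broadcast_reach(SEGMENTED, 1))  # 7 ports versus 3
```

The third call shows the point of the learning step: once both ends have spoken, every further frame between them touches one egress port, and the last line shows why VLANs matter on a large switch, since a broadcast is copied to every port of the VLAN rather than every port of the switch.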

Routers

Routers operate at layer 3 of the OSI model. They pass traffic between two different IP networks, which may be either LANs or WANs. The routing process is based on examining the destination IP address of the incoming data and sending on the data through an egress port based upon a routing table. Routing tables can be manually configured or discovered using routing protocols but, unlike switches, routers will always require some configuration.

Large switches may also include a router, typically on an add-in card. This is often described as layer 3 switching but it is functionally identical to routing.
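To make the routing process concrete, the following is an added Python example (not code from this guide) that covers both the table-building side from the Routing Protocols section (a routing table computed from link-state information and rebuilt after a link failure, so the failed link's routes disappear) and the per-packet decision described here (longest-prefix match on the destination address to choose the next hop). The four-router topology, its link costs and its prefixes are constructed for the example; the path computation is a plain Dijkstra shortest-path-first run, which is the technique OSPF uses, not a model of OSPF's flooding or timers.

```python
import heapq
import ipaddress

# Constructed sample topology (an assumption for this example, not taken from
# the guide): point-to-point links between four routers with OSPF-style costs.
LINKS = {
    ("R1", "R2"): 10,
    ("R2", "R3"): 10,
    ("R1", "R3"): 30,
    ("R3", "R4"): 10,
}

# Networks directly attached to each router. R1 advertises an aggregate /16 that
# overlaps the more specific /24s behind R2 and R3; R4 is the Internet gateway
# and originates a default route (0.0.0.0/0).
ATTACHED = {
    "R1": ["10.1.0.0/16", "10.2.0.0/16"],
    "R2": ["10.2.0.0/24"],
    "R3": ["10.2.1.0/24"],
    "R4": ["10.4.0.0/16", "0.0.0.0/0"],
}


def adjacency(links):
    """The link-state database as an adjacency map: router -> {neighbour: cost}."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def spf(links, source):
    """Shortest-path-first (Dijkstra) over the link-state database.
    Returns {router: (total_cost, first_hop_neighbour)} from source's viewpoint."""
    adj = adjacency(links)
    best = {source: (0, None)}
    heap = [(0, source, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was already found
        for nbr, link_cost in adj.get(node, {}).items():
            new_cost = cost + link_cost
            hop = nbr if node == source else first_hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return best


def routing_table(links, attached, router):
    """Build router's table: prefix -> (next_hop, cost). Attached networks are
    'connected'; every other prefix takes the first hop of the shortest path to
    the router that advertises it. A router cut off by a link failure is absent
    from the SPF result, so its prefixes drop out of the table."""
    paths = spf(links, router)
    table = {}
    for owner, prefixes in attached.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if owner == router:
                table[net] = ("connected", 0)
            elif owner in paths:
                cost, hop = paths[owner]
                if net not in table or cost < table[net][1]:
                    table[net] = (hop, cost)
    return table


def lookup(table, destination):
    """The forwarding decision: longest-prefix match on the destination address.
    Returns (prefix, next_hop), or None when no route (not even a default) exists."""
    addr = ipaddress.ip_address(destination)
    candidates = [net for net in table if addr in net]
    if not candidates:
        return None
    best = max(candidates, key=lambda net: net.prefixlen)
    return str(best), table[best][0]


def fail_link(links, a, b):
    """Withdraw a link from the link-state database; the next SPF run removes
    every route that depended on it."""
    return {ends: cost for ends, cost in links.items() if set(ends) != {a, b}}


if __name__ == "__main__":
    table = routing_table(LINKS, ATTACHED, "R1")
    for net, (hop, cost) in sorted(table.items(), key=lambda item: item[0].prefixlen):
        print(f"{str(net):14} via {hop:9} cost {cost}")
    print(lookup(table, "10.2.0.7"))    # the /24 behind R2 beats R1's own /16
    print(lookup(table, "8.8.8.8"))     # default route, next hop R2 (cheapest way to R4)
    degraded = routing_table(fail_link(LINKS, "R1", "R2"), ATTACHED, "R1")
    print(lookup(degraded, "8.8.8.8"))  # after the R1-R2 failure the default goes via R3
```

Two things worth noticing when running it: the more specific /24 wins even though R1 has the covering /16 attached locally, and after the R1-R2 link is withdrawn every prefix that used R2 as next hop is recomputed through R3 without any per-prefix configuration, which is exactly the argument the Routing Protocols section makes against static routes.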


Classes

Routers and switches have been split into classes to identify the different levels of devices available and the features provided. If a router or a switch fits into a specific class, it can support all features linked to that class of devices.

Several core features make up the overall router and switch classes. In particular, the processing power of a router or switch is a major criterion, in addition to its upgradeability, flexibility, and resilience. Low-end switches and routers are generally designed for a specific task and, to keep the price down, have little or limited expansion capability. As you move up the classes, not only more power but also greater expansion capability is available. The highest classes also provide resilience.

Selecting the correct switch or router can be confusing with a plethora of claims from each manufacturer that they have the most, the fastest, the cheapest set of features. In order to evaluate products you will have to discriminate between features and benefits. A feature is something a product has or can do, but it is only a benefit if it is of use to you. For example, the ability to connect to fiber optic cable rather than just copper is a benefit in a large data center where one switch is connected to another. However, this is of no use in a small office with only a single switch.

Before selecting a switch or router, the network should be designed and then devices evaluated to match that design. There is likely to be more than one design suitable, and the different architectures should be evaluated. While the purchase price is a major criterion, the running costs should be included, as a low cost device may have high operating costs.

For a large organization a major design decision is whether to have multiple switches, or a few very large switches at the central site. The preferred design is a few large switches, but this partly depends upon the physical layout of the central site offices. Many small switches may lead to manageability problems, while larger switches may require VLANs and be more complex to configure.

Common Features of Switches and Routers

The following are the most common features found in switches and routers. Each feature is explained and evaluated. As you go through the list, check whether each feature is relevant to your organization. For example, most companies have a large head office and many small remote offices. The large office is more likely to require features such as resilience and scalability, while low cost may be more desirable at small, but very numerous, offices.

This list shows desirable features common to both switches and routers, and is followed by features individual to either a switch or router.



Scalability

Expanding the number of Ethernet ports is usually very useful, particularly in switches at large sites, as the number of users and servers may grow. You do not want to install a switch that cannot cope with future growth, as it will eventually have to be discarded and replaced by another switch. Switches tend to be either:

- Fixed configuration with a set number of Ethernet ports
- Flexible, where additional cards can be added for more ports
- Fully upgradeable, typically based on an empty chassis and good expandability

Expansion in routers is also desirable, but growth may not be as dramatic as in a switch. What frequently changes in routers are the WAN links, either because the WAN technology is changed, from ISDN to ADSL for example, or because additional WAN links are implemented.

While expansion capability is always desirable, it comes at a cost, and for branch offices a fixed configuration switch/router may be the most effective product.



High speed Ethernet support

The normal speed of Ethernet today is 100Mbps rather than the original 10Mbps. The cost of Gigabit Ethernet is dropping dramatically, but generally its use is confined to servers and backbone links between switches as the PC cards are still expensive. 10Gbps Ethernet is also emerging and, as costs drop, will probably displace Gigabit Ethernet for the most important backbone links. All switches and routers should support 100Mbps Ethernet, but usually only mid to high range models will support higher speeds.



Resilience

What happens when a component of the switch or router fails? Does the whole unit die or does it have a redundant design so it can keep on running? Higher level switches and routers may include duplicate components such as power supplies, engines, and switch fabrics so a failure does not affect operations. In a large device with many connections this is a very desirable feature. However, in a smaller switch or router, for example at a small remote office, the additional cost may not be justified. As an alternative, can two switches or routers work in parallel, with one functional and the other in hot standby, waiting to take over if the primary fails? Is there a mechanism available to handle the switchover automatically?



Manageability

Switches start functioning without requiring any configuration, and learn the network topology by listening to Ethernet frame transmissions and deducing the port location of each device. All switches perform this function, but access to the switch is desirable for additional configuration and monitoring purposes. Lower end switches have no configuration options, but as the feature set increases configuration is required to make best use of these features.

Routers always require configuration, to define port IP addresses and the method to be used for building routing tables.

Remote access over the network is required to configure and manage the devices. This can significantly reduce the management costs since visits to the devices to rectify problems may not be required. Additionally, the devices can be monitored by network management software, reporting errors automatically.



Voice over IP (VoIP)

Voice over IP is the ability to pass voice conversations over the local Ethernet network and perhaps over your WAN. The immediate benefit is the reduction in cabling, since the voice shares the Ethernet cable with data rather than having a separate telephony cable network, but the future benefit is the increased flexibility in positioning staff and equipment. The traditional legacy PBX is usually replaced by an IP PBX based on a standard PC platform rather than proprietary hardware.

For a data center with an existing telephone network, VoIP may not be necessary in the near term, but in the future may be required as the organization expands or business needs evolve. Switches and routers suitable for handling VoIP should have two features:

- Support for the IEEE 802.1p standard, Quality of Service (QoS). This allows the switch to prioritize traffic between data and voice so that voice traffic is sent before data traffic.
- Support for the IEEE 802.3af standard, inline power for IP telephones. This allows a switch to provide low voltage power over the Ethernet Category 5 UTP cables to power IP telephones.




Security

Security is increasingly becoming a very significant requirement in all network components. Implementing security is discussed in more detail later in this module, but switches and routers should be evaluated with security in mind to see whether there are any special features which make security easier to implement.

There are two areas of security involved. To start with, there are security intrusions carried by the network that the device may be able to curtail. Secondly, there are security intrusions targeted at the device itself. The first category may be device oriented and could include the device itself. Does the device (primarily routers) have a firewall capability? The second category will be attacks intended to access the configuration of the device. To prevent the latter, can additional controls be implemented restricting who has configuration access?

Low cost switches cannot usually be configured, nor do they have IP addresses, so they are relatively immune from network-borne attacks. Large switches and routers will usually have sophisticated access control mechanisms, and they can also be configured to limit intrusion. Midrange switches and routers are probably the most vulnerable, but if a good firewall system is in use external intrusions can be eliminated.

Can the device support VLANs, improving security by limiting user access to related servers?



Support

Support from the manufacturer is very important in a large network. Generally the support will be dependent upon what you pay. Low cost devices will usually have only email support, with no guaranteed response time. The more expensive a device is, the more complex it is likely to be, and you may require a support contract. Purchasing all the switches and routers from the same manufacturer reduces the inter-device problems that can occur when each manufacturer blames the other for any difficulties that you experience.



Product range and manufacturer viability

For each class of switch or router, there may be manufacturers who provide the best device for that class, but they may not be able to provide devices in the other classes. For example, at the small office level there are a large number of manufacturers with good products at very competitive prices, but most of these manufacturers do not produce products suitable for a large enterprise. The longevity of the manufacturer and the service level they can provide for problems should also be considered, as many small manufacturers experience fierce competition and may not survive.



Cost

Inevitably purchase cost is a major factor in device selection, but running costs should also be included. Switches are often classified on the basis of their price per port. This is measured by taking the total cost of the switch and dividing it by the number of Ethernet ports to get the individual cost of each port. This measurement should only be used to compare switches in the same class, as it does not take into account the additional features gained by moving up the classes. For example, simple switches probably have the best price per port but also have the fewest features. Routers do not have the same cost comparison method but should be gauged on their routing performance and flexibility. You may be tempted to make a selection based on the most competitive price in each class. However, the cost of operation and maintenance must also be considered, for example, the cost of training the staff in different methods of configuring devices for each manufacturer.



Performance

Assessing the processing power or performance of a router or switch is more complex than assessing a computer, where the CPU power can be used as a starting point. A router or a switch is usually based on the manufacturer's own proprietary hardware and, although there is a CPU, it does not provide an accurate indication of the overall power. Switch performance is measured in both number of bits per second (bps) and packets per second (pps), while router performance is usually measured in just pps. Router and switch manufacturers often do not reveal the performance of their devices. Additionally, there is no industry standard for measuring performance, making direct comparisons difficult. Manufacturers of small routers also tend not to reveal the performance figures.
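As an added example tied to the Voice over IP feature above (not code from this guide), the following Python model shows the 802.1p behaviour a switch needs in order to send voice before data: it reads the 3-bit Priority Code Point from the Tag Control Information of an 802.1Q-tagged Ethernet frame and serves eight strict-priority egress queues, highest priority first. The MAC addresses, the VLAN ID, and the use of priority 5 for voice and 0 for data are conventions constructed for the example.

```python
import struct
from collections import deque

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst_mac, src_mac, pcp, vlan_id, ethertype, payload):
    """Assemble a tagged Ethernet frame. The 16-bit Tag Control Information holds
    the 3-bit priority (PCP), a 1-bit drop-eligibility flag (left 0 here) and the
    12-bit VLAN ID."""
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tag(frame):
    """Return (pcp, vlan_id) for a tagged frame, or (0, None) for an untagged one."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry an Ethernet header and tag")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return 0, None  # untagged frames are treated as best-effort
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci >> 13, tci & 0x0FFF


def payload_of(frame):
    """Payload starts after the 14-byte header plus a 4-byte tag when present."""
    return frame[18:] if parse_tag(frame)[1] is not None else frame[14:]


class StrictPriorityEgress:
    """Eight egress queues, one per PCP value. The highest non-empty queue is
    always served first, so a queued voice frame never waits behind data."""

    def __init__(self):
        self.queues = [deque() for _ in range(8)]

    def enqueue(self, frame):
        pcp, _ = parse_tag(frame)
        self.queues[pcp].append(frame)

    def dequeue(self):
        for queue in reversed(self.queues):
            if queue:
                return queue.popleft()
        return None


def transmission_order(frames):
    """Enqueue frames in arrival order and return their payloads in the order
    the port would transmit them."""
    port = StrictPriorityEgress()
    for frame in frames:
        port.enqueue(frame)
    order = []
    while (frame := port.dequeue()) is not None:
        order.append(payload_of(frame).decode())
    return order


# Constructed sample: an IP phone and a PC on VLAN 100 (MACs and VLAN made up).
PHONE = bytes.fromhex("00aa00000001")
PC = bytes.fromhex("00aa00000002")
UPLINK = bytes.fromhex("00aa0000ffff")
VOICE_PCP, DATA_PCP = 5, 0
ARRIVALS = [
    build_frame(UPLINK, PC, DATA_PCP, 100, 0x0800, b"data-1"),
    build_frame(UPLINK, PC, DATA_PCP, 100, 0x0800, b"data-2"),
    build_frame(UPLINK, PHONE, VOICE_PCP, 100, 0x0800, b"voice-1"),
    build_frame(UPLINK, PC, DATA_PCP, 100, 0x0800, b"data-3"),
    build_frame(UPLINK, PHONE, VOICE_PCP, 100, 0x0800, b"voice-2"),
]

if __name__ == "__main__":
    print(parse_tag(ARRIVALS[2]))        # (5, 100)
    print(transmission_order(ARRIVALS))  # both voice frames leave before any data frame
```

The same parsing step is what a switch uses to find the VLAN ID, so a device advertised as supporting 802.1p but not VLANs is worth a closer look: the priority and the VLAN number travel in the same four-byte tag.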
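For the second area of security described above, restricting who has configuration access, here is an added Python example (not code from this guide) of a check a network team can run over device access records: it tests the source address of each configuration session against the management networks allowed to reach the devices and reports any session a device accepted from anywhere else, which indicates a device whose access restriction is missing. The management subnets, the record format and the records themselves are all constructed for this example and do not correspond to any real device's output.

```python
import ipaddress
import re
from collections import Counter

# Constructed policy: the management VLAN subnet and one jump host are the only
# sources permitted to open a configuration session on a switch or router.
MANAGEMENT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.250.0.0/24", "10.0.0.5/32")]


def config_access_allowed(source_ip, allowed=MANAGEMENT_NETWORKS):
    """True if source_ip lies inside one of the permitted management networks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowed)


# Constructed record format (not a real vendor log): timestamp, device, source, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) config-login src=(?P<src>[0-9.]+) result=(?P<result>\w+)$"
)

SAMPLE_RECORDS = """\
2004-02-03T09:12:01 core-sw1 config-login src=10.250.0.12 result=success
2004-02-03T09:15:44 border-rtr config-login src=192.168.7.9 result=failed
2004-02-03T09:16:02 border-rtr config-login src=192.168.7.9 result=success
2004-02-03T09:20:13 core-sw1 config-login src=10.0.0.5 result=success
2004-02-03T09:31:57 branch-rtr3 config-login src=172.16.40.2 result=failed
"""


def audit_config_access(records, allowed=MANAGEMENT_NETWORKS):
    """Return (accepted_outside, attempts_by_source).

    accepted_outside lists (device, source) pairs where a device accepted a
    configuration session from outside the management networks, so that device
    lacks the access restriction the policy requires. attempts_by_source counts
    every attempt from outside, successful or not, so repeated tries stand out."""
    accepted_outside = []
    attempts_by_source = Counter()
    for line in records.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the audit
        if config_access_allowed(match["src"], allowed):
            continue
        attempts_by_source[match["src"]] += 1
        if match["result"] == "success":
            accepted_outside.append((match["device"], match["src"]))
    return accepted_outside, attempts_by_source


if __name__ == "__main__":
    accepted, attempts = audit_config_access(SAMPLE_RECORDS)
    for device, src in accepted:
        print(f"{device}: configuration session accepted from non-management source {src}")
    print(dict(attempts))
```

Failed attempts from outside the management networks are the access control doing its job; an accepted one is the finding, because it means the device in question is reachable for configuration from a network the design never intended.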

Switch Specific Features

This section highlights desirable features specific to switches.

Spanning Tree Protocol

The Spanning Tree Protocol is used to calculate the best path between switches where there are multiple switches and multiple paths through the network. This is necessary to prevent data being sent down multiple paths simultaneously, resulting in duplication of the data. It is essential in a large network that the switches support this protocol, but it is often not available in small switches.



VLAN support

VLANs are used to segment the network into groups of computers with similar communication requirements, thereby cutting down on network traffic. They can be used on any size network but are particularly desirable where a few very large switches are installed. Low cost switches frequently do not support VLANs. This is unimportant in a small network, but VLAN support is essential for large networks.

Uplink connectivity

Uplinks are used to connect switches together in the network. While all switches can be connected via ordinary Ethernet links, higher class switches support higher speed links using trunking protocols intended for switch-to-switch connection.

Consolidation

Amalgamating other functions within the switch may reduce costs and improve manageability. For example, low cost switches intended for small branch offices may also include a router and firewall, and perhaps even a broadband modem. As well as reducing costs, this also simplifies manageability as there is only one physical unit. High end switches can also incorporate a router module, known as Layer 3 switching, as well as other functions such as load balancing and a firewall. Again, this often improves manageability of the network. This consolidation should be considered carefully as it may result in a reduction in resilience, since total failure of the box will bring down all consolidated services.
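The loop-prevention role of the Spanning Tree Protocol described under Switch Specific Features, as an added Python example (not code from this guide): it runs the core of the STP computation on a constructed four-switch topology with redundant links, that is, root bridge election by lowest bridge ID, root-port selection by root path cost, designated-bridge selection on each link, and blocking of the remaining ports, then recomputes the tree after one link fails. Every link is given a path cost of 1 and port priorities are ignored, which are simplifications of the real protocol; the switch names and bridge IDs are made up.

```python
from collections import deque


def compute_spanning_tree(bridge_ids, links):
    """Simplified STP. bridge_ids maps switch name -> bridge ID (lower wins);
    links is a list of (a, b) pairs, each with path cost 1.

    Returns the elected root, the set of links left forwarding (as frozensets)
    and the blocked ports as (switch, neighbour) pairs."""
    # 1. Root bridge election: the lowest bridge ID wins.
    root = min(bridge_ids, key=bridge_ids.get)

    adjacency = {name: [] for name in bridge_ids}
    for a, b in links:
        adjacency[a].append(b)
        adjacency[b].append(a)

    # 2. Root path cost of every switch: hops from the root (unit link cost).
    root_cost = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nbr in adjacency[node]:
            if nbr not in root_cost:
                root_cost[nbr] = root_cost[node] + 1
                queue.append(nbr)

    # 3. Root port: each non-root switch points at the neighbour offering the
    #    lowest (root path cost, bridge ID).
    root_port = {}
    for name in bridge_ids:
        if name != root:
            root_port[name] = min(adjacency[name],
                                  key=lambda n: (root_cost[n], bridge_ids[n]))

    # 4. Designated bridge on each link, then the forwarding/blocking decision.
    forwarding, blocked = set(), []
    for a, b in links:
        designated = min((a, b), key=lambda n: (root_cost[n], bridge_ids[n]))
        other = b if designated == a else a
        if root_port[other] == designated:
            forwarding.add(frozenset((a, b)))
        else:
            # `other` already has a better path to the root, so its port toward
            # `designated` is blocked; that is what removes the loop.
            blocked.append((other, designated))
    return {"root": root, "forwarding": forwarding, "blocked": blocked}


def is_loop_free(tree, bridge_ids):
    """A loop-free, connected active topology has exactly N-1 forwarding links
    and reaches every switch from the root."""
    forwarding = tree["forwarding"]
    if len(forwarding) != len(bridge_ids) - 1:
        return False
    reached, frontier = {tree["root"]}, [tree["root"]]
    while frontier:
        node = frontier.pop()
        for link in forwarding:
            if node in link:
                (nbr,) = link - {node}
                if nbr not in reached:
                    reached.add(nbr)
                    frontier.append(nbr)
    return reached == set(bridge_ids)


# Constructed topology: a ring of four switches plus a chord S1-S3, so there are
# redundant paths that would forward frames round and round without STP.
BRIDGE_IDS = {"S1": 1, "S2": 2, "S3": 3, "S4": 4}
LINKS = [("S1", "S2"), ("S2", "S3"), ("S3", "S4"), ("S4", "S1"), ("S1", "S3")]

if __name__ == "__main__":
    tree = compute_spanning_tree(BRIDGE_IDS, LINKS)
    print(tree["root"], sorted(sorted(l) for l in tree["forwarding"]), tree["blocked"])
    # Fail the S1-S3 link: S3 now reaches the root through S2, and S3-S4 stays blocked.
    after = compute_spanning_tree(BRIDGE_IDS, [l for l in LINKS if set(l) != {"S1", "S3"}])
    print(sorted(sorted(l) for l in after["forwarding"]), after["blocked"])
```

With five links between four switches, two ports end up blocked and the three remaining links form a tree; after the S1-S3 failure a previously blocked port (S3 toward S2) starts forwarding, which is the automatic re-convergence the text relies on when it calls the protocol essential in a large network.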


Switch Classes

This section defines a number of classes of switches. The classes are not rigid, and you may find a specific model from a manufacturer may belong in more than one class due to upgrade options, while two different models from that manufacturer belong in the same class. The switch classes covered in this section are:

- Class 1 - Low-end Fixed Switches
- Class 2 - Low-end Flexible Switches
- Class 3 - Midrange Switches
- Class 4 - High-end Switches

Class 1 - Low-end Fixed Switches

Low-end switches have limited features and expansion capabilities and no fault tolerance. This class of switches is designed to have a fixed number of Ethernet ports (typically between 4 and 24), and their limited performance is usually adequate in view of the connectivity restrictions.

The switches in this class are inexpensive, but they lack upgradeability and flexibility. Ethernet connectivity is built into the hardware, and features of the device (for example, number of ports) cannot be changed as requirements change. Low-end switches are designed for stand-alone operation, without coordination of traffic with other switches. They may not support features such as Spanning Tree Protocol, remote management, high-speed uplinks, and VLANs. Uplinks to other switches can usually be supported at the standard Ethernet speeds using either a special port or an Ethernet crossover cable. The switch function may also be combined with a router.

Typically these switches are designed for small offices, branch offices of large organizations, and home users. Lack of management capability is probably of no consequence for small businesses or home users; however, it becomes a significant weakness when used for branch offices of an enterprise. Table 1 summarizes Class 1 switch features.

Table 1: Class 1 - Low End Fixed Switches

Typical Features:
- No configuration required or available
- No expansion capability
- Probably no support for Spanning Tree Protocol
- No VLAN support
- No remote management
- Limited manufacturer support
- No VoIP support

Cost: Low

Advantages

The advantages of low-end fixed switches include:

Affordability: These devices are generally inexpensive because of their simple physical construction and feature set; also, there are many manufacturers in fierce competition. If their deficiencies can be ignored, they offer the best value among all switch classes in terms of price per port.

Simple configuration: These devices usually have no configuration options and they are very easy to install; the switch discovers its environment and configures itself. Having no configuration options is a benefit when installed at a remote site because that makes it safe from tampering.

Disadvantages

The disadvantages of low-end fixed switches include:

Not upgradeable: As a consequence of the low cost of construction, these devices usually have no upgradeability when more Ethernet ports are required.

No configuration and manageability: These devices have no configurable options and there is no configuration program to enable remote management and monitoring. Typically, these devices are installed in small remote sites without local technical support, so the lack of monitoring capability can be a serious deficiency. As a further consequence of the lack of configurability, the switch will not support the Spanning Tree Protocol or VLANs, which means that this class of switches is not a preferred choice for a large central enterprise network.

Limited support: Support for this class of routers is usually limited and is provided through Web sites, FAQs, and email contact with no guaranteed levels of service. There is fierce competition, the product life cycle is very short, and models are frequently replaced with consequential downgrading of support for obsolete models. Warranties are limited to replacement, which is not guaranteed to be done in a specified time period. If the device fails after the warranty period, it is not cost-effective to repair it. The support level might be considered adequate because of the simplicity of the device and the cost savings on its purchase.


Class 2 - Low-end Flexible Switches

Low-end flexible switches provide similar capabilities to the low-end fixed switches but have upgradeable hardware to support changes in requirements. Typically, these switches allow an increase in the number of Ethernet ports (with more ports than a fixed switch), provide more flexible uplink capability (frequently Gigabit Ethernet), and support the Spanning Tree Protocol. Usually they provide higher throughput of Ethernet traffic than fixed switches because they have to support a higher number of ports. They also cost more than low-end fixed switches because they are upgradeable and often have remote management capabilities and VLAN support. Stackable fixed configuration switches can be considered to be in the same class, offering the same technical features but supporting expansion by stacking new switches on existing switches and connecting them using high-speed buses so that they act as one. Note that the term stackable has no standard definition. Some manufacturers may mean that a switch can be physically placed on top of another, but for this class it is assumed that there is a high-speed bus between the two switches and these switches are managed as a single switch.

Low-end flexible switches can be used where growth is anticipated or where a low-end fixed switch does not provide enough ports. This includes floors of buildings, departments, remote branch offices, or individually in small organizations. The initial cost is higher than the low-end fixed switches, but in the long term growth can be handled without having to discard the switch. As the low-end flexible switches usually have more potential connectivity than low-end fixed switches, larger offices can be accommodated. Table 2 summarizes Class 2 switch features.

Table 2: Class 2 - Low End Flexible Switches

Typical Features:
- Ethernet port upgradeability
- Uplink port flexibility
- Upgradeable to more Ethernet ports than Class 1 switch
- Spanning Tree Protocol
- Configurability, manageability, and remote access
- VoIP support rare
- VLAN support

Cost: Low to High

Advantages

The advantages of low-end flexible switches include:

Affordability: These devices have a higher cost per port than Class 1 switches. However, they provide better management features and expansion capability and are inexpensive compared to the higher-class switches.

Upgradeability: These devices have methods of increasing the number of Ethernet ports, either by the inclusion of additional ports on the base unit, or by attaching an additional base unit to the existing one by connecting it directly to the internal bus. The uplink port used to connect to other switches can accommodate a variety of connectivity media including Gigabit Ethernet and fiber or copper.

Configurable: These switches have capability for configuring Spanning Tree Protocol and VLANs. These devices are therefore suitable for use in enterprise networks. These switches also support remote management and monitoring.

Disadvantages

The disadvantages of low-end flexible switches include:

Inflexible upgradeability: These devices usually provide a limited increase in the number of Ethernet ports and limited changes to the uplink port features. Adding another stacking unit will result in a large increase in ports, even if only a few additional ones are required. Usually, there are no options for adding other features such as layer 3 switching.

VoIP support is rare: Although VoIP may not be currently required, its availability could become mandatory if an organization upgraded its telephone network.

Little or limited resilience: Typically, these switches have little resilience; if available, the only resilience feature is likely to be a redundant power supply.


Class 3 - Midrange Switches

Midrange switches offer more power and much higher port density and expansion capability than Class 2 switches. They also have a higher level of management capability, redundancy, and resilience. Typically, these switches are modular chassis, rather than fixed chassis, with plug-in port cards. Often differently sized chassis are available with varying numbers of slots. These switches typically include multiple hot-swappable redundant power supplies, while resilience features include protocols to handle changeover to an alternative switch. They may also offer a second engine; this is the processor unit of the switch, providing resilience in case the first engine fails.

These switches may be used to provide the core switching at a medium-sized organization, at larger branches, or to aggregate divisions of a large organization connecting to a larger switch. They provide great flexibility and growth capacity for WAN and LAN connectivity and tend to have a long life cycle as they can be upgraded for future technologies. Table 3 summarizes Class 3 switch features.

Table 3: Class 3 - Mid Range Switches

Typical Features
- Chassis system unit with differently sized chassis
- Redundant power supplies
- High Ethernet port density
- Flexible uplink ports
- Configurability, manageability, and remote access
- Spanning Tree Protocol
- VLAN support
- VoIP support
- Layer 3 switching
- Redundant power supply
- Redundant engine

Cost: High

Advantages

The advantages of midrange switches include:

- Cost-effectiveness: Although the price of the base midrange switch unit is higher than the lower end switches, the price per port reduces considerably as the unit expands in the number of ports. This is particularly true for larger chassis units.
- Simple configuration: These devices have more complex features, such as VLANs, which need configuration. This class of switches generally provides a browser-based graphical interface for configuration in addition to the traditional command-line methods. The same tools can also be used to remotely manage and monitor activity.
- Manageability: This class of switches offers superior manageability features because of improved software tools and specifically designed hardware features.
- Resilience: As the switch increases in port capacity, resilience becomes more critical, and this class of switches can provide an optional redundant power supply and engine.
- Scalability and long life cycle: As these switches are chassis-based, all connectivity options are plug-in cards. This means that the unit can be easily upgraded as requirements change or new technologies become inexpensive. This also extends the life of the switches, whereas lower class switches may have to be discarded.

Disadvantages

The disadvantages of midrange switches include:

- Higher cost: These devices have a higher base cost than the lower classes, although they become more cost-effective with higher port densities, particularly for the large sized chassis.
- Complex configuration: Because these devices have more options, configuration is more complex, although this is mitigated by graphical configuration tools.


Class 4 - High-end Switches

High-end switches offer high performance, increased expansion, extremely high fault tolerance, and high availability capabilities. The hardware design is extremely flexible and provides multiple connectivity options along with other options such as multiple power supplies and processors, and other features that make the system highly resilient.

There is a greater emphasis on high-speed protocols, such as asynchronous transfer mode (ATM), for linking to other network devices. These switches offer extreme versatility in supporting different hardware media, including copper and optical fiber, and have the power to handle multiple Gigabit Ethernet links. This class of switches may also contain a router module, which enables them to act as routers as well. This capability is especially useful for linking VLANs. Table 4 summarizes Class 4 switch features.

Table 4: Class 4 - High End Switches

Typical Features
- Chassis system unit
- Redundant power supplies
- High Ethernet port density
- Flexible uplink ports
- 10 Gigabit Ethernet support
- Configurability, manageability, and remote access
- Spanning Tree Protocol
- VLAN support
- VoIP support
- Layer 3 switching
- Layer 4-7 switching
- Security features
- Redundant power supply
- Redundant engine

Cost: High

Advantages

The advantages of high end switches include:

- Cost-effectiveness: As with the Class 3 switches, switches of this class also have a high base unit price. However, as the unit is expanded and the port density is increased, the cost per port drops considerably.
- Manageability: Just like the Class 3 switches, this class of switches offers superior manageability features because of improved software tools and specifically designed hardware features.
- Resilience: As the switch increases in port capacity, resilience becomes more critical. This class of switches provides advanced resilience features including redundant and hot-swappable power supplies, redundant engines, and redundant switch fabric.
- Scalability and long life cycle: As these switches are chassis-based, all connectivity options are plug-in cards. This means that the unit can be easily upgraded as requirements change or new technologies become inexpensive. This also extends the life of the switches, unlike lower class switches that may have to be discarded.
- Security: This class of switches usually offers advanced security features to protect the network from intrusion.
- Layer 3-7 switching: This class offers layer 3 switching (routing) as an option. It may also offer other advanced features such as layer 4-7 switching, load balancing, and firewalls. Having these as inbuilt services reduces the cost compared with external units and improves performance.

Disadvantages

The disadvantages of high end switches include:

- High initial cost: The initial cost of these chassis-based units is high because it includes the cost of components such as the chassis, engine, and power supply. The price per port is particularly high when the chassis has fewer ports. However, the price per port reduces as the port density increases.
- Complex configuration: Offering additional features inevitably increases the complexity of configuring the switches. Skilled engineers are required to configure switches belonging to this class.


Routers

Many different classes of routers may be required to perform different tasks in the network, such as the border routers facing the Internet, internal routers linking VLANs, and small office routers.

Router Specific Features

This section highlights desirable features specific to routers.

- Routing Protocols: For campus routers a range of routing protocols should be available, and router selection should be done in conjunction with network design and routing protocol selection. The most common standard routing protocols are RIP and OSPF, but RIP is not suitable for a large scale network.
- Range of WAN links and protocols: What protocols do you intend using over your WAN links, and what may you use in the future? High end routers should be selected to support a variety of high speed links and protocols, even if you do not currently require them. Small branch offices may have dial-up, ISDN or broadband connections, and low-end routers should support these connection methods. Although broadband may be the best choice for your current branch office structure, it is not universally available, and dial-up or ISDN may be the only solutions for more remote locations.
- Network Address Translation (NAT): Network Address Translation (NAT) is used on routers facing the Internet to translate a single unique Internet address to multiple private network addresses. This means that many devices can share a single Internet address, and as the private addresses cannot be accessed directly from another Internet user this gives a measure of security. It should be available on routers in small offices connected via the Internet and also at large sites for the border router.
- Dynamic Host Configuration Protocol (DHCP): DHCP is used to automatically issue IP addresses to PCs so that their addresses do not need to be manually configured. This simplifies PC setup, since they can be configured to use DHCP and will pick up an address when switched on and connected to the network. It is also useful for laptop computers used in different locations, since they will automatically receive an IP address suitable for each location. At central sites a DHCP service will be running on a server running the Microsoft Windows 2000 operating system or Microsoft Windows Server™ 2003, but at small offices there may be no server, so there may be a requirement for the router itself to issue DHCP addresses.
- Firewall: Routers may offer a firewall feature, and this is useful in any router facing the Internet such as a branch office router or a border router at larger sites. Although a full scale router is advisable at large sites, the border router is on the outside of the firewall and needs to protect itself.
- Virtual Router Redundancy Protocol (VRRP): At large sites duplicate network devices may be installed as a fail-safe arrangement, with one device operating as the master and the other device operating as a hot standby device and becoming active only if the master fails. VRRP is a protocol which runs on a link between the routers, so that each router knows when the other router is alive, and when the link fails the active device can react.
- Virtual Private Network (VPN): VPNs are used to provide privacy and security for a connection through the Internet. A VPN effectively provides a private line through a public service, and its main use is either for individual users connecting in from home or for small branch offices connecting to a central site. There are various methods of setting up the VPN link, including starting the process at the client PC, in which case the router is unaware of the VPN connection. However, the router can also be configured with direct router-to-router VPN links that do not involve the users, and this may be a requirement for small branch offices.


Router Classes

Similarly to switch classes, multiple classes have been defined, and products may fall into more than one class depending upon the options available. The router classes covered in this section are:

- Class 1 - Software Routers
- Class 2 - Low-end Fixed Routers
- Class 3 - Low-end Flexible Routers
- Class 4 - Midrange Routers
- Class 5 - High-end Routers
- Class 6 - ISP Routers


Class 1 - Software Routers

Software routers are computer systems with a standard operating system and software functions installed that provide routing capability between a LAN and a WAN. The computer system provides the standard computer functionality while the routing features are performed in the background. Typically, these routers provide shared Internet access to a small number of computers for home users or small businesses. Their performance is limited because the routing function is a background activity rather than the main function of the device. Its performance is also dependent on the foreground activity. The resilience is limited to that of the computer. As the computer is usually a workstation, it is particularly dependent upon the user not switching it off. Upgradeability and flexibility are low because the software supports a restricted set of WAN protocols. An example of this class of software routers is Internet Connection Sharing (ICS), which is available on Windows 98, ME, 2000, 2003 and XP operating systems.

Software routers are useful when there are a few local users and a lower requirement for WAN access. They are used increasingly in homes where there are a number of users requiring Internet access over a single phone line. As usage increases and outruns the capability of this routing solution, a dedicated hardware router of the next router class can be installed. Table 5 summarizes Class 1 router features.

Table 5: Class 1 - Software Routers

Typical Features
- Software only
- Simple configuration
- Built-in network address translation (NAT)
- No routing protocols
- Free with operating system or very low cost

Advantages

The advantages of software routers include:

- Inexpensive: These routers require no additional hardware units beyond a modem and are either included with the operating system or are available at a low cost. Low cost is the major benefit, but disadvantages such as lack of features and performance may outweigh this advantage.
- Simple configuration: Configuration is usually limited to just turning on the routing function. NAT will also be turned on together with Dynamic Host Configuration Protocol (DHCP), which then provides each computer on the internal network with a private address automatically.

Disadvantages

The disadvantages of software routers include:

- Inconsistent performance: This routing function relies on the processing power of a single computer that would usually be processing other tasks as well; therefore, its performance is restricted and variable. It is intended primarily for occasional rather than continuous Internet access, and although adequate for one computer in a stand-alone mode, its performance degrades as more computers are connected or the Internet usage rises.
- Limited configuration options: With no routing protocols available, the configuration options are usually negligible and only basic firewall features are available.
- No resilience: Resilience is limited to that of the computer on which the router software is installed; this usually implies no resilience at all. Consequently, the routing software is particularly prone to user actions such as shutting down the computer.


Class 2 - Low-end Fixed Routers

Low-end fixed routers typically have limited performance, features and expansion capabilities, and no fault tolerance. This class of routers is designed to route an Ethernet LAN to a WAN. The WAN connections are usually restricted to a dial-up modem, ISDN, X25 link, broadband, or a cable modem. The router will typically have a built-in hub or switch (which may also include wireless connectivity to computers equipped with wireless cards) and may also have simple firewall capability.

The WAN connectivity is built into the router hardware and cannot be changed if user requirements change. However, the routers are inexpensive, and the lack of upgradeability is the penalty for the low price.

These routers have no resilience features but are dedicated devices and can be left switched on all the time. Because they are inexpensive, a second router can be installed to provide redundancy. They offer only a limited range of routing protocols such as RIP and OSPF, but they usually have a NAT feature to enable multiple internal users on the LAN to access the Internet through a single address.

Performance is restricted but better than the Class 1 devices, as the hardware is designed for the routing function with no other functions running at the same time.

This class of routers is designed for the small office, for telecommuters working from home to access the Internet, or for small branch offices to connect to larger offices in a hierarchical network structure. ISDN has been very popular in this role because the connection is only made when a data transfer is required. This means that the expensive WAN link is used efficiently and cost-effectively. As the cost of this class of routers came down, this level of routing migrated into homes, and the most popular routers in this class are restricted to ISDN or broadband Internet connectivity. Table 6 summarizes Class 2 router features.

Table 6: Class 2 - Low End Fixed Routers

Typical Features
- Limited WAN protocols
- No hardware upgradeability
- RIP routing protocol, possibly OSPF
- Limited performance
- Frequently simple configuration
- No fault tolerance
- Built-in switch or hub
- Built-in firewall
- Built-in NAT/DHCP
- Limited manufacturer support

Cost: Low

Advantages

The advantages of low-end fixed routers include:

- Affordability: Routers in this class are inexpensive, partly due to their restricted performance and functionality, and partly because of fierce competition at this level. Because these routers may also include a hub or switch and a firewall, they can be of particularly good value as small network routers.
- Simple configuration: To match the competition for this class of router and the limited options, configuration is frequently simple, often through a browser and a graphical interface.
- Range of WAN connectivity: While many low cost routers are limited to ISDN or ADSL WAN connections, others in this class may include X25 and Frame Relay, albeit at a higher cost. The WAN link must be selected at the time of purchasing the router and cannot be changed if the requirements change.
- Built-in features: These routers provide NAT and DHCP to automatically provide addresses to attached computers. Optionally they may provide a four- or eight-port hub or switch, and now increasingly include a basic firewall as well. Built-in wireless switches are becoming increasingly popular.

Disadvantages

The disadvantages of low-end fixed routers include:

- Limited upgradeability: This class of routers is not hardware upgradeable, but usually their firmware is upgradeable. There may be choices of WAN connectivity, number of Ethernet ports, and built-in switches at the time of purchase, but these options cannot be changed after the purchase. However, because of their low initial cost, these products are easily discarded if they cannot satisfy future requirements.
- Limited performance: These routers have limited performance. Manufacturers usually do not reveal throughput figures, but these routers are typically suitable for about eight users depending on the users' activities.
- Limited support: Support for this class of routers is usually limited and is provided through Web sites, FAQs, and email contact with no guaranteed levels of service. There is fierce competition, the product life cycle is very short, and models are frequently replaced with consequential downgrading of support for obsolete models. Warranties are limited to replacement, which is not guaranteed to be done in a specified time period. If the device fails after the guarantee period, it is not cost-effective to repair it. The support level might be considered adequate because of the simplicity of the device and the cost savings on its purchase.
- Limited manageability and features: Designed for simple networks, this class of routers will have limited manageability features. This becomes a weakness when used for remote sites of an enterprise network. These routers also have limited routing options and may not have some features essential for enterprise users, such as the OSPF routing protocol.
- No resilience: This class of routers lacks resilience.


Class 3 - Low-end Flexible Routers

Low-end flexible routers provide capabilities similar to low-end fixed routers but have upgradeable hardware which allows for growth as an organization's requirements change. Typically, these routers allow different types of WAN connectivity or multiple WAN ports and, if there are built-in Ethernet hubs or switches, additional local devices can be connected. Usually they provide better performance than a fixed router because they are designed to support the maximum port expansion without any upgrade of the processors. Because they are upgradeable, they are more expensive than low-end fixed routers. Like the low-end fixed routers, they usually offer a limited range of routing protocols.

These routers are frequently used in small or branch offices where growth is anticipated. Although the initial cost is higher than that of fixed routers, you gain in the long run because future growth can be handled by upgrading and not by having to replace the router. Because the low-end flexible routers are usually more powerful than a low-end fixed router, they can accommodate larger offices. Table 7 summarizes Class 3 router features.

Table 7: Class 3 - Low End Flexible Routers

Typical Features
- Upgradeable
- Broad range of WAN connectivity
- RIP and OSPF routing protocols
- VLAN support
- VoIP support
- No fault tolerance
- Built-in switch or hub
- Built-in firewall
- Built-in NAT/DHCP

Cost: Low to High

Advantages

The advantages of low-end flexible routers include:

- Affordability: Although more expensive than Class 2 routers, these routers can still be considered low cost. They offer more features, better performance, and upgradeability, which justifies the higher price tag.
- Simple configuration: Because these routers are generally used in simple networks, they typically have graphical configuration tools. You can resort to command-line systems for more complex configuration.
- Advanced feature set: These routers have advanced features such as OSPF, VoIP, firewall, and NAT. This makes them suitable for use as components in an enterprise network.
- Upgradeability: This class of routers has a broad range of WAN connectivity options, and if the requirements change after purchase, these can be upgraded. Memory can be upgraded to improve performance, and the operating system can be upgraded to introduce additional features.

Disadvantages

The disadvantages of low-end flexible routers include:

- Limited performance: Although manufacturers may not reveal the performance of their routers, this class of routers does have performance limitations and is intended for small offices or small departments, depending upon the activity of these locations and the WAN traffic.
- Limited configuration options: Although routers in this class do have a good feature set, these are still limited when compared with the features of the higher class of routers.
- Low scalability: WAN connectivity can generally be upgraded (though this may be restricted in number), but the number of LAN ports cannot be upgraded.
- No resilience: Routers of this class have few or no resilience features.


Class 4 - Midrange Routers

Midrange routers offer more power and hardware expansion capabilities than Class 3 routers. They provide multiple LAN and WAN ports with faster Ethernet connectivity, including Gigabit Ethernet as well as fiber and copper connectivity. Additional protocols may be available, particularly for backbone connectivity, to connect to other network devices such as routers or switches rather than individual computers. These routers are usually used for dial-in connections from individual computers of home workers or from small Internet service providers (ISPs) using analog modems or ISDN. Typically, they also support VoIP, which allows simultaneous voice and data transmission over the same cable.

Although midrange routers offer limited or no built-in hardware resilience, they provide an alternative resilience method by the use of dual routers (a primary and a standby router) and protocols to ensure a rapid switchover in the event of a failure.

Routers of this class may be used as the core routers at medium-sized organizations, at larger branches, or to aggregate divisions of a large organization connecting to a larger router. The dial-in capability is frequently used by telecommuters to directly connect to the organization without going through the Internet. They provide great flexibility and growth capacity for WAN and LAN connectivity and tend to have a long life cycle as they can be upgraded for future technologies. Table 8 summarizes Class 4 router features.

Table 8: Class 4 - Mid Range Routers

Typical Features
- Upgradeable
- Broad range of WAN connectivity
- Performance >40 kpps
- RIP and OSPF routing protocols
- VLAN support
- VoIP support
- No fault tolerance
- Built-in firewall
- VRRP resilience protocol
- Built-in NAT/DHCP
- VPN support

Cost: Low to High

Advantages

The advantages of midrange routers include:

- Performance: The routers of this class have a throughput of at least 40 kbps, and they can be considered medium performance routers suitable for large branch offices or medium-sized organizations.
- Expansion and scalability: This class of routers has considerable expansion capability and can accommodate increases in the number of ports and a broad range of connectivity types.
- Full feature set: These routers usually have a full feature set including a wide range of WAN connectivity, routing protocols, NAT, DHCP, firewall, VLANs, VoIP, and VPN.

Disadvantages

The disadvantages of midrange routers include:

- Low resilience: These devices typically have no built-in resilience, although routers at the higher end of the class may have redundant power supplies. However, they should support redundant routing protocols, such as VRRP, by which a standby router can provide resilience.
- Low performance and scalability: These devices are unlikely to have the power or connectivity required to act as the core router of a large enterprise.


Class 5 - High End Routers

High end routers offer high performance, increased expansion, and extremely high fault tolerance and availability. The hardware design is flexible; it provides multiple connectivity options like the Class 4 routers and has additional options such as multiple power supplies, multiple processors, and other features that make it highly resilient.

There is a greater emphasis on high-speed protocols, such as ATM and SONET, to link to other network devices and carry large volumes of data between sites, while smaller routers or switches concentrate on workstation connections. These routers are extremely versatile and support a large number of WAN and LAN protocols and different hardware media including copper and optical fiber. Table 9 summarizes Class 5 router features.

Table 9: Class 5 - High End Routers

Typical Features
- Chassis-based unit
- Broad range of WAN connectivity
- Performance >900 kpps
- RIP and OSPF routing protocols
- VLAN support
- VoIP support
- Redundant power supply
- Redundant engine
- Built-in firewall
- VRRP resilience protocol
- Built-in NAT/DHCP
- VPN support

Cost: High

Advantages

The advantages of high end routers include:

- Performance: Routers of this class have a throughput of at least 900 kbps, which is considerably higher than the corresponding throughput of Class 4 routers; therefore, they can be considered high performance routers suitable for uses such as a WAN gateway or a core router for medium to large organizations.
- Expansion and scalability: Being chassis-based, Class 5 routers have considerable expansion capability to accommodate a larger number of ports and a broad range of connectivity types.
- Full feature set: These routers usually have a full feature set including a wide range of WAN connectivity, routing protocols, NAT, DHCP, firewall, VLANs, VoIP, and VPN.
- Resilience: These devices have built-in resilience options such as a redundant hot-swappable power supply and redundant engines. They also support redundant routing protocols, such as VRRP, where a standby router monitors the primary router and can take over if the primary one fails.

Disadvantages

The disadvantage of high end routers is their high cost. Because these devices have considerable upgrade capabilities and resilience, their starting price is high, but the price per port falls as the chassis is populated.


Class 6 - ISP Routers

ISP routers are used by ISPs on the backbone of the Internet. They can also be used in an enterprise for the ultimate performance. They provide extremely high performance, along with high availability and resilience, and can handle hundreds and thousands of Internet users and connect to the Internet backbone at high speeds. Table 9 summarizes Class 5 router features.

Table 9: Class 5 - High End Routers

Typical Features
- Chassis-based unit
- Broad range of WAN connectivity
- Broad range of LAN connectivity
- Performance multimillion pps
- Vast expansion capability
- Redundant power supplies
- Redundant engines

Cost: Very High

Advantages

The advantages of ISP routers include:

- High performance: Routers of this class are designed for very large enterprises or an ISP backbone or edge use. They provide extremely high performance.
- Scalability: These routers are chassis-based and can be upgraded extensively. Typically, a chassis may have up to 16 slots, with each blade having the capability for multiple connections.
- Extensive range of WAN/LAN protocols: Routers of this class support virtually every relevant protocol, including many very high-speed WAN protocols such as OC 192.

Disadvantages

The disadvantages of these routers are their high cost and potentially complex configuration.


Security

Security is extremely important in designing a network, to control external intrusions from the Internet and internal intrusions from employees or others with access to the internal network. There are four major areas of protection which should be considered:

- Control intrusion through the switch or router
- Control intrusion against the switch or router
- Control administrator access to the switch or router
- Physical protection of the routers and switches

The switches and routers pass packets through the network and are the first point at which to filter out intrusion attempts, followed by a firewall providing a higher level of filtering. This filtering should also prevent attacks on the network devices themselves. Most switches and routers can be reconfigured, and therefore strict controls must be put in place to limit who has administration access. Most routers and switches have some back-door access method to bypass logical security, and therefore these devices should be physically locked up to prevent this intrusion.

Most routers have specific and well-known vulnerabilities, and the manufacturer's website should be visited for details of these vulnerabilities and the methods for combating them.

Router Security Considerations

The router is the very first line of defense and also the first line of attack. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP). You should use the router to block unauthorized or undesired traffic between networks. The router itself must also be secured against reconfiguration by using secure administration interfaces and ensuring that it has the latest software patches and updates applied.

If you do not have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers.

When considering router security, it is useful to use the following configuration categories:

- Patches and updates
- Protocols
- Administrative access
- Services
- Auditing and logging
- Intrusion detection

Patches and Updates

Subscribe to alert services provided by the manufacturer of your networking hardware so that you are up to date with both security issues and service patches. As vulnerabilities are found (and they inevitably will be found), good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.

Protocols

Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should:

- Use ingress and egress filtering
- Screen ICMP traffic from the internal network
- Block Trace Route
- Control broadcast traffic
- Block other unnecessary traffic

Use Ingress and Egress Filtering

Spoofed packets are indicative of probes, attacks, and other activities by a knowledgeable attacker. Routers route packets based on the destination address and normally ignore the source address, which may not be that of the author of the packet. Incoming packets with an internal address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to route outgoing packets only if they have a valid internal IP address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network, and if other networks apply the same outgoing verification, your network could be saved from a denial of service attack.

This type of filtering also enables the originator to be easily traced to its true source, since the attacker would have to use a valid, and legitimately reachable, source address. For more information, see "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at http://www.rfc-editor.org/rfc/rfc2267.txt.

Screen ICMP Traffic from the Internal Network

ICMP is a stateless protocol that sits on top of IP and allows host availability information to be verified from one host to another. Commonly used ICMP messages are shown in Table 10.

Table 10 Commonly Used ICMP Messages

Message                    Description
Echo request (Ping)        Determines whether an IP node (a host or a router) is available on the network
Echo reply (Ping reply)    Replies to an ICMP echo request
Destination unreachable    Informs the host that a datagram cannot be delivered
Source quench              Informs the host to lower the rate at which it sends datagrams because of congestion
Redirect                   Informs the host of a preferred route
Time exceeded              Indicates that the time to live (TTL) of an IP datagram has expired

Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods and other denial of service attacks. Other ICMP vulnerabilities exist that justify blocking this protocol. While ICMP Echo Request, or Ping, can be used for troubleshooting, it can also be used to discover devices on your network and map its architecture, and so should be ignored unless there is a good reason to keep it. The Ping can also be used for a Ping of Death denial of service, so it is best blocked.

Block Trace Route

Trace route is a means to collect network topology information. It detects devices en route to a destination system and is very useful in determining whether your data is traveling along optimal routes. Its implementation varies for each manufacturer; some use a Ping with differing Time to Live (TTL) values while others use a UDP datagram. The variable Ping can be controlled by blocking ICMP messages as mentioned above, while the UDP datagram may require an ACL to block it. By blocking packets of this type, you prevent an attacker from learning details about your network.

Control Broadcast Traffic

Directed broadcast traffic can be used to enumerate hosts on a network and as a vehicle for a denial of service attack. For example, by blocking specific source addresses, you prevent malicious echo requests from causing cascading ping floods. Source addresses that should be filtered are shown in Table 11.

Table 11 Source Addresses That Should Be Filtered

Source address          Description
0.0.0.0/8               Historical broadcast
10.0.0.0/8              RFC 1918 private network
127.0.0.0/8             Loopback
169.254.0.0/16          Link local networks (APIPA addresses)
172.16.0.0/12           RFC 1918 private network
192.0.2.0/24            TEST-NET
192.168.0.0/16          RFC 1918 private network
224.0.0.0/4             Class D multicast
240.0.0.0/5             Class E reserved
248.0.0.0/5             Unallocated
255.255.255.255/32      Broadcast

Block Other Unnecessary Traffic

Incoming traffic from the Internet to the border router is from unknown, untrusted users who require access to your Web servers. They are accessing a specific list of IP addresses and port numbers and can be restricted to access no other port numbers or IP addresses. Using access control lists, available on most routers, only traffic for the desired combination of addresses and ports can be let through the border router, on the assumption that any other addresses are potentially hostile.

Note: Port numbers in this example are not related to ports on a switch, which are the physical sockets that Ethernet cables are plugged into. Here, the reference is to the IP addressing system, where the IP address is extended with a TCP or UDP port number. For example, a Web server is frequently on port 80: the full address of the Web service on a server with an IP address of 192.168.0.1 would be 192.168.0.1:80.
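The border-router filtering described in the Use Ingress and Egress Filtering, Screen ICMP Traffic, Control Broadcast Traffic and Block Other Unnecessary Traffic sections above, modelled in Python as an added example (it is not code from this module or from any router vendor). The checks run in the order a perimeter ACL would list them: drop the Table 11 source addresses, drop inbound packets that claim an internal source, screen ICMP by message type and size, then default-deny everything not on an explicit allow list; outbound, only valid internal sources may leave. The internal prefix 198.51.100.0/24, the allow list, the ICMP types left open, the 1024-byte ping limit and the sample packets are constructed assumptions; only the bogon list comes from the text.

```python
"""Border-router filter model, added as an illustration (not the module's own code).

Inbound (Internet -> perimeter) packets pass through four stages in order:
  1. Table 11 bogon/reserved source addresses are dropped.
  2. Anti-spoofing: an inbound packet claiming an internal source is dropped.
  3. ICMP is screened: only the reply types internal hosts need are accepted,
     and oversized echo traffic ("large ping packets") is dropped.
  4. Anything else must match an explicit (address, protocol, port) allow list.
Outbound (perimeter -> Internet): egress filtering drops packets whose source
is not a valid internal address, so spoofed attacks cannot originate here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Table 11: source addresses that should never arrive from the Internet.
BOGON_SOURCES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32",
)]

# Constructed assumption: the prefix behind this border router.
INTERNAL_NETS = [ip_network("198.51.100.0/24")]

# ICMP message types by their RFC 792 numbers.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACHABLE, ICMP_ECHO_REQUEST = 0, 3, 8
# Assumed policy: inbound ICMP is limited to replies that internal hosts
# triggered; echo requests, redirects and the rest are screened out.
ALLOWED_INBOUND_ICMP = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACHABLE}
MAX_ICMP_BYTES = 1024  # larger ICMP packets are treated as a "large ping"

# Constructed allow list: only the published Web server, only HTTP/HTTPS.
INBOUND_ALLOW = {
    ("198.51.100.10", "tcp", 80),
    ("198.51.100.10", "tcp", 443),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None
    length: int = 64                # total IP length in bytes


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def filter_inbound(pkt: Packet) -> str:
    """Return 'permit' or 'deny: <reason>' for a packet arriving from the Internet."""
    if _in_any(pkt.src, BOGON_SOURCES):
        return "deny: bogon source"
    if _in_any(pkt.src, INTERNAL_NETS):
        return "deny: spoofed internal source"
    if pkt.proto == "icmp":
        if pkt.length > MAX_ICMP_BYTES:
            return "deny: oversized icmp"
        if pkt.icmp_type not in ALLOWED_INBOUND_ICMP:
            return "deny: icmp type screened"
        return "permit"
    if (pkt.dst, pkt.proto, pkt.dport) in INBOUND_ALLOW:
        return "permit"
    return "deny: not on allow list"   # default deny for everything unlisted


def filter_outbound(pkt: Packet) -> str:
    """Egress filter: only packets with a valid internal source may leave."""
    if not _in_any(pkt.src, INTERNAL_NETS):
        return "deny: invalid internal source"
    return "permit"


if __name__ == "__main__":
    # Constructed sample traffic exercising each stage.
    samples = [
        Packet("10.1.2.3", "198.51.100.10", "tcp", 80),          # bogon source
        Packet("198.51.100.77", "198.51.100.10", "tcp", 80),     # spoofed internal
        Packet("203.0.113.5", "198.51.100.10", "icmp", icmp_type=ICMP_ECHO_REQUEST),
        Packet("203.0.113.5", "198.51.100.10", "tcp", 443),      # allowed service
        Packet("203.0.113.5", "198.51.100.10", "tcp", 23),       # telnet: not listed
    ]
    for p in samples:
        print(f"in  {p.src:>14} -> {p.dst}:{p.dport or p.icmp_type}  {filter_inbound(p)}")
    out = Packet("10.9.9.9", "203.0.113.5", "tcp", 80)           # would be spoofed
    print(f"out {out.src:>14} -> {out.dst}:{out.dport}  {filter_outbound(out)}")
```

On a real router each stage is one or more ACL entries on the outside interface, and the order matters just as it does here: the cheap source-address checks go first so that spoofed and bogon traffic never reaches the port-level rules, and the final entry is an explicit deny so that nothing is admitted by omission.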

Cisco routers and switches use a proprietary protocol, CDP or Cisco Discovery Protocol, to discover information about their neighbors such as model numbers and operating system revision level. However, this is a security weakness as a malicious user could gain the same information, so CDP should definitely be disabled on the border router, and possibly on the internal routers and switches, depending on whether it is required for management software.

Administrative Access

Where will the router be accessed from for administration purposes? You must decide which interfaces and ports an administration connection is allowed into, and from which network or host the administration is to be performed. Restrict access to those specific locations. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent hijacking. In addition:

- Apply strong password policies
- Use an administration access control system
- Disable unused interfaces
- Consider static routes
- Shutdown Web based configuration
- Services
- Auditing and logging
- Intrusion detection
- Control physical access

Apply Strong Password Policies

Firstly, add a password for the administrator: many systems are hacked into just because the administrator has left the password blank. Secondly, use complex passwords. Brute force password software can launch more than just dictionary attacks and can discover common passwords where a letter is replaced by a number. For example, if "p4ssw0rd" is used as a password, it can be cracked. Always use uppercase and lowercase, number, and symbol combinations when creating passwords. Similarly, SNMP is probably required for management purposes and, although SNMP security is not at all strong, do add passwords (community strings) when configuring it. SNMP v3 provides much improved security.
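As an added example (not code from this module), the policy above expressed as a check a defender could run before accepting an administrator password: it rejects a blank password, requires all four character classes, and catches dictionary words even after the letter-for-digit substitutions that cracking tools try automatically, which is why "p4ssw0rd" fails. The COMMON_WORDS list, the substitution map, and the 12-character minimum are constructed assumptions; the text sets no specific length.

```python
"""Administrator password policy check, added as an illustration (not part of
the module). Rejects blank passwords, passwords missing a character class, and
common words disguised with look-alike digits or symbols."""
import string

# Constructed mini-dictionary; a real cracker's wordlist has millions of entries.
COMMON_WORDS = {"password", "admin", "cisco", "router", "secret", "letmein"}

# Substitutions brute-force tools apply automatically; reversing them
# recovers the dictionary word the user started from.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed local policy


def normalize(candidate: str) -> str:
    """Undo look-alike substitutions and case so dictionary matching works."""
    return candidate.lower().translate(LEET_MAP)


def password_problems(candidate: str) -> list[str]:
    """Return the policy violations for a candidate password ([] means accepted)."""
    if not candidate:
        return ["password is blank"]          # the "left blank" case
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    # Check the password both as typed and with a trailing "1!"-style
    # suffix removed, since crackers try that mangling as well.
    stripped = candidate.rstrip(string.digits + string.punctuation)
    if normalize(candidate) in COMMON_WORDS or normalize(stripped) in COMMON_WORDS:
        problems.append("dictionary word with character substitutions")
    return problems


if __name__ == "__main__":
    for pw in ["", "p4ssw0rd", "P@ssw0rd1!", "Tr0ub4dor&3xplode-89"]:
        print(repr(pw), "->", password_problems(pw) or "accepted")
```

The same normalisation is the reason an SNMP community string chosen by this rule is only a weak secret on v1/v2c: the string still crosses the wire in clear text, which is the gap SNMP v3 closes.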

Use an Administration Access Control System

Rather than embedding the administrator's name in the configuration, use a triple A system for authenticating the administrator. This controls who he is, what he can do, and logs what he does. Triple A is:

- Authentication: The process of identifying and verifying a user. Several methods can be used to authenticate a user, but the most common include a combination of username and password.
- Authorization: The process of determining what an authenticated user can access and do.
- Accounting: The recording of what a user is doing or has done on a device.

Triple A systems refer to a database held on a central server to authenticate the administrator when he first logs on, and control what he attempts to do during his connection session. One of the major benefits of Triple A is the centralisation of the security information, so a single logon will control his access to all network devices rather than having to set up separate logins on each device.

There are two non-proprietary triple A systems:

- RADIUS (Remote Authentication Dial-in User Service)
- Kerberos

Another very popular triple A system is TACACS+, but this is a Cisco proprietary system and therefore would only control access on Cisco devices.

Disable Unused Interfaces

Only required interfaces should be enabled on the router. An unused interface is not monitored or controlled, and it is probably not updated. This might expose you to unknown attacks on those interfaces. Usually Telnet is used for administrative access, so limit the number of Telnet sessions available and use a time-out to ensure that the session closes if unused for a set time.

Consider Static Routes

Static routes prevent specially formed packets from changing routing tables on your router. An attacker might try to change routes by simulating a routing protocol message to cause denial of service or to forward requests to a rogue server. By using static routes, an administrative interface must first be compromised to make routing changes. However, remember that static routes are static: if a link fails the routers will not switch over automatically to use an alternate route, and static routes may also need complex configuration.

Shutdown Web Based Configuration

If an inbuilt Web server is an optional method for configuration access, as well as a command line mode, disable the Web service as it is probably prone to many TCP/IP security weaknesses.

Services

On a deployed router, every open port is associated with a listening service. To reduce the attack potential, default services that are not required should be shut down. Examples include bootps and Finger, which are rarely required. You should also scan your router to detect which ports are open.

Auditing and Logging

Most routers have a logging facility and can log all deny actions, which would show intrusion attempts. Modern routers have an array of logging features that include the ability to set severities based on the data logged. An auditing schedule should be established to routinely inspect logs for signs of intrusion and probing.
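As an added example (not the module's or any vendor's code) of the log inspection this section recommends, the following Python parses access-list deny records written in the style of Cisco IOS %SEC-6-IPACCESSLOGP messages, tallies them per source, and flags any source whose denied packets spread across many destination ports. The log lines, the documentation-range addresses in them, and the five-port threshold are constructed assumptions.

```python
"""Router deny-log audit, added as an illustration (not part of the module).
Parses ACL deny messages modelled on Cisco IOS %SEC-6-IPACCESSLOGP records,
summarises denies per source, and flags sources touching many closed ports,
the usual signature of probing."""
import re
from collections import defaultdict

# Matches the deny record, e.g.
# "%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40211) -> 198.51.100.10(23), 1 packet"
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log: one source sweeping six ports in two seconds,
# an unrelated config message, and two single denies from other sources.
SAMPLE_LOG = """\
Feb  3 02:11:40.101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40211) -> 198.51.100.10(21), 1 packet
Feb  3 02:11:40.377: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40212) -> 198.51.100.10(22), 1 packet
Feb  3 02:11:40.602: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40213) -> 198.51.100.10(23), 1 packet
Feb  3 02:11:40.850: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40214) -> 198.51.100.10(25), 1 packet
Feb  3 02:11:41.119: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40215) -> 198.51.100.10(135), 1 packet
Feb  3 02:11:41.388: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40216) -> 198.51.100.10(139), 1 packet
Feb  3 02:12:05.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.3)
Feb  3 02:13:12.555: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.77(51000) -> 198.51.100.10(445), 1 packet
Feb  3 02:14:09.020: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.88(5000) -> 198.51.100.10(161), 4 packets
""".splitlines()


def parse_denies(lines):
    """Yield one dict per deny record; lines that are not ACL denies are skipped."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["count"] = int(rec["count"])
            yield rec


def summarize(lines):
    """Per-source totals: denied packets, distinct destination ports, distinct targets."""
    summary = defaultdict(lambda: {"packets": 0, "dports": set(), "dsts": set()})
    for rec in parse_denies(lines):
        s = summary[rec["src"]]
        s["packets"] += rec["count"]
        s["dports"].add(rec["dport"])
        s["dsts"].add(rec["dst"])
    return dict(summary)


def flag_probes(lines, port_threshold=5):
    """Sources whose denies touched at least port_threshold distinct ports."""
    return sorted(src for src, s in summarize(lines).items()
                  if len(s["dports"]) >= port_threshold)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"{src:>14}: {s['packets']} packets, ports {sorted(s['dports'])}")
    print("probable probes:", flag_probes(SAMPLE_LOG))
```

In practice the records arrive through a syslog collector rather than a string, but the per-source summary is the point: a single deny is noise, while one source hitting many closed ports within seconds is exactly the probing that the audit schedule is meant to surface.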

Intrusion Detection

With restrictions in place at the router to prevent TCP/IP attacks, the router should be able to identify when an attack is taking place and notify a system administrator of the attack.

Attackers learn what your security priorities are and attempt to work around them. Intrusion Detection Systems (IDSs) can show where the perpetrator is attempting attacks.

Control Physical Access

As mentioned above, most routers are vulnerable if the attacker can get physical access to the device, since they usually have a back-door access method to overwrite the existing configuration, so lock the routers away in a room with restricted access.

Switch Security Considerations

Similarly to the router, the switch itself must also be secured against reconfiguration. You must use secure administration interfaces, ensure that it has the latest software patches and updates applied, control administration access and provide physical security.

This document considers some well-known switch vulnerabilities and how to counter them.

Many of the security concepts defined for a router are equally applicable to a switch, such as control of who has administrative access. Since the switch just looks at Ethernet frames, not IP packets, it cannot control wayward IP intrusions, but the switch will always be behind either a router with firewall capability or a firewall, so this is unnecessary.

The following configuration categories help you to ensure secure switch configuration:

- Patches and updates
- VLANs
- Use an administration access control system
- Disable unused ports
- Services
- Encryption

Patches and Updates

Patches and updates must be installed and tested as soon as they are available.

VLANs

Virtual LANs allow you to separate network segments and apply access control based on security rules. A VLAN without ACLs provides a first level of security, limiting access to members of the same VLAN. However, inter-VLAN traffic is usually required; this is provided by the router routing traffic between the IP subnets, and it can be controlled by the use of ACLs.

ACLs between VLANs restrict the flow of traffic between different segments of the network. This filtering is typically a simple static packet filter, as opposed to stateful packet inspection or application-layer proxying, which many dedicated firewall devices perform.

Using ACLs between VLANs provides an intermediate level of protection by blocking internal intrusions from within the enterprise, while intrusions from outside are already blocked by the border network. In addition to firewall filtering, VLAN ACLs can also be implemented for an additional layer of security. The disadvantage of implementing ACLs on the VLANs is that they may have an impact on performance and must be configured correctly and efficiently.

Use an Administration Access Control System

Use the same methods as for a router to control administrative access to the switch.

Disable Unused Ports

Unused Ethernet ports on the switch should be disabled to prevent hackers plugging into an unused port.

Services

Make sure that all unused services are disabled. Also make sure that Trivial File Transfer Protocol (TFTP) is disabled, Internet-facing administration points are removed, and ACLs are configured to limit administrative access.

Encryption

Although it is not traditionally implemented at the switch, data encryption over the wire ensures that sniffed packets are useless in cases where a monitor is placed on the same switched segment or where the switch is compromised, allowing sniffing across segments.

Snapshot of a Secure Network

Table 12 provides a snapshot of the characteristics of a secure network. The security settings are abstracted from industry security experts and real-world applications in secure deployments. You can use the snapshot as a reference point when evaluating your own solution.

Table 12: Snapshot of a Secure Network

Component                  Characteristic

Router

Patches and updates        Router operating system is patched with up-to-date software.
Protocols                  Unused protocols and ports are blocked.
                           Ingress and egress filtering is implemented.
                           ICMP traffic is screened from the internal network.
                           Trace route is disabled.
                           Directed broadcast traffic is not forwarded.
                           Large ping packets are screened.
                           Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router.
                           Static routing is used.
Administrative access      A strong administration password policy is enforced.
                           Use an administration access control system.
                           Unused management interfaces on the router are disabled.
                           Web based administration is disabled.
Services                   Unused services are disabled (for example bootps and Finger).
Auditing and logging       Logging is enabled for all denied traffic.
                           Logs are centrally stored and secured.
                           Auditing against the logs for unusual patterns is in place.
Intrusion detection        IDS is in place to identify and notify of an active attack.
Physical access            Limit physical access.

Switch

Patches and updates        Latest security patches are tested and installed or the threat from known vulnerabilities is mitigated.
VLANs                      Use VLANs and ACLs.
Disable unused ports       Disable unused Ethernet ports.
Services                   Unused services are disabled.
Encryption                 Switched traffic is encrypted.

Other

Log synchronization        All clocks on devices with logging capabilities are synchronized.
Administrative access      Kerberos or RADIUS is used to authenticate administrative users.
to the network
Network ACLs               The network is structured so ACLs can be placed on hosts and networks.

Summary

This module has provided information and options to help network design engineers select devices that meet the requirements of an enterprise network architecture. This module has outlined device design in terms of the process of selecting the appropriate devices.

The design process defined in this module includes selection of the right class of devices to meet the required levels of service. In addition, it is important to select the appropriate options to ensure that devices are capable of being supported by the organization's network staff and managed by any network management solution that may already be in place. The aim of this guidance is to produce a set of device specifications that will fit into the organization's network architecture to enable the design and implementation of a complete network.

Additional Information

For related standards information, see the following references:

- Internet protocol standards from the IETF (Internet Engineering Task Force) Request for Comments (RFCs) to be found at http://www.ietf.org/rfc.html
- Ethernet standards from the IEEE (Institute of Electrical and Electronics Engineers, Inc.) to be found at http://standards.ieee.org/getieee802/

For related security information, various router and switch manufacturers have published their recommendations for securing networks, and these can often be read as good practices applicable to all networks rather than when used solely with their products. Refer to the following:

- Nortel Networks have documentation on their security architecture at http://www.nortelnetworks.com/solutions/securenet/index.html
- "Improving Security on Cisco Routers" at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
- "Configuring Broadcast Suppression" at http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800eb778.html
- "Network Ingress Filtering