
Places in the network
A network is a collection of interconnected devices performing specific functions. These functions are performed at different places in the network. For example, controlling access to the network based on the user profile and credentials is done at the access edge of the network; choosing one link out of multiple options to send traffic across the WAN is done at the WAN edge; enforcing security policies to protect the company's server infrastructure is done within the data center, and so on. This segregation of network functions helps to keep the network simple and modular.
Let's take a small organization as an example to discuss this concept in a bit more detail. Assume an organization, ABC Inc., that starts in a single location. This organization will have a set of users connected to the Local Area Network (LAN), and a farm of servers that hosts the applications for those users, for example, an email application and any other business applications whose resources are shared among the users. Let's call this server farm a mini data center (DC). The users also need connectivity to the internet, and the company has an internet link that connects the organization to its internet service provider.
The data center and the user LAN are connected to allow the users to access the servers in the DC. Similarly, the DC and the internet need connectivity to allow the organization to host its website or exchange emails with the external world. The LAN block needs connectivity to the internet so that the users can do research on the internet, or carry out any other activity permitted by the rules of the organization.
The server infrastructure hosts critical information, and delivers business-critical services for the organization. Connecting this server infrastructure or the DC to the internet would require implementing security policies and controls on the connection. Similarly, the user LAN connectivity to the internet would need security policies to ensure that the users do not get infected by any malware on the internet. The following figure depicts the network setup for a very small organization, with the block in between depicting the security controls between the various network parts:

Hence, the basic organizational network consists of three broad parts, which are the LAN, the Data Center (DC), and the Internet.
Now, let's consider that the organization ABC Inc. grows over time, and sets up multiple branches at remote locations outside the main office where it initially started. There would be users working out of the remote locations who need connectivity to the applications that are critical for the business of the organization. These applications are hosted in the DC at the main office, and it would not be practical to host them at each remote location. This could be for a variety of reasons: there might not be enough space and power at the branches to host the servers; maintaining servers at the remote locations requires dedicated skilled manpower at those locations, which is not always possible; the applications use databases that are common to all users; and so on. Hence, the remote branches need to connect to the DC at the main office. This can be done by providing connectivity from the branches to the central DC over leased lines taken from a bandwidth service provider, or over shared bandwidth using Virtual Private Networks (VPNs) from VPN service providers. Some branches might be at locations where no service provider can offer leased lines or VPN services, and the internet might be the only form of connectivity. These users would connect to the main DC over encrypted tunnels.
There are multiple methods of connectivity, and each method has its own advantages and disadvantages. We will cover the pros and cons of the various approaches in depth in Chapter 6, Understanding and Configuring WAN Technologies. The example organization we have built has evolved into the one shown in the following figure. Note that we still have connectivity to the internet only from the main site. This is primarily to ensure centralized accounting of resources, and to ensure that the internet access policy and the necessary security controls can be enforced at a single central location, rather than proliferating them to all sites, which would lead to management overhead.

Next, let's consider that ABC Inc. has done so well and grown so big that it sets up another main office and a backup data center at a different location. Some of the branches have grown into large campuses with a large number of users. The company has expanded into the cloud and has provided internet connectivity at all branches, so that cloud-hosted applications can be accessed directly from the branches over the local internet connection, rather than the users' traffic having to travel all the way to the main locations for internet access. The network has evolved into the one shown in the following figure:

As we can see from this example, the organization, and hence the network, can grow over time from a handful of users to a few hundred, or perhaps thousands, of users. A number of branches or remote locations may then need to be integrated into the network. The business model of the company can change from in-house applications to a partly cloud-hosted model. A good network design should ensure that the fundamental network architecture does not change when the organization expands or the business model changes. All this can happen only if the network was designed and built not as a monolithic whole, but as a combination of various elements. This is what is meant by a modular and flexible approach to network design.
Building the network as an interconnection of various building blocks ensures that the network is simple, with the network functions clearly defined for each block. This also ensures that there is a clear demarcation between the different blocks, so that a problem in one of the blocks can be easily identified.
Building a network on this approach ensures that traffic flows can be visualized easily as the traffic moves from one block to another through the points of interconnection, leading to predictable network behavior. Further, since the building blocks are independent entities, several blocks of the same sort can be added to the overall network to ensure that the network scales to meet growing business needs. Adding a backup data center, or multiple branches, to the organization described previously are examples of how this can be done.
We have emphasized the need to build the network in a modular manner. Now, we will discuss the various building blocks of the network in the following sections. Each of these building blocks has, individually, to adhere to the fundamental design principles of scalability, flexibility, and modularity.