As enterprises apply information systems to every part of their operations, deploying a network has become an unavoidable part of building a business.
So what is an enterprise network?
An enterprise network is the backbone of communication between the computers and related network devices (including smartphones) across the departments of an organization. A well-designed enterprise network reduces complexity by standardizing the protocols used for communication.
Enterprise network structure model
As networks grow more sophisticated, they are designed with a modular approach built on access, distribution and core layers for both the LAN and the WAN.
The modular design method complements the hierarchical design. A large-scale network generally consists of multiple network areas serving different activities and functions. Dividing a large network infrastructure into areas by function is a widely used method for designing the infrastructure of enterprises, companies and large organizations (referred to here as the Enterprise).
A modular design divides the network into three main functional areas, each composed of smaller network modules:
– Enterprise campus: Includes the modules required to build a campus network with high availability and flexibility.
– Enterprise edge: Aggregates the connections from the various components at the edge of the Enterprise network. This functional area filters the traffic between its own modules and the Enterprise campus, and includes all the devices needed for effective and secure communication between the Enterprise campus and external systems, partners, mobile users and the Internet.
– Service provider edge: The modules in this area are deployed by service providers rather than by the enterprise. They provide connectivity to other networks over various WAN technologies and ISPs.
The Cisco enterprise architecture defines the following network components and functions:
- Enterprise campus area
- Enterprise data center module
- Enterprise branch module
- Enterprise teleworker module
Cisco Enterprise Network Architecture Model
Cisco's enterprise network architecture model retains the hierarchical concepts of core, distribution and access, and connects user components, WAN services and server farms over a high-speed backbone. In smaller networks, layers can be collapsed into a single layer or even a single device, but the functions remain the same.
The enterprise campus infrastructure consists of the campus core, the building distribution layer and the building access layer, together with a data center module. The enterprise edge, which connects to the service providers, consists of the Internet connectivity, e-commerce, VPN/remote access and WAN modules. The service provider edge consists of the Internet service provider (ISP), the public switched telephone network (PSTN) and the WAN services offered to the enterprise.
- Enterprise Campus Module
It contains the following submodules:
- Campus core
- Building distribution
- Building access
- Server farm / data center
Enterprise Campus model
The campus core provides a high-speed switching backbone between buildings, the server farm and the enterprise edge. It is built with redundant links and fast convergence. The building distribution layer aggregates the access switches and is responsible for access control, QoS, redundant routing and load balancing. The building access switches provide user connectivity, VLANs, Power over Ethernet (PoE) for IP phones and wireless access points, broadcast suppression and spanning tree.
The server farm / data center provides high-speed, redundant access to servers. Enterprise servers such as file and print servers, application servers, email servers, Dynamic Host Configuration Protocol (DHCP) servers and Domain Name System (DNS) servers are located in the server farm. Cisco Unified Call Manager servers for IP telephony are also placed in the server farm. The network management server is located in the server farm too, and must have reachability to every module in the enterprise so that it can provide network monitoring, logging and configuration management.
The enterprise campus infrastructure applies to small, medium and large sites. A large site usually has a three-tier design with a wired access layer, a distribution layer and a core layer. A smaller site has a two-tier design with a wired (Ethernet) access layer and a collapsed core that integrates the core and distribution functions. The distribution functions can also be configured on a multilayer switch so that the backbone keeps forwarding at full speed. Medium-sized networks use either a three-tier or a two-tier design depending on port availability, service requirements, management, performance and scalability requirements.
- Enterprise Edge Area
It includes the following submodules:
- e-commerce networks and servers
- Internet connectivity and demilitarized zone (DMZ)
- VPN and remote access
- Enterprise WAN
2.1. E-Commerce Module
The e-commerce submodule at the enterprise edge provides a highly available network for business services. It combines the resilient design of the server farm module with the Internet connectivity features of the Internet connectivity module. The devices in the e-commerce submodule include:
- Web and application servers
- Database servers: store application data and transaction records.
- Firewalls and firewall routers: control which traffic is allowed between the users and the servers of the system.
- Network intrusion prevention systems (IPS): monitor the critical segments of the module to detect and respond to network attacks.
- Multilayer switches with IPS modules: forward traffic with integrated security monitoring.
2.2. Internet Connectivity Module
The Internet connectivity submodule at the enterprise edge provides services such as public servers, email and DNS, and connects to one or several Internet service providers (ISPs). Its components include:
- Firewalls and firewall routers: protect network resources, filter outbound (egress) traffic, and terminate VPN tunnels from end users and remote sites.
- Internet edge routers: provide basic filtering and multilayer connectivity.
- FTP and HTTP servers: host the web applications through which the business communicates with the outside world over the public Internet.
- SMTP relay server: relays mail between the Internet and the internal mail server.
- DNS server: resolves domain names and forwards requests to the Internet.
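The component list above describes the devices, but the security value of the module lies in the policy the firewall enforces between the Internet, the DMZ that hosts the public servers, and the campus. The following Python script is an added worked example, not code from the original article or from any Cisco product: it models a zone-based, first-match policy with an implicit deny, anti-spoofing on the ingress interface, and egress filtering for the campus, and evaluates it against constructed sample flows. The addresses (RFC 5737 documentation ranges and 10.0.0.0/8), the host roles and the specific rules are assumptions made for the example.

```python
"""Zone-based edge firewall policy (added example; addresses and rules are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Security zones of the Internet connectivity submodule. The DMZ holds the
# public web, SMTP relay and DNS servers; "inside" is the campus; any other
# address is the Internet. All prefixes are documentation/private ranges.
ZONES = {
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "inside": [ipaddress.ip_network("10.0.0.0/8")],
}
# Which firewall interface faces which zone (used for anti-spoofing).
INTERFACES = {"outside": "internet", "dmz": "dmz", "inside": "inside"}

# Hypothetical hosts for the example.
WEB_SERVER, SMTP_RELAY, DNS_SERVER = "192.0.2.10", "192.0.2.25", "192.0.2.53"
INTERNAL_MAIL = "10.0.0.30"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int]            # None matches any destination port
    action: str                     # "allow" or "deny"
    src_host: Optional[str] = None  # restrict the rule to one source address
    dst_host: Optional[str] = None  # restrict the rule to one destination address


# First match wins; a flow that matches no rule is denied.
RULES = [
    Rule("internet", "dmz", "tcp", 80, "allow", dst_host=WEB_SERVER),
    Rule("internet", "dmz", "tcp", 443, "allow", dst_host=WEB_SERVER),
    Rule("internet", "dmz", "tcp", 25, "allow", dst_host=SMTP_RELAY),
    Rule("internet", "dmz", "udp", 53, "allow", dst_host=DNS_SERVER),
    # Only the relay may open SMTP to the internal mail server; no other DMZ host
    # may initiate anything into the campus, which limits a web-server compromise.
    Rule("dmz", "inside", "tcp", 25, "allow", src_host=SMTP_RELAY, dst_host=INTERNAL_MAIL),
    Rule("dmz", "inside", "any", None, "deny"),
    Rule("dmz", "internet", "udp", 53, "allow", src_host=DNS_SERVER),  # DNS forwarding
    Rule("dmz", "internet", "tcp", 25, "allow", src_host=SMTP_RELAY),  # outbound mail
    # Egress filtering for the campus: web only, and DNS/mail only via the DMZ servers.
    Rule("inside", "dmz", "udp", 53, "allow", dst_host=DNS_SERVER),
    Rule("inside", "dmz", "tcp", 25, "allow", dst_host=SMTP_RELAY),
    Rule("inside", "internet", "tcp", 80, "allow"),
    Rule("inside", "internet", "tcp", 443, "allow"),
]


@dataclass(frozen=True)
class Flow:
    iface: str   # interface on which the first packet of the connection arrived
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


def evaluate(flow: Flow) -> str:
    """Return "allow", "deny" or "drop-spoofed" for a new connection."""
    src_zone = zone_of(flow.src)
    # Anti-spoofing: a packet claiming an inside or DMZ source must arrive on that
    # zone's interface; otherwise the zone lookup alone would treat it as trusted.
    if INTERFACES[flow.iface] != src_zone:
        return "drop-spoofed"
    dst_zone = zone_of(flow.dst)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.proto not in ("any", flow.proto):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        if rule.src_host is not None and rule.src_host != flow.src:
            continue
        if rule.dst_host is not None and rule.dst_host != flow.dst:
            continue
        return rule.action
    return "deny"  # implicit deny at the end of the policy


# Constructed sample flows: what the edge firewall should and should not pass.
SAMPLE_FLOWS = [
    Flow("outside", "203.0.113.7", WEB_SERVER, "tcp", 443),   # public web: allow
    Flow("outside", "203.0.113.7", "10.0.0.5", "tcp", 445),   # Internet to campus: deny
    Flow("outside", "10.0.0.5", WEB_SERVER, "tcp", 443),      # spoofed inside source: drop
    Flow("dmz", WEB_SERVER, "10.0.0.20", "tcp", 1433),        # web server pivoting: deny
    Flow("dmz", SMTP_RELAY, INTERNAL_MAIL, "tcp", 25),        # relay to mail server: allow
    Flow("dmz", WEB_SERVER, INTERNAL_MAIL, "tcp", 25),        # not the relay: deny
    Flow("inside", "10.0.1.4", "203.0.113.9", "tcp", 443),    # campus web browsing: allow
    Flow("inside", "10.0.1.4", "203.0.113.9", "tcp", 23),     # telnet out: deny (egress)
    Flow("inside", "10.0.1.4", "203.0.113.9", "udp", 53),     # direct DNS out: deny
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.iface:7} {f.src:>13} -> {f.dst:>13} {f.proto}/{f.dport:<5} {evaluate(f)}")
```

Two checks are worth noting. The DMZ-to-inside direction is limited to the SMTP relay reaching the internal mail server on port 25, so a compromised web server cannot pivot into the campus. And a packet arriving on the outside interface with an inside source address is dropped before the rules are consulted, because otherwise the zone lookup on the source address alone would classify it as trusted.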
The simplest form of connection is a single direct link between the enterprise and the SP, as shown in the figure below. The weakness of this design is that there is no backup when the link or the ISP fails.
Multihoming to more than one link or ISP can be used for redundancy and for reaching Internet services over more than one path.
The following figure shows four multihoming Internet options:
Multihoming Internet options
- Option 1: Redundant links, but a single ISP and a single local router remain points of failure.
- Option 2: Redundant links and ISPs, but a single local router remains a point of failure.
- Option 3: Redundant local routers and links, but a single ISP, so an outage at that ISP still disconnects the enterprise.
- Option 4: Full redundancy of local routers, links and ISPs.
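As an added worked example (not code from the original article or from Cisco), the following Python script models the four options as small graphs and checks which single component failure disconnects the campus from the Internet, and how many simultaneous failures the fully redundant option needs before it loses connectivity. Router, ISP and link names are hypothetical, and the campus-side links and the ISP uplinks are assumed to fail together with the router or ISP they belong to.

```python
"""Single-point-of-failure check for the four multihoming options (added example)."""
from collections import deque, namedtuple
from itertools import combinations

Link = namedtuple("Link", "name a b")


def topology(routers, isps, wan_links):
    """Build a topology; wan_links is a list of (router, isp) pairs named L1, L2, ..."""
    links = [Link(f"campus-{r}", "campus", r) for r in routers]
    links += [Link(f"{i}-uplink", i, "internet") for i in isps]
    links += [Link(f"L{n}", r, i) for n, (r, i) in enumerate(wan_links, 1)]
    return links


# Hypothetical names; each option follows the description in the text.
OPTIONS = {
    1: topology(["R1"], ["ISP-A"], [("R1", "ISP-A"), ("R1", "ISP-A")]),
    2: topology(["R1"], ["ISP-A", "ISP-B"], [("R1", "ISP-A"), ("R1", "ISP-B")]),
    3: topology(["R1", "R2"], ["ISP-A"], [("R1", "ISP-A"), ("R2", "ISP-A")]),
    4: topology(["R1", "R2"], ["ISP-A", "ISP-B"], [("R1", "ISP-A"), ("R2", "ISP-B")]),
}


def connected(links, failed, src="campus", dst="internet"):
    """Breadth-first search from src to dst after removing the failed nodes and links."""
    adj = {}
    for link in links:
        if link.name in failed or link.a in failed or link.b in failed:
            continue
        adj.setdefault(link.a, set()).add(link.b)
        adj.setdefault(link.b, set()).add(link.a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def failure_candidates(links):
    """Components that can fail independently: local routers, ISPs and the WAN links.

    The campus-side links and the ISP uplinks are treated as part of the router
    and the ISP respectively, so they are not listed separately.
    """
    nodes = {n for link in links for n in (link.a, link.b)} - {"campus", "internet"}
    wan = {link.name for link in links if link.name.startswith("L")}
    return sorted(nodes | wan)


def single_points_of_failure(links):
    return [c for c in failure_candidates(links) if not connected(links, {c})]


def min_failures_to_disconnect(links):
    """Smallest number of simultaneous failures that cuts the campus off, with one example."""
    cands = failure_candidates(links)
    for k in range(1, len(cands) + 1):
        for combo in combinations(cands, k):
            if not connected(links, set(combo)):
                return k, combo
    return None


if __name__ == "__main__":
    for n, links in OPTIONS.items():
        k, combo = min_failures_to_disconnect(links)
        print(f"Option {n}: single points of failure={single_points_of_failure(links)}, "
              f"min failures to disconnect={k}, e.g. {combo}")
```

Running it reports, for each option, the single points of failure and the smallest set of simultaneous failures that cuts the campus off. Option 4 survives any single failure but is still disconnected by a router and the other router's ISP failing together, which is the kind of combination worth checking against the real topology before a design is called fully redundant.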
2.3. VPN/Remote Access
The VPN/remote access submodule of the enterprise edge terminates remote access sessions and authenticates remote users. Its components include:
- Firewalls: provide egress filtering, authentication of remote sites, and connectivity over IPsec tunnels.
- Cisco Adaptive Security Appliances (ASA): authenticate remote users and provide firewall and intrusion prevention services.
- Network intrusion prevention systems (IPS): monitor the traffic of the module to detect and respond to attacks.
If dial-in access servers are used, this module also connects to the PSTN. Networks today typically deploy VPNs over the Internet rather than dedicated WAN links; VPNs reduce communication costs by taking advantage of the SP's infrastructure. Remote offices, mobile users and home offices connect through their local SPs and build IPsec tunnels to the VPN/remote access submodule through the Internet connectivity submodule.
2.4. Enterprise WAN
WAN technology includes:
- Multiprotocol Label Switching (MPLS)
- Metro Ethernet
- Leased lines
- Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH)
- Frame Relay
- Digital subscriber line (DSL)
Consider the following when designing an enterprise edge:
- Identify the connections needed to link the enterprise network to the Internet. The Internet connectivity module performs this task.
- Create an e-commerce module for customers and partners that reach the business and database applications over the Internet.
- Design a remote access or VPN module for VPN access to the internal network from the Internet, and implement the security policy and authentication configuration.
Meet the challenges of a future network
To build a future-oriented business network, companies need to address some important challenges. They need to integrate and manage individual technologies and resources into a unified, efficient network that can meet users' demands. In addition to providing higher performance at lower cost, next-generation enterprise networks need to be flexible, scalable, simple to manage and secure in order to support the business in the future.
- Flexibility is the key to the next generation of networks
Traditional networks were designed for speed rather than flexibility, and that is no longer adequate now that cloud services have become standard. To gain flexibility, companies need to move from planning, deploying and managing static, centralized networks to dynamic approaches that let them quickly extend or change services to meet business needs.
- Scalability to meet new business needs
A future-ready network needs to place the user experience at its center, by developing and implementing policies for managing users, the network and applications that address bottlenecks and performance issues.
An enterprise network that is ready for the future needs to scale so that IT services and applications can be deployed rapidly to support business needs. At the same time, users expect to reach network resources from both wired and wireless devices.
To meet these needs, enterprise networks must scale to the capacity demands of data centers, wide area networks, the mobile Internet, IoT and other networks.
- Simplify management
With the growing convergence of enterprise networks, the mobile Internet and IoT networks, companies need to add intelligence at the network edge to optimize data traffic and enforce policies without compromising security or quality of service.
- Enhance network security
With the rapid evolution of modern attacks such as advanced persistent threats (APTs) and the changes in network security architectures, managing network security has become increasingly complex and important for protecting the business; there is no room for compromise.
Today's businesses need to build systems that can monitor and respond to cyber-security threats in real time, to protect the network from increasingly sophisticated intrusions.
To cope with the growing threat landscape, advanced and comprehensive network security approaches and technologies are being adopted, such as sandbox-based APT detection, analysis of unknown threats, and DDoS attack mitigation.