Network Design
Network Design
1|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Course Contents
This course is intended to teach students how to design and implement computer
networks. The course covers detailed networking concepts like transmission media
installation, switch and router selection and configuration, connecting to the internet, creating
wired and wireless networks, implementing sub netting techniques and others. Students
should be equipped with the latest networking technologies like WiFi and how to design an
efficient computer network.
2|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Chapter One
Designing a network is a complex and structured process that requires careful planning,
implementation, and testing to ensure it meets the organization's requirements for
performance, security, scalability, and reliability. A systematic methodology helps in
creating an effective network design by guiding the network engineer through various steps,
considerations, and decision points. Below is a typical methodology for applying network
design.
Before diving into technical design, it is essential to clearly understand the business and
technical requirements of the network. This step helps to identify the goals and constraints
of the network.
In this phase, collect detailed data about the physical and logical environment where the
network will be implemented.
3|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Site Survey: For wireless networks, conduct a site survey to assess the physical
environment, signal coverage, potential interference sources, and placement of access
points (APs).
Network Traffic Analysis: Determine the types of traffic (e.g., voice, video, data)
and the expected volume to help with bandwidth planning and Quality of Service
(QoS).
Hardware Inventory: Catalog the existing networking hardware (routers, switches,
firewalls, etc.) to decide what can be reused and what needs to be upgraded.
Security Considerations: Understand any regulatory or compliance requirements
(e.g., GDPR, HIPAA) and analyze potential security risks.
The network architecture forms the backbone of the network, ensuring that it meets the
technical and business needs identified in the previous steps.
Logical Design: Focus on the logical flow of data, including how devices will
connect to the network and the design of IP addressing, subnetting, and routing
protocols.
o IP Addressing Scheme: Design an IP address plan that accounts for all
devices, subnets, and IP ranges. Consider the use of private and public IPs,
subnet masks, and VLSM (Variable Length Subnet Masking).
o Routing Protocols: Choose appropriate routing protocols (e.g., RIP, OSPF,
BGP) based on factors like network size, complexity, and future scalability.
Physical Design: Outline the physical components and connections in the network,
including routers, switches, firewalls, wireless access points, and cabling.
o Redundancy and Failover: Plan for network reliability by including
redundant links, backup power supplies, and failover mechanisms (e.g.,
HSRP, VRRP for routers).
o Topologies: Choose a suitable network topology (e.g., star, mesh,
hierarchical, ring) that matches the needs for performance, redundancy, and
scalability.
Wireless Design: For wireless networks, select Wi-Fi standards (e.g., Wi-Fi 6),
design the placement of access points, and choose appropriate frequencies (2.4 GHz
vs 5 GHz) to maximize coverage and minimize interference.
4|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Security Design: Design the security layer of the network to ensure confidentiality,
integrity, and availability of data.
o Firewall Placement: Decide where to place firewalls and intrusion detection
systems (IDS/IPS).
o Network Segmentation: Create VLANs to separate traffic for security and
performance reasons (e.g., separating guest traffic from internal employee
traffic).
o Encryption and Authentication: Plan for VPNs (for remote users),
encryption protocols (e.g., IPsec, SSL/TLS), and authentication
mechanisms (e.g., 802.1X, RADIUS).
Network capacity planning ensures that the network can handle the required load without
degradation of performance.
Bandwidth Calculation: Estimate the total bandwidth required based on the number
of users, devices, applications, and data traffic. This will inform decisions about the
types of links (e.g., fiber, Ethernet, wireless) and the speed of each link.
Traffic Flow Analysis: Analyze the flow of traffic between devices, switches, and
routers to ensure there are no bottlenecks or overburdened links.
Latency and QoS: Design the network with appropriate QoS policies to ensure that
latency-sensitive applications (e.g., VoIP, video conferencing) receive the necessary
priority.
Scalability: Ensure that the network design allows for future growth in terms of
additional users, devices, or traffic without needing a complete redesign.
Security is a crucial part of the network design methodology. The network should be
designed to prevent unauthorized access, data breaches, and potential vulnerabilities.
5|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Firewalls: Plan for firewalls at critical junctions in the network to protect internal
systems from external threats. Consider the use of Next-Generation Firewalls
(NGFW) for deep packet inspection and advanced threat prevention.
Encryption: Use VPNs and encryption to secure communication channels,
especially for remote users.
Monitoring and Intrusion Detection: Incorporate IDS/IPS solutions to detect and
mitigate any unusual or malicious activity on the network.
Once the design is complete, develop an implementation plan that includes the following
steps:
Testing is critical to ensure that the network functions as expected under different conditions.
Once the network design is finalized and tested, proceed with deployment.
6|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Phase Deployment: Roll out the network in phases, beginning with core components
and then moving to edge devices and remote locations.
Monitoring and Troubleshooting: Set up real-time monitoring systems to track
network health, identify issues early, and ensure smooth operation.
Conclusion
Applying a methodology to network design ensures that the network is efficient, secure, and
scalable to meet current and future business requirements. This structured approach covers
every aspect of network design, from understanding requirements to deployment and
maintenance, helping to build a reliable and high-performing network that aligns with
organizational goals. Each step should be carefully planned and executed to prevent issues
that could disrupt business operations and ensure a successful network implementation
7|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Chapter Two
Purpose: Provides high-speed, reliable data transport across large areas (often
connecting different geographic locations, branches, or data centers). This is the
"backbone" of the network.
Key Characteristics:
8|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
o High Bandwidth: Designed for large volumes of traffic with low latency.
o Redundancy: Implements redundant paths to ensure reliability.
o Fault Tolerance: Ensures that if one link or device fails, traffic can be
rerouted seamlessly.
Devices: Core routers, switches (high-capacity, enterprise-grade).
Example: A high-speed fiber-optic connection linking branch offices to the main data
center.
Purpose: Aggregates data from the access layer and forwards it to the core layer. It often
handles routing, policy enforcement (QoS, security), and traffic filtering.
Key Characteristics:
o Traffic Management: Manages traffic between the access and core layers and
can enforce policies like Quality of Service (QoS).
o Routing: Provides routing between different subnets or VLANs (virtual
LANs).
o Security: Implements access control lists (ACLs), firewalls, or intrusion
detection systems (IDS).
Devices: Distribution routers, multilayer switches, firewalls.
Example: Switches that aggregate traffic from multiple access switches, or routers
that manage traffic between different network segments.
Purpose: The access layer is where end devices (computers, printers, IP phones)
connect to the network. It is responsible for providing access to the network for users.
Key Characteristics:
o Device Connectivity: Provides interfaces for connecting devices like
desktops, laptops, and other endpoints.
o VLAN Segmentation: Divides the network into smaller broadcast domains
using VLANs to reduce congestion and improve security.
o User Authentication: Can provide services like 802.1X (port-based network
access control) for secure access.
9|Page
Prepared by Biruk.P (MSc)
Network Design Hand-out
Devices: Access switches, wireless access points (APs), network interface cards
(NICs).
Example: Ethernet switches connecting workstations or wireless access points
providing Wi-Fi to users.
By breaking the network into modular components, network design becomes more flexible,
scalable, and easier to maintain. Here’s how modular design can benefit network architecture:
1. Scalability
A modular design allows for redundancy within each layer. For example, the core
layer can have redundant paths and devices, ensuring that if one device fails, the
network remains operational.
Redundancy can be implemented at every layer:
o Core Layer: Redundant core routers and paths.
o Distribution Layer: Multiple distribution switches.
o Access Layer: Redundant access switches and APs.
3. Maintainability
10 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
4. Security
Each layer in the modular design can have its own security policies:
o Core Layer: Focus on protecting the integrity and availability of high-priority
services.
o Distribution Layer: Implement firewalls, intrusion detection/prevention, and
monitoring.
o Access Layer: Implement user-level security, VLANs for segmentation, and
port security.
5. Cost Efficiency
Here’s how a modular network might be implemented for a medium-sized business with
three office locations:
1. Core Layer:
2. Distribution Layer:
11 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
3. Access Layer:
Core Layer:
o Two core routers provide high-speed connectivity between offices, each with
dual uplinks to ensure that a single failure won’t take down the entire network.
Distribution Layer:
o Two distribution switches at each location aggregate traffic. The switches are
connected to each other, and each distribution switch has a backup route to the
core router.
Access Layer:
o Multiple access switches per location, each connected to both distribution
switches, ensuring that if one access switch fails, the other can still provide
access.
1. Separation of Concerns:
o Ensure that each layer or module is responsible for specific tasks (e.g., routing,
access control, traffic management) and doesn’t overlap with other modules.
2. Use of Virtualization:
o Virtualize network functions where possible. For example, a virtualized
firewall or load balancer in the distribution layer can provide more flexibility
and scalability.
3. Security Zones:
o Implement different security zones at each layer. The access layer can
implement basic security measures, while the distribution layer can focus on
12 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
deeper inspection and firewalls, and the core layer ensures overall network
integrity and availability.
4. Use of Standardized Devices:
o Select devices that are compatible across the layers and ensure they support
modular configurations. For example, using the same vendor for all switches
and routers can simplify management and integration.
Structuring and modularizing network design is essential for building scalable, reliable,
and maintainable networks. By dividing the network into clear layers and modules,
organizations can ensure that the network can grow with their needs, remain secure, and
minimize downtime. Additionally, modular design supports redundancy, fault tolerance, and
more efficient resource management, which are key to maintaining a high-performing
network.
13 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Chapter Three
When designing campus and data center networks, the goal is to create scalable, reliable,
and high-performance networks that meet the needs of users and applications. A campus
network connects devices and users within a single geographic location (e.g., a university,
enterprise office, or industrial complex), while a data center network supports data storage,
processing, and distribution.
Access Layer: This layer connects end devices (computers, phones, printers, etc.) to
the network. It includes access switches and wireless access points (APs) for Wi-Fi
connectivity.
Distribution Layer: This layer aggregates traffic from multiple access layer switches,
provides routing between different VLANs, and enforces security policies. It also
typically includes firewalls and other security devices.
Core Layer: The core layer is responsible for high-speed, reliable routing between
campus locations (e.g., between different buildings or floors). This layer handles
high-volume traffic, ensuring fast and secure data transfer.
14 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
o Star Topology: The most common design for campus networks, where all
access points and devices are connected to a central distribution switch or
router.
o Mesh or Hybrid: Larger campus networks may require a mesh or hybrid
topology for more redundancy and fault tolerance.
3. Plan IP Addressing and Subnetting:
o Divide the campus network into smaller subnets to optimize routing and
reduce congestion.
o Use VLANs to separate different types of traffic (e.g., voice, data, and video).
4. Redundancy and Reliability:
o Implement redundant paths between layers (access, distribution, core) to
ensure network reliability in case of failure.
o Use protocols like Spanning Tree Protocol (STP) to prevent loops in
redundant links.
5. Security:
o Use Access Control Lists (ACLs), 802.1X Authentication for secure access
control, and firewalls to protect different network segments.
o Implement segmentation via VLANs for security, isolating sensitive systems
or users from the rest of the network.
6. Wireless Design:
o Deploy Wi-Fi Access Points (APs) strategically to ensure coverage across the
campus.
o Plan for capacity by considering the number of devices per AP and the type of
traffic (e.g., data, voice, video).
7. Management and Monitoring:
o Use network management systems (NMS) to monitor performance,
troubleshoot, and provide network analytics.
o Use Simple Network Management Protocol (SNMP) for monitoring
network devices like switches, routers, and access points.
15 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
A Data Center Network is designed to support large-scale data processing, storage, and
distribution. The network must ensure high availability, low latency, and support for modern
technologies such as virtualization and cloud computing.
Top-of-Rack (ToR) Switches: These switches are placed in each rack to connect
servers and other devices within the same rack to the data center's network.
Aggregation Layer: Aggregates traffic from multiple ToR switches and connects to
the core layer. It handles routing, load balancing, and security policies.
Core Layer: Handles traffic across multiple aggregation switches and serves as the
backbone of the data center network.
16 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
o Use modular design to easily add more servers, racks, and switches as the
data center grows.
o Ensure that network links are high-capacity (10GbE, 40GbE, or higher) to
handle large volumes of traffic.
4. Redundancy and Fault Tolerance:
o Implement redundant power supplies, dual network links, and multiple
network paths to avoid single points of failure.
o Use Spanning Tree Protocol (STP) for loop prevention and Equal-Cost
Multi-Path (ECMP) routing for load balancing.
5. Security:
o Implement segmentation using VLANs or Virtual Extensible LAN
(VXLAN) to isolate different parts of the network (e.g., management, storage,
application).
o Use firewalls, access control lists (ACLs), and Network Access Control
(NAC) for additional security.
6. Virtualization and Cloud Support:
o Design the network to support virtual machines (VMs) and containers by
using virtual switches and software-defined networking (SDN) technologies.
o Plan for multi-cloud integration if the data center is connected to external
cloud services.
7. Monitoring and Management:
o Use network performance monitoring (NPM) tools and data center
infrastructure management (DCIM) tools to monitor the health and
performance of the network.
o Implement automation using Network Configuration Protocol
(NETCONF) or Ansible to streamline management tasks.
17 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
VPN (Virtual Private Network): Secures internet traffic and connects remote users
or branch offices to the corporate network.
Remote Desktop Services (RDS): Provides users with access to desktop
environments remotely, ensuring secure access to business-critical applications.
Direct Access: A Microsoft technology that allows seamless and secure remote
access for clients, often used in Windows environments.
1. VPN Solutions:
o Use site-to-site VPNs for connecting branch offices or remote data centers
securely.
o Use client-to-site VPNs for individual remote workers. Protocols like IPSec,
SSL VPN, or OpenVPN are commonly used for secure remote access.
2. Multi-Factor Authentication (MFA):
o Implement MFA to enhance security for remote workers. This could involve
something the user knows (password), something the user has (token or
mobile device), and something the user is (biometric data).
3. Secure Application Access:
o For SaaS applications or web-based services, ensure that users can securely
access them via SSL/TLS encryption and additional security layers such as
Web Application Firewalls (WAFs).
4. Bandwidth and Performance:
18 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
o Ensure that VPN solutions can handle the expected volume of traffic from
remote workers.
o Consider QoS (Quality of Service) to prioritize critical applications over
others to ensure optimal performance.
5. Endpoint Security:
o Ensure that remote devices are secure through Endpoint Detection and
Response (EDR) solutions, antivirus, and encryption.
o Implement Zero Trust Network Access (ZTNA) to verify every user and
device before granting access to network resources.
Client-to-Site VPN: Remote workers connect using SSL VPN, requiring multi-factor
authentication.
Site-to-Site VPN: Branch offices are connected to the headquarters via IPSec VPN
tunnels, allowing secure communication between sites.
RDS: Remote users can access a secure desktop environment hosted in the data
center, ensuring secure access to applications without needing to store sensitive data
locally.
Designing campus and data center networks requires careful planning to ensure that the
network meets performance, security, and scalability requirements. By using a modular
approach with clear separation of layers and components, the network can handle growing
demands. Remote connectivity design is increasingly important as the workforce becomes
more distributed, requiring secure and reliable access to internal resources from anywhere.
Combining secure VPNs, endpoint protection, and high-performance design principles
ensures that the
19 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Chapter Four
In any network design, IP addressing and routing protocols are two fundamental components
that ensure efficient communication, scalability, and security. Proper design of these elements
is crucial for optimizing network performance, ease of management, and future growth.
Here’s an overview of how to approach IP Addressing Design and Routing Protocol
Selection.
1. Designing IP Addressing
Address Space: Choose between IPv4 and IPv6 addressing based on network size,
future growth, and existing infrastructure.
Subnetting: Divide your IP address space into subnets to optimize network
management and enhance security.
Network Scalability: Plan for future growth in terms of both IP address allocation
and addressing efficiency.
Security: Protect IP address spaces to avoid unauthorized access and ensure that IP
conflicts are minimized.
20 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
21 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Routing protocols are used to direct data packets between devices and networks. They help
routers determine the best path for forwarding packets. The selection of routing protocols
depends on factors like network size, scalability, convergence time, and reliability.
1. Interior Gateway Protocols (IGPs): These protocols are used within a single
autonomous system (AS), such as within a campus or data center network.
o RIP (Routing Information Protocol):
Use Case: Suitable for small, simple networks.
Characteristics: Distance-vector protocol with a maximum hop count
of 15 (making it less suitable for larger networks).
Advantages: Simple and easy to configure.
Disadvantages: Slower convergence, limited scalability.
o OSPF (Open Shortest Path First):
Use Case: Ideal for medium to large-sized networks.
Characteristics: Link-state protocol that uses Dijkstra’s algorithm to
calculate the shortest path. It supports hierarchical routing with area
segmentation.
Advantages: Fast convergence, supports large networks.
Disadvantages: More complex to configure compared to RIP.
o EIGRP (Enhanced Interior Gateway Routing Protocol):
Use Case: Suitable for medium to large enterprise networks.
Characteristics: Hybrid protocol (combines features of distance-
vector and link-state protocols) developed by Cisco. It uses the
Diffusing Update Algorithm (DUAL) for routing decisions.
Advantages: Faster convergence than RIP, easier configuration than
OSPF, efficient bandwidth usage.
Disadvantages: Proprietary to Cisco, limiting interoperability with
other vendors.
2. Exterior Gateway Protocols (EGPs): These protocols are used to exchange routing
information between different autonomous systems, usually on the internet.
o BGP (Border Gateway Protocol):
22 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
When choosing a routing protocol for your network, consider the following factors:
23 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
o OSPF requires more detailed configuration but provides better scalability and
flexibility.
o BGP is complex to configure and troubleshoot but necessary for managing
routing across the internet.
Scenario: A company has a headquarters (HQ) and two remote branch offices. They need to
design the network addressing scheme and routing for this environment.
IP Addressing:
HQ:
o Use a 10.0.0.0/24 network for the headquarters.
o Use 10.0.1.0/24 for internal servers, 10.0.2.0/24 for user devices, and
10.0.3.0/24 for guest Wi-Fi.
Branch Office 1:
o Use 10.1.0.0/24 network.
o Create subnets for servers (e.g., 10.1.1.0/24) and users (e.g., 10.1.2.0/24).
Branch Office 2:
o Use 10.2.0.0/24 network, with similar internal segmentation.
Routing:
o Use OSPF for dynamic routing between the headquarters and remote offices,
as it scales well and offers fast convergence.
o Use VPN (e.g., site-to-site) to connect remote offices securely over the
internet.
OSPF: Used for internal routing between the HQ and remote offices (within the
organization’s network).
BGP: Used at the HQ to connect to the internet or external networks, as the company
may have a dedicated internet link and needs robust routing policies.
24 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Designing IP addressing and selecting routing protocols are critical steps in network design.
A well-organized IP addressing scheme ensures efficient network management
Before selecting security solutions, it’s crucial to understand the primary threats that a
network may face:
Malware: Includes viruses, worms, trojans, ransomware, etc., that can damage or
disrupt network operations.
Phishing and Social Engineering: Attacks that exploit human behavior to gain
unauthorized access to systems.
DDoS (Distributed Denial-of-Service): Overloading the network with traffic to
make it unavailable.
Man-in-the-Middle (MITM) Attacks: Intercepting and altering communication
between two parties.
Insider Threats: Attacks from within the organization, either malicious or accidental.
Unauthorized Access: Gaining access to a network without proper authorization,
potentially leading to data breaches or resource theft.
25 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Based on the network’s specific needs and threats, several security solutions can be
implemented. Below are the common security solutions and technologies to evaluate:
2.1 Firewalls
Purpose: Firewalls monitor and control incoming and outgoing network traffic based
on predetermined security rules, acting as a barrier between trusted internal networks
and untrusted external networks (e.g., the internet).
Types of Firewalls:
o Packet Filtering Firewalls: Basic firewalls that inspect packets and make
decisions based on IP addresses, ports, and protocols.
o Stateful Inspection Firewalls: Track the state of active connections and make
decisions based on the state of traffic.
o Next-Generation Firewalls (NGFWs): Combine traditional firewall features
with additional functionalities like application awareness, deep packet
inspection (DPI), intrusion prevention systems (IPS), and SSL/TLS inspection.
Evaluation Considerations:
o Scalability: Does the firewall solution scale with the growing network?
o Performance: How well does the firewall perform in terms of speed and
latency?
o Advanced Features: Does it include capabilities like deep packet inspection,
intrusion prevention, and application filtering?
o Ease of Management: Is the firewall solution easy to manage and configure,
and does it provide centralized management?
Purpose: IDS monitors network traffic for suspicious activity or policy violations,
while IPS actively blocks identified malicious traffic.
Types of IDS/IPS:
o Network-based IDS/IPS (NIDS/NIPS): Monitors network traffic for patterns
of known threats.
26 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Purpose: VPNs securely encrypt traffic between remote users or branch offices and
the corporate network, protecting data from interception during transmission.
Types of VPNs:
o Site-to-Site VPN: Connects entire networks, such as remote offices, securely
over the internet.
o Client-to-Site VPN: Allows individual users to securely connect to the
network from remote locations.
Evaluation Considerations:
o Encryption Strength: What encryption protocols (e.g., IPSec, SSL/TLS) are
supported, and how strong are they?
o Performance: Does the VPN impact network speed or latency, and is it
scalable for remote users?
o Authentication: Does the solution support strong authentication methods,
such as multi-factor authentication (MFA) or certificates?
o Reliability: Is the VPN reliable in maintaining a secure connection without
interruptions?
27 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Components:
o Antivirus/Antimalware Software: Provides basic protection against
malicious software.
o Endpoint Detection and Response (EDR): Provides advanced monitoring,
detection, and response capabilities for endpoints.
o Mobile Device Management (MDM): Manages and secures mobile devices
within an organization.
Evaluation Considerations:
o Protection: Does the solution effectively protect endpoints from a wide range
of threats, including advanced persistent threats (APTs)?
o Behavioral Analysis: Does it include AI/ML-driven behavioral analysis to
detect unknown threats?
o Centralized Management: Is it easy to manage and update all endpoints from
a central console?
o Compatibility: Does it support a wide range of operating systems and devices
(Windows, macOS, iOS, Android)?
Purpose: SIEM systems aggregate, analyze, and correlate data from various network
devices (e.g., firewalls, IDS/IPS, routers) to detect and respond to security incidents in
real-time.
Evaluation Considerations:
o Data Aggregation: Does the SIEM solution collect and normalize data from
various sources (firewalls, endpoints, servers)?
o Real-Time Analysis: Does it provide real-time alerting based on detected
security events or threats?
o Scalability: Can the solution scale as the network grows in terms of data
volume and device count?
o Integration: Can it integrate with other security tools such as IDS/IPS,
firewalls, and endpoint security?
28 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Purpose: These solutions manage who can access the network and its resources,
ensuring that only authorized users and devices are granted access.
Components:
o Network Access Control (NAC): Monitors and controls the devices that are
allowed to connect to the network based on predefined security policies.
o Identity and Access Management (IAM): Manages user identities and
ensures users are authenticated and authorized to access resources.
Evaluation Considerations:
o Authentication Methods: Does the solution support multi-factor
authentication (MFA), biometric authentication, or certificate-based
authentication?
o Granular Access Control: Can the system define specific policies for
different users, devices, and types of access?
o Scalability: Does the solution scale as the network and user base grow?
o Policy Enforcement: How effectively does the system enforce access policies
and prevent unauthorized access?
Purpose: DLP solutions prevent sensitive data from being leaked or accessed by
unauthorized users, whether intentionally or unintentionally.
Evaluation Considerations:
o Content Inspection: Does the DLP solution inspect data across different
channels (email, web traffic, cloud storage, etc.)?
o Policy Enforcement: Can policies be set to detect and prevent the movement
of sensitive data outside the network (e.g., USB drives, cloud applications)?
o Granularity: Can it distinguish between different types of sensitive data (e.g.,
PII, intellectual property, financial data)?
o User Training and Awareness: Does the solution provide feedback to users
to help them avoid accidental data leaks?
29 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
When evaluating security solutions, it's important to understand the network's current and
future needs, the types of threats it may face, and the specific requirements of the business.
Here’s how to approach the evaluation process:
Scalability: Does the solution scale with the growth of the network and the increase
in users, devices, and data?
Compliance: Are there industry-specific compliance requirements (e.g., GDPR,
HIPAA, PCI-DSS) that the solution must meet?
Operational Impact: Will the solution have a minimal impact on network
performance and end-user experience?
Cost vs. Protection: Determine the balance between the level of security required and
the budget available.
Ease of Use: How easy is the solution to deploy and manage, especially for network
administrators with limited security expertise?
Real-Time Monitoring: Is real-time detection and response a priority for your
network, or can it be handled via periodic checks?
Pilot Testing: Before full deployment, test the solution in a small segment of the
network to identify potential issues and validate the security benefits.
Vendor Support: Evaluate the level of support provided by the vendor, including
technical support, documentation, and training.
Conclusion
Evaluating and selecting the right security solutions for a network is crucial for protecting
organizational assets and ensuring the network remains resilient to evolving cyber threats
30 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
When planning a voice network, there are several important factors to consider to ensure
high-quality communication, reliability, scalability, and security. Below are the key voice
networking considerations:
Voice traffic is highly sensitive to delays, jitter, and packet loss. Ensuring high-quality voice
communication over a network requires the management of these factors.
QoS Implementation: QoS ensures that voice traffic receives higher priority over
other types of traffic (e.g., email, web browsing) on the network. Implementing QoS
can prioritize voice packets, reduce latency, and minimize jitter and packet loss.
o Differentiated Services (DiffServ): A widely used model to manage QoS in
IP networks. It prioritizes voice packets using a DSCP (Differentiated
Services Code Point) to mark voice traffic as high-priority.
o Traffic Shaping and Policing: Limits the bandwidth usage of non-critical
applications to ensure sufficient bandwidth is available for voice.
Bandwidth Requirements: Voice calls require consistent, low-latency connections
with a predictable amount of bandwidth. Typically, a VoIP call requires:
o 30-100 Kbps per call depending on the codec used.
o Sufficient bandwidth should be reserved for both uplink and downlink traffic.
Latency and Jitter:
o Latency should generally be kept under 150 ms (end-to-end) for good voice
quality. Higher latency can result in noticeable delays during conversations.
31 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
o Jitter, the variation in packet arrival times, should be minimized to less than
30 ms to prevent voice distortion.
Packet Loss: VoIP requires minimal packet loss. Ideally, packet loss should be kept
under 1% for acceptable voice quality.
The architecture and topology of the network play a significant role in the performance,
scalability, and reliability of voice communications.
3. Codec Selection
32 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
The choice of codec impacts the quality of the call, the bandwidth consumption, and the
overall network load.
Audio Codecs:
o G.711: Offers high-quality voice but consumes more bandwidth (64 kbps per
call).
o G.729: A compressed codec that uses less bandwidth (8 kbps per call) but
sacrifices some voice quality. Often used in low-bandwidth environments.
o Opus and G.722: High-definition audio codecs that provide better voice
clarity, particularly in wideband voice systems.
Selecting the Right Codec: The codec selected should balance between quality and
bandwidth efficiency based on the organization's needs.
o Wideband Codecs (HD Voice): Offer superior sound quality, suitable for
high-end communications.
o Narrowband Codecs: For environments where bandwidth is limited.
4. Security Considerations
Voice networks are vulnerable to many of the same threats that affect data networks, such as
hacking, eavesdropping, fraud, and denial-of-service (DoS) attacks. Protecting voice traffic is
critical.
33 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
If your network needs to integrate with legacy communication systems, such as PSTN,
analog phones, or traditional PBX, ensure that the voice solution is compatible with these
systems.
VoIP Gateways: Use VoIP gateways to connect analog phones or PSTN lines with a
VoIP network. These gateways convert analog signals into digital signals that can
travel over the IP network.
SIP Trunking: Allows the integration of VoIP with traditional PBX systems by
providing direct connections to the PSTN via SIP (Session Initiation Protocol). This
reduces costs by eliminating the need for physical telephone lines.
As the number of users grows, the voice network should be able to scale without
compromising quality or reliability.
Capacity Planning: Estimate the number of simultaneous calls and the bandwidth
needed to support them. This includes planning for peak usage times.
o SIP Registrars and call routing should be able to scale as the number of
devices or users increases.
Cloud Integration: For expanding capacity quickly without significant infrastructure
changes, consider integrating cloud-based VoIP services to handle additional call
traffic dynamically.
Future Proofing: Ensure the voice network can evolve with emerging technologies
such as video conferencing, unified communications, or WebRTC (Web Real-
Time Communication), which allows voice, video, and data sharing over web
browsers.
34 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Ongoing monitoring of the voice network is critical to ensure quality and performance.
Troubleshooting tools help detect and resolve issues that can affect call quality or reliability.
Call Quality Monitoring: Use tools that measure metrics such as Mean Opinion
Score (MOS), jitter, latency, packet loss, and call drops.
Network Performance Monitoring: Monitor network traffic in real-time, focusing
on voice traffic to identify congestion or performance bottlenecks.
VoIP Diagnostic Tools: Tools like Wireshark, PingPlotter, or SolarWinds VoIP
Performance Monitor can help analyze VoIP traffic and identify issues such as
misconfigured codecs or QoS settings.
Automated Alerts: Configure the system to send alerts when thresholds (e.g., jitter,
latency, packet loss) are exceeded, allowing for rapid response and issue resolution.
Ensure that the voice network adheres to relevant regulations and industry standards.
Depending on the region or industry, there may be legal requirements for call recording, data
storage, and privacy.
Call Recording: Some organizations are required to record voice communications for
regulatory compliance (e.g., financial institutions must adhere to the Dodd-Frank
Act or MiFID II in Europe).
Data Retention: Ensure proper storage, retention, and destruction of voice data in
accordance with local laws (e.g., GDPR in the European Union).
35 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
36 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Wireless networking is the technology that allows devices to communicate with each other
and connect to the internet or local networks without using physical cables. It provides
flexibility, mobility, and convenience, but it also introduces specific challenges that need to
be addressed to ensure robust performance, security, and reliability.
Here are key considerations when identifying wireless networking requirements and
challenges:
The first step in identifying wireless networking is understanding the various wireless
standards and their features. These standards determine how data is transmitted over the air
and impact the speed, range, and compatibility of wireless networks.
37 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
5G: The next-generation cellular network standard that offers faster speeds, lower
latency, and enhanced connectivity, particularly for mobile devices and high-density
areas.
2. Frequency Bands
Wireless networks operate in specific frequency bands, and selecting the appropriate
frequency for the network design is crucial to avoid interference and optimize performance.
2.4 GHz Band: Commonly used for Wi-Fi, Bluetooth, and Zigbee. It provides better
range but is more prone to interference from other devices like microwaves, cordless
phones, and older Wi-Fi networks.
5 GHz Band: Provides faster speeds and less interference than 2.4 GHz, but with a
reduced range due to its higher frequency. This band is used in Wi-Fi standards like
802.11ac/ax and is better suited for high-density environments.
6 GHz Band (Wi-Fi 6E): With the introduction of Wi-Fi 6E, the 6 GHz band is now
available for Wi-Fi, providing additional spectrum to improve performance in
crowded environments.
Sub-1 GHz Bands (LoRa, Zigbee, etc.): These lower-frequency bands are ideal for
long-range communication with low data rates, often used in IoT devices.
Wireless networks have specific range limitations, and ensuring adequate coverage across a
building or outdoor area is crucial to maintain reliable performance.
Indoor Range: The range of a wireless network depends on factors like the frequency
band (2.4 GHz typically has a longer range than 5 GHz), physical obstructions (walls,
metal surfaces), and the power of the wireless access points (APs).
Outdoor Range: Outdoor wireless networks may require directional antennas to
focus signals in a specific direction, or point-to-point (P2P) links to connect remote
38 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
5. Interference Management
Interference is a common issue in wireless networks, as signals from various devices can
overlap, causing reduced performance. Key considerations include:
39 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Co-channel Interference: Occurs when two APs on the same channel interfere with
each other. This can be minimized by performing a site survey and using non-
overlapping channels.
Adjacent-Channel Interference: Occurs when APs on adjacent channels interfere
due to the overlap of channel frequencies. This is particularly relevant in 2.4 GHz
networks, which only offer three non-overlapping channels.
Environmental Interference: Other devices operating in the same frequency bands
(microwaves, cordless phones, baby monitors) can interfere with wireless signals.
Proper channel planning and frequency selection can help reduce interference.
6. Security
Encryption: Use strong encryption protocols to secure data transmitted over the
wireless network:
o WPA3: The latest Wi-Fi security protocol, offering better protection against
brute-force attacks and improved encryption for public networks.
o WPA2: Still widely used, but considered less secure than WPA3.
o WEP: An outdated and insecure protocol, should be avoided.
Authentication: Ensure proper authentication methods, such as:
o 802.1X: An IEEE standard that provides port-based network access control,
typically used with WPA2/WPA3 for enterprise networks.
o RADIUS: Remote Authentication Dial-In User Service (RADIUS) is often
used with 802.1X to provide centralized authentication.
Network Segmentation: Isolate sensitive devices and traffic by using Virtual Local
Area Networks (VLANs) to segregate the network into different logical subnets for
better security and management.
Guest Networks: Implement separate networks for guests and employees, with
limited access to internal resources, to protect sensitive data.
40 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
7. Power Considerations
Wireless networks often rely on Power over Ethernet (PoE) to supply power to access
points (APs) through the same Ethernet cable used for data transmission.
PoE Standards: Choose the appropriate PoE standard based on power requirements:
o IEEE 802.3af (PoE): Delivers up to 15.4 watts per port.
o IEEE 802.3at (PoE+): Delivers up to 25.5 watts per port.
o IEEE 802.3bt (PoE++): Delivers up to 60 watts or even 100 watts per port.
Battery Life for Mobile Devices: In areas where devices like smartphones and
laptops rely on wireless charging or have limited battery capacity, consider access
points that support Wireless Charging (WPT) or inductive charging for mobile
devices.
Wireless roaming refers to the ability of devices to move seamlessly between access points
without losing connectivity.
Seamless Roaming: For mobile users or devices, ensure that roaming is smooth, with
minimal delay when switching between APs. Technologies like 802.11r (Fast BSS
Transition) help devices quickly transition between access points, reducing the impact
of handover delays.
Load Balancing: To optimize the user experience, implement load balancing features
to evenly distribute client devices across multiple APs based on factors like signal
strength and traffic load.
Effective wireless network management helps ensure that the network operates efficiently
and securely.
41 | P a g e
Prepared by Biruk.P (MSc)
Network Design Hand-out
Cost is an important factor in designing a wireless network. The total cost includes the price
of wireless access points, controllers, management tools, cabling, and on-going maintenance.
42 | P a g e
Prepared by Biruk.P (MSc)