Designing a Secure Campus Network
- Yash Pathak
- Mar 3, 2023
- 7 min read
Updated: Jul 14, 2023
We are designing a Campus Area Network (CAN). The network is supposed to be secure, scalable, fast and fault tolerant. The campus has the following blocks:
Admin Block
Campus Block
Guest Block
Network Topology
The network topology will follow the industry best practice of the hierarchical model. The hierarchical network design model breaks the complex flat network into multiple smaller and more manageable networks.
Each level or tier in the hierarchy is focused on a specific set of roles, which keeps the network scalable, manageable and efficient. We will also use a partial mesh between layers so that the network is fault tolerant without the cost of a full mesh.
The network topology will consist of three layers:
Access Layer - The Access layer consists of switches that connect end-user devices such as PCs, laptops and printers, and provides reliable connections for all of them. This layer is associated with the access switches.
Distribution Layer - The Distribution layer connects the Access layer devices to the Core layer and provides network services such as routing, switching and security; its switches perform policy-based routing. This layer is associated with the distribution switches.
Core Layer - The Core layer interconnects the Distribution layer devices, routes traffic between subnets and provides security features such as firewalls. This layer is associated with the core switches.
The hierarchical model allows the network to scale as it grows. As new devices are added to the network, new Access layer switches can be added, and they can be connected to the existing Distribution and Core layer switches.
This also allows for efficient traffic flow as the Access layer switches only have to forward traffic to the Distribution layer switches, and the Distribution layer switches only have to forward traffic to the Core layer switches.

Fig 1: Hierarchical model of Campus Network
The topology of each module and submodule of a campus network is determined by the Spanning Tree Protocol (STP), documented in IEEE 802.1D, which dynamically "prunes" an arbitrary topology of connected Layer 2 switches into a spanning tree.
The resulting tree spans the entire switched domain: the network designer physically connects the switches in a meshed, redundant topology, and STP builds a loop-free logical tree on top of it by blocking the redundant links.
Network Design
We have three blocks in the campus network - Admin Block, Campus Block and Guest Block. Each block has three floors.
We also have a server room where all the distribution switches connect to a core switch which is further connected to the Internet. It also provides a centralized place to troubleshoot network issues.
As shown in the network design, every end device on every floor of every block connects to that floor's Access switch. Each Access switch will be a 48-port Layer 2 switch; we have considered the Cisco Catalyst 9200 (C9200) 48-port 1G switch.
Based on traffic volume, we have allocated one Access switch to each floor of the Admin and Guest blocks and two Access switches to each floor of the Campus block. We will not use up all the ports on a switch; some are left unused to improve scalability and fault tolerance. The network racks (where the switches are placed) should also be kept away from electrical cabling and in a cool location.

Fig 2: Network Design
We will use STP (Shielded Twisted Pair, not to be confused with the Spanning Tree Protocol above) cross cables (blue in the diagram) to connect end devices directly to the Access switches (point to point). STP is a good option for Layer 2 LAN runs of 80-100 m.
We need to connect all the Access switches, which is done by the Distribution switches. Each Distribution switch will be a 48-port Layer 3 (multi-layer) switch; we have considered the Cisco Catalyst 9500 series 48-port 10G switch. We use the uplink ports of the Access switches to connect to the Distribution switches; an uplink port offers greater bandwidth than a normal port because it aggregates traffic between network layers. We will use multi-mode fibre optic cables (red in the diagram) between the Access and Distribution switches, as multi-mode fibre works efficiently over shorter distances.
All three Distribution switches will connect to a Core switch in the server room over single-mode fibre optic cables (green in the diagram), which are more efficient over longer distances. The Core switch will also be a 48-port Layer 3 (multi-layer) switch; we have considered the Cisco Catalyst 9500 series 48-port 10G switch for the Core as well.
To summarize:
The Access layer consists of multiple switches that connect end-user devices. Each switch will have ports assigned to different VLANs.
The Distribution layer switches will connect the Access layer switches to the Core layer switches. The Distribution layer switches will have ports assigned to VLANs, security policies, and access control mechanisms.
The Core layer switches will provide network services such as routing, switching, and security. The Core layer switches will have redundant links and redundant power supplies to ensure high availability.
Network Configuration:
Network Address Translation (NAT):
NAT runs on the router that connects the campus network to the Internet and translates the private addresses used inside the campus into a valid public address before packets are forwarded to other networks.
We will configure NAT to advertise only one address for the campus network to the Internet.
This adds security to the campus network by hiding the entire campus behind a single address, and it also conserves IP addresses.
Virtual LAN (VLAN):
VLANs will be used to segment the network into smaller, secure groups. VLANs provide network segmentation which allows for better network management, improved performance and increased security. By adding VLANs, we increase the number of broadcast domains. Each department will have their own broadcast domain.
We will create the following VLANs on CS1 & CS2 (Core Switch 1 & 2):
VLAN 10: Admin and Management
VLAN 20: College (Students and Faculty)
VLAN 30: Guests
The Management VLAN will be used to manage the network devices: the IT team will use it to access switches, routers and firewalls, and it will also provide Internet access. All ports on DS1 (Distribution Switch 1) and the corresponding Access switches (AS1, AS2 & AS3) should be in VLAN 10, as should the ports on Core Switch 1 & Core Switch 2 that connect to DS1.
The College VLAN will be used by students and faculty. This VLAN will have access to the corporate network resources such as file servers and email servers, and will also provide Internet access. All ports on DS2 & DS3 and the corresponding Access switches (AS4, AS5, AS6, AS7, AS8 & AS9) should be in VLAN 20, as should the ports on Core Switch 1 & Core Switch 2 that connect to DS2 & DS3.
The Guests VLAN will be used to provide Internet access to guests. This VLAN will have limited access to network resources and will be isolated from the college network. All ports on DS4 and the corresponding Access switches (AS10, AS11 & AS12) should be in VLAN 30, as should the ports on Core Switch 1 & Core Switch 2 that connect to DS3.
VLANs will be configured on switches to allow for efficient communication between devices within the same VLAN.
IP Address Scheme:
We will use a hierarchical addressing scheme to reflect the network topology. The IP address range for the entire network will be 10.0.0.0/16. We will subnet this into smaller segments as follows:
Access layer: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, etc.
Distribution layer: 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24, etc.
Core layer: 10.0.100.0/24, 10.0.200.0/24, 10.0.300.0/24, etc.
The network will be assigned the private IP address range of 10.0.0.0/16. This range will be subnetted into smaller segments to provide efficient address allocation and to simplify network management as it will be easy to identify the location of a device based on its IP address.
The Access layer switches will be assigned IP addresses from 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, etc. subnets. This will allow for efficient communication between devices within the same Access layer switch.
The Distribution layer switches will be assigned IP addresses from 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24, etc. subnets. This will allow for efficient communication between devices within the same Distribution layer switch.
The Core layer switches will be assigned IP addresses from 10.0.100.0/24, 10.0.200.0/24, 10.0.300.0/24, etc. subnets. This will allow for efficient communication between devices within the same Core layer switch.
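As an added example (not part of the original design), the following Python check takes the addressing plan exactly as listed above (the "etc." entries omitted), using only the standard ipaddress module, and reports any prefix that does not parse, lies outside 10.0.0.0/16, or overlaps another subnet. The function names and the ADDRESS_PLAN dictionary are my own constructions.

```python
"""Check the hierarchical IPv4 plan listed above (added example, not part of the design)."""
import ipaddress
from typing import Dict, List, Tuple

CAMPUS_SUPERNET = ipaddress.ip_network("10.0.0.0/16")

# Subnets exactly as written in the design; the "etc." entries are omitted.
ADDRESS_PLAN: Dict[str, List[str]] = {
    "access": ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
    "distribution": ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"],
    "core": ["10.0.100.0/24", "10.0.200.0/24", "10.0.300.0/24"],
}


def validate_plan(plan: Dict[str, List[str]],
                  supernet: ipaddress.IPv4Network = CAMPUS_SUPERNET) -> List[str]:
    """Return human-readable problems; an empty list means the plan is sound."""
    problems: List[str] = []
    parsed: List[Tuple[str, ipaddress.IPv4Network]] = []
    for layer, prefixes in plan.items():
        for prefix in prefixes:
            try:
                net = ipaddress.ip_network(prefix, strict=True)
            except ValueError as exc:
                # An octet above 255 or host bits set in the prefix ends up here.
                problems.append(f"{layer}: {prefix} is not a valid network ({exc})")
                continue
            if not net.subnet_of(supernet):
                problems.append(f"{layer}: {prefix} lies outside {supernet}")
            parsed.append((layer, net))
    # Overlapping subnets would make "where is this device" ambiguous,
    # which defeats the point of a hierarchical scheme.
    for i, (layer_a, net_a) in enumerate(parsed):
        for layer_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{layer_a} {net_a} overlaps {layer_b} {net_b}")
    return problems


def locate(address: str, plan: Dict[str, List[str]]) -> str:
    """Name the layer a host address belongs to, or 'unassigned'."""
    host = ipaddress.ip_address(address)
    for layer, prefixes in plan.items():
        for prefix in prefixes:
            try:
                if host in ipaddress.ip_network(prefix, strict=True):
                    return layer
            except ValueError:
                continue  # skip entries validate_plan already reports
    return "unassigned"
```

Running validate_plan(ADDRESS_PLAN) on the plan as written reports exactly one problem: 10.0.300.0/24 is not a valid IPv4 network, because no octet can exceed 255, so the third Core subnet needs a different prefix before the scheme is deployed.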
DHCP:
The DHCP server is deployed on the core switch. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. We configure the DHCP server based on the IP address scheme defined above.
DHCP makes it simple for an organization to change its IP address scheme from one range of addresses to another without disrupting the end users.
Addresses no longer in use are automatically returned to the pool for reallocation.
Access Control:
To ensure that only authorized users can access the network, we will use access control mechanisms such as firewalls and authentication protocols.
Firewall: A packet filtering firewall is deployed on the filtering/screening router that sits between the internal campus network and the outside network.
It controls the movement of packets according to a set of rules defined by the administrator and protects the network from unwanted intrusions and attacks.
Packet filtering capabilities are built into widely used hardware and software routing products, so it is inexpensive to implement.
It is fast: packets are accepted or rejected quickly based on their source and destination addresses and ports.
Authentication Protocol: We'll use PAP and 2FA for user authentication on the network.
Password Authentication Protocol (PAP) - Users enter their username/password to access the campus network.
Two-Factor Authentication (2FA) - Admins enter their username/password and then must input the One Time Password (OTP) sent to their mobile number registered with the university to get privileged access to the campus network. 2FA significantly minimizes the risk of system or resource compromise as it’s unlikely for an invalid user to know or have access to both authentication factors.
Network Monitoring:
We will use network monitoring tools like Intrusion Detection System (IDS) to monitor network traffic and identify anomalies that may indicate a security breach.
A network-based IDS (NIDS) monitors traffic (packets) at selected points on the network using a number of sensors. An inline sensor is inserted into the network at the Distribution layer switches so that all traffic passing through the sensor is actively monitored.
No additional hardware is needed; only the NIDS sensor software is required.
An inline sensor blocks an attack as soon as it is detected, so the device performs both intrusion detection and intrusion prevention.
It can detect and prevent attacks that originate inside the campus network.
Port Security:
Port Security helps secure the network by preventing unknown devices from forwarding packets. It is configured on a switch interface and limits the number of MAC addresses allowed on a given port; when a link goes down, all dynamically locked addresses are freed.
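As an added example (my own model, not a vendor's implementation), this Python class simulates the port-security behaviour described above: a port that dynamically locks up to a configured number of source MAC addresses, applies one of the three violation modes found on Cisco Catalyst switches (protect, restrict, shutdown), and frees its dynamic addresses when the link goes down. Frames are reduced to their source MAC, and the class and method names are assumptions.

```python
"""Model of switch-port security (added example; class and method names are assumptions)."""
from dataclasses import dataclass, field
from typing import List, Set

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    max_macs: int = 1
    violation_mode: str = "shutdown"
    learned: Set[str] = field(default_factory=set)
    violations: int = 0          # counted in restrict mode (what a NMS would poll)
    err_disabled: bool = False   # set by shutdown mode; needs operator intervention
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation_mode not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation_mode!r}")

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # port stays down until cleared
        if mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_macs:
            self.learned.add(mac)              # dynamically lock the address
            return "forward"
        # Limit reached and an unknown device is transmitting: a violation.
        if self.violation_mode == "shutdown":
            self.err_disabled = True
            self.log.append(f"err-disable: unexpected source {mac}")
        elif self.violation_mode == "restrict":
            self.violations += 1
            self.log.append(f"violation #{self.violations}: source {mac}")
        # protect mode drops silently with no counter or log entry
        return "drop"

    def link_down(self) -> None:
        """Link loss frees all dynamically learned addresses, as the text states."""
        self.learned.clear()

    def clear_err_disabled(self) -> None:
        """Operator re-enables a port that shutdown mode took down."""
        self.err_disabled = False
        self.learned.clear()
```

Restrict mode is the one that produces the counter and log entries a monitoring system can alert on; protect mode drops silently, which is why a violation there is invisible to the NIDS discussed above.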
Redundancy:
We will use redundant switches, routers, and links to ensure that the network remains operational even in the event of a failure.
Conclusion
Designing a secure, scalable, fast, and fault-tolerant Campus Area Network (CAN) is essential for creating a robust and reliable network infrastructure. By prioritizing these key aspects, organizations can ensure the efficient flow of data and maintain a secure environment for their users.
And by considering the needs for security, scalability, speed, and fault tolerance in the design of a Campus Area Network, organizations can create a robust and dependable network infrastructure that supports the growing demands of the campus environment while providing a secure and seamless experience for its users.
Thanks for reading. Cheers!