
Analysis and Redesign of the Existing Campus Network: A Case Study

Rab Nawaz Jadoon


(Assistant Professor)
Department of Computer Science, COMSATS IIT, Abbottabad, Pakistan
Email: rabnawaz@ciit.net.pk

1. Background Information for the Campus Network Design Project:


Wandering Valley Community College (WVCC) is a small college in the western United States that is
attended by about 600 full- and part-time students. The students do not live on campus. Approximately
50 professors teach courses in the fields of arts and humanities, business, social sciences, mathematics,
computer science, the physical sciences, and health sciences. Many of the professors also have other
jobs in the business community, and only about half of them have an office on campus. Approximately
25 administration personnel handle admissions, student records, and other operational functions.
Enrollment at WVCC has doubled in the past few years. The faculty and administration staff have also
doubled in size, with the exception of the IT department, which is still quite small. The IT department
consists of one manager, one server administrator, two network administrators, and two part-time
student assistants.
Because of the increase in enrollment and other factors covered in the next three sections, the current
network has performance and reliability problems. The administration has told the IT department that
both student and faculty complaints about the network have increased. Faculty members claim that,
due to network problems, they cannot efficiently submit grades, maintain contact with colleagues at
other colleges, or keep up with research. Students say they have handed in homework late due to
network problems. The late submissions have impacted their grades. Despite the complaints about the
network, faculty, staff, and student use of the network has doubled in the past few years.
Wireless access has become a point of contention between the IT department and other departments.
Students often place wireless access points in the Computing Center and the Math and Sciences building
without permission from the IT department. The IT manager is concerned about network security and
has assigned part-time students to roam the network to locate and remove unauthorized access points.
The part-time students resent this task because in many instances the rogue access points were installed
by peers and associates. Also, they think that wireless access should be allowed. Many students, faculty,
and staff members agree.

2. Business Goals
The college still wants to attract and retain more students. The college board of trustees believes that
the best way to remain fiscally sound is to continue to increase enrollment and reduce attrition. The
college administration and board of trustees identified the following business goals:
 Increase the enrollment from 600 to 1000 students in the next 3 years.
 Reduce the attrition rate from 30 to 15 percent in the next 3 years.
 Improve faculty efficiency and allow faculty to participate in more research projects with
colleagues at other colleges.
 Improve student efficiency and eliminate problems with homework submission.
 Allow students to access the campus network and the Internet wirelessly using their notebook
computers.
 Allow visitors to the campus to access the Internet wirelessly using their notebook computers.
 Protect the network from intruders.
 Spend a grant that the state government issued for upgrading the campus network.
 The money must be spent by the end of the fiscal year.

3. Technical Goals
The IT department developed the following list of technical goals, based on research about the causes of
network problems, which is covered in more detail in the “The Current Network at WVCC” section:
 Redesign the IP addressing scheme.
 Increase the bandwidth of the Internet connection to support new applications and the
expanded use of current applications.
 Provide a secure, private wireless network for students to access the campus network and the
Internet.
 Provide an open wireless network for visitors to the campus to access the Internet.
 Provide a network that offers a response time of approximately 1/10th of a second or less for
interactive applications.
 Provide a campus network that is available approximately 99.90 percent of the time and offers
an MTBF of 3000 hours (about 4 months) and an MTTR of 3 hours (with a low standard deviation
from these average numbers).
 Provide security to protect the Internet connection and internal network from intruders.
 Use network management tools that can increase the efficiency and effectiveness of the IT
department.
 Provide a network that can scale to support future expanded usage of multimedia applications.

4. Network Applications
Students, faculty, and staff use the WVCC network for the following purposes:
 Application 1, homework: Students use the network to write papers and other documents. They
save their work to file servers in the Computing Center and print their work on printers in the
Computing Center and other buildings.
 Application 2, email: Students, faculty, and administrative staff make extensive use of email.
 Application 3, web research: Students, faculty, and administrative staff use Mozilla Firefox or
Microsoft Internet Explorer to access information, participate in chat rooms, play games, and
use other typical web services.
 Application 4, library card catalog: Students and faculty access the online card catalog.
 Application 5, weather modeling: Meteorology students and faculty participate in a project to
model weather patterns in conjunction with other colleges and universities in the state.
 Application 6, telescope monitoring: Astronomy students and faculty continually download
graphical images from a telescope located at the state university.
 Application 7, graphics upload: The Art department uploads large graphics files to an off-campus
print shop that can print large-scale images on a high-speed laser printer. The print shop prints
artwork that is file-transferred to the shop via the Internet.
 Application 8, distance learning: The Computer Science department participates in a
distance-learning project with the state university. The state university lets WVCC students sign up to
receive streaming video of a computer science lecture course that is offered at the state
university. The students can also participate in a real-time “chat room” while attending the
class.
 Application 9, college management system: The college administration personnel use the
college management system to keep track of class registrations and student records.

5. User Communities
Table 1 shows the user communities at WVCC. The expected growth of the communities is also
included. Growth is expected for two reasons:
 New PCs and Macintoshes will be purchased.
 Wireless access will allow more students and visitors to access the network with their personal
laptop computers.

6. Data Stores (Servers)


7. Current Network at WVCC
A few years ago, the college buildings were not even interconnected. Internet access was not
centralized, and each department handled its own network and server management. Much progress has
been made since that time, and today a Layer 2 switched, hierarchical network design is in place. A
single router that also acts as a firewall provides Internet access.
The logical topology of the current campus-backbone network at WVCC consists of a hierarchical, mesh
architecture with redundant links between buildings. Figure 1 shows the logical topology of the campus
backbone.
Figure 1: Current campus design (backbone design)

8. The campus network design has the following features:


 The network uses switched Ethernet. A high-end switch in each building is redundantly
connected to two high-end switches in the Computing Center. Figure 2 shows these switches.
 Within each building, a 24- or 48-port Ethernet switch on each floor connects end user systems.
Figure 3 shows the building network architecture.
 The switches run the IEEE 802.1D Spanning Tree Protocol.
 The switches support SNMP and RMON. A Windows-based network management software
package monitors the switches.
 The software runs on a server in the server farm module of the network design.
 All devices are part of the same broadcast domain. All devices (except two public servers) are
part of the 192.168.1.0 subnet using a subnet mask of 255.255.255.0.
 Addressing for end-user PCs and Macs is accomplished with DHCP. A Windows server in the
server farm acts as the DHCP server.
 The email and web servers use public addresses that the state community college network
system assigned to the college. The system also provides a DNS server that the college uses.
 The router acts as a firewall using packet filtering. The router also implements NAT. The router
has a default route to the Internet and does not run a routing protocol. The WAN link to the
Internet is a 1.544-Mbps T1 link.
Figure 2: Building network design

The physical design of the current network has the following features:
 Buildings are connected via full-duplex 100BASE-FX Ethernet.
 Within buildings, 100-Mbps Ethernet switches are used.
 Every building is equipped with Category 5e cabling and wallplates in the various offices,
classrooms, and labs.
 The router in the Computing Center supports two 100BASE-TX ports and one T1 port with a
built-in CSU/DSU unit. The router has a redundant power supply.
 A centralized (star) physical topology is used for the campus cabling. Underground cable
conduits hold multimode fiber-optic cabling. The cabling is off-the-shelf cabling that consists of
30 strands of fiber with a 62.5-micron core and 125-micron cladding, protected by a plastic
sheath suitable for outdoor wear and tear.
 Figure 3 shows the cabling design of the campus network.
Figure 3: Campus Cabling Design

9. Traffic Characteristics of Network Applications


The student assistants in the IT department conducted an analysis of the traffic characteristics of
applications. The analysis methods included capturing typical application sessions with a protocol
analyzer, interviewing users about their current and planned uses of applications, and estimating the
size of network objects transferred on the network.
The students determined that the homework, email, web research, library card catalog, and college
management system applications have nominal bandwidth requirements and are not delay sensitive.
The other applications, however, use a significant amount of bandwidth, in particular a high percentage
of the WAN bandwidth to the Internet. The distance-learning application is also delay sensitive.
The users of the weather-modeling and telescope-monitoring applications want to expand their use of
these applications, but are currently hindered by the amount of bandwidth available to the Internet. The
graphics-upload application users are also hindered from sending large files in a timely fashion by the
shortage of bandwidth to the Internet.
The distance-learning application is an asymmetric (one-way) streaming-video application. The state
university uses digital video equipment to film the class lectures in real time and send the video stream
over the Internet, using the Real-Time Streaming Protocol (RTSP) and the Real-Time Transport Protocol
(RTP). The remote students do not send any audio or video data; they simply have the ability to send
text questions while the class is happening, using a chat room web page.
A user subscribes to the distance-learning class by accessing a web server at the state university,
entering a username and password, and specifying how much bandwidth the user has available. The
web page currently does not let a user specify more than 56 Kbps of available bandwidth.
At this time, the distance-learning service is a point-to-point system. Each user receives a unique 56-
Kbps video stream from the video system at the state university. For this reason, WVCC limits the
number of users who can access the distance-learning system to ten students who are located in the
Math and Sciences building.
In the future, the distance-learning system will support IP multicast technologies. In the meantime,
however, students and IT staff agree that a solution must be found for allowing more than ten students
to use the distance-learning system at one time.

10. Summary of Traffic Flows


The student assistants used their research about user communities, data stores, and application traffic
characteristics to analyze traffic flows. They represented cross-campus traffic flows in a graphical form,
which Figure 4 shows.

Figure 4: Cross-Campus Traffic Flow on WVCC Networks

In addition to the cross-campus traffic flows, the students documented traffic flows inside the library
and Computing Center and traffic flows to and from the Internet. Inside the library and Computing
Center, traffic travels to and from the various servers at about the following rates:
Traffic travels to and from the router that connects the campus network to the Internet at about the
following rates:

11. Performance Characteristics of the Current Network


From the analysis conducted by the student assistants and from switch, router, and server logs, the IT
department determined that bandwidth on the Ethernet campus network is lightly used. However,
three major problems are likely the cause of the difficulties that users are experiencing:
 The IP addressing scheme supports just one IP subnet with a subnet mask of 255.255.255.0. In
other words, only 254 addresses are allowed. A few years ago, the IT department assumed that
only a small subset of students and faculty would use the network at one time. This is no longer
the case. As use of the network grows and students place wireless laptops on the network, the
number of addresses has become insufficient. Users who join the network midmorning after
many other users have joined often fail to receive an IP address from the DHCP server.
 The 1.544-Mbps connection to the Internet is overloaded. Average network utilization of the
serial WAN link, measured in a 10-minute window, is 95 percent. The router drops about 5
percent of packets due to utilization peaks of 100 percent.
 The router itself is overloaded. The student assistants wrote a script to periodically collect the
output of the show processes CPU command. The assistants discovered that the 5-minute CPU
utilization is often as high as 90 percent and the 5-second CPU utilization often peaks at 99
percent, with a large portion of the CPU power being consumed by CPU interrupts. Using a lab
network, the assistants simulated actual network traffic going through a similar router with and
without access lists and NAT enabled. The assistants determined that the Internet router CPU is
overused not just because of the large amount of traffic but also because of the access lists and
NAT tasks.
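The student assistants' collection script is not reproduced on the page; the following is an added example (not the assistants' code) of how such a script could parse the header line of Cisco IOS "show processes cpu" output and flag the overload pattern the text describes. The thresholds and the sample output lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header line printed by Cisco IOS "show processes cpu". The value after the
# slash in the five-second figure is the share spent at interrupt level, which
# is where fast-path work such as access-list and NAT handling shows up.
_HDR = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)

@dataclass
class CpuSample:
    five_sec: int
    interrupt: int
    one_min: int
    five_min: int

    @property
    def process_level(self) -> int:
        # Part of the five-second figure attributable to scheduled processes.
        return self.five_sec - self.interrupt

def parse_cpu_sample(text: str) -> Optional[CpuSample]:
    """Extract the four percentages from one command output; None if absent."""
    m = _HDR.search(text)
    if not m:
        return None
    return CpuSample(*(int(g) for g in m.groups()))

def flag_overload(samples: List[CpuSample], five_min_limit: int = 80,
                  five_sec_limit: int = 95, interrupt_share: float = 0.6) -> List[int]:
    """Indices of samples showing sustained load, a short peak, or a peak that is
    mostly interrupt-level work (constructed thresholds, not values from the page)."""
    flagged = []
    for i, s in enumerate(samples):
        sustained = s.five_min >= five_min_limit
        peak = s.five_sec >= five_sec_limit
        irq_heavy = s.five_sec > 0 and s.interrupt / s.five_sec >= interrupt_share
        if sustained or peak or irq_heavy:
            flagged.append(i)
    return flagged

# Constructed sample output, not captures from the WVCC router.
SAMPLES = [
    "CPU utilization for five seconds: 12%/3%; one minute: 15%; five minutes: 14%",
    "CPU utilization for five seconds: 99%/85%; one minute: 92%; five minutes: 90%",
    "CPU utilization for five seconds: 70%/62%; one minute: 68%; five minutes: 66%",
    "Router#show processes cpu   (a line the parser must skip)",
]

def analyze(lines: List[str]) -> Tuple[List[CpuSample], List[int]]:
    """Parse every collected line and return (valid samples, flagged indices)."""
    samples = [s for s in (parse_cpu_sample(l) for l in lines) if s is not None]
    return samples, flag_overload(samples)

if __name__ == "__main__":
    samples, flagged = analyze(SAMPLES)
    for i, s in enumerate(samples):
        state = "OVERLOAD" if i in flagged else "ok"
        print(f"sample {i}: 5s={s.five_sec}% (interrupt {s.interrupt}%) "
              f"1m={s.one_min}% 5m={s.five_min}% -> {state}")
```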

12. Network Redesign of WVCC


Using a modular approach, the network administrators and student assistants designed the following
enhancements to the campus network:
 Optimized routing and addressing for the campus backbone that interconnects buildings,
provides access to the server farm, and routes traffic to the Internet
 Wireless access in all buildings, both for visitors and users of the private campus network
(students, faculty, and administrative staff)
 Improved performance and security on the edge of the network where traffic is routed to and
from the Internet
13. Optimized IP Addressing and Routing for the Campus Backbone
The network administrators and student assistants decided to keep the hierarchical, mesh logical
topology that their predecessors so wisely chose. However, to fix the IP addressing problems, a routing
module was added to each of the building high-end switches, essentially turning the switches into fast
routers. With this new approach, the administrators were able to subdivide the network logically into
multiple subnets. The administrators decided to stay with private addresses. They assigned the following
address ranges to the campus network:
 Server farm:192.168.1.1–192.168.1.254
 Library:192.168.2.1–192.168.2.254
 Computing Center:192.168.3.1–192.168.3.254
 Administration:192.168.4.1–192.168.4.254
 Business and Social Sciences:192.168.5.1–192.168.5.254
 Math and Sciences:192.168.6.1–192.168.6.254
 Arts and Humanities:192.168.7.1–192.168.7.254
 Users of the secure, private wireless network: 192.168.8.1–192.168.8.254 (This is a campus-wide
subnet that spans all buildings and outside grounds.)
 Users of the open, public wireless network: 192.168.9.1–192.168.9.254 (This is a campus-wide
subnet that spans all buildings and outside grounds.)
 The email and web servers use public addresses that the state community college network
system assigned to the college.
Instead of relying on the Layer 2 Spanning Tree Protocol for loop avoidance, the designers chose a
Layer 3 routing protocol. They chose Open Shortest Path First (OSPF) because it is not proprietary
and runs on many vendors’ routers, converges quickly, supports load sharing, and is moderately easy to
configure and troubleshoot.
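As an added example (not part of the case study), the addressing plan above can be checked mechanically before it is rolled out: the prefixes must not overlap, must stay in private space, and a wireless client must map to the same campus-wide segment wherever it roams. The segment names and the 400-client figure are constructed for the illustration.

```python
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional

# The ranges assigned in the redesign, expressed as /24 prefixes.
PLAN: Dict[str, IPv4Network] = {
    "server-farm":              IPv4Network("192.168.1.0/24"),
    "library":                  IPv4Network("192.168.2.0/24"),
    "computing-center":         IPv4Network("192.168.3.0/24"),
    "administration":           IPv4Network("192.168.4.0/24"),
    "business-social-sciences": IPv4Network("192.168.5.0/24"),
    "math-sciences":            IPv4Network("192.168.6.0/24"),
    "arts-humanities":          IPv4Network("192.168.7.0/24"),
    "private-wlan":             IPv4Network("192.168.8.0/24"),  # campus-wide
    "public-wlan":              IPv4Network("192.168.9.0/24"),  # campus-wide
}

# The original design: every device (except two public servers) in one subnet.
LEGACY = IPv4Network("192.168.1.0/24")

def validate_plan(plan: Dict[str, IPv4Network]) -> List[str]:
    """Return a list of problems: overlapping prefixes or non-private space."""
    problems = []
    names = list(plan)
    for i, a in enumerate(names):
        if not plan[a].is_private:
            problems.append(f"{a} is not private address space")
        for b in names[i + 1:]:
            if plan[a].overlaps(plan[b]):
                problems.append(f"{a} overlaps {b}")
    return problems

def usable_hosts(net: IPv4Network) -> int:
    # Network and broadcast addresses are not assignable to hosts.
    return net.num_addresses - 2

def total_capacity(plan: Dict[str, IPv4Network]) -> int:
    return sum(usable_hosts(n) for n in plan.values())

def segment_of(ip: str, plan: Dict[str, IPv4Network]) -> Optional[str]:
    """Segment an address belongs to, or None when it falls outside the plan.
    A private-WLAN client keeps the same answer in every building."""
    addr = ip_address(ip)
    for name, net in plan.items():
        if addr in net:
            return name
    return None

def dhcp_shortfall(net: IPv4Network, concurrent_clients: int) -> int:
    """Clients that cannot get a lease when one prefix backs the whole DHCP pool."""
    return max(0, concurrent_clients - usable_hosts(net))

if __name__ == "__main__":
    print("plan problems:", validate_plan(PLAN) or "none")
    print("legacy usable:", usable_hosts(LEGACY), "new total:", total_capacity(PLAN))
    print("legacy shortfall at 400 concurrent clients:", dhcp_shortfall(LEGACY, 400))
    print("192.168.8.77 belongs to", segment_of("192.168.8.77", PLAN))
```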

14. Wireless Network


The wireless enhancements to the network represented the biggest challenge due to biases and other
Layer 8 (nontechnical) issues. The IT department preferred a single solution that was extremely secure.
Many students and faculty wanted secure access to the campus network and support for visitors using
the wireless network to access the Internet.
The solution was to provide two access points in each building, with different security policies
implemented on them. An open access point in each building provides access for visitors, while a secure
access point in each building provides secure access for students, faculty, and staff. The open access
points are on a different channel from the other access points to avoid interference and boost
performance. The access points support IEEE 802.11n and each provides a nominal bandwidth of 600
Mbps.
From an IP addressing point of view, two separate subnets were used, as mentioned in the “Optimized
IP Addressing and Routing for the Campus Backbone” section—one for the secure, private wireless LAN
(WLAN) and one for the open, public WLAN. Each of these subnets is a campus-wide subnet. With this
solution, a wireless user can roam the entire campus and never require the lease of a new address from
the DHCP server.
In each building, a switch port on the routing switch connects the access point that supports the open
network. A different switch port connects the access point that supports the secure, private network.
Each of these switch ports is in its own VLAN. Another VLAN is used for the ports that connect wired
switches and users within the building.
The open access points are not configured for WEP or MAC address authentication, and the SSID is
announced in beacon frames so that users can easily associate with the WLAN. To protect the campus
network from users of the open WLAN, the routing switches are configured with access lists that
forward only a few protocols. Packets sent from users of the open WLAN to TCP ports 80 (HTTP), 25
(SMTP), and 110 (POP), and UDP ports 53 (DNS) and 67 (DHCP) are permitted. All other traffic is denied.
Some students and faculty wanted to support more protocols, but the IT department insisted that,
at least for now, these are the only supported protocols. This protects the network from security
problems and avoids visitors using too much bandwidth for other applications.
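The access-list policy for the open WLAN, written out as an added, vendor-neutral evaluator (not a configuration from the case study) so the rule set can be audited against sample flows before it goes on the routing switches. The Rule class, the explicit final deny, and the sample flows are constructed; only the five permitted services and the 192.168.9.0/24 source subnet come from the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Tuple

# Open (public) WLAN subnet from the addressing plan.
PUBLIC_WLAN = IPv4Network("192.168.9.0/24")
ANY = IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: IPv4Network
    dst_port: Optional[int]   # None matches any destination port

# The policy as stated on the page: forward only these five services from
# open-WLAN sources; everything else is denied (explicit final deny).
OPEN_WLAN_ACL: List[Rule] = [
    Rule("permit", "tcp", PUBLIC_WLAN, 80),   # HTTP
    Rule("permit", "tcp", PUBLIC_WLAN, 25),   # SMTP
    Rule("permit", "tcp", PUBLIC_WLAN, 110),  # POP
    Rule("permit", "udp", PUBLIC_WLAN, 53),   # DNS
    Rule("permit", "udp", PUBLIC_WLAN, 67),   # DHCP
    Rule("deny", "any", ANY, None),
]

def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_port: int) -> str:
    """First-match evaluation, the way a router access list behaves."""
    src = ip_address(src_ip)
    for rule in acl:
        if rule.proto not in ("any", proto):
            continue
        if src not in rule.src:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"  # implicit deny when nothing matched

# Constructed sample flows from an open-WLAN client (not captures from WVCC).
SAMPLE_FLOWS = [
    ("tcp", "192.168.9.20", 80),    # web page
    ("udp", "192.168.9.20", 53),    # name lookup
    ("udp", "192.168.9.20", 67),    # lease request
    ("tcp", "192.168.9.20", 443),   # HTTPS is not on the page's list
    ("tcp", "192.168.9.20", 53),    # DNS over TCP is not on the list either
    ("tcp", "192.168.9.20", 445),   # file sharing toward the server farm
    ("udp", "192.168.9.20", 5004),  # RTP media stream
]

def audit(acl: List[Rule], flows) -> List[Tuple[str, int, str]]:
    """Decision for every sample flow, for review of the policy's side effects."""
    return [(proto, port, evaluate(acl, proto, src, port)) for proto, src, port in flows]

if __name__ == "__main__":
    for proto, port, decision in audit(OPEN_WLAN_ACL, SAMPLE_FLOWS):
        print(f"{proto}/{port}: {decision}")
```

Running the audit makes the trade-off in the text concrete: with the list as written, HTTPS and DNS over TCP are denied alongside file sharing and media streams, which is what the IT department accepted "at least for now".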
The private access points implement many more security features. The SSID is hidden and not
announced in beacon frames. Although a determined user could still discover the SSID, removing it from
beacon packets hides it from the casual user and avoids confusing visitors, who see only the public SSID.
Students, faculty, and staff who want to use the private WLAN must know the private SSID and type it
into the configuration tool for their wireless adapters.
To protect the privacy of data that travels across the private WLAN, access points and clients will use Wi-
Fi Protected Access (WPA) and the Temporal Key Integrity Protocol (TKIP). The private access points are
also configured to use 802.1X and Lightweight Extensible Authentication Protocol (LEAP). Users of the
private WLAN must have a valid user ID and password. To accomplish user authentication, the IT
department will purchase a dedicated one-rack-unit (one-RU) hardened appliance that operates as a
centralized Remote Authentication Dial-In User Service (RADIUS) server for user authentication. They
chose an appliance rather than software for a generic PC platform to avoid security vulnerabilities found
in typical industry-standard operating systems. The appliance must be reliable and easy to configure and
troubleshoot.

15. Improved Performance and Security for the Edge of the Network
To fix the problems with high CPU utilization on the Internet router, the designers chose to break apart
the network functions of security and traffic forwarding. The Internet router will now focus on traffic
forwarding. The administrators reconfigured the router with a simpler list of access filters that provide
initial protection from intruders, and they removed NAT functionality from the router. Instead, a
dedicated firewall was placed into the topology between the router and the campus network. The
firewall provides security and NAT.
The IT department chose a one-RU appliance firewall with a hardened operating system that supports
OSPF routing, NAT, URL filtering, and content filtering. For now, four interfaces on the firewall will be
used. The outside interface will connect the Internet router; two inside interfaces will connect the
campus network; and the demilitarized zone (DMZ) interface will connect the email and web servers.
To fix the problem of high utilization on the WAN link to the Internet and the high incidence of packet
dropping, the WAN link was replaced with a 10-Mbps Metro Ethernet link. The IT department
discovered that a few service providers in the area were willing to bring in a single-mode fiber-optic link
and support Ethernet rather than a WAN protocol. The IT department ordered a 10/100BASE-FX
interface for the router and chose a service provider that offers a reasonable monthly charge and has a
good reputation for reliability. In addition, the provider makes it easy for its customers to upgrade to
more bandwidth. For example, if the college decides it needs a 100-Mbps Ethernet link, the college can
make a single phone call to the provider and the provider guarantees to make the change that day.
The IT department also factored into the choice of provider the experience level and knowledge of the
installation and support staff. In particular, the provider’s network engineers had many practical ideas
for addressing redundancy for future network designs. Figure 5 shows the new design for the WVCC
campus network.
Although the network design in the example is simple, and some decisions were more obvious than they
would be for a more complex design, the example demonstrated the use of the following top-down
network design steps:
Step 1. Analyze requirements, including both business and technical goals, and any “workplace politics”
that are relevant to technology choices.
Step 2. Characterize the existing network.
Step 4. Analyze traffic flows.
Step 5. Choose a logical topology.
Step 6. Select building access technologies.
Step 7. Select campus-backbone technologies.
Step 8. Select Internet connectivity technologies.
Step 9. Select security solutions.

Figure 5: Enhanced Network Topology

16. References:
Priscilla Oppenheimer, “Top-Down Network Design: A Systems Analysis Approach to Enterprise
Network Design”, Cisco Press, third edition, 2011.
