Network design standards
Overview
An architecture based on hardware, software, and service components most commonly used by small-office/home-office (SOHO) networks is proposed throughout the Networking document. ECE Services proposing to establish client/server networks should refer to the Ministry’s Policy and Guidelines for Schools. SOHO networks typically utilise a single device which combines broadband modem/router/firewall facilities with a few Fast Ethernet ports, with or without a wireless access point. To the SOHO user the advantage of such a device, which is often provided by the internet service provider, is that the setup is managed by a built-in software wizard, and services such as NAT, DHCP, SPI, and VPN, which home users need not understand in detail, are provided automatically.
Please refer to the downloadable diagram on this page to see Figure 1 - Simple Home Network.
Small offices or organisations with special requirements may construct networks with separate devices to provide the necessary facilities. This provides the flexibility for them to configure their systems to meet their particular needs.
Please refer to the downloadable diagram on this page for Figure 2 - Simple Peer to Peer Network (showing component parts).
Network Access
Fixed (wired) Access
Wired networks, based on the Ethernet networking protocol, connect computers together to share services such as printers and an internet connection with an eight-wire cable. Properly installed wired networks are highly reliable, very secure, and extremely fast. They perform many times faster than wireless networks and should be used for desktop computers and may be used whenever possible for laptop computers.
Concealed wires are terminated in standard RJ45 wall sockets and standard work-area cords are used to connect computers to the wired network infrastructure.
Personal computers wanting to connect to the network by cable connection should use a Network Interface Card of the following minimum specification:
- Full duplex 10BASE-T (10Mbps), and 100BASE-TX (100Mbps)
- 10/100Mbps auto-sensing
- 32-bit PCI bus master operation, or an equivalent 32-bit CardBus adapter for laptops without a built-in interface
- Low Ethernet command processing overhead
- Easy-to-view diagnostic LEDs
- RJ45/UTP connector
- Supports Windows XP driver
Wireless Network Interface
Laptops wanting to connect to the network will require a Wireless Network Interface Card. Most laptops are supplied complete with an IEEE 802.11g (54Mbps) wireless network interface. For laptops without a built-in wireless interface card, two card configurations are available for purchase; select either USB or CardBus Type II Slot configuration.
Cards with the following minimum specification should be used:
- IEEE 802.11g (54Mbps) (backwards compatibility with 802.11b desirable)
- USB 2.0 for USB adapters, 32-bit CardBus for Type II slot configuration
- Supports 64/128-bit WEP, WPA/WPA2-PSK data encryption
- Certified by FCC Class B, CE, C-Tick, IC, Wi-Fi Alliance
- Supports Windows XP
- Integrated antenna (dual antenna with diversity switching desirable)
Both Apple Mac and Windows-based computers can share a common wireless access point because both types of computer use the IEEE 802.11b or 802.11g wireless standard to connect wirelessly at data rates up to a maximum 54Mbps.
Ethernet Switching
Combined network devices which include broadband modem, router/firewall, and a few (up to five) Fast Ethernet switch ports may provide a viable option for the smallest of installations. However, it is likely that a separate Fast Ethernet switch of about eight ports will be required in most ECE Services.
Basic Layer 2 models are typically fixed-configuration, non-blocking switches with eight to 48 ports for creating cost-effective LANs with high performance and functionality. An Ethernet switch with 10/100Mbps auto-sensing and auto-negotiating ports which support QoS for prioritising different traffic streams is recommended.
Models with one modular or fixed uplink interface which supports Gigabit Ethernet transmission over Category 5 or higher copper cable for server connection may be considered.
The following minimum specification is recommended:
- Plug and play installation for SOHO workgroups
- 10/100Mbps auto-sensing, auto-negotiation for every port
- Totally non-blocking switching backplane
- Standards:
  - IEEE 802.3 10BASE-T Ethernet
  - IEEE 802.3u 100BASE-TX Fast Ethernet
  - ANSI/IEEE 802.3 auto-negotiation
  - IEEE 802.3x Flow Control
  - IEEE 802.1P QoS with 4 queues (desirable)
- Fast Ethernet: 100Mbps (half-duplex), 200Mbps (full-duplex)
- Auto MDI/MDIX crossover per port
- LED Link/Activity reporting per port
- Broadcast storm protection.
- Remote/local management by web-based interface
- IGMP Snooping for Intelligent Multicast distribution (to reduce the load on the network and provide a sustainable service for video streaming).
Router/Firewall
No computer should be connected directly to a network, and particularly the internet, without a Firewall in place. Connection to the internet requires strict security procedures to be implemented. The heart of the security system in small networks is the Firewall-Router. A device is required which provides:
- Firewall services for Stateful Packet Inspection (SPI), hacker attack logging for Denial of Service (DoS) attack protection, and packet filtering based on port and source/destination MAC/IP addresses for access control; and
- A DHCP server to establish network addresses for users, and NAT to permit safe and simultaneous access to the internet.
A combined ADSL modem-router with firewall protection and a single Ethernet port to connect to an Ethernet switch will be sufficient for most SOHO networks.
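As an added illustration, not part of this document or of any vendor's firmware, the following Python model shows how the three firewall behaviours listed above (SPI session tracking, port- and MAC-based packet filtering, and logging of unsolicited traffic for DoS detection) combine to decide whether a packet is forwarded. The class and function names, the addresses, and the DoS alert threshold are constructed for the example.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass, field

# direction is "out" (LAN to internet) or "in" (internet to LAN); src_mac is only set on LAN-originated packets
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port src_mac", defaults=[""])

@dataclass
class SpiFirewall:
    allowed_lan_macs: set            # MAC-based access control on the LAN side
    blocked_outbound_ports: set      # port-based packet filtering
    dos_threshold: int = 3           # unsolicited hits from one source before an alert is logged (assumed value)
    sessions: set = field(default_factory=set)
    unsolicited: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)

    def filter(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if p.direction == "out":
            if p.src_mac not in self.allowed_lan_macs:
                self.log.append(f"DROP out: unknown MAC {p.src_mac}")
                return False
            if p.dst_port in self.blocked_outbound_ports:
                self.log.append(f"DROP out: port {p.dst_port} filtered")
                return False
            # SPI: remember the session the LAN opened so its replies are let back in
            self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        # Inbound: forward only replies to a session the LAN initiated
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions:
            return True
        self.unsolicited[p.src_ip] += 1
        self.log.append(f"DROP in: unsolicited {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
        if self.unsolicited[p.src_ip] == self.dos_threshold:
            self.log.append(f"ALERT: possible DoS, {self.dos_threshold} unsolicited packets from {p.src_ip}")
        return False

def demo():
    # Constructed example traffic; these addresses are illustrative, not real hosts
    pc, mac, web, probe = "192.168.1.10", "00:11:22:33:44:55", "203.0.113.5", "198.51.100.7"
    fw = SpiFirewall(allowed_lan_macs={mac}, blocked_outbound_ports={23})
    results = [
        fw.filter(Packet("out", pc, 50000, web, 80, mac)),    # True: web request leaves
        fw.filter(Packet("in", web, 80, pc, 50000)),           # True: matching reply returns
        fw.filter(Packet("out", pc, 50001, web, 23, mac)),     # False: telnet port filtered
        fw.filter(Packet("out", pc, 50002, web, 80, "de:ad:be:ef:00:01")),  # False: unknown MAC
    ]
    # Three unsolicited inbound probes from one internet host: all dropped, the third logs the alert
    results += [fw.filter(Packet("in", probe, 4444, pc, 3389 + i)) for i in range(3)]
    return results, fw.log
```

Running `demo()` returns the per-packet forward/drop decisions alongside the firewall's log, which is the kind of record the DoS protection and access-control logging in the specification above is meant to produce.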
The following minimum specification is recommended:
Interfaces:
- RJ11 ADSL port
- RJ45 10/100BASE-TX Fast Ethernet port with auto MDI/MDIX
ADSL Modem Standards (to meet ISP service delivery requirements):
- ADSL1 over POTS (G.992.1 Annex A and ANSI T1.413 Issue 2)
- ADSL2 over POTS – G.992.3 Annex A
- READSL2 over POTS – G.992.3 Annex L (M1)
- ADSL2plus over POTS – G.992.5 Annex A
- 16Mbps downstream, 600kbps upstream
- 24Mbps downstream, 1.2Mbps upstream (preferred)
ATM & PPP Protocols:
- ATM Adaptation Layer Type 5 (AAL5)
- Bridged or routed Ethernet encapsulation
- VC and LLC based multiplexing
- PPP over Ethernet (PPPoE)
- PPP over ATM (RFC 2364)
- Classical IP over ATM (RFC 1577)
- OAM F4/F5
Router - Network Protocols and Features:
- NAT
- Static Routing
- RIP v.1, v.2
- Dynamic Domain Name System (DDNS)
- Virtual Server & DMZ
- SNTP, DNS relay and IGMP proxy
Firewall - Access Security:
- Stateful Packet Inspection (SPI)
- DoS attacks prevention
- Packet filtering
- VPN - PPTP/IPSec tunnel pass-through
Configuration /Management:
- Installation setup wizard
- Web-based GUI for local management
- Telnet server for remote management
- SNMP v.1, v.2c support with built-in MIB-II (RFC 1213)
- DHCP client/server/relay
Peer to Peer Networking
Peer to peer (P2P) programs are applications that users run on personal computers with the intention of sharing files with other users connected to a network, and forming file-sharing communities. Members of the community can then search for and share files with the rest of the community. P2P networking is commonly used for sharing music files, pictures, and other documents. Communities can span both private and public (internet) networks.
P2P networking across the internet is not without risk. Exposure to inappropriate content, viruses, spyware, and breach of copyright, is commonplace and downloaded files are often not what they purport to be in the filename or file description. However, within a private network, the benefits far outweigh potential risks when properly managed.
To enable computers connected to a private P2P network to “talk to each other” and share files and peripheral devices such as CD drives and printers, each computer must be given a unique network (IP) address – like a telephone number. The IP addresses are automatically allocated by a server or other device running DHCP. In ECE networks it is most likely that IP addresses are managed by the router.
The administrator, or owner, of each computer controls what files and peripheral devices other network users are able to see and access. This most important aspect of data security setup is covered in more detail in the companion document: ICT Infrastructure Security.
It is recommended that a centralised and physically secure computer be used as a repository for important and sensitive business information. Such information will include but not necessarily be limited to:
- Service administration and business information files
- Children’s private details
- Important learning materials
- Children’s learning portfolios
The central computer could also be used to collect and distribute antivirus profiles and other security updates for connected computers to avoid each one having to download individual copies.
Network Operating System
The physical components of an Ethernet network are compatible with computers that use many different operating systems such as Microsoft Windows (XP, Vista), Mac OS X, and Linux. It is possible to connect all of these computers to the same physical network, which may be wired or wireless.
Because most personal computers are sold with an installed operating system (Microsoft Windows or Apple Mac OS), and it is actually quite difficult to buy a personal computer without an operating system, networking based on one of these most commonly used systems is recommended. Peer to peer workgroups (no server) using either operating system are likely to be adequate for most ECE Services. Advances within Apple’s OS X operating system now simplify the process of connecting Windows XP and Macs on the same network, allowing both types of personal computer to share files and storage devices.
Unless the network of computers is made up entirely of Apple Macs, it is likely that the file sharing community or workgroup will use Windows XP to establish the workgroup and determine access rights to each other’s files. All users will be able to share central resources according to the permissions afforded them and to access the internet via the internet gateway.
A “ready-made” workgroup operating system (Windows Home Server) which automatically configures a central computer and connected users is available in New Zealand.
A workgroup is best understood as a peer-to-peer network. That is, each computer is self-sufficient on its own. It has its own user list, its own access control and its own resources. In order for a user to access resources on another workgroup computer, that exact user must be set up on the other computer.
Workgroups offer little security outside of basic access control. Windows “share permissions” are very basic and offer little granularity for “who” can access “what”.
Workgroups are more than adequate, though, for most SOHO users.