Last month, I talked about media network design, primarily from an architectural point of view. This month, we will look at hardware to support professional media networks.
Hardware for professional media networks
Let's start by looking at Figure 1, a more complete version of the diagram from last month's article.
As Figure 1 shows, the typical media facility has three distinct areas: the business office, media production and the on-air core. Typically, the majority of network traffic flows between computers in the same department, or between those computers and the Internet. But some traffic also flows between departments. Let's take a look at some of the key network components in this high-level diagram.
Three hardware devices are typically used to connect computers together: hubs, switches and routers. Hubs echo whatever comes in on one port to all the other ports on the device. The hub makes no attempt to read the source or destination addresses of the packets. Hubs have largely been replaced by switches and routers. Switches are used to connect computers together into a network. A switch looks at the destination address of a packet and switches that packet to the appropriate port. It does not send all incoming traffic to all ports as a hub does. Also, a switch can carry traffic across several ports at the same time, which makes switches faster than hubs.
You may recall that when using IP over Ethernet, packets carry two addresses: the Ethernet network interface card (NIC) address and the computer's IP address. Switches that forward based on NIC addresses are called Layer 2 switches; Ethernet operates at Layer 2 of the Open Systems Interconnection (OSI) seven-layer model. Switches that forward based on IP addresses are called Layer 3 switches. (See Figure 2.)
Switches can direct packets to computers on the same logical network, but they cannot direct packets across networks. For example, if you have two computers connected to a single switch, and one computer has an IP address of 192.168.0.2 and the other has an IP address of 192.168.1.3 (given a netmask of 255.255.255.0), the two computers will not be able to communicate with each other. This is by design. The two computers are on separate logical networks, even if they are connected together through the switch. The only way to get two computers on different networks to communicate is to use a router.
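The rule in the previous paragraph comes down to a single bitwise operation: each host ANDs its IP address with the netmask to get its network address, and only hosts with the same network address will talk to each other directly; anything else has to go to a router. The script below is an added example, not part of the original article; it uses the article's two addresses and netmask as constructed input and cross-checks the hand-rolled calculation against Python's standard `ipaddress` module.

```python
import ipaddress

# Constructed input taken from the article's scenario: two hosts on one
# switch, both configured with a 255.255.255.0 netmask.
HOST_A = "192.168.0.2"
HOST_B = "192.168.1.3"
NETMASK = "255.255.255.0"


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string into a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Convert a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(host: str, netmask: str) -> str:
    """The network address is the host address ANDed with the mask."""
    return int_to_ip(ip_to_int(host) & ip_to_int(netmask))


def same_logical_network(host_a: str, host_b: str, netmask: str) -> bool:
    """True when both hosts land on the same network address under this mask."""
    return network_address(host_a, netmask) == network_address(host_b, netmask)


def needs_router(host_a: str, host_b: str, netmask: str) -> bool:
    """A Layer 2 switch alone cannot join hosts on different logical networks."""
    return not same_logical_network(host_a, host_b, netmask)


def check_with_stdlib(host_a: str, host_b: str, netmask: str) -> bool:
    """Cross-check the bitwise result with the standard library's ipaddress module."""
    net_a = ipaddress.ip_interface(f"{host_a}/{netmask}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{netmask}").network
    return net_a == net_b


if __name__ == "__main__":
    for mask in (NETMASK, "255.255.0.0"):
        print(f"netmask {mask}:")
        print(f"  {HOST_A} is on network {network_address(HOST_A, mask)}")
        print(f"  {HOST_B} is on network {network_address(HOST_B, mask)}")
        print(f"  router required: {needs_router(HOST_A, HOST_B, mask)}")
```

Running it shows that with the article's /24 mask the two hosts sit on 192.168.0.0 and 192.168.1.0 and need a router, while widening the mask to 255.255.0.0 would put both on 192.168.0.0 and let the switch carry the traffic; that second case is the usual cause of "it works on one subnet but not the other" complaints, and the calculation is the first thing to check.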
Routers connect networks together. For example, a router allows a computer in the facility to access the Internet. In fact, that is exactly what the wide area network (WAN) router at the right of Figure 1 does.
Firewalls keep undesirable network traffic from passing through the device. Firewalls are frequently combined with routers in a single device. It is important to note that the default configuration for commercial firewalls is that all traffic is blocked, and that during configuration, the network engineer specifies exactly which type of traffic is allowed to cross.
Another device that figures prominently in the facility diagram is the virtual private network (VPN) gateway. The VPN gateway allows remote hosts to connect to the network, just as if they were physically present in the facility. In this case, there are two VPNs: one used for business office people operating remotely and another used by remote production houses to exchange content with the facility. In this drawing, the VPN gateways are shown to be connected to the switches in the respective departments, but in actuality, these VPNs would typically be configured as part of the WAN router.
Finally, Figure 1 shows two wireless routers. One provides wireless connectivity for guests, and one is used for in-house business network connectivity. Note that these are also combination devices, combining the functionality of a wireless access point (the radio-to-computer device) and a router.
There are a couple of guiding principles we covered in last month's article that will help explain the network design:
- Media networks and business networks should not be mixed.
- Careful attention should be paid to routers to ensure that network traffic goes where it should and does not go where it should not.
Moving from left to right in the network diagram, you go from the Internet, to the office environment, to the media environment. In the business environment, the network traffic is generated almost exclusively by conventional office applications: Web browsing, office document exchange and database lookups. Moving to the production environment, still image, motion video and audio file transfers predominate. By the time you move into on-air operations, playlist transfers, program logs, automation commands and video file transfers become the norm. Increasingly, real-time messaging from media services is traversing these networks as well. It is clear that the network traffic in on-air operations is vastly different from that of the office environment.
The network in Figure 1 is configured to segment network traffic, keeping office traffic in the office network and critical on-air network traffic in the on-air network. Core switches are in each operational area, providing fast switching speeds for departmental traffic. Firewall routers are configured at each departmental boundary, allowing connectivity between departments. However, security becomes more tightly controlled as you move to the right in the diagram. Having several firewall routers allows the network engineers to carefully control the traffic traversing each network boundary. In a worst-case scenario, the on-air network can be physically disconnected from all other networks in the facility.
The demilitarized zone (DMZ) shown at the lower right of Figure 1 is an area effectively outside of the corporate firewall. This provides Internet connectivity for Web and streaming servers that are likely to be attractive to hackers. Keeping these servers outside of the corporate firewall provides a degree of security in the event that these servers are compromised. In many cases, guests visiting a facility require unrestricted wireless access to the Internet. Having these unsecured computers inside the corporate firewall represents a security risk, so these wireless routers are typically located in a DMZ. Normally, a second secure in-house wireless router is provided for employee access to the local network. Also, typically a firewall would be incorporated between the WAN router and the DMZ, but this has been omitted to simplify the drawing.
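The default-deny firewall policy described earlier, the per-boundary firewall routers of the segmented design and the DMZ placement of the public servers and guest wireless can all be expressed as one small rule table and checked before anything is deployed. The script below is an added example and is not the article's own configuration: the addressing plan for the office, production, on-air and DMZ segments is hypothetical (the article gives no addresses), and the protocols chosen for inter-departmental traffic (HTTPS for document exchange, SFTP for video file transfer) are assumptions. It evaluates sample flows against the rules and, just as the article says a commercial firewall does, blocks anything not explicitly listed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hypothetical addressing plan for the article's segments (constructed; the
# article gives no addresses). Most specific zones first, catch-all last.
ZONES = [
    ("on-air",     ipaddress.ip_network("10.30.0.0/16")),
    ("production", ipaddress.ip_network("10.20.0.0/16")),
    ("office",     ipaddress.ip_network("10.10.0.0/16")),
    ("dmz",        ipaddress.ip_network("192.0.2.0/24")),   # Web/streaming servers, guest wireless
    ("internet",   ipaddress.ip_network("0.0.0.0/0")),      # anything not in the facility
]


def zone_of(ip: str) -> str:
    """Map an address to the segment it lives in."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    raise ValueError(f"no zone for {ip}")  # unreachable: the /0 catches everything


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "any"
    ports: FrozenSet[int]    # empty set means any destination port
    action: str
    note: str

    def matches(self, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
        return (self.src == src_zone and self.dst == dst_zone
                and self.proto in ("any", proto)
                and (not self.ports or port in self.ports))


# Only the traffic the network engineer has explicitly approved. The
# application choices are assumptions, not the article's.
RULES: List[Rule] = [
    Rule("office", "internet", "tcp", frozenset({80, 443}), "allow", "office Web browsing"),
    Rule("office", "production", "tcp", frozenset({443}), "allow", "document exchange (assumed HTTPS)"),
    Rule("production", "on-air", "tcp", frozenset({22}), "allow", "video file transfer (assumed SFTP)"),
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "allow", "public Web and streaming servers"),
    Rule("dmz", "internet", "any", frozenset(), "allow", "guest wireless Internet access"),
]

DEFAULT = ("deny", "default deny: no rule permits this flow")


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; traffic within one zone never crosses a firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic stays on the {src_zone} core switch"
    for rule in RULES:
        if rule.matches(src_zone, dst_zone, proto, port):
            return rule.action, rule.note
    return DEFAULT


def reachable_zones(src_zone: str) -> List[str]:
    """Audit helper: which zones can a given zone initiate traffic into?"""
    return sorted({r.dst for r in RULES if r.src == src_zone and r.action == "allow"})


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.9 stands in for an Internet host.
    samples = [
        ("10.10.1.5",   "203.0.113.9", "tcp", 443),  # office user browsing the Web
        ("203.0.113.9", "192.0.2.10",  "tcp", 80),   # viewer reaching the DMZ Web server
        ("203.0.113.9", "10.30.1.10",  "tcp", 22),   # Internet host probing on-air
        ("192.0.2.50",  "10.10.1.5",   "tcp", 445),  # guest laptop reaching into the office
        ("10.10.1.5",   "10.30.1.10",  "tcp", 22),   # office user reaching on-air directly
        ("10.20.1.1",   "10.30.1.10",  "tcp", 22),   # production pushing a file to on-air
    ]
    for src, dst, proto, port in samples:
        action, why = evaluate(src, dst, proto, port)
        print(f"{src:>13} -> {dst:<13} {proto}/{port:<5} {action:5} ({why})")
    for name, _ in ZONES:
        print(f"{name} may initiate traffic into: {reachable_zones(name) or 'nothing'}")
```

The audit helper is the useful part in practice: it shows at a glance that nothing in the table lets the on-air zone initiate traffic anywhere, that the DMZ can reach only the Internet, and that office users have to go through production rather than straight into on-air, which is exactly the left-to-right tightening the article describes. Any real firewall configuration should be checked the same way before it is trusted.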
Brad Gilmer is president of Gilmer & Associates, executive director of the Advanced Media Workflow Association and executive director of the Video Services Forum.
Figure 2. Network layers, from the top down:
- User applications (e.g. Web browser)
- Application protocols (e.g. HTTP)
- Layer 4: Transmission Control Protocol (TCP)
- Layer 3: Internet Protocol (IP)
- Layer 2: Data link services (Ethernet)
- Layer 1: Physical network (fiber or UTP)