Top-Down Network Design
Chapter Five: Designing a Network Topology
Original slides copyright by Cisco Press & Priscilla Oppenheimer

Network Topology Design Issues
- Hierarchy
- Redundancy
- Modularity
- Well-defined entries and exits
- Protected perimeters

Why Use a Hierarchical Model?
- Reduces workload on network devices
- Avoids devices having to communicate with too many other devices (reduces CPU adjacencies)
- Constrains broadcast domains
- Enhances simplicity and understanding
- Facilitates changes
- Facilitates scaling to a larger size
Hierarchical Network Design (figure: an Enterprise WAN Backbone at the Core Layer; Campus A, Campus B and Campus C, with the Campus C Backbone, at the Distribution Layer; Building C-1 and Building C-2 at the Access Layer)

Hierarchical Design Model
- A core layer of high-end routers and switches that are optimized for availability and speed
- A distribution layer of routers and switches that implement policies and segment traffic
- An access layer that connects users via hubs, switches, and other devices
- In small and medium-sized organizations, the core and distribution layers can be combined

Why Use a Hierarchical Network Design Model?
- Minimize the workload required of the CPUs on the devices when devices communicate with many other devices (broadcast packets)
- Minimize the CPU workload required for routers to communicate with many other routers and process numerous route advertisements
- Minimize costs by avoiding spending money on unnecessary features for a layer
- Accurate capacity planning within each layer of the hierarchy, thus reducing wasted bandwidth
- Network management systems can be distributed to the different layers of a modular network architecture to control management costs
- Modularity enables you to keep each design element simple and easy to understand
- Hierarchical design facilitates changes
Flat Versus Hierarchy (figure: two topologies for a headquarters in Medford with branch offices in Grants Pass, Klamath Falls and Ashland; the Flat Loop Topology connects them in a ring, while the Hierarchical Redundant Topology adds a White City Branch Office and attaches the branches to headquarters through redundant links)

Mesh Designs (figure: a Partial-Mesh Topology and a Full-Mesh Topology)
- Good reliability, but
- Expensive, hard to optimize, troubleshoot, upgrade
- Have scalability limits for groups of routers that broadcast routing updates or service advertisements
- Rule of thumb: broadcast traffic < 20% of the traffic on each link, which limits the number of adjacent routers

A Partial-Mesh Hierarchical Design (figure: Headquarters at the Core Layer, Regional Offices at the Distribution Layer, Branch Offices at the Access Layer)

A Hub-and-Spoke Hierarchical Topology (figure: Corporate Headquarters as the hub, with Branch Offices and a Home Office as spokes)
Core layer
- Redundant components: for high reliability and quick adaptation to changes
- Low latency: avoid packet filtering that slows down the handling of packets
- Limited and consistent diameter: for predictable performance
- The core layer should include one or more links to external networks (e.g. the Internet): avoid regional or branch office extranet links

Distribution layer
- Connects the access and core layers
- Controls access to resources for security reasons
- Controls network traffic that traverses the core for performance reasons
- Allows the core layer to connect to sites that run different protocols (e.g. redistribute between bandwidth-intensive routing protocols (IGRP) and optimized core routing protocols (EIGRP))
- Summarizes routes from the access layer and hides detailed topology information from the core layer
- Offers default routes to access layer routers and runs dynamic routing protocols when communicating with core layer routers

Access Layer
- Provides users on local segments access to the internetwork
- The access layer networks may include many different technologies (LAN, WLAN, WAN)

Avoid Chains and Backdoors (figure: Core Layer, Distribution Layer, Access Layer)
- Chain: a fourth layer created by adding a branch office behind a nearby branch office
- Backdoor: an extra router connecting networks in the same layer, causing unexpected routing and switching problems

How Do You Know When You Have a Good Design?
- When you already know how to add a new building, floor, WAN link, remote site, e-commerce service, and so on
- When new additions cause only local change, to the directly connected devices
- When your network can double or triple in size without major design changes
- When troubleshooting is easy because there are no complex protocol interactions to wrap your brain around
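The chain and backdoor problems from the previous slide can be caught mechanically before a topology is built. The checker below is an added example, not code from the slides or from Cisco; the layer labels, the rule that any access-to-access link is suspect, and the sample topology (core1, dist1, dist2, acc1 to acc4) are my own constructed assumptions. It classifies an access-to-access link as a chain when one endpoint has no distribution uplink of its own (it now hangs off its peer, a fourth layer) and as a backdoor when both endpoints already have distribution uplinks, and it also reports any device more than two hops from the core.

```python
# Added example (not from the slides): flag chains and backdoors in a
# three-layer hierarchical topology. Rules are my reading of the slide.
from collections import deque

LAYERS = ("core", "distribution", "access")

# Constructed sample topology: acc4 hangs off acc2 (a chain) and acc1 and
# acc3 are linked directly (a backdoor between two access networks).
EXAMPLE_DEVICES = {
    "core1": "core",
    "dist1": "distribution", "dist2": "distribution",
    "acc1": "access", "acc2": "access", "acc3": "access", "acc4": "access",
}
EXAMPLE_LINKS = [
    ("core1", "dist1"), ("core1", "dist2"),
    ("dist1", "acc1"), ("dist1", "acc2"), ("dist2", "acc3"),
    ("acc2", "acc4"),   # chain: acc4's only uplink is another access device
    ("acc1", "acc3"),   # backdoor: extra path between two access networks
]

def check_hierarchy(devices, links):
    """devices: {name: layer}; links: undirected (a, b) pairs.
    Returns chains, backdoors, hop depth from the core and devices too deep."""
    for name, layer in devices.items():
        if layer not in LAYERS:
            raise ValueError(f"{name}: unknown layer {layer!r}")
    adj = {d: set() for d in devices}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)

    def has_uplink(dev):
        return any(devices[n] == "distribution" for n in adj[dev])

    chains, backdoors = [], []
    for a, b in links:
        if devices[a] == devices[b] == "access":
            if has_uplink(a) and has_uplink(b):
                backdoors.append((a, b))
            else:
                # the endpoint without its own uplink depends on its peer
                dependent, peer = (b, a) if has_uplink(a) else (a, b)
                chains.append((dependent, peer))

    # Breadth-first hop count from every core device; core=0, distribution=1,
    # access=2, so anything at depth 3 or more is an unplanned fourth layer.
    depth, queue = {}, deque()
    for d, layer in devices.items():
        if layer == "core":
            depth[d] = 0
            queue.append(d)
    while queue:
        d = queue.popleft()
        for n in adj[d]:
            if n not in depth:
                depth[n] = depth[d] + 1
                queue.append(n)
    too_deep = [d for d, h in depth.items() if h > 2]
    return {"chains": chains, "backdoors": backdoors,
            "depth": depth, "too_deep": too_deep}

if __name__ == "__main__":
    for key, value in check_hierarchy(EXAMPLE_DEVICES, EXAMPLE_LINKS).items():
        print(f"{key}: {value}")
```

Feed it the device inventory and link list from a design document; a clean three-layer design returns empty `chains`, `backdoors` and `too_deep` lists.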
Campus Topology Design
- Use a hierarchical, modular approach
- Minimize the size of bandwidth domains
- Minimize the size of broadcast domains
- Provide redundancy to meet availability requirements, with load sharing or load balancing; the redundant element could be a core router, a switch, a link between two switches, Internet connectivity, a WAN trunk, or mirrored servers
- Backup path issues: how much capacity, how quickly the network will begin to use it, manual or automatic reconfiguration
- Load sharing across parallel links allows two or more interfaces to share the traffic load

Campus Network Design Topology
- Server farm (application, email, print, file, DNS services)
- Network management module (monitoring, logging, troubleshooting)
- Edge distribution module for connectivity to the rest of the world
- Campus infrastructure module:
  - Building access submodule: consists of end-user hosts and IP phones connected to switches or wireless APs; provides network access, protocol filtering, and marking of packets for QoS features
  - Building distribution submodule: aggregates wiring and provides connectivity to the campus backbone; provides routing, QoS and access control to meet security and performance requirements; redundancy and load sharing are recommended
  - Campus backbone: interconnects the building access and distribution submodules with the server farm, network management and edge distribution modules; redundant and fast converging; high-speed routers with QoS and security features
A Simple Campus Redundant Design (figure: Host A on LAN X and Host B on LAN Y, with Switch 1 and Switch 2 both connecting LAN X to LAN Y)

Bridges and Switches Use Spanning-Tree Protocol (STP) to Avoid Loops (figure: the same two-switch topology, with the path through one switch marked X, i.e. blocked)

Bridges (Switches) Running STP
- Participate with other bridges in the election of a single bridge as the Root Bridge (lowest Bridge ID wins; priorities can be defined to control the process)
- Calculate the distance of the shortest path to the Root Bridge and choose a port (known as the Root Port) that provides the shortest path to the Root Bridge
- For each LAN segment, elect a Designated Bridge and a Designated Port on that bridge. The Designated Port is the port on the LAN segment that is closest to the Root Bridge. (All ports on the Root Bridge are Designated Ports.)
- Select bridge ports to be included in the spanning tree. The ports selected are the Root Ports and Designated Ports. These ports forward traffic; other ports block traffic.
- Switch port states during the convergence process: Blocking (receives BPDUs only), Listening (builds the spanning tree), Learning (builds the switching table), Forwarding (receives and sends data)

Default IEEE 802.1D costs
Link Speed    Recommended IEEE 802.1D Cost
4 Mbps        250
10 Mbps       100
16 Mbps       62
100 Mbps      19
1 Gbps        4
10 Gbps       2
Elect a Root Bridge (figure: Bridge A, ID = 80.00.00.00.0C.AA.AA.AA; Bridge B, ID = 80.00.00.00.0C.BB.BB.BB; Bridge C, ID = 80.00.00.00.0C.CC.CC.CC; each bridge has Port 1 and Port 2; LAN Segment 1, LAN Segment 2 and LAN Segment 3 are 100-Mbps Ethernet, each with Cost = 19. Lowest Bridge ID wins: Bridge A is the Root Bridge.)

Determine Root Ports (figure: same topology. Lowest cost wins: Port 1 on Bridge B and Port 1 on Bridge C are the Root Ports.)

Determine Designated Ports (figure: same topology. Port 1 and Port 2 on Root Bridge A are Designated Ports on LAN Segment 1 and LAN Segment 2. On LAN Segment 3, lowest Bridge ID wins: Port 2 on Bridge B is the Designated Port.)

Prune Topology into a Tree! (figure: same topology. Port 2 on Bridge C is marked X: it is the Blocked Port. Root Ports and Designated Ports forward.)

React to Changes (figure: same topology. The Designated Port on LAN Segment 3 becomes disabled; the Blocked Port on Bridge C transitions to the Forwarding State.)
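The five figures above walk through one 802.1D computation by hand; the model below is an added example (not code from the slides or from any switch vendor) that performs the same steps for the three-bridge topology and then replays the "React to Changes" failure. The port attachments are my reading of the figures: A port 1 and B port 1 share LAN Segment 1, A port 2 and C port 1 share LAN Segment 2, B port 2 and C port 2 share LAN Segment 3, and every port cost is the 100-Mbps default of 19. The function is general: it also handles the case the slides do not draw, a failure of a Root Bridge port, where root path costs change rather than just the designated bridge on one segment.

```python
# Added example (not from the slides): root bridge election, root port and
# designated port selection for a bridged topology, then a port failure.
from dataclasses import dataclass, field

@dataclass
class Port:
    number: int
    segment: str
    cost: int = 19              # IEEE 802.1D default cost for 100 Mbps
    enabled: bool = True

@dataclass
class Bridge:
    name: str
    bridge_id: str              # "priority.MAC" exactly as written on the slides
    ports: list = field(default_factory=list)

def bid_value(bridge_id):
    # "80.00.00.00.0C.AA.AA.AA" -> integer, so a lower ID compares lower
    return int(bridge_id.replace(".", ""), 16)

def compute_spanning_tree(bridges):
    """Return (root name, root path cost per bridge, role per (bridge, port)).
    Roles are 'root', 'designated', 'blocked' or 'disabled'."""
    root = min(bridges, key=lambda b: bid_value(b.bridge_id))   # lowest ID wins
    INF = float("inf")
    rpc = {b.name: INF for b in bridges}
    rpc[root.name] = 0

    def designated_on_segments():
        # per segment the best advertiser: (root path cost, bridge ID, port, name)
        best = {}
        for b in bridges:
            for p in b.ports:
                if p.enabled:
                    cand = (rpc[b.name], bid_value(b.bridge_id), p.number, b.name)
                    if p.segment not in best or cand < best[p.segment]:
                        best[p.segment] = cand
        return best

    # Relax Bellman-Ford style until no bridge finds a cheaper path to the root
    changed = True
    while changed:
        changed = False
        seg = designated_on_segments()
        for b in bridges:
            if b is root:
                continue
            for p in b.ports:
                if p.enabled and seg[p.segment][0] + p.cost < rpc[b.name]:
                    rpc[b.name] = seg[p.segment][0] + p.cost
                    changed = True

    seg = designated_on_segments()
    roles = {}
    for b in bridges:
        root_port = None
        if b is not root:
            if rpc[b.name] == INF:
                raise ValueError(f"{b.name} has no path to the root")
            # lowest cost wins; ties go to the lowest designated bridge ID,
            # then its port number, then our own port number
            root_port = min((p for p in b.ports if p.enabled),
                            key=lambda p: (seg[p.segment][0] + p.cost,
                                           seg[p.segment][1], seg[p.segment][2], p.number))
        for p in b.ports:
            if not p.enabled:
                roles[(b.name, p.number)] = "disabled"
            elif p is root_port:
                roles[(b.name, p.number)] = "root"
            elif seg[p.segment][3] == b.name and seg[p.segment][2] == p.number:
                roles[(b.name, p.number)] = "designated"
            else:
                roles[(b.name, p.number)] = "blocked"
    return root.name, rpc, roles

def slide_topology():
    # Attachments assumed from the figures; all segments are 100-Mbps Ethernet
    a = Bridge("A", "80.00.00.00.0C.AA.AA.AA", [Port(1, "LAN Segment 1"), Port(2, "LAN Segment 2")])
    b = Bridge("B", "80.00.00.00.0C.BB.BB.BB", [Port(1, "LAN Segment 1"), Port(2, "LAN Segment 3")])
    c = Bridge("C", "80.00.00.00.0C.CC.CC.CC", [Port(1, "LAN Segment 2"), Port(2, "LAN Segment 3")])
    return [a, b, c]

def disable_port(bridges, name, number):
    for b in bridges:
        if b.name == name:
            for p in b.ports:
                if p.number == number:
                    p.enabled = False

if __name__ == "__main__":
    net = slide_topology()
    print(compute_spanning_tree(net))          # C port 2 is blocked
    disable_port(net, "B", 2)                  # "React to Changes": B's designated port fails
    print(compute_spanning_tree(net))          # C port 2 becomes designated
```

The run reproduces the figures: A is root, B port 1 and C port 1 are root ports, B port 2 is designated on LAN Segment 3 because B's ID is lower than C's, and C port 2 is blocked until B port 2 is disabled.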
Scaling the Spanning Tree Protocol
- Keep the switched network small: it shouldn't span more than seven switches
- Use IEEE 802.1w, also known as RSTP, which provides rapid reconfiguration of the spanning tree

Bandwidth domain
- A bandwidth domain is a set of devices that share traffic and compete for access to the bandwidth, e.g. a traditional bus topology or a hub-based Ethernet is a single bandwidth domain
- A switch divides up bandwidth domains and is used to connect each device so that the network consists of many small bandwidth domains
- With switches as opposed to hubs, the bandwidth domain consists of the switch port and the device that connects to it
- If full-duplex transmission mode is used, a bandwidth domain becomes even smaller and consists of just the port or the device

Broadcast domain
- A broadcast domain is a set of devices that can all hear each other's broadcast frames
- A broadcast frame is a frame that is sent to the MAC address FF:FF:FF:FF:FF:FF, e.g. an ARP request is encapsulated in a broadcast frame
- Routers divide broadcast domains
- Switches by default do not divide broadcast domains
- Providing broadcast traffic control with switches requires the use of Virtual LANs

Virtual LANs (VLANs)
- An emulation of a standard LAN that allows data transfer to take place without the traditional physical restraints placed on a network
- A set of devices that belong to an administrative group regardless of their actual location, which may span across different switches
- VLAN assignment can be based on applications, protocols, performance and security requirements, and traffic loading characteristics
- Their initial purpose was to simplify moves, adds, and changes in a campus network

Virtual LANs (VLANs)
- The current usage of VLANs is the subdivision of physical switch-based LANs into many logical LANs
- VLANs allow a large, flat switch-based network to be divided into separate broadcast domains
- Instead of flooding all broadcasts out every port, a VLAN-enabled switch floods only the ports that are part of the same VLAN as the sending station
- In IP-based networks a VLAN is usually its own subnet: thus VLANs are implemented as separate IP subnets
- A router, or a routing module within a switch, provides intersubnet communication as it would for non-virtual LANs
VLANs versus Real LANs (figure: Switch A serving Station A1, A2 and A3 on Network A; Switch B serving Station B1, B2 and B3 on Network B)

A Switch with VLANs (figure: one switch with Station A1, A2 and A3 in VLAN A and Station B1, B2 and B3 in VLAN B)

VLANs Span Switches (figure: Switch A and Switch B connected by a link; VLAN A contains Station A1 to A6 and VLAN B contains Station B1 to B6, each spread across both switches)
As a frame leaves Switch A, a special header is added to the frame, called the VLAN tag. The VLAN tag contains a VLAN identifier (ID) that specifies to which VLAN the frame belongs. Because both switches have been configured to recognize VLAN A and VLAN B, they can exchange frames across the interconnection link, and the recipient switch can determine the VLAN into which those frames should be sent by examining the VLAN tag.

WLANs and VLANs
- A wireless LAN (WLAN) is often implemented as a VLAN
- Facilitates roaming: users remain in the same VLAN and IP subnet as they roam, so there's no need to change addressing information
- Also makes it easier to set up filters (access control lists) to protect the wired network from wireless users
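The broadcast-domain and VLAN slides above describe two mechanisms: a VLAN-aware switch floods a broadcast only to ports in the sender's VLAN, and a frame crossing the inter-switch link carries a VLAN tag with the VLAN ID. The code below is an added example, not code from the slides or from any switch vendor, that builds and parses IEEE 802.1Q tagged Ethernet frames and models that flooding decision for the two-switch picture. The port names, VLAN IDs 10 and 20 (standing in for VLAN A and VLAN B), MAC addresses and the ARP payload bytes are constructed sample values; the tag layout (TPID 0x8100 followed by a 16-bit TCI holding PCP, DEI and the 12-bit VID) is the standard's.

```python
# Added example (not from the slides): 802.1Q tag handling and per-VLAN
# broadcast flooding on a toy switch with access ports and one trunk.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid set, insert the 4-byte 802.1Q tag
    (TPID 0x8100 + TCI = PCP:3 | DEI:1 | VID:12) after the source MAC."""
    if vid is not None and not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    frame = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return dst, src, vid (None when untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_text(frame[0:6]), mac_text(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}

class VlanSwitch:
    def __init__(self, access, trunks):
        self.access = dict(access)   # port -> VLAN ID; frames arrive/leave untagged
        self.trunks = dict(trunks)   # port -> allowed VLAN IDs; frames carry a tag

    def classify(self, port, parsed):
        """VLAN the received frame belongs to, or None if it must be dropped."""
        if port in self.access:                      # access ports never accept tags
            return self.access[port] if parsed["vid"] is None else None
        vid = parsed["vid"]
        return vid if vid in self.trunks.get(port, ()) else None

    def flood(self, ingress, frame):
        """Flood a broadcast (or unknown unicast) frame: {egress port: frame}."""
        p = parse_frame(frame)
        vid = self.classify(ingress, p)
        if vid is None:
            return {}
        out = {}
        for port, access_vid in self.access.items():
            if port != ingress and access_vid == vid:        # same VLAN only
                out[port] = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])
        for port, allowed in self.trunks.items():
            if port != ingress and vid in allowed:          # tag on the way out
                out[port] = build_frame(p["dst"], p["src"], p["ethertype"],
                                        p["payload"], vid=vid, pcp=p["pcp"])
        return out

def demo():
    # Constructed: Switch A with stations A1..A3 in VLAN 10, B1..B3 in VLAN 20,
    # and a trunk to Switch B carrying both VLANs.
    switch_a = VlanSwitch(access={"A1": 10, "A2": 10, "A3": 10,
                                  "B1": 20, "B2": 20, "B3": 20},
                          trunks={"to-switch-B": {10, 20}})
    arp_request = build_frame(BROADCAST, "00:00:0c:00:00:a1", ETHERTYPE_ARP,
                              b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
    return switch_a.flood("A1", arp_request)

if __name__ == "__main__":
    for port, frame in demo().items():
        print(port, parse_frame(frame)["vid"], frame.hex())
```

Station A1's ARP broadcast reaches A2, A3 and the trunk (tagged VID 10) but none of the VLAN B ports, which is the broadcast-domain split the slides describe; a tagged frame arriving on an access port, or a trunk frame with a VID the trunk does not allow, is dropped.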
Campus Hierarchical Redundant Topology (figure)

Router Redundancy
- Hot Standby Router Protocol (HSRP) or the IETF Virtual Router Redundancy Protocol (VRRP) for redundancy
(figure: a Workstation whose default gateway is a Virtual Router, backed by an Active Router and a Standby Router that connect to the Enterprise Internetwork)

Hot Standby Router Protocol (HSRP)
- HSRP works by creating a virtual router, also called a phantom router
- The virtual router has its own IP and MAC addresses
- Each workstation is configured to use the virtual router as its default gateway
- When a workstation broadcasts an ARP frame to find its default gateway, the active HSRP router responds with the virtual router's MAC address
- If the active router goes offline, a standby router takes over as the active router, continuing the delivery of the workstation's packets
- The change is transparent to the workstation

Hot Standby Router Protocol (HSRP)
- HSRP routers on a LAN communicate among themselves to designate an active and a standby router
- The active router sends periodic Hello messages
- The other HSRP routers listen for the Hello messages
- If the active router fails, causing the other HSRP routers to stop receiving Hello messages, the standby router takes over and becomes the active router
- Because the new active router assumes both the IP and MAC addresses of the phantom, workstations see no change
- They continue to send packets to the virtual router's MAC address, and the new active router delivers those packets
- The Hello timer should be configured to be short enough that workstation applications and protocols do not drop connections before the standby router becomes active
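The two HSRP slides describe a timing argument: the outage a workstation sees is the gap between the last Hello the failed active router sent and the moment the standby's hold timer expires, so the Hello and hold timers bound the failover delay. The simulation below is an added example, not code from the slides or from Cisco's HSRP implementation, written to make that relationship concrete. Router names, addresses, priorities and timer values are constructed; the virtual MAC format 00:00:0c:07:ac:<group> is the HSRP version 1 convention, and the election rule (highest priority, then highest interface IP) is HSRP's.

```python
# Added example (not from the slides): discrete-time HSRP model showing ARP
# for the virtual gateway, Hello/hold timers and standby takeover.
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str
    priority: int
    alive: bool = True

class HsrpGroup:
    def __init__(self, group, virtual_ip, routers, hello=3, hold=10):
        self.virtual_ip = virtual_ip
        self.virtual_mac = f"00:00:0c:07:ac:{group:02x}"   # HSRPv1 virtual MAC
        self.routers = list(routers)
        self.hello, self.hold = hello, hold
        self.active, self.standby = self._elect()
        self.last_hello = 0

    def _elect(self):
        # highest priority wins; ties broken by the highest interface IP
        alive = sorted((r for r in self.routers if r.alive),
                       key=lambda r: (r.priority, tuple(int(o) for o in r.ip.split("."))),
                       reverse=True)
        if not alive:
            raise RuntimeError("no router left to serve the virtual address")
        return alive[0], (alive[1] if len(alive) > 1 else None)

    def answer_arp(self, target_ip):
        """Only the active router replies to ARP for the virtual address,
        and it always answers with the virtual MAC, never its own."""
        if target_ip == self.virtual_ip and self.active.alive:
            return self.active.name, self.virtual_mac
        return None

    def run(self, seconds, failures):
        """Advance one second at a time. failures maps a time to the name of
        the router that goes offline then. Returns (time, old, new) takeovers."""
        takeovers = []
        for now in range(seconds + 1):
            if now in failures:
                next(r for r in self.routers if r.name == failures[now]).alive = False
            if self.active.alive:
                if now % self.hello == 0:
                    self.last_hello = now            # active sends a Hello
            elif self.standby is not None and now - self.last_hello >= self.hold:
                old = self.active.name               # hold timer expired
                self.active, self.standby = self._elect()
                takeovers.append((now, old, self.active.name))
        return takeovers

def demo(hello=3, hold=10):
    """Constructed scenario: R1 (priority 110) is active, R2 is standby,
    R1 fails at t=12. Returns the ARP answer before, the takeover, the answer after."""
    group = HsrpGroup(1, "10.1.1.1",
                      [Router("R1", "10.1.1.2", 110), Router("R2", "10.1.1.3", 100)],
                      hello, hold)
    before = group.answer_arp("10.1.1.1")
    takeovers = group.run(30, {12: "R1"})
    after = group.answer_arp("10.1.1.1")
    return before, takeovers, after

if __name__ == "__main__":
    print("hello=3 hold=10:", demo())
    print("hello=1 hold=3: ", demo(hello=1, hold=3))
```

With Hello 3 s and hold 10 s the last Hello goes out at t=9, so the standby does not take over until t=19, seven seconds after the failure; with Hello 1 s and hold 3 s the gap shrinks to two seconds. In both runs the ARP answer carries the same virtual MAC before and after, which is why the workstation sees no change.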
Multihoming the Internet Connection (figure: Option A, one Enterprise site with two links to ISP 1; Option B, one Enterprise site with a link to ISP 1 and a link to ISP 2; Option C, Enterprise sites in Paris and NY each linked to ISP 1; Option D, Enterprise sites in Paris and NY each linked to ISP 1 and ISP 2)

Security Topologies (figure: a DMZ holding the Web, File, DNS and Mail Servers, placed between the Enterprise Network and the Internet)

Security Topologies (figure: a Firewall separating the Internet, the DMZ with the Web, File, DNS and Mail Servers, and the Enterprise Network)