Monday, January 21, 2013

CCDA Notes: Network Structure Models

Network Structure Models

Hierarchical Network Models

Hierarchical models use layers to simplify internetworking tasks, with each layer focusing on specific functionality. This allows the correct features to be chosen for each layer. The model applies to both LAN and WAN designs.


  1. Cost Savings: Not trying to do it all on one routing/switching platform. Reduces need for advance bandwidth provisioning
  2. Ease of Understanding: Layered model easier to understand, different reporting/management can be distributed to different layers to help control management costs
  3. Modular Network Growth: Modularity allows replication as network grows and only small subsets require upgrade/replacement at a time
  4. Improved Fault Isolation: Transition points in network are easier to troubleshoot because network is segmented

Modern routing protocols were designed with the hierarchical model in mind. Route summarization is facilitated by this model and is more difficult without clear boundaries between layers.

Hierarchical Network Design

  • Core: Fast transport between distribution devices within enterprise campus network
  • Distribution: Provides policy-based / Layer 3 connectivity
  • Access: Provides workgroup/users access to network
Core Layer

Fast-switching, backbone for network. Requires:
  • Fast transport
  • Redundancy
  • Reliability
  • Manageability
  • No CPU-intensive processes
  • QoS (if implemented)
  • Limited number of hops from edge to edge (workstation to server, etc)
Distribution Layer

Isolation point between access layer and core, implements many features:
  • Policy-based connections (ACLs, traffic policy)
  • Redundancy/load balancing
  • Aggregate access layer devices
  • Aggregate WAN connections (if connected here)
  • QoS
  • Security filters
  • Route summarization
  • Layer 3 interface/Inter-Vlan routing
  • Media translation (if needed between ethernet/token ring, etc)
  • Routing protocol redistribution
  • Demarcation between static/route protocols
Using Cisco IOS software features further policies can be applied:
  • Route filtering, static routing, QoS mechanisms like queueing

Access Layer

User access to local segments of network via switches. Other features of this layer:
  • High availability
  • Port security
  • Broadcast suppression (via vlan segmentation)
  • QoS Marking/Trust boundary classification
  • Rate limiting/policing
  • ARP inspection
  • VACLs (Vlan ACLs)
  • Spanning tree
  • PoE and auxiliary vlans for VOIP
  • Other auxiliary vlans
Hierarchical Model Examples

Traditional Model

Routed Hierarchical Design

As above, but Layer 3 switching is pushed down to the access layer instead of stopping at the distribution layer. Route summarization is configured on interfaces pointing toward the core, while route filtering is configured toward the access layer. Since the links to the distribution layer are routed, traffic can be load balanced across both uplinks, whereas with spanning tree one link is blocked.

If Cisco 6500 switches with the VSS (Virtual Switching System) Supervisor 720-10G are available, two redundant distribution switches can be configured as one logical switch. The two distribution switches are connected by a 10 Gigabit link called the Virtual Switch Link. Benefits are as follows:
  • Layer 3 switching can be used toward the access layer
  • Scales bandwidth to 1.44 Tbps
  • Simplifies management of single configuration on VSS
  • Increased bandwidth between access/distribution layer gives better return on investment
  • No new chassis required (assuming you have 2 6500 chassis with these supervisor modules)

Cisco Enterprise Architecture Model

Modular approach to design, divides network into functional areas/modules. These areas/modules are:
  • Enterprise Campus Module
  • Enterprise Data Center module
  • Enterprise Branch module
  • Enterprise Teleworker module

The Enterprise Architecture model keeps the hierarchical concept of access and distribution components connecting users through a high-speed core.

Enterprise Campus Module

  • Campus Core
  • Server Farm/Data Center
  • Building Distribution
  • Building Access
Campus core provides high-speed backbone between buildings, server farm towards enterprise edge, has redundant/fast-converging connectivity

Building distribution aggregates access and performs QoS, access control, route redundancy and load balancing

Building access provides user access, vlan control, auxiliary vlans and PoE for VOIP, spanning tree

Server Farm/Data Center provides high speed access and high availability of services

Enterprise Edge Area
  • E-commerce networks/servers
  • Internet/DMZ
  • VPN/Remote access
  • Enterprise WAN
The E-commerce module describes highly available networks for business services; it combines the high-availability design of the server farm with the Internet connectivity module. Devices within this submodule include:
  • Web/App servers - Primary user interface for e-commerce
  • Database servers - Application/transaction information
  • Firewall/Firewall routers - Governs communications between users
  • IPS - Monitor key network segments for attacks
  • Multilayer switch utilizing IPS module - Traffic transport/integrated security monitoring

Internet/DMZ Module provides public servers, email, DNS. Connectivity to ISP included in this module. Other components include:
  • Firewall/Firewall routers - Protect resources, stateful filtering, VPN termination for remote sites/users
  • Internet edge routers - Provide WAN connectivity, basic filtering
  • FTP/HTTP servers - Provides web applications that interface enterprise with Internet
  • SMTP relay servers - Relays mail to/from Internet to/from local email servers
  • DNS servers - Authoritative external DNS server for enterprise, relay internal requests to Internet
Multihoming provides for Internet connectivity redundancy
  1. Single router/dual links to one ISP
  2. Single router/dual links to two ISPs
  3. Dual routers/dual links to one ISP
  4. Dual routers/dual links to two ISPs

VPN/Remote access provides RA termination services, including authentication for remote users/sites. Components include:
  • Firewalls - Stateful filtering of traffic, authenticate remote users, provide tunnel connectivity
  • Dial-in access concentrators - Terminate legacy dialup and authenticate those users
  • Cisco ASA - Terminate IPSec tunnels and authenticate individual users, also firewall/IPS services
  • Network IPS - Proactively monitor network for attacks

Enterprise WAN is the edge module that connects to ISPs/WAN providers. WAN technologies include:
  • MPLS (Multiprotocol Label Switching)
  • Metro Ethernet
  • Leased Lines
  • SONET and SDH
  • PPP/Frame Relay
  • ATM
  • Cable/DSL
  • Wireless
Guidelines for designing Enterprise edge:
  • Determine connection needed to connect Enterprise to Internet, this is assigned to Internet module
  • Create e-commerce module for customers and partners that require Internet access to business/database applications
  • Design Remote Access/VPN module for VPN access to internal network. Implement security and authentication, authorization parameters
  • Assign edge sections with permanent connections to remote branch offices to WAN/VPN module

Service Provider Edge Module consists of SP edge services such as:

  • Internet service
  • PSTN (Telephone)
  • WAN services

Remote Module consists of:
  • Enterprise branch
  • Enterprise Data Center
  • Enterprise Teleworker
Enterprise Branch module consists of remote offices that rely on the WAN to connect back to main office for services. Commonly uses MPLS/WAN or IPSEC VPN tunneling to connect

Enterprise Data Center module uses network to leverage services, storage, applications. Components of data center include:
  • Network infrastructure - Gigabit/10GE, InfiniBand, optical transport, storage switching
  • Interactive services - Computer infrastructure, storage services, application optimization
  • DC management - Cisco Fabric manager, Cisco VFrame for server/service management
Enterprise Teleworker module involves small office or mobile user who needs access to main campus, often utilizing VPN client. Cisco Virtual Office offers solution that is centrally managed using small integrated service routers (ISR). VOIP capability included in Virtual Office for teleworkers

Borderless Network Services

Cisco next-generation network architecture solution which enables connectivity to anyone/anything from anywhere at any time. Connectivity needs to be secure, reliable, seamless.
  • Mobility: Cisco Motion delivers anywhere/anytime access to information for mobile users from any device. Also provides detection, location, classification mitigation of sources of wireless interference
  • Security: Cisco TrustSec provides foundation for identity-directed and policy-based access. Uses Cisco ASA, Cisco Virtualization Security, and Cisco AnyConnect for endpoints/users. Cisco SAFE blueprint provides design/implementation guidelines for building secure/reliable architecture
  • Application Performance: Application Velocity optimizes speed/performance of any application by using Wide Area Application Services (WAAS)
  • Voice/Video (IP Communication): Medianet for Enterprise optimizes multimedia through automatic endpoints and optimized network configuration. Reduces video deployment time and provides multicast video

High Availability Network Services

Design redundancy for critical systems/services wherever possible. Consider following types of redundancy:
  • Workstation to router redundancy in building access layer
  • Server redundancy in server farm module
  • Route redundancy within/between network components
  • Link media redundancy in access layer

Workstation to Router Redundancy and LAN High Availability Protocols

  • ARP: Proxy ARP allows a router to answer ARP requests for hosts it knows how to reach, replying with its own MAC address
  • Explicit Configuration: Configure workstation with IP of default gateway
  • ICMP Router Discovery Protocol (RDP): RFC 1256 specifies extension to ICMP to allow a workstation to learn a router's address
  • RIP: IP workstation can run RIP to learn about routers, should be set to passive if used at all
  • HSRP: Workstation can be configured with default gateway IP, two routers can share that virtual IP which provides default gateway that is fault tolerant
  • VRRP: Virtual Router Redundancy Protocol dynamically assigns responsibility for a virtual router to one of the participating VRRP routers. The master router is the forwarding router, but any other VRRP-participating router can take over forwarding if failover is needed
  • GLBP: Provides first-hop redundancy and also load balancing between redundant routers, uses single virtual IP and multiple MAC addresses, as requests come in the MAC address of a GLBP router is given for that request. GLBP has several benefits:
  1. Load Sharing
  2. Multiple virtual routers
  3. Preemption
  4. Authentication
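The election and load-sharing behaviour behind HSRP and GLBP in the list above, as an added toy model written for these notes (it is not Cisco code and not from the CCDA text). Router names, priorities, the virtual IP and the virtual MACs are constructed sample values; the HSRP tie-break on router name stands in for the real tie-break on interface IP address.

```python
# Added toy model (not from the CCDA text or any vendor code) of two first-hop
# redundancy behaviours: HSRP-style active/standby election with optional
# preemption, and GLBP-style load sharing where one virtual IP is answered
# with different forwarders' MAC addresses. All names/addresses are constructed.
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Gateway:
    name: str
    priority: int
    up: bool = True


class HsrpGroup:
    """Single HSRP group: the highest-priority router that is up becomes active.
    Without preemption a higher-priority router that comes back stays standby
    until the current active router fails."""

    def __init__(self, virtual_ip, routers, preempt=False):
        self.virtual_ip = virtual_ip
        self.routers = {r.name: r for r in routers}
        self.preempt = preempt
        self.active = None
        self.elect()

    def _best(self):
        up = [r for r in self.routers.values() if r.up]
        # tie-break on name stands in for HSRP's tie-break on interface IP
        return max(up, key=lambda r: (r.priority, r.name)) if up else None

    def elect(self):
        best = self._best()
        current = self.routers.get(self.active)
        if current is None or not current.up:
            self.active = best.name if best else None
        elif self.preempt and best is not None and best.priority > current.priority:
            self.active = best.name
        return self.active

    def set_state(self, name, up):
        """Mark a router up or down and return the active router afterwards."""
        self.routers[name].up = up
        return self.elect()


class GlbpGroup:
    """Single GLBP group: one virtual IP, one virtual MAC per forwarder.
    The active virtual gateway answers successive ARP requests with the next
    available forwarder's MAC, so hosts are spread across all routers."""

    def __init__(self, virtual_ip, routers):
        self.virtual_ip = virtual_ip
        self.routers = {r.name: r for r in routers}
        # constructed placeholder MACs, one per forwarder
        self.vmac = {r.name: f"02:00:00:00:00:{i:02x}" for i, r in enumerate(routers, 1)}
        self._next = cycle(list(self.routers))

    def answer_arp(self):
        """Return (router, virtual MAC) for the next ARP reply, skipping down routers."""
        for _ in range(len(self.routers)):
            name = next(self._next)
            if self.routers[name].up:
                return name, self.vmac[name]
        return None, None


def demo():
    """HSRP failover without preemption, then GLBP round-robin ARP replies."""
    hsrp = HsrpGroup("10.0.0.1", [Gateway("R1", 110), Gateway("R2", 100)])
    steps = [hsrp.active, hsrp.set_state("R1", False), hsrp.set_state("R1", True)]
    glbp = GlbpGroup("10.0.0.1", [Gateway("R1", 100), Gateway("R2", 100), Gateway("R3", 100)])
    replies = [glbp.answer_arp()[0] for _ in range(4)]
    return steps, replies


if __name__ == "__main__":
    print(demo())   # (['R1', 'R2', 'R2'], ['R1', 'R2', 'R3', 'R1'])
```

Without preemption R1 stays standby after it recovers, which is the conservative default; enabling preemption returns the group to the intended active router but also means a flapping router repeatedly takes the gateway role, so it is normally paired with a preempt delay in real deployments.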

Server Redundancy

Servers may be mirrored for redundancy and replicate data between them. Can also deploy Cisco Unified Communications Manager servers for redundancy. These servers should be on different networks and utilize redundant power supplies. Options for server implementation in the server farm include:
  • Single attachment - Not recommended, as it requires alternate mechanisms (HSRP, VRRP, GLBP) to find an alternate router
  • Dual attachment - Increases availability by utilizing redundant NICs
  • Fast EtherChannel and Gigabit EtherChannel port bundles

Route Redundancy

Redundant routes have two purposes: Load balancing and increasing availability

Load Balancing

Most routing protocols will load balance across parallel links with equal cost, can do unequal with configuration, or use more links to balance. To support load balancing keep bandwidth consistent within layer of hierarchical model.

A hop-based routing protocol will load balance across links of unequal bandwidth as long as the hop count is equal. Once the slower link is saturated, its packets are dropped, and the router does not automatically shift traffic onto the higher-speed link. This is called pinhole congestion; it can be avoided by provisioning equal-bandwidth links or by using a protocol that takes bandwidth into account.

IP load balancing on a Cisco router depends on whether it is process switching or fast/NetFlow switching. Process switching inspects each packet, so it balances per packet; hardware/fast/NetFlow switching balances per destination because the forwarding decision is cached.
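An added worked model of the two points above: pinhole congestion on equal-hop-count links of unequal bandwidth, and the difference between per-packet and per-destination distribution. This is a constructed simulation written for these notes, not CCDA or Cisco code; the link speeds (a T1 beside a 10 Mbps link), the offered load and the addresses are constructed sample values, and the hash used for per-destination placement is an illustrative stand-in for a real switching path's hash.

```python
# Added example (constructed model, not from the CCDA text): how a metric that
# ignores bandwidth produces pinhole congestion on parallel links of unequal
# speed, and how per-packet vs per-destination switching places packets.
import hashlib
from collections import Counter


def split_load(offered_mbps, link_capacities_mbps, policy="hop_count"):
    """Fluid model of traffic over parallel links with equal hop count.

    hop_count : equal split, what a hop-based protocol does when both paths
                have the same hop count, regardless of link speed
    bandwidth : split in proportion to capacity, as a bandwidth-aware metric does
    Returns (dropped_mbps, per_link_load_mbps)."""
    n = len(link_capacities_mbps)
    total = sum(link_capacities_mbps)
    if policy == "hop_count":
        shares = [offered_mbps / n] * n
    elif policy == "bandwidth":
        shares = [offered_mbps * c / total for c in link_capacities_mbps]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    # traffic offered to a link beyond its capacity is lost on that link
    dropped = sum(max(0.0, s - c) for s, c in zip(shares, link_capacities_mbps))
    return round(dropped, 3), [round(s, 3) for s in shares]


def distribute(packets, n_links, mode="per_destination"):
    """Assign packets, given as (src, dst) pairs, to links.

    per_packet      : round-robin, packet by packet (process switching)
    per_destination : hash of the address pair, so every packet of one
                      conversation stays on one link (cached switching)
    Returns (packets per link, number of conversations split across links)."""
    first_link = {}
    counts = Counter()
    split = set()
    for i, (src, dst) in enumerate(packets):
        if mode == "per_packet":
            link = i % n_links
        elif mode == "per_destination":
            # illustrative hash; real switching paths use their own hash
            digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
            link = int.from_bytes(digest[:4], "big") % n_links
        else:
            raise ValueError(f"unknown mode {mode!r}")
        pair = (src, dst)
        if pair in first_link and first_link[pair] != link:
            split.add(pair)
        first_link.setdefault(pair, link)
        counts[link] += 1
    return dict(counts), len(split)


def demo():
    """6 Mbps offered over a T1 (1.544 Mbps) and a 10 Mbps link, same hop count."""
    links = [1.544, 10.0]
    hop = split_load(6.0, links, "hop_count")    # (1.456, [3.0, 3.0]) -> T1 drops
    bw = split_load(6.0, links, "bandwidth")     # (0.0, ...)          -> no loss
    pkts = [("10.1.1.5", "10.2.2.10")] * 4 + [("10.1.1.6", "10.2.2.10")] * 4
    return hop, bw, distribute(pkts, 2, "per_packet"), distribute(pkts, 2, "per_destination")


if __name__ == "__main__":
    print(demo())
```

The hop-count split sends 3 Mbps to a 1.544 Mbps T1 and loses nearly half of it while the 10 Mbps link sits mostly idle, which is the pinhole. Per-packet distribution is perfectly even but splits every conversation across both links (reordering risk); per-destination keeps each conversation whole and only balances well when there are many conversations.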

Increasing Availability

Bandwidth should be kept consistent to ease load balancing, but redundant routes also increase availability because more paths to a destination exist. Routing protocols converge faster on equal-cost links. Mesh network designs are fault-tolerant because multiple links connect network devices. If a single link fails connectivity is minimally (or not at all) impacted.

Number of links in a full mesh is n(n-1)/2 where n is the number of devices

Full mesh is very expensive to implement in WANs because of the cost of circuit links. Also, with more mesh links, the CPU/bandwidth overhead for routing protocols and broadcast traffic increases. Since broadcast traffic should consume no more than 20 percent of a link, the number of routers exchanging routing information should be limited; 80 percent of link bandwidth should be reserved for data, voice and video traffic. Redundancy planning should follow the hierarchical design with a partial mesh, meshing access to distribution and distribution to core.

Link Media Redundancy

In mission-critical applications it may be necessary to provide redundant media. Switches can be connected to each other, but need spanning tree to bound broadcast traffic. WAN links can be made redundant with redundant links to WAN providers or to backup WAN providers. May provision backup route as a floating static route (static route with very high administrative distance that will only be installed into routing table if primary link fails).

Cisco also supports Multilink Point-to-Point Protocol (MPPP) which aggregates multiple WAN links into single logical channel. This increases bandwidth and provides link redundancy.
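How the floating static route described above stays out of the routing table until the primary path fails, as an added model written for these notes (not Cisco IOS code and not from the CCDA text). The administrative distance defaults in the table are Cisco IOS defaults; the prefixes, next hops and the backup distance of 250 are constructed sample values.

```python
# Added example (constructed model, not from the CCDA text or Cisco IOS code):
# route selection by administrative distance, showing why a backup static route
# needs a high distance ("floating") to stay out of the table until the primary
# path disappears. Prefixes, next hops and the backup distance are constructed.
from dataclasses import dataclass

# Cisco IOS default administrative distances for the sources used here
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    source: str
    distance: int   # lower wins when several sources offer the same prefix


class Rib:
    """Routing table that keeps every candidate route and installs the lowest AD."""

    def __init__(self):
        self.candidates = {}   # prefix -> set of Route

    def add(self, route):
        self.candidates.setdefault(route.prefix, set()).add(route)
        return self.installed(route.prefix)

    def withdraw(self, prefix, source):
        """Drop routes for prefix learned from source, e.g. when the neighbour dies."""
        remaining = {r for r in self.candidates.get(prefix, set()) if r.source != source}
        self.candidates[prefix] = remaining
        return self.installed(prefix)

    def installed(self, prefix):
        routes = self.candidates.get(prefix)
        return min(routes, key=lambda r: r.distance) if routes else None


def demo(backup_distance=250):
    """Primary default route from the main WAN provider via eBGP, backup via a
    static route through the second provider. Returns the installed next hop at
    each step: steady state, primary lost, primary restored."""
    rib = Rib()
    primary = Route("0.0.0.0/0", "203.0.113.1", "ebgp", DEFAULT_AD["ebgp"])
    backup = Route("0.0.0.0/0", "198.51.100.1", "static", backup_distance)
    rib.add(primary)
    steady = rib.add(backup).next_hop
    failed = rib.withdraw("0.0.0.0/0", "ebgp").next_hop
    restored = rib.add(primary).next_hop
    return [steady, failed, restored]


if __name__ == "__main__":
    print(demo())                                        # primary, backup, primary
    print(demo(backup_distance=DEFAULT_AD["static"]))    # plain static pins the backup
```

With the default static distance of 1 the backup would win over the eBGP route (distance 20) permanently and the primary link would never carry traffic; raising the static's distance above every dynamic source is what makes it "float" in behind the primary.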
