
Sunday, February 3, 2013

CCDA Notes: Enterprise LAN Design (Best Practice)

Campus LAN design factors fall into the following categories:
  1. Network Application Characteristics: Different types of applications
  2. Infrastructure Device Characteristics: Layer 2/3 switching and hierarchy
  3. Environmental Characteristics: Geography, wiring, space, distance, etc

Application Characteristics

Application requirements drive design due to usability constraints. Time and drop-sensitive applications need special consideration as far as allowable latency/packet loss.

Peer-to-Peer: Instant messaging, file sharing, IP/video calls. Requires medium/high throughput; availability ranges from low to high depending on the application, and network cost is low to medium.

Client-local servers: Servers are located in the same segment as the clients or close by, normally on the same LAN. Under the 80/20 workgroup rule, 80% of traffic is local and 20% is routed elsewhere. Requires medium throughput and medium availability, and incurs medium network cost.

Client-server farm: Mail, database and similar servers. Access to servers is fast, reliable and controlled. Requires high throughput and high availability, and incurs a high network cost.

Client-enterprise edge servers: External servers such as SMTP relay, web, DMZ and e-commerce servers. Requires medium throughput and high availability, and incurs medium network cost.

Hierarchical Layer Best Practice

Access Layer Best Practice

  • Limit vlans to single switch/closet when possible to provide deterministic and highly available network topology
  • Use Rapid Per-Vlan Spanning Tree+ (RPVST+) if STP is needed
  • Set trunks to on/on and nonegotiate
  • Manually prune unused vlans from trunks to avoid unnecessary broadcast traffic propagating between switches
  • Use Vlan Trunking Protocol (VTP) in Transparent mode because common vlan propagation in hierarchical network is not needed
  • Disable dynamic trunking on host ports, enable Portfast
  • Consider routing in access layer to speed up convergence and provide Layer 3 load balancing
  • Use switchport host command on server/host ports to enable Portfast and disable channelling
  • Use Cisco STP toolkit (Portfast, Loop Guard, Root Guard, BPDU Guard) to prevent loops and protect deterministic Spanning Tree topology
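The access-layer practices above, as an added Cisco IOS configuration example (not from the original post); the hostname, VLAN IDs and interface numbers are assumed, and `switchport trunk encapsulation dot1q` only exists on platforms that also support ISL:

```cisco
! Assumed: Catalyst access switch; VLAN IDs and interface numbers are illustrative
hostname ACCESS-1
!
! RPVST+ for fast convergence; Portfast+BPDU Guard and Loop Guard as global defaults
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
!
! VTP Transparent: this switch neither learns nor pushes VLANs
vtp mode transparent
!
vlan 10
 name USERS
vlan 20
 name VOICE
!
! Uplink to distribution: unconditional trunk, DTP off, unused VLANs pruned
interface GigabitEthernet1/0/49
 description UPLINK-DIST-A
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
!
! Host ports: "switchport host" sets access mode, enables Portfast and disables channelling
interface range GigabitEthernet1/0/1 - 48
 switchport host
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree bpduguard enable
```

Verify the result with `show spanning-tree summary` and `show interfaces trunk`, which should list only VLANs 10 and 20 on the uplink.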

Distribution Layer Best Practice

  • Links to core must support aggregated bandwidth of access layer links
  • Redundant links to access/core layers
  • QoS/security/policy enforcement should occur at this layer
  • Use first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP) or Gateway Load Balancing Protocol (GLBP) if layer 2 trunks are used between access and distribution layers
  • Use Layer 3 routing protocols between distribution and core to allow fast convergence and load balancing to occur
  • Only peer with other routers on links intended to be used as transit links
  • Build Layer 3 triangle links, not squares (diagram not included)

  • Use distribution switches to connect Layer 2 vlans that span multiple access switches
  • Summarize routes from distribution layer to core to reduce routing overhead
  • Use Virtual Switching System (if possible) to eliminate need for STP and first-hop redundancy
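The distribution-layer practices above (HSRP toward a Layer 2 access layer, routed triangle links to the core, peering only on transit links, and summarization toward the core), as an added Cisco IOS configuration example that is not from the original post; addresses, VLAN IDs, interface numbers and the EIGRP AS number are assumed:

```cisco
! Assumed: Catalyst distribution switch DIST-A; its peer DIST-B would mirror this
! with its own addresses and a lower HSRP priority
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root primary
!
! Layer 2 trunk down to access: HSRP gives hosts a resilient default gateway
interface Vlan10
 description USERS-VLAN
 ip address 10.1.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt
!
! Port facing an access switch: Root Guard keeps it from becoming STP root
interface GigabitEthernet1/0/1
 description TO-ACCESS-1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
! Routed point-to-point uplinks, one to each core switch (triangle, not square),
! each advertising one summary for the building's 10.1.0.0/16 block
interface TenGigabitEthernet1/0/1
 description TO-CORE-A
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
!
interface TenGigabitEthernet1/0/2
 description TO-CORE-B
 no switchport
 ip address 10.0.0.5 255.255.255.252
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
!
! Peer only on transit links: every interface is passive except the two core uplinks
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 passive-interface default
 no passive-interface TenGigabitEthernet1/0/1
 no passive-interface TenGigabitEthernet1/0/2
```

`show ip eigrp neighbors` should then list only the two core switches, and `show standby brief` confirms which distribution switch is active for VLAN 10.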

Core Layer Best Practice

  • Must support fast switching, redundant paths and high availability to distribution points
  • Reduce switch peering by using redundant triangle connections between switches (as above)
  • Use a routed topology so the core has none of the Layer 2 loops seen on Layer 2 links that rely on STP
  • Use Layer 3 switches in core which provide intelligent services Layer 2 switches do not support
  • Use equal-cost dual paths to each destination network

Large-Building LANs

  • Tend to be separated by floors or departments
  • Access component serves one or more floors/departments
  • Distribution component aggregates multiple floors/departments
  • Core component connects data center, building distribution components, and enterprise edge distribution component
  • Access layer typically uses Layer 2 switches to save costs
  • Distribution layer typically uses Layer 3 switches for access control, QoS and policy enforcement
  • Core layer utilizes Layer 3 switches for fast switching and fast convergence/load balancing
  • FastEthernet at access layer, GigabitEthernet for distribution/core links

Enterprise Campus LAN

  • Typically connects two or more buildings within local geographic area using high-bandwidth LAN backbone
  • GigabitEthernet backbones connecting campus buildings are new standard
  • Requires hierarchical composite design with network-level addressing to control broadcasts
  • Each building should have network addressing leveraged to facilitate summarization
  • Use Layer 3 switches with fast-switching capabilities in core
  • In smaller campuses, distribution layer can be collapsed and core can connect directly to access layer
  • Can also collapse distribution layer by utilizing Layer 3 switching in access layer to provide access/distribution services

Edge Distribution

  • On large LANs, provides additional security between campus LAN and enterprise edge
  • Can help defend campus LAN against IP spoofing, unauthorized access, network reconnaissance, and packet sniffing

Medium-Size LANs

  • Typically utilize a collapsed core hierarchy
  • 200 - 1000 devices

Small/Remote Site LANs

  • Typically connect to corporate network via small router which filters broadcasts to WAN and forwards packets requiring services from corporate network
  • Local servers tend to be small and provide minimal services for network connectivity such as DHCP and backup domain controller
  • If local servers are not used then router must forward broadcast and other types of traffic to corporate network

Server Farm

  • Most servers connect to access switches via GigEthernet, 10GigEthernet or Etherchannels
  • Server farm switches connect via redundant links to core; larger farms may need a distribution layer which applies QoS, policies and access control
  • Servers are typically connected to switches by:
  1. Single network interface card (NIC)
  2. Dual NIC with Etherchannel
  3. Dual NIC to separate access switches
  4. Content Switching (advanced content switches that front end user requests and provide redundancy/load balancing)

Enterprise Data Center Architecture

Data centers have different server technologies including standalone servers, blades, mainframes, clustered servers and virtual servers.
  • Data center access layer must provide port density to support server connections, high performance/low latency Layer 2 switching, and support single/dual connected servers
  • Preferred design contains Layer 2 switching to access layer and moves Layer 3 to distribution layer, though some designs can push Layer 3 to access layer
  • Cisco Data Center 3.0 architecture provides next evolution of data center
  • Distribution layer aggregates access links to core
  • Load balancers are implemented at distribution layer
  • SSL offloading devices terminate Secure Sockets Layer sessions
  • Firewalls control/filter access
  • Intrusion Detection/Intrusion Prevention devices used to detect/prevent attacks

Campus LAN QoS Consideration

  • Access layer marks frames/packets for QoS policies in distribution layer
  • Classification is done via ISL or 802.1q tagging by setting Class of Service (CoS) bits
  • Traffic should be marked as close as possible to source

Multicast Traffic Consideration

  • Internet Group Management Protocol (IGMP) is the protocol used between hosts and the local Layer 3 switch or local router
  • IGMP messages use IP protocol number 2; messages are limited to the local interface and are not routed
  • Hosts report multicast membership to local routers to receive multicast traffic
  • End hosts in campus LAN may be flooded with unwanted multicast traffic if measures are not taken to prune/bound traffic.
  • Cisco Group Management Protocol (CGMP) and IGMP Snooping are solutions to the unwanted multicast traffic issue

CGMP is a Cisco proprietary protocol used to control multicast traffic at Layer 2. Because Layer 2 switches are unaware of Layer 3 IGMP messages, they can't stop multicast traffic from going to all ports. CGMP allows a Layer 2 switch to receive from the local router the MAC addresses of hosts that subscribe to a multicast group. The router must also be configured to use CGMP to pass this information to the Layer 2 switches.

IGMP Snooping also allows multicast traffic to be controlled at Layer 2, and is now the preferred method. With IGMP snooping, switches listen to the IGMP messages exchanged between hosts and routers. If a host sends an IGMP join message toward the router, the switch adds the host to the multicast group and permits that port to receive the multicast. If the host sends an IGMP leave message, the traffic is no longer forwarded to that port. In order to use IGMP snooping the switch must listen to all IGMP messages, which may negatively impact CPU usage.

