On the design of campus networks for High Availability


21/06/2021

1

GC2020-2021


Top-Down Network Design Steps

Figure: Network Design and Implementation Cycle
• Analyze requirements
• Develop logical design
• Develop physical design
• Test, optimize, and document design
• Implement and test network
• Monitor and optimize network performance


Network Design Steps

• Phase 1 - Analyze Requirements
  • Analyze business goals and constraints
  • Analyze technical goals and tradeoffs
  • Characterize the existing network
  • Characterize (current and future) network traffic


Network Design Steps

• Phase 2 - Logical Network Design
  • Design a network topology
  • Design models for addressing and naming
  • Select routing protocols
  • Develop network security strategies
  • Develop network management strategies


Network Design Steps

• Phase 3 - Physical Network Design
  • Select technologies and devices for campus networks
  • Select technologies and devices for enterprise WAN networks

Network Design Steps

• Phase 4 - Testing, Optimizing, and Documenting the Network Design
  • Test the network design
  • Optimize the network design
  • Document the network design

Network requirements

• Most businesses actually have only a few requirements for their network:
  • The network should stay up all the time, even in the event of failed links and equipment failures
  • The network should reliably deliver applications and provide reasonable response times
  • Mobile users must be supported
  • The network should be secure
  • The network should be easy to modify to adapt to network growth and general business changes
  • Manageability and troubleshooting should be easy. Finding and fixing a problem should not be too time-consuming

Design for fault-tolerance

• Backbone redundancy
• Device redundancy
• In-the-box redundancy
• Network Interface redundancy
• Dual Station (tandem) and Cluster Systems

The fault-tolerant solution must be as simple as possible and should contain the minimum redundancy such that an alternative path for data is ensured.


First hop redundancy: HSRP

• Hot Standby Router Protocol (HSRP) is proprietary (Cisco)
• HSRP works by creating a virtual router
  • The virtual router has its own IP and MAC addresses
  • Each host is configured to use the virtual router as its default router (also named default gateway)
• A set of routers (HSRP group) that run HSRP works in concert to present the illusion of a single default router to the hosts
• A single router is elected as the active router
  • It is responsible for forwarding the packets that hosts send to the default router (the virtual router)
  • It responds with the virtual router's MAC address when a host sends an ARP request to find its default router's physical address


First hop redundancy: HSRP (cont.)

• Another router is elected as the standby router
• Only the active router and the standby router send periodic hellos after the protocol has completed the election process
  • Additional routers in the HSRP group listen for the hello messages
• If the active router fails, causing the other HSRP routers to stop receiving hello messages, the standby router takes over and becomes the active router (transparently to hosts)
• If the standby router fails or becomes the active router, another router is elected as the standby router
• HSRP messages are sent to the destination IP multicast address 224.0.0.2 (224.0.0.102 for version 2) on UDP port 1985
• If appropriately tuned, HSRP can converge in less than one second
• The virtual router's MAC address can be manually configured, or routers can create a well-known HSRP MAC address:
  • 00-00-0C-07-AC-(HSRP group)


Configuration of HSRP

Figure: Router X (Ethernet 0: 10.1.1.1/24, Standby) and Router Y (Ethernet 0: 10.1.1.2/24, Active) form HSRP group 24 with virtual router address 10.1.1.5; both are connected to the WAN (dynamic routing, multihoming). Hosts 10.1.1.10/24 and 10.1.1.24/24 use 10.1.1.5 as default gateway.

    Router-X> interface ethernet 0
    Router-X> ip address 10.1.1.1 255.255.255.0
    Router-X> standby 24 ip 10.1.1.5

    Router-Y> interface ethernet 0
    Router-Y> ip address 10.1.1.2 255.255.255.0
    Router-Y> standby 24 ip 10.1.1.5

Election process and enhancements to HSRP

• At the start, the interface with the highest priority value becomes the active interface (default priority: 100)
• If a tie occurs, the interface with the highest IP address is elected
• The active interface holds its role even if other interfaces with higher priority values become operative
• With the preempt feature, a router is forced to hand over its "active" role to an interface with a higher priority
• The track feature monitors one or more WAN interfaces on a router that has HSRP enabled on a given LAN interface
  • If the software senses a problem with the WAN circuit connected to one of the tracked WAN interfaces, the interface priority for the corresponding HSRP group is lowered (by default, the decrement is equal to 10)


Election process and enhancements to HSRP (cont.)

• Problem: the standby router and the other routers in an HSRP group are superfluous until the active router fails (bandwidth is wasted)
• Multi HSRP: it allows load sharing over multiple routers along with redundancy
  • Multiple HSRP groups can be configured for the same set of routers and overlap on the LAN
  • Individual routers participate in multiple groups
• Example: two HSRP groups are configured on two routers
  • Priority values have to be set so that a router is active for one group and standby for the other one
  • Around half of the hosts must be configured to use the virtual router IP address assigned to one group, the remaining hosts to use the virtual router IP address assigned to the other group

Preempt feature

Figure: Router X (Ethernet 0: 10.1.1.1, Active, priority 105) and Router Y (Ethernet 0: 10.1.1.2, Standby) form HSRP group 24 with virtual router address 10.1.1.5; both are connected to the WAN (dynamic routing). Hosts 10.1.1.10 and 10.1.1.24 use 10.1.1.5 as default gateway.

    Router-X> interface ethernet 0
    Router-X> ip address 10.1.1.1 255.255.255.0
    Router-X> standby 24 ip 10.1.1.5
    Router-X> standby 24 priority 105
    Router-X> standby 24 preempt

    Router-Y> interface ethernet 0
    Router-Y> ip address 10.1.1.2 255.255.255.0
    Router-Y> standby 24 ip 10.1.1.5
    Router-Y> standby 24 preempt

Track feature

Figure: Router X (Ethernet 0: 10.1.1.5, Active) and Router Y (Ethernet 0: 10.1.1.6, Standby) form HSRP group 1 with virtual router address 10.1.1.10; each has a Serial 0 link (S0 = 10.6.2.5 on X, S0 = 10.6.7.6 on Y) towards Router Z. Hosts 10.1.1.24, 10.1.1.25, 10.1.1.28 and 10.1.1.31 use 10.1.1.10 as default gateway.

    R-X> interface ethernet 0
    R-X-if> ip address 10.1.1.5 255.255.255.0
    R-X-if> standby 1 ip 10.1.1.10
    R-X-if> standby 1 priority 105
    R-X-if> standby 1 preempt
    R-X-if> standby 1 track Serial 0
    R-X-if> no shutdown
    R-X-if> exit
    R-X> interface serial 0
    R-X-if> ip address 10.6.2.5 255.255.255.0

    R-Y> interface ethernet 0
    R-Y-if> ip address 10.1.1.6 255.255.255.0
    R-Y-if> standby 1 ip 10.1.1.10
    R-Y-if> standby 1 preempt
    R-Y-if> standby 1 track Serial 0
    R-Y-if> no shutdown
    R-Y-if> exit
    R-Y> interface serial 0
    R-Y-if> ip address 10.6.7.6 255.255.255.0

Multi HSRP

Figure: Router X (Ethernet 0: 10.1.1.5) is Active for HSRP group 1 (virtual router address 10.1.1.10) and Standby for group 2; Router Y (Ethernet 0: 10.1.1.6) is Active for group 2 (virtual router address 10.1.1.20) and Standby for group 1. Each has a Serial 0 link (S0 = 10.6.2.5 on X, S0 = 10.6.7.6 on Y) towards Router Z. Hosts 10.1.1.24 and 10.1.1.28 use 10.1.1.10 as default gateway; hosts 10.1.1.205 and 10.1.1.206 use 10.1.1.20.

    R-X> interface ethernet 0
    R-X-if> ip address 10.1.1.5 255.255.255.0
    R-X-if> standby 1 ip 10.1.1.10
    R-X-if> standby 1 preempt
    R-X-if> standby 1 track Serial 0
    R-X-if> standby 2 ip 10.1.1.20
    R-X-if> standby 2 preempt
    R-X-if> standby 2 track serial 0
    R-X-if> standby 2 priority 95

    R-Y> interface ethernet 0
    R-Y-if> ip address 10.1.1.6 255.255.255.0
    R-Y-if> standby 1 ip 10.1.1.10
    R-Y-if> standby 1 preempt
    R-Y-if> standby 1 track Serial 0
    R-Y-if> standby 1 priority 95
    R-Y-if> standby 2 ip 10.1.1.20
    R-Y-if> standby 2 preempt
    R-Y-if> standby 2 track serial 0

Multi HSRP (cont.)

• Using the DHCP service, hosts within each VLAN learn the corresponding default router: 192.168.0.5 for VLAN 10 (192.168.0.0/24) and 192.168.1.7 for VLAN 20 (192.168.1.0/24)

Figure: Router X (Active 1, Standby 2) and Router Y (Active 2, Standby 1) are connected to the WAN (dynamic routing); on their Fa0/0 interfaces, subinterfaces serve VLAN 10 (192.168.0.0/24) and VLAN 20 (192.168.1.0/24); a DHCP server serves both VLANs.

    Router-X> interface FastEthernet 0/0.10
    Router-X-if> ip address ...
    Router-X-if> standby 1 ip 192.168.0.5
    ...
    Router-X> interface FastEthernet 0/0.20
    Router-X-if> ip address ...
    Router-X-if> standby 2 ip 192.168.1.7
    Router-X-if> standby 2 priority 95
    ...

    Router-Y> interface FastEthernet 0/0.10
    Router-Y-if> ip address ...
    Router-Y-if> standby 1 ip 192.168.0.5
    Router-Y-if> standby 1 priority 95
    ...
    Router-Y> interface FastEthernet 0/0.20
    Router-Y-if> ip address ...
    Router-Y-if> standby 2 ip 192.168.1.7
    ...
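The election, preempt, track and Multi HSRP slides above describe one set of rules; the following simulation is an added example (not code from the slides) that applies those rules to the slides' own router names and addresses, with the scenarios constructed here. The `HsrpGroup` and `Member` names and the `TRACK_DECREMENT` constant are mine.

```python
"""HSRP election, preempt and interface tracking, simulated in Python.
Added example, not code from the slides: highest priority wins (default 100),
ties go to the highest IP, the active router keeps its role unless a higher
priority router has 'preempt', and a failed tracked interface lowers the
priority by the decrement (default 10). Scenarios reuse the slides' addresses."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

TRACK_DECREMENT = 10   # default decrement when a tracked interface goes down


@dataclass
class Member:
    name: str
    ip: str                                   # interface address on the LAN
    priority: int = 100                       # configured priority (default)
    preempt: bool = False
    tracked: Dict[str, bool] = field(default_factory=dict)   # iface -> is up

    def effective_priority(self) -> int:
        down = sum(1 for up in self.tracked.values() if not up)
        return max(0, self.priority - down * TRACK_DECREMENT)

    def key(self) -> Tuple[int, int]:
        # Election order: effective priority first, then highest IP address
        return (self.effective_priority(), int(IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, group: int, vip: str, *members: Member):
        self.group, self.vip = group, vip
        self.members: Dict[str, Member] = {m.name: m for m in members}
        self.active: Optional[str] = None
        self.standby: Optional[str] = None
        self._elect()

    def virtual_mac(self) -> str:
        """Well-known HSRPv1 virtual MAC 00-00-0C-07-AC-<group number>."""
        return "00-00-0C-07-AC-%02X" % self.group

    def _elect(self) -> None:
        ranked = sorted(self.members.values(), key=Member.key, reverse=True)
        current = self.members.get(self.active)
        if current is None:
            self.active = ranked[0].name   # start-up, or the active router is gone
        else:
            # The active router holds its role unless a router with 'preempt' and a strictly better key forces it to hand over
            for m in ranked:
                if m.preempt and m.key() > current.key():
                    self.active = m.name
                    break
        self.standby = next((m.name for m in ranked if m.name != self.active), None)

    def router_failed(self, name: str) -> None:
        """Hellos from `name` stop: the standby takes over transparently."""
        del self.members[name]
        if self.active == name:
            self.active = None
        self._elect()

    def router_recovered(self, m: Member) -> None:
        self.members[m.name] = m
        self._elect()

    def tracked_interface(self, name: str, iface: str, up: bool) -> None:
        """A tracked WAN interface changed state: priorities are re-evaluated."""
        self.members[name].tracked[iface] = up
        self._elect()

    def roles(self) -> Tuple[Optional[str], Optional[str]]:
        return self.active, self.standby


def demo_preempt():
    """'Preempt feature' slide: X (105, preempt) regains the role after a failure."""
    x = Member("X", "10.1.1.1", priority=105, preempt=True)
    g = HsrpGroup(24, "10.1.1.5", x, Member("Y", "10.1.1.2", preempt=True))
    before = g.roles()
    g.router_failed("X")
    during = g.roles()
    g.router_recovered(x)
    return before, during, g.roles()


def demo_track():
    """'Track feature' slide: X loses Serial 0, drops from 105 to 95, Y preempts."""
    g = HsrpGroup(1, "10.1.1.10", Member("X", "10.1.1.5", 105, True, {"Serial0": True}),
                  Member("Y", "10.1.1.6", 100, True, {"Serial0": True}))
    g.tracked_interface("X", "Serial0", up=False)
    after_down = g.roles()
    g.tracked_interface("X", "Serial0", up=True)
    return after_down, g.roles()


def demo_multi_hsrp():
    """'Multi HSRP' slide: priority 95 on the other group splits the two groups."""
    g1 = HsrpGroup(1, "10.1.1.10", Member("X", "10.1.1.5", 100, True), Member("Y", "10.1.1.6", 95, True))
    g2 = HsrpGroup(2, "10.1.1.20", Member("X", "10.1.1.5", 95, True), Member("Y", "10.1.1.6", 100, True))
    return g1.roles(), g2.roles()
```

With both routers at the default priority and no preempt (the "Configuration of HSRP" slide), the same constructor elects Router Y (10.1.1.2) because it has the higher IP address.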

HSRP security issues

• HSRP has two authentication schemes (unauthenticated messages are ignored):
  • Plain text authentication (default scheme)
    − standby [group number] authentication text string
    The default string is cisco
  • MD5 authentication (enhancement)
    − standby [group number] authentication md5 key-string string
• HSRP is susceptible to denial-of-service attacks

Figure: Router X (Active) and Router Y (Standby) are connected to the WAN (dynamic routing); the attacker sends false HSRP hello packets with priority 255 to become the active router.
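The slide above states the two conditions a monitor on the LAN segment should care about: hellos carrying priority 255 from a device that is not one of the HSRP routers, and the default plain-text string still in use. The decoder below is an added example (not code from the slides); it follows the HSRPv1 packet layout of RFC 2281, and the sample packets and the `EXPECTED_ROUTERS` set are constructed for the demo.

```python
"""Decode HSRPv1 hellos and flag what the 'HSRP security issues' slide describes.

Added example, not code from the slides. HSRPv1 (RFC 2281) is carried in UDP
to 224.0.0.2, port 1985; the 20-byte payload holds version, opcode, state,
hello/hold timers, priority, group, an 8-byte plain-text authentication
field (default 'cisco') and the virtual IP. Packets and the expected-router
list below are constructed for the demo.
"""
import struct
from ipaddress import IPv4Address
from typing import List, NamedTuple, Set, Tuple

HSRP_UDP_PORT = 1985
HSRP_V1_GROUP_ADDR = "224.0.0.2"
DEFAULT_AUTH = b"cisco"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
_LAYOUT = "!BBBBBBBB8s4s"   # 20 bytes, network byte order


class HsrpV1(NamedTuple):
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode one UDP payload; raises ValueError if it is not HSRPv1."""
    size = struct.calcsize(_LAYOUT)
    if len(payload) < size:
        raise ValueError("payload shorter than an HSRPv1 packet")
    ver, op, st, hello, hold, prio, grp, _rsv, auth, vip = struct.unpack(_LAYOUT, payload[:size])
    if ver != 0:
        raise ValueError("version %d is not HSRPv1" % ver)
    return HsrpV1(OPCODES.get(op, "Unknown"), STATES.get(st, "Unknown"), hello, hold,
                  prio, grp, auth.rstrip(b"\x00"), str(IPv4Address(vip)))


def sample_hello(priority: int, group: int, vip: str, auth: bytes = DEFAULT_AUTH) -> bytes:
    """Constructed hello (state Active, hello 3 s, hold 10 s) used to feed the decoder."""
    return struct.pack(_LAYOUT, 0, 0, 16, 3, 10, priority, group, 0,
                       auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def check_packet(src_ip: str, pkt: HsrpV1, expected: Set[str], configured_auth: bytes) -> List[str]:
    """Findings a monitor on the LAN segment would raise for one packet."""
    findings = []
    tag = "group %d: " % pkt.group
    if pkt.auth != configured_auth:
        # The slide: unauthenticated messages are ignored by the HSRP routers
        findings.append(tag + "ignored by routers (authentication mismatch)")
    elif pkt.auth == DEFAULT_AUTH:
        findings.append(tag + "default authentication string 'cisco' in use")
    if src_ip not in expected:
        findings.append(tag + "%s from unexpected source %s" % (pkt.opcode, src_ip))
    if pkt.priority == 255:
        findings.append(tag + "priority 255 advertised by %s" % src_ip)
    return findings


def scan(packets: List[Tuple[str, bytes]], expected: Set[str],
         configured_auth: bytes = DEFAULT_AUTH) -> List[List[str]]:
    """Decode and check every (source IP, UDP payload) pair in capture order."""
    return [check_packet(src, parse_hsrp_v1(raw), expected, configured_auth) for src, raw in packets]


# Constructed traffic on the slides' LAN: Router Y (10.1.1.2) is the legitimate
# active router for group 24; 10.1.1.99 is not one of the expected routers.
EXPECTED_ROUTERS = {"10.1.1.1", "10.1.1.2"}
SAMPLE_PACKETS = [
    ("10.1.1.2", sample_hello(100, 24, "10.1.1.5")),
    ("10.1.1.99", sample_hello(255, 24, "10.1.1.5")),
]

if __name__ == "__main__":
    for (src, _), findings in zip(SAMPLE_PACKETS, scan(SAMPLE_PACKETS, EXPECTED_ROUTERS)):
        print(src, findings)
```

Running `scan` a second time with a non-default `configured_auth` shows the slide's point: a hello still carrying the default string is ignored by the routers, so the priority-255 message no longer changes the election.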

First hop redundancy: VRRP

• Virtual Router Redundancy Protocol
• Defined in RFC 2338
• VRRP implements the same functions as HSRP
  • The Master state corresponds to the HSRP Active state, the Backup state corresponds to the HSRP Standby state

First hop redundancy: GLBP

• The Gateway Load Balancing Protocol is a proprietary protocol (Cisco) similar (not identical) to HSRP and VRRP
• GLBP provides load balancing over multiple routers using a single virtual IP address and multiple virtual MAC addresses
• Each host is configured with the same virtual IP address as its default gateway, and all routers in the virtual router group participate in forwarding packets
• Members of a GLBP group elect one router to be the Active Virtual Gateway (AVG) for that group
  • The election criteria are identical to those of HSRP
• The AVG assigns a virtual MAC address to each member of the GLBP group
  • These gateways are known as Active Virtual Forwarders (AVF)
• The AVG is responsible for answering ARP requests for the virtual IP address
• Load balancing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses

Backbone redundancy

• Intra-building backbone

Figure: a primary backbone and a secondary backbone run from the Equipment Room to the Telecommunication Closet on each floor (floors 1 to 7). The access L2 switches in the closets (S2 to S7) are connected to both distribution L2 switches, S1-P (switch 1, Primary) and S1-S (switch 2, Secondary with regard to STP), located in the Equipment Room (see the next slide).

Distribution switch redundancy

• Setting of STP parameters

Figure: bridge priorities are S1-P 24576 (Root Bridge), S1-S 28672, S2 to S7 32768. A server with a fault-tolerant interface is connected to both distribution switches (links 1 and 2). Legend: root port, designated port, blocking port.

Distribution switch redundancy (cont.)

Figure: Root Bridge failure. S1-P is gone; S1-S (bridge priority 28672) and S2 to S7 (32768) remain, and the spanning tree is recomputed around S1-S. Legend: root port, designated port, blocking port.

Distribution switch redundancy (cont.)

• The spanning tree might not be optimal if the bridge priority is left at the default value (32768)
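The three slides above set S1-P to 24576 and S1-S to 28672 so that the distribution switches win the root election. The code below is an added example (not from the slides) that computes the root bridge and the port roles for that backbone, first with the slides' priorities, then after the root fails, then with everything left at 32768; the MAC addresses and link costs are constructed, and the `port_roles` and `backbone_links` names are mine.

```python
"""Spanning-tree root and port roles for the slides' backbone, in Python.

Added example, not code from the slides. Bridge ID = (priority, MAC) and the
lowest wins the root election; every other bridge picks the root port giving
the least root path cost; on each link the end with the lower root path cost
(tie: lower bridge ID) is designated and the far end is a root or blocking
port. MACs and link costs below are constructed (the priorities are the slides').
"""
import heapq
from typing import Dict, Tuple

BridgeId = Tuple[int, str]          # (priority, MAC): compares priority first
Links = Dict[Tuple[str, str], int]  # (bridge A, bridge B) -> path cost


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    return min(bridges, key=bridges.get)


def root_path_costs(root: str, links: Links) -> Dict[str, int]:
    """Least path cost from every bridge to the root (Dijkstra)."""
    adj: Dict[str, list] = {}
    for (a, b), c in links.items():
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for nb, lc in adj.get(n, []):
            if c + lc < cost.get(nb, float("inf")):
                cost[nb] = c + lc
                heapq.heappush(heap, (c + lc, nb))
    return cost


def port_roles(bridges: Dict[str, BridgeId], links: Links):
    """Return (root, {(bridge, neighbour): role}) for every link end."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links)
    root_port: Dict[str, Tuple[Tuple[int, BridgeId], str]] = {}
    for (a, b), c in links.items():
        for me, peer in ((a, b), (b, a)):
            if me == root:
                continue
            cand = (rpc[peer] + c, bridges[peer])   # cost via peer, then peer's BID
            if me not in root_port or cand < root_port[me][0]:
                root_port[me] = (cand, peer)
    roles = {}
    for (a, b), _ in links.items():
        # Designated end: lower root path cost, then lower bridge ID
        des = a if (rpc[a], bridges[a]) < (rpc[b], bridges[b]) else b
        far = b if des == a else a
        roles[(des, far)] = "designated"
        roles[(far, des)] = "root" if root_port[far][1] == des else "blocking"
    return root, roles


def backbone_links() -> Links:
    """Each access switch S2..S7 is dual-homed to S1-P and S1-S; cost 4 = 1 Gb/s."""
    links = {("S1-P", "S1-S"): 4}
    for n in range(2, 8):
        links[("S1-P", "S%d" % n)] = 4
        links[("S1-S", "S%d" % n)] = 4
    return links


# Constructed MACs: the lowest one happens to belong to the access switch S4
MACS = {"S1-P": "00:1b:54:00:00:10", "S1-S": "00:1b:54:00:00:20", "S4": "00:1b:54:00:00:04"}
for _n in (2, 3, 5, 6, 7):
    MACS["S%d" % _n] = "00:1b:54:00:00:3%d" % _n


def slide_bridges() -> Dict[str, BridgeId]:
    """Priorities as set on the slide: S1-P 24576, S1-S 28672, others 32768."""
    prio = {"S1-P": 24576, "S1-S": 28672}
    return {name: (prio.get(name, 32768), mac) for name, mac in MACS.items()}


def default_bridges() -> Dict[str, BridgeId]:
    """Everything left at the default priority 32768: the MAC address decides."""
    return {name: (32768, mac) for name, mac in MACS.items()}


def after_root_failure(bridges: Dict[str, BridgeId], links: Links, failed: str):
    """Recompute the tree once the root bridge `failed` is gone."""
    left = {n: b for n, b in bridges.items() if n != failed}
    remaining = {ab: c for ab, c in links.items() if failed not in ab}
    return port_roles(left, remaining)
```

With the default priorities the access switch S4 becomes the root and the S1-S side of the distribution-to-distribution link goes blocking, so frames between the two distribution switches cross an access switch; that is the non-optimal tree the slide warns about.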

A router for the VLANs to communicate

Figure: the backbone of the previous slides (S1-P root bridge, priority 24576; S1-S 28672; S2 to S7 32768) with VLANs 2, 3 and 4 spanning the access switches on the floors. A router attached to the distribution switches (links 1 and 2) has interfaces in VLAN 2, VLAN 3 and VLAN 4, routes between the VLANs and connects to the Internet. Legend: root port, designated port, blocking port.

Multihoming the Internet connection

Figure: the same backbone and VLANs 2, 3 and 4, now with two routers attached to the distribution switches (links 1 and 2). Each router has interfaces in VLAN 2, VLAN 3 and VLAN 4; towards the hosts they run HSRP, VRRP or GLBP, towards the Internet they use dynamic routing. Legend: root port, designated port, blocking port.

Network design with multi-layer switches

• Network devices able to support layer-2 and layer-3 forwarding in hardware and to filter packets based on ACLs

A network with no fault-tolerance requirements

• A different organizational entity on each floor

Figure: a multi-layer switch SW-1 connects the layer-2 switches of the floors (one subnet per floor: 192.168.9.0/24, 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24), a router towards the WAN (192.168.15.1 on SW-1, 192.168.15.2 on the router) and a server (192.168.16.1 on SW-1, 192.168.16.2 on the server). The switches, the router and the server are connected to access ports. Legend: SW = Layer-2 Switch; SW-1 = Multi-layer Switch.

SW-1: Phase 1: creation of VLANs

    SW(config)#vlan 2
    SW(config-vlan)#name Admin
    SW(config-vlan)#exit
    SW(config)#vlan 3
    Sw(config-vlan)#name Sales
    SW(config-vlan)#exit
    SW(config)#vlan 4
    Sw(config-vlan)#name Group-1
    SW(config-vlan)#exit
    SW(config)#vlan 5
    Sw(config-vlan)#name Group-2
    SW(config-vlan)#exit
    SW(config)#vlan 6
    Sw(config-vlan)#name Group-3
    SW(config-vlan)#exit
    SW(config)#vlan 7
    Sw(config-vlan)#name Group-4
    SW(config-vlan)#exit
    SW(config)#vlan 8
    Sw(config-vlan)#name SW-Server
    SW(config-vlan)#exit
    SW(config)#vlan 9
    Sw(config-vlan)#name SW-Router
    SW(config-vlan)#exit
    SW#

SW-1: Phase 2: definition of Access ports

    Sw(config)#int GigabitEthernet 0/1
    Sw(config-if)#switchport access vlan 2
    Sw(config-if)#exit
    ...
    Sw(config)#int GigabitEthernet 0/2
    Sw(config-if)#switchport access vlan 3
    Sw(config-if)#exit
    ...
    Sw(config)#int GigabitEthernet 0/3
    Sw(config-if)#switchport access vlan 4
    Sw(config-if)#exit
    ...
    Sw(config)#int GigabitEthernet 0/4
    Sw(config-if)#switchport access vlan 5
    Sw(config-if)#exit
    ...
    Sw(config)#int GigabitEthernet 0/5
    Sw(config-if)#switchport access vlan 6
    Sw(config-if)#exit
    ...
    Sw(config)#int GigabitEthernet 0/6
    Sw(config-if)#switchport access vlan 7
    Sw(config-if)#exit
    ...

SW-1: Phase 3: IP address assignment to the virtual interfaces (VLANs)

• An IP address is assigned to a VLAN as if it were a physical interface

    Sw(config)#interface vlan 2
    Sw(config-if)#ip address 192.168.9.1 255.255.255.0
    Sw(config-if)#no shutdown
    Sw(config-if)#exit
    Sw(config)#interface vlan 3
    Sw(config-if)#ip address 192.168.10.1 255.255.255.0
    Sw(config-if)#no shutdown
    Sw(config-if)#exit
    Sw(config)#interface vlan 4
    Sw(config-if)#ip address 192.168.11.1 255.255.255.0
    Sw(config-if)#no shutdown
    Sw(config-if)#exit
    Sw(config)#interface vlan 5
    Sw(config-if)#ip address 192.168.12.1 255.255.255.0
    Sw(config-if)#no shutdown
    Sw(config-if)#exit
    Sw(config)#interface vlan 6
    Sw(config-if)#ip address 192.168.13.1 255.255.255.0
    Sw(config-if)#no shutdown
    Sw(config-if)#exit
    Sw(config)#interface vlan 7
    Sw(config-if)#ip address 192.168.14.1 255.255.255.0
    Sw(config-if)#no shutdown
    Sw(config-if)#exit
    ...

A network with no fault-tolerance requirements

• VLANs span multiple switches on different floors

Figure: the multi-layer switch SW-1 connects the floor L2 switches, the router R1 (192.168.15.1 on SW-1, 192.168.15.2 on R1, WAN) and the server (192.168.16.1 on SW-1, 192.168.16.2 on the server). Several VLANs (2 to 7) are present on each floor. The L2 switches are connected to trunk ports, the router R1 and the server to access ports.

VLANs - IP subnets

    VLAN 1 - 192.168.8.0/24 (Default VLAN)
    VLAN 2 - 192.168.9.0/24
    VLAN 3 - 192.168.10.0/24
    VLAN 4 - 192.168.11.0/24
    VLAN 5 - 192.168.12.0/24
    VLAN 6 - 192.168.13.0/24
    VLAN 7 - 192.168.14.0/24
    VLAN 8 - 192.168.15.0/24
    VLAN 9 - 192.168.16.0/24

Logical view of the multi-layer switch in the previous slide

Figure: SW-1 is shown as a router with one virtual interface (VLAN) per subnet, connected through trunks to the floor L2 switches and through access ports to the router R1 and the server.

IP addresses assigned to the virtual interfaces (VLANs):

    192.168.8.1 (VLAN 1, default VLAN)
    192.168.9.1
    192.168.10.1
    192.168.11.1
    192.168.12.1
    192.168.13.1
    192.168.14.1
    192.168.15.1 (access port towards Router R1, 192.168.15.2)
    192.168.16.1 (access port towards the Server, 192.168.16.2)

SW-1: Phase 2: definition of Trunk ports (VLAN 1 is the Default VLAN)

    Sw(config)#interface GigabitEthernet 0/1
    Sw(config-if)#switchport mode trunk
    Sw(config-if)#switchport trunk allowed vlan add 1,4,5
    Sw(config-if)#exit
    Sw(config)#interface GigabitEthernet 0/2
    Sw(config-if)#switchport mode trunk
    Sw(config-if)#switchport trunk allowed vlan add 1,2,4,5,7
    Sw(config-if)#exit
    Sw(config)#interface GigabitEthernet 0/3
    Sw(config-if)#switchport mode trunk
    Sw(config-if)#switchport trunk allowed vlan add 1,2,3,5,6
    Sw(config-if)#exit
    Sw(config)#interface GigabitEthernet 0/4
    Sw(config-if)#switchport mode trunk
    Sw(config-if)#switchport trunk allowed vlan add 1,2,3,7
    Sw(config-if)#exit
    Sw(config)#interface GigabitEthernet 0/5
    Sw(config-if)#switchport mode trunk
    Sw(config-if)#switchport trunk allowed vlan add 1,2,4,5,6
    Sw(config-if)#exit
    Sw(config)#interface GigabitEthernet 0/6
    Sw(config-if)#switchport mode trunk
    Sw(config-if)#switchport trunk allowed vlan add 1,2,3,4,5

A fault-tolerant network

• A different organizational entity on each floor

Figure: two multi-layer switches, SW-1 and SW-2, run HSRP/VRRP; each floor L2 switch (A, B, C) is connected to both. Floor subnets, with the SW-1 address, the SW-2 address and the virtual router address in parentheses: 10.1.1.0/24 (10.1.1.1, 10.1.1.2, virtual 10.1.1.3), 10.1.2.0/24 (10.1.2.1, 10.1.2.2, virtual 10.1.2.3), 10.1.3.0/24 (10.1.3.1, 10.1.3.2, virtual 10.1.3.3). SW-1 and SW-2 are linked by 10.1.9.1 / 10.1.9.2; the router towards the WAN is reached via 10.1.10.1 / 10.1.10.2 and 10.1.20.1 / 10.1.20.3. The Spanning Tree Protocol is not needed! Legend: SW = Layer 2 Switch; SW-1, SW-2 = Multi-layer Switch.

    SW-1 port 1 Access (VLAN 4)
    SW-1 port 2 Access (VLAN 3)
    SW-1 port 3 Access (VLAN 2)
    SW-1 port 4 Access (VLAN 5)
    SW-1 port 8 Access (VLAN 7)

    SW-2 port 1 Access (VLAN 4)
    SW-2 port 2 Access (VLAN 3)
    SW-2 port 3 Access (VLAN 2)
    SW-2 port 4 Access (VLAN 5)
    SW-2 port 5 Access (VLAN 6)

Logical view of the network in the previous slide

Figure: SW-1 and SW-2 appear as two routers linked by 10.1.9.1 / 10.1.9.2, each with an interface in 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24 (virtual router addresses 10.1.1.3, 10.1.2.3 and 10.1.3.3 provided by HSRP/VRRP) and a link to the WAN router (10.1.10.1 / 10.1.10.2 and 10.1.20.1 / 10.1.20.3). The access switches A, B and C hang off both.

SW-1: IP address assignment and HSRP configuration

    SW-1(config)#interface vlan 2
    SW-1(config-if)#ip address 10.1.1.1 255.255.255.0
    SW-1(config-if)#standby 8 preempt
    SW-1(config-if)#standby 8 priority 105
    SW-1(config-if)#standby 8 ip 10.1.1.3
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit
    (group 8: candidate to become the Active router)

    SW-1(config)#interface vlan 3
    SW-1(config-if)#ip address 10.1.2.1 255.255.255.0
    SW-1(config-if)#standby 9 preempt
    SW-1(config-if)#standby 9 ip 10.1.2.3
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit
    (group 9: candidate to become the Standby router)

    SW-1(config)#interface vlan 4
    SW-1(config-if)#ip address 10.1.3.1 255.255.255.0
    SW-1(config-if)#standby 10 preempt
    SW-1(config-if)#standby 10 priority 105
    SW-1(config-if)#standby 10 ip 10.1.3.3
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit
    (group 10: candidate to become the Active router)

    SW-1(config)#interface vlan 5
    SW-1(config-if)#ip address 10.1.9.1 255.255.255.252
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit
    SW-1(config)#interface vlan 7
    SW-1(config-if)#ip address 10.1.20.1 255.255.255.252

SW-2: IP address assignment and HSRP configuration

    SW-2(config)#interface vlan 2
    SW-2(config-if)#ip address 10.1.1.2 255.255.255.0
    SW-2(config-if)#standby 8 preempt
    SW-2(config-if)#standby 8 ip 10.1.1.3
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit
    (group 8: candidate to become the Standby router)

    SW-2(config)#interface vlan 3
    SW-2(config-if)#ip address 10.1.2.2 255.255.255.0
    SW-2(config-if)#standby 9 preempt
    SW-2(config-if)#standby 9 ip 10.1.2.3
    SW-2(config-if)#standby 9 priority 105
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit
    (group 9: candidate to become the Active router)

    SW-2(config)#interface vlan 4
    SW-2(config-if)#ip address 10.1.3.2 255.255.255.0
    SW-2(config-if)#standby 10 preempt
    SW-2(config-if)#standby 10 ip 10.1.3.3
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit
    (group 10: candidate to become the Standby router)

    SW-2(config)#interface vlan 5
    SW-2(config-if)#ip address 10.1.9.2 255.255.255.252
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit
    SW-2(config)#interface vlan 6
    SW-2(config-if)#ip address 10.1.10.1 255.255.255.252

A fault-tolerant network

• VLANs span multiple switches on different floors

Figure: SW-1 (bridge priority 24576) and SW-2 (bridge priority 28672) run the Spanning Tree Protocol and HSRP/VRRP. VLANs 2, 3 and 4 span switches A, B and C over trunks; SW-1 and SW-2 are joined by a trunk on port 6. The router towards the WAN is reached via 10.1.10.1 / 10.1.10.2 and 10.1.20.1 / 10.1.20.3. Legend: SW = Layer 2 Switch; SW-1, SW-2 = Multi-layer Switch; root port, designated port, blocking port.

    SW-1 ports 1,2,3,4,6 Trunk
    SW-1 port 8 Access (VLAN 7)
    SW-2 ports 1,2,3,4,6 Trunk
    SW-2 port 5 Access (VLAN 6)

    SW-1 VLAN 2 IP addr 10.1.1.1 (10.1.1.3)
    SW-1 VLAN 3 IP addr 10.1.2.1 (10.1.2.3)
    SW-1 VLAN 4 IP addr 10.1.3.1 (10.1.3.3)
    SW-1 VLAN 7 IP addr 10.1.20.1

    SW-2 VLAN 2 IP addr 10.1.1.2
    SW-2 VLAN 3 IP addr 10.1.2.2
    SW-2 VLAN 4 IP addr 10.1.3.2
    SW-2 VLAN 6 IP addr 10.1.10.1

Logical view of the network in the previous slide

Figure: the two multi-layer switches are drawn as a router each (SW-1: 10.1.1.1, 10.1.2.1, 10.1.3.1, 10.1.20.1; SW-2: 10.1.1.2, 10.1.2.2, 10.1.3.2, 10.1.10.1) sitting on top of the Spanning Tree Protocol topology that joins them to switches A, B and C over trunks (port 6 between SW-1 and SW-2); HSRP/VRRP runs between the two; the WAN router is reached via 10.1.10.2 and 10.1.20.3. Legend: root port, designated port, blocking port.

Logical view at the IP level

Figure: Router (SW-1) with 10.1.1.1, 10.1.2.1, 10.1.3.1 and 10.1.20.1, and Router (SW-2) with 10.1.1.2, 10.1.2.2, 10.1.3.2 and 10.1.10.1, both attached to VLAN 2 (10.1.1.0/24), VLAN 3 (10.1.2.0/24) and VLAN 4 (10.1.3.0/24); the WAN router is reached via 10.1.10.2 and 10.1.20.3.

SW-1: IP address assignment and HSRP configuration

    SW-1(config)#interface vlan 2
    SW-1(config-if)#ip address 10.1.1.1 255.255.255.0
    SW-1(config-if)#standby 8 preempt
    SW-1(config-if)#standby 8 priority 105
    SW-1(config-if)#standby 8 ip 10.1.1.3
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit
    (group 8: candidate to be the Active router)

    SW-1(config)#interface vlan 3
    SW-1(config-if)#ip address 10.1.2.1 255.255.255.0
    SW-1(config-if)#standby 9 preempt
    SW-1(config-if)#standby 9 priority 105
    SW-1(config-if)#standby 9 ip 10.1.2.3
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit
    (group 9: candidate to be the Active router)

    SW-1(config)#interface vlan 4
    SW-1(config-if)#ip address 10.1.3.1 255.255.255.0
    SW-1(config-if)#standby 10 preempt
    SW-1(config-if)#standby 10 priority 105
    SW-1(config-if)#standby 10 ip 10.1.3.3
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit
    (group 10: candidate to be the Active router)

    SW-1(config)#interface vlan 7
    SW-1(config-if)#ip address 10.1.20.1 255.255.255.252
    SW-1(config-if)#no shutdown
    SW-1(config-if)#exit

SW-2: IP address assignment and HSRP configuration

    SW-2(config)#interface vlan 2
    SW-2(config-if)#ip address 10.1.1.2 255.255.255.0
    SW-2(config-if)#standby 8 preempt
    SW-2(config-if)#standby 8 ip 10.1.1.3
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit
    (group 8: candidate to be the Standby router)

    SW-2(config)#interface vlan 3
    SW-2(config-if)#ip address 10.1.2.2 255.255.255.0
    SW-2(config-if)#standby 9 preempt
    SW-2(config-if)#standby 9 ip 10.1.2.3
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit
    (group 9: candidate to be the Standby router)

    SW-2(config)#interface vlan 4
    SW-2(config-if)#ip address 10.1.3.2 255.255.255.0
    SW-2(config-if)#standby 10 preempt
    SW-2(config-if)#standby 10 ip 10.1.3.3
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit
    (group 10: candidate to be the Standby router)

    SW-2(config)#interface vlan 6
    SW-2(config-if)#ip address 10.1.10.1 255.255.255.252
    SW-2(config-if)#no shutdown
    SW-2(config-if)#exit

Hierarchical network design

• The capacity, features and functionality of a specific device are optimized for its position in the network and the role it plays
• Costs are minimized
• It allows a modular topology to be designed
  • Changes are facilitated because they impact a small number of systems
  • The modular design makes the network easy to scale, understand and troubleshoot by promoting deterministic traffic patterns
• It reduces the number of CPU adjacencies
  • When network devices communicate with many other devices, the workload of the CPUs on the devices can be burdensome
    • In a large flat switched network, broadcast packets are burdensome
    • Routers process numerous route advertisements
• Classic three-layer model: core, distribution, access
  • In small and medium-sized organizations, the core and distribution layers can be combined

Hierarchical network design (cont.)

• An example of a flat network design
• An example of a hierarchical network design

Figure: the flat design is a mesh of L2 switches; the hierarchical design places multilayer switches above the L2 switches.

High Availability: downtime

Figure: downtime table for three classes: High Availability, Very high Availability, Ultra high Availability.

High Availability Campus Network Design

• Hierarchical campus network design

Figure: a campus of three buildings connected to a MAN/WAN through a core of multilayer switches, with L2 switches at the access layer, a firewall and a router at the edge. Source: Campus Network for High Availability Design Guide (Cisco Systems).

Core layer

• The core serves as the backbone for the network and connects distribution layer devices
• The core needs to be fast and extremely resilient because every building block depends on it for connectivity
• In the core a "less is more" approach should be taken
  • A minimal configuration in the core reduces configuration complexity, limiting the possibility of operational errors

Core layer (cont.)

• Design the core layer as a high-speed, Layer 3 (L3) switching environment
• Use redundant point-to-point L3 interconnections in the core, building triangles, not squares
  • Topologies with redundant equal-cost paths are the most deterministic and optimized for routing convergence, measured in milliseconds
  • With topologies that rely on indirect notification and timer-based detection, convergence is non-deterministic and measured in seconds
• Most implementations of Internet routing protocols support load sharing across parallel paths with equal cost
  • Equal-Cost MultiPath (ECMP) routing
  • Fast, deterministic convergence in the event of a link or node failure
    • Failover depends primarily on hardware link failure detection

Figure: routing table with multiple entries for the destination 192.168.25.0/24

Distribution layer

• It aggregates switches from the access layer
• Typically deployed as a pair of multi-layer switches that operate at layer 3 and, in case VLANs span multiple access switches, also as layer-2 switches
• Load sharing and Quality of Service (QoS) are key considerations at this layer

Distribution layer (cont.)

• High availability in the distribution layer is provided through dual equal-cost paths from the distribution layer to the core and from the access layer to the distribution layer
• The distribution layer provides default gateway redundancy using a first-hop redundancy protocol (e.g., HSRP, VRRP, GLBP)

Access layer

• The first point of entry into the network for edge devices, such as hosts, IP phones, wireless access points
• The switches in the access layer are connected to two separate distribution layer switches for redundancy
• If there are no L2 loops, all uplinks can actively carry traffic

Figure: access switches dual-connected to two distribution switches; uplinks grouped by link aggregation.

Access layer (cont.)

• Key features:
  • High availability (HA) supported by many hardware and software attributes
    • Component redundancy using redundant supervisor engines, redundant power supplies and redundant fans
    • Default gateway redundancy using dual connections to redundant distribution layer switches that use GLBP, HSRP or VRRP
  • Prioritization of mission-critical network traffic using QoS
  • Security services against unauthorized access to the network (e.g., IEEE 802.1x Access Control, MAC filters, DHCP snooping)
  • Efficient network and bandwidth management using software features such as IGMP snooping
  • Power Over Ethernet (PoE, PoE+, PoE++) for IP telephony, IP cameras, and for wireless access points

Some "Best Practices"

Network and In-the-Box Redundancy

• The hierarchical network model consists of
  • two core nodes with sufficient bandwidth and switching capacity to service the entire network in the event of a failure of one of the nodes
  • a distribution layer engineered with sufficient bandwidth and switching capacity so that the complete failure of one of the distribution nodes does not impact the performance of the network
• Network devices can provide high availability by "in-the-box" redundancy, which involves doubling key components, such as the power supply, the fans, the supervisor engine.
• However, adding redundant supervisors to redundant core and distribution layers can increase the convergence time in the event of a supervisor failure (network outage of 1-3 seconds)
  • Instead, the network above converges in 100-200 milliseconds for routing protocols

Figure: hierarchical campus of three buildings connected to a MAN/WAN.

Network and In-the-Box Redundancy (cont.)

• So, campus topologies with redundant network paths can converge faster than topologies that depend on redundant supervisors for convergence
• In-the-box redundancy provides the most benefit in environments where single points of failure exist
• The access layer of the network is typically a single point of failure
  • It is not typical for hosts to be dual connected to access layer switches (except in the data center)
  • Then, the access layer is a candidate for in-the-box redundancy

Build triangles NOT squares

Figure: core, distribution and access layers, with distribution and core nodes interconnected as triangles rather than squares.

• Squares
  • Link failures require routing protocol convergence, which may vary since the route is non-deterministic.
  • The result of this deployment is dropped sessions and/or lost packets, delivering suboptimal performance.
• Triangles
  • Any link failure results in a fast failover time since the route is deterministic. A path is (simply) marked as unusable and all traffic is rerouted to the alternate equal-cost path (ECMP).
  • The result is optimal performance with minimal packet loss.

Link between the distribution nodes

• Distribution layer designed as a L3 switching environment
• A L3 link is required between the distribution nodes
• The distribution node that loses connectivity to a given VLAN or subnet can reroute traffic across the distribution-to-distribution link

Figure: two distribution nodes joined by a Layer 3 link, each serving 10.1.1.0/24 and 10.1.2.0/24.

Link between distribution nodes (cont.)

• In a design where VLANs are configured and span multiple access layer switches, the distribution nodes must be linked by an L2 connection
  • otherwise, multiple convergence events can occur for a single failure and undesirable traffic paths are taken after the spanning tree protocol converges

Figure: access switches A and B, both carrying VLAN 2, are each connected to the two distribution nodes; the distribution nodes reach each other only through the core and exchange HSRP hellos across the access switches. Legend: root port, designated port, blocking port.

Link between distribution nodes (cont.)

• In case of a failure of the link from access switch A to the STP Root and HSRP Active multi-layer switch, the standby HSRP peer takes over as the default router
• Eventually, access switch B removes blocking on the link to the standby HSRP peer (with standard STP, this can take as long as 50 seconds)
• When STP/RSTP converges, the distribution nodes re-establish their HSRP relationship and the primary HSRP peer preempts
  • yet another convergence event

GC2020-2021Link between distribution nodes (cont.)

• The unexpected side effect is that the Access switch-A traffic goes through the Access switch-B to reach its default gateway

[Figure: the same topology (VLAN 2 on switch A and switch B, HSRP hellos, Core) after the failure, with traffic from switch A transiting switch B. Legend: root port, designated port, blocking port]

Link between distribution nodes (cont.)

• Best Practice Topology for Spanning VLANs Across Access Layer Switches: a L2 link between the distribution multilayer switches

[Figure: Core; two distribution multilayer switches joined by a L2 link; access switches carrying VLAN 20 and VLAN 30; Data Center with dual connected servers. Legend: root port, designated port, blocking port]

Daisy chaining dangers

• Black holes occur in the event of a link or device failure
• The standby HSRP peer can go active as it loses connectivity to its primary peer, forwarding traffic outbound for the devices that still have connectivity to it
• The primary HSRP peer remains active and also forwards outbound traffic for its half of the stack

[Figure: daisy-chained access switch stack in the telecommunication closet, each end of the chain attached to one distribution switch]

Daisy chaining dangers (cont.)

• A problem: return path traffic has a 50/50 chance of arriving on a distribution switch that does not have physical connectivity to the half of the stack where the traffic is destined
• Traffic is dropped when it arrives on the wrong distribution switch

Daisy chaining dangers (cont.)

• Provide alternate connectivity across the stack in the form of a loopback cable running from the top to the bottom of the stack

[Figure: daisy-chained stack in the telecommunication closet with a loopback cable from the top switch to the bottom switch]
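Added example (Python, not part of the slides): a small graph model of the daisy-chained stack discussed on the three slides above, dual-homed to two distribution switches. It computes which stack members each distribution switch can still reach after a stack cable breaks, and the share of return traffic that is black-holed when packets arrive with equal probability at either distribution switch, with and without the loopback cable. The node names (dA, dB, a1..an) and the failed link are constructed for this example.

```python
# Added example (not from the slides): a graph model of a daisy-chained access
# stack dual-homed to two distribution switches. It checks which stack members
# each distribution switch can still reach after a link failure inside the
# stack, with and without the loopback cable recommended on the slide.
# Node names (dA, dB, a1..an) are constructed for this example.
from collections import deque


def build_stack(n_members=4, loopback=False):
    """Adjacency for a stack a1-a2-...-an; dA attaches to a1, dB to an.
    With loopback=True a cable also joins a1 and an (top to bottom)."""
    adj = {}

    def link(u, v):
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)

    members = ["a%d" % i for i in range(1, n_members + 1)]
    for u, v in zip(members, members[1:]):
        link(u, v)
    link("dA", members[0])
    link("dB", members[-1])
    if loopback:
        link(members[0], members[-1])
    return adj


def reachable(adj, src, failed_links=()):
    """Breadth-first search from src, skipping failed links given as (u, v) pairs."""
    failed = {frozenset(l) for l in failed_links}
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v in seen or frozenset((u, v)) in failed:
                continue
            seen.add(v)
            queue.append(v)
    return seen


def unreachable_members(adj, failed_links=()):
    """Stack members each distribution switch can no longer reach: return
    traffic that arrives at that switch for those members is black-holed."""
    members = {n for n in adj if n.startswith("a")}
    return {d: sorted(members - reachable(adj, d, failed_links))
            for d in ("dA", "dB")}


def return_traffic_drop_fraction(adj, failed_links=()):
    """Fraction of return traffic dropped when each packet arrives with equal
    probability at dA or dB (the 50/50 situation described on the slide)."""
    lost = unreachable_members(adj, failed_links)
    n_members = sum(1 for n in adj if n.startswith("a"))
    return sum(len(v) for v in lost.values()) / (2 * n_members)


if __name__ == "__main__":
    failure = [("a2", "a3")]  # constructed: the stack cable between a2 and a3 breaks
    for lb in (False, True):
        stack = build_stack(4, loopback=lb)
        print("loopback" if lb else "no loopback",
              unreachable_members(stack, failure),
              return_traffic_drop_fraction(stack, failure))
```

With the cable between a2 and a3 broken, dA can no longer reach a3 and a4 and dB can no longer reach a1 and a2, so half of the return traffic is dropped; the loopback cable turns the chain into a ring and every member stays reachable from both distribution switches.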

Link Aggregation: IEEE 802.1AX

• Link Aggregation Control Protocol (LACP)
• It allows the bandwidth of redundant links to be aggregated and prevents a single point of failure
• Without this logical grouping, if there are L2 loops, STP/RSTP would place the redundant interface into blocking state to maintain a loop-free topology

[Figure: two switches joined by parallel links grouped by LACP]

Oversubscription and QoS

• Typical campus networks are engineered with oversubscription
• The rule-of-thumb recommendation for oversubscription is a 20:1 ratio for access ports on the access-to-distribution uplink, a 4:1 ratio for the distribution-to-core links, and a 1:1 ratio in the data center

Oversubscription and QoS (cont.)

• Using these oversubscription ratios, congestion on the uplinks occurs by design
• When congestion occurs, QoS is required to protect important traffic such as mission-critical data applications, voice, and video
• Additionally, you can use QoS to reduce the priority of unwanted traffic (Scavenger traffic class)
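Added example (Python, not part of the slides): a design check that computes the oversubscription ratio of each tier from port counts and speeds and compares it with the rule-of-thumb ratios quoted on the previous slide (20:1 access, 4:1 distribution, 1:1 data center), then chains the tiers into an end-to-end ratio. Port counts and speeds are constructed sample values.

```python
# Added example (not from the slides): checks a tiered campus design against
# the rule-of-thumb oversubscription ratios quoted on the slide (20:1 for the
# access-to-distribution uplink, 4:1 distribution-to-core, 1:1 data center).
# Port counts and speeds used below are constructed sample values.

RULE_OF_THUMB = {"access": 20.0, "distribution": 4.0, "data_center": 1.0}


def oversubscription_ratio(down_ports, down_gbps, uplinks, uplink_gbps):
    """Aggregate downstream bandwidth divided by aggregate uplink bandwidth
    (the N of an N:1 ratio)."""
    if uplinks <= 0 or uplink_gbps <= 0:
        raise ValueError("a tier needs at least one uplink with non-zero speed")
    return (down_ports * down_gbps) / (uplinks * uplink_gbps)


def check_tier(tier, down_ports, down_gbps, uplinks, uplink_gbps):
    """Return (ratio, within_rule) for one tier of the design."""
    ratio = oversubscription_ratio(down_ports, down_gbps, uplinks, uplink_gbps)
    return ratio, ratio <= RULE_OF_THUMB[tier]


def check_design(tiers):
    """tiers: list of (name, down_ports, down_gbps, uplinks, uplink_gbps) from
    the access layer upwards. Returns per-tier (ratio, within_rule), the
    end-to-end ratio and an overall verdict. The end-to-end ratio is the
    product of the per-tier ratios, assuming each tier's downstream ports
    are exactly the uplinks of the tier below it."""
    results, end_to_end, ok = {}, 1.0, True
    for name, *args in tiers:
        ratio, within = check_tier(name, *args)
        results[name] = (round(ratio, 2), within)
        end_to_end *= ratio
        ok = ok and within
    return results, round(end_to_end, 2), ok


if __name__ == "__main__":
    # Constructed design: 48 x 1 Gbps access ports with 2 x 10 Gbps uplinks;
    # 24 such access switches (48 x 10 Gbps) into a distribution pair with
    # 4 x 40 Gbps towards the core.
    print(check_design([("access", 48, 1, 2, 10),
                        ("distribution", 48, 10, 4, 40)]))
```

The first design stays within the rule at both tiers (2.4:1 and 3:1, 7.2:1 end to end); a single 1 Gbps uplink on a 48-port access switch (48:1) is flagged, as is a data center with 48 x 10 Gbps server ports behind 4 x 100 Gbps uplinks (1.2:1).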

References:

• Baldi, Nicoletti, SWITCHED LAN, McGraw-Hill
• Campus Network for High Availability Design Guide (Cisco Systems)

An example of a high availability academic network design

Scenario

[Figure: Faculty of Engineering, Faculty of Science, Faculty of Law and Administration Office sites, connected to the Internet]

General architecture

[Figure: CAMPUS 1, CAMPUS 2 and CAMPUS 3, each with a CE router, interconnected through an MPLS MAN; Data Center, DMZ and Internet]

• Simplified architecture (the redundancy is not shown)

Logical architecture of the main campus

[Figure: Core, Distribution and Access layers serving Building 1 to Building 4; Data Center and DMZ; Internet Edge with VPN concentrator towards INTERNET (GARR); MAN Edge with CE router towards the MPLS MAN and the other campuses]

Logical architecture in the building 1 of the campus 1

[Figure: Internet Edge with VPN concentrator towards INTERNET (GARR); DMZ and Data Center hosting STREAMING, DNS, MAIL, WEB, APPLICATION, DHCP, RADIUS, SIP GATEWAY (to the PSTN), MAIL FILTER, MANAGEMENT and DB, each zone monitored by a NIDS; MAN Edge with CE router towards the MPLS MAN and the other campuses; links to the other buildings in the campus]

Wireless network architecture

[Figure: WLAN Controller and APs in Building 1 to Building 4; Data Center; Internet Edge towards INTERNET (GARR); MAN Edge towards the MPLS MAN and the other campuses]

Data center evolution

Traditional three-tier data center (DC) design

• Servers are segmented into pods and virtualized into sets of virtual machines (VMs)
• VLANs are configured within each pod (multitenancy), and virtual machines (VMs) can move freely within the pod without the need to change IP address and default gateway configurations
• STP is used in the L2 part of the network, so that parallel forwarding paths cannot be used

DC design with extended layer 2 domain

• With layer 2 segments extended across all the pods, the DC administrator can create a more flexible resource pool that can be reallocated based on needs (elasticity of cloud computing)
• Virtual link-aggregation techniques allow the limitations of STP to be overcome, providing active-active uplinks
  • vPC (virtual Port-Channel) can provide only two active parallel links

Limitations of a three-tier DC architecture

• With virtualized servers, applications are increasingly deployed in a distributed fashion, which leads to large and ever increasing “machine-to-machine” traffic (east-west traffic)
• In a modern DC this type of traffic is several orders of magnitude larger than what goes out to the Internet
• The job of a DC network (DCN) is to interconnect servers in a way that maximizes the bandwidth between any two servers (bisection bandwidth), while minimizing the latency between them
• In a three-tier DCN
  • bisection bandwidth becomes a bottleneck
  • server-to-server latency depends on the traffic path used

Spine and leaf topology

• A Clos network-based spine-and-leaf architecture delivers high-bandwidth, low and predictable latency, nonblocking server-to-server connectivity
• Expanding capacity is straightforward: an additional spine switch can be added
• If device port capacity becomes a concern, a new leaf switch can be added

[Figure: spine and leaf switches, fully connected (every leaf attached to every spine)]

VXLAN tunneling technology (RFC 7348)

• VXLAN (Virtual eXtensible LAN) is an extension to VLAN and has become the mainstream technology for constructing DC networks
• VXLAN can meet the requirements of dynamic VM migration and multi-tenancy in DC networks
• VXLAN encapsulates layer-2 Ethernet frames into UDP packets and transports the encapsulated packets over an IP network using the normal IP routing and forwarding mechanisms (thus, VXLAN builds a logical L2 overlay network over a L3 underlay network)

[Figure: the DCN seen as a single Layer 2 virtual switch]

VXLAN tunneling technology (cont.)

• VXLAN virtualizes the DC network into a large layer 2 virtual switch, which isolates traffic between the VXLAN segments
• When a VM is migrated within the same VXLAN segment, its IP address does not need to be changed
• Each VXLAN segment is identified by a 24-bit VXLAN network identifier (VNI), which is similar to a VLAN ID
• A maximum of 16M VXLAN segments are supported (and so, 16M tenants)

VXLAN packet format

• A VXLAN tunnel endpoint (VTEP) encapsulates the original Ethernet frame
• The VNI is added to a VXLAN header
• Outer Src. IP is the IP address of the VTEP connected to the source VM
• Outer Dst. IP is the IP address of the VTEP connected to the destination VM

VXLAN packet format (cont.)

• In the figure, a tunnel is established between two top of rack (TOR) switches

[Figure: VXLAN packet format, with the tunnel between two TOR switches acting as VTEPs]
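Added example (Python, standard library only; not part of the slides or of RFC 7348): it builds the encapsulation described on the two VXLAN packet format slides, outer IPv4 header, UDP header, 8-byte VXLAN header carrying the VNI, then the inner Ethernet frame, and parses the packet back while validating the outer headers. The VTEP addresses (192.0.2.x), MAC addresses and payload are constructed values; the outer Ethernet header is left out because its MACs depend on the underlay next hop.

```python
# Added example (not from the slides or RFC 7348 itself): build and parse the
# VXLAN encapsulation described above with the standard library only.
# Outer IPv4 + UDP + 8-byte VXLAN header + inner Ethernet frame; the outer
# Ethernet header (next-hop MACs of the underlay) is left out.
# VTEP addresses, MACs and payload are constructed sample values.
import socket
import struct
import zlib

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08        # "I" flag: a valid VNI is present
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Minimal inner Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header):
    """RFC 791 header checksum; a valid header (checksum included) yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=IPPROTO_UDP, ttl=64):
    """20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def vxlan_header(vni):
    """flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def vxlan_encapsulate(inner_frame, vni, vtep_src, vtep_dst):
    """Encapsulate inner_frame for tunnelling from vtep_src to vtep_dst.
    The UDP source port is derived from the inner headers (as RFC 7348
    recommends) so the underlay can spread tunnelled flows over ECMP paths;
    the UDP checksum is left at zero, which RFC 7348 permits over IPv4."""
    src_port = 49152 + zlib.crc32(inner_frame[:14]) % 16384   # ephemeral range
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    return ipv4_header(vtep_src, vtep_dst, udp_len) + udp + vx + inner_frame


def vxlan_decapsulate(packet):
    """Validate the outer headers and return VTEP addresses, VNI and inner frame."""
    ihl = (packet[0] & 0x0F) * 4
    ip = packet[:ihl]
    if packet[0] >> 4 != 4 or ipv4_checksum(ip) != 0:
        raise ValueError("bad outer IPv4 header")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("outer protocol is not UDP")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    flags_word, vni_word = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return {
        "outer_src": socket.inet_ntoa(ip[12:16]),
        "outer_dst": socket.inet_ntoa(ip[16:20]),
        "udp_src_port": src_port,
        "vni": vni_word >> 8,
        "inner": packet[ihl + 16:ihl + udp_len],
    }
```

A receiving VTEP that skips the checks in vxlan_decapsulate will happily accept a frame injected into any VNI by anyone who can reach UDP port 4789 on it, which is why the underlay should only carry VXLAN between the VTEPs themselves; the hash-derived source port is what lets the equal-cost paths discussed earlier in the deck share the tunnel traffic.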

MP-BGP-EVPN (RFC 7432)

• MP-BGP-EVPN: Multiprotocol BGP Ethernet VPN
• RFC 7348 did not define any control plane for VXLAN
  • VXLAN tunnels are manually configured
  • host addresses are learned through multicast-based traffic flooding (each VNI is mapped to an IP multicast group)
  • Ingress replication feature (introduced for organizations that do not want to enable multicast in their data centers or WANs): the VTEP uses a list of IP addresses of other VTEPs to send broadcast, unknown unicast, and multicast traffic (BUM traffic)
• RFC 7432 specifies MP-BGP-EVPN as the control plane of VXLAN
  • VTEPs can be automatically discovered and VXLAN tunnels can be automatically established
  • Each VTEP performs local learning to obtain MAC addresses (traditional MAC address learning) and IP address information from its locally attached hosts
  • The VTEP then distributes this information to other VTEPs through MP-BGP-EVPN
  • Flooding traffic is reduced on the network
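Added example (Python, not part of the slides or of RFC 7432): a toy model of the two behaviours contrasted on the slide above. Each VTEP learns MAC/IP bindings from its attached hosts; with the control plane switched on it distributes them to its peers so that later frames are tunnelled to one VTEP and ARP requests can be answered locally, while without it every unknown destination is replicated to the whole ingress replication list. VTEP addresses, MACs and host IPs are constructed values, and the advertisement is a direct method call standing in for a BGP EVPN route.

```python
# Added example (not from the slides or RFC 7432): a toy model of how VTEPs
# handle unknown destinations with flood-and-learn (RFC 7348 only) versus an
# EVPN-style control plane that distributes locally learned MAC/IP bindings.
# VTEP addresses, MACs and host IPs are constructed sample values; the
# "route" exchanged between VTEPs is a plain method call, not real BGP.


class Vtep:
    def __init__(self, ip, vni, evpn):
        self.ip = ip
        self.vni = vni
        self.evpn = evpn            # True: advertise bindings to peers (MAC/IP routes)
        self.peers = []             # other VTEPs in this VNI (ingress replication list)
        self.local = {}             # MAC -> host IP, learned from attached hosts
        self.remote = {}            # MAC -> (remote VTEP IP, host IP), from advertisements
        self.stats = {"unicast": 0, "flooded": 0, "arp_suppressed": 0}

    def learn_local(self, mac, host_ip):
        """Local learning from an attached host; with EVPN the binding is
        distributed to every peer instead of waiting for flooded traffic."""
        self.local[mac] = host_ip
        if self.evpn:
            for peer in self.peers:
                peer.receive_route(mac, host_ip, self.ip)

    def receive_route(self, mac, host_ip, origin_vtep):
        """Install a MAC/IP advertisement received from another VTEP."""
        if origin_vtep != self.ip:
            self.remote[mac] = (origin_vtep, host_ip)

    def forward(self, dst_mac):
        """VTEP IPs that a frame for dst_mac is tunnelled to (empty: local host)."""
        if dst_mac in self.local:
            return []
        if dst_mac in self.remote:
            self.stats["unicast"] += 1
            return [self.remote[dst_mac][0]]
        # Unknown destination: BUM traffic, replicated to every peer VTEP
        self.stats["flooded"] += 1
        return [peer.ip for peer in self.peers]

    def arp_lookup(self, host_ip):
        """Answer an ARP request from the bindings already known through EVPN,
        so the broadcast does not have to be flooded into the fabric."""
        for mac, (_, ip) in self.remote.items():
            if ip == host_ip:
                self.stats["arp_suppressed"] += 1
                return mac
        for mac, ip in self.local.items():
            if ip == host_ip:
                return mac
        return None


def build_fabric(vni, vtep_ips, evpn=True):
    """Full mesh of VTEPs in one VNI, keyed by VTEP IP."""
    vteps = [Vtep(ip, vni, evpn) for ip in vtep_ips]
    for v in vteps:
        v.peers = [o for o in vteps if o is not v]
    return {v.ip: v for v in vteps}
```

Running the same sequence (a host appears behind the second VTEP, the first VTEP then sends it a frame) against a fabric built with evpn=True and one with evpn=False shows the difference the slide describes: one tunnel destination versus a copy to every peer, and an ARP answer from the VTEP versus a flooded request.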

Layer 3 routing function with VXLAN

• When traffic needs to be routed, the Layer 3 gateway function needs to be enabled on some VTEPs
• The common designs used are internal and external routing on the spine layer, and internal and external routing on the leaf layer
  • Both designs provide centralized routing: the internal and external routing functions are centralized on specific switches of the DCN
• In case MP-BGP-EVPN is used, internal routing can be distributed: any VTEP in a VNI can be the distributed anycast gateway for hosts in its IP subnet, by supporting the same virtual gateway IP address and the virtual gateway MAC address.

Reference white papers for the topic “data center evolution”:

• “Cisco Data Center Spine-and-Leaf Architecture: Design Overview”, Cisco Systems, https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-737022.html
• “What is VXLAN”, HUAWEI Technologies, https://support.huawei.com/enterprise/it/doc/EDOC1100086966
• “EVPN-VXLAN CAMPUS FABRICS”, JUNIPER Networks

A bit of future

Software Defined Networking

• The explosion of mobile devices, server virtualization and the advent of cloud services are driving the networking industry to re-examine network architectures
• Modern traffic patterns are incredibly dynamic and, therefore, unpredictable
• To implement a network-wide policy (access, security, QoS, ...), IT operators may have to configure thousands of devices
  • Policies may be inconsistent
• Due to complexity, today’s networks are relatively static as many IT operators seek to minimize the risk of service disruption
• Software Defined Networking (SDN) is an emerging network architecture where the network’s control plane (brain) is decoupled from the forwarding plane (muscle)

Software Defined Networking (cont.)

• SDN provides for the implementation of the control plane to be open (and standards-based)
• The Open Networking Foundation (ONF) is the group that is most associated with the standardization and development of SDN
• Some important SDN use cases:
  • Dynamic QoS
  • Traffic engineering
  • Role based access
  • Load balancing services
  • Security services

Traditional approach: per-router control plane

[Figure: a router whose control plane runs the routing algorithm and whose data plane forwards packets (ports 1, 2, 3) on the values in the arriving packet header, e.g. 0111]

• Individual routing algorithm components in each and every router interact with each other in the control plane to compute forwarding tables

Control plane and data plane separation

• A logically centralized software program (Remote Controller) controls the behaviour of an entire network
• IT operators can program (and reprogram) the network in real time to meet specific business and user needs as they arise

[Figure: control plane functions (routing, access control, load balance, ...) run in a Remote Controller, external to the data plane of the packet switches; each packet switch hosts a Controller Agent (CA) and a local flow table of headers, counters and actions]

The OpenFlow protocol

• The Controller interacts with control agents (CAs) in packet switches to compute and distribute forwarding tables (called flow tables in SDN)
  • Examples of open source SDN controllers: OpenDaylight, ONOS
• OpenFlow structures communication between the Controller and the CAs
• The concept of flow is used to identify network traffic based on match rules programmed by the SDN control software
• The match-action paradigm
  • “Match” can be done on multiple header fields (up to 41) associated to different protocol layers
  • “Action” defines how traffic should be forwarded by the packet switch

OpenFlow: Flow Table Entries

Match rule (header fields)
  Link layer: Ingress Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN Pri
  Network layer: IP Src, IP Dst, IP Prot, IP TOS
  Transport layer: TCP/UDP Src port, TCP/UDP Dst port

Action
  1. Forward packet to port(s)
  2. Encapsulate and forward to controller
  3. Drop packet
  4. Modify Fields

Stats
  Packet + byte counters

OpenFlow example

[Figure: switches s1, s2 and s3 (ports 1 to 4 each) under a controller; hosts h1 10.1.0.1 and h2 10.1.0.2, h3 10.2.0.3 and h4 10.2.0.4, h5 10.3.0.5 and h6 10.3.0.6]

Example: IP datagrams from hosts h5 and h6 should be sent to h3 or h4, via s1 and from there to s2

Flow table at s3
  match: IP Src = 10.3.*.*, IP Dst = 10.2.*.*  ->  action: forward(3)

Flow table at s1
  match: ingress port = 1, IP Src = 10.3.*.*, IP Dst = 10.2.*.*  ->  action: forward(4)

Flow table at s2
  match: ingress port = 2, IP Dst = 10.2.0.3  ->  action: forward(3)
  match: ingress port = 2, IP Dst = 10.2.0.4  ->  action: forward(4)
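Added example (Python, not part of the slides or of Kurose and Ross): a small flow-table interpreter that implements the match-action lookup described on the Flow Table Entries slide, loads the three tables of the example above, keeps the per-entry packet and byte counters, and follows a datagram from h5 switch by switch. The inter-switch links (s3 port 3 to s1 port 1, s1 port 4 to s2 port 2) are an assumption read off the ingress ports in the slide's rules, and sending a table miss to the controller is the OpenFlow 1.0 default, also assumed here.

```python
# Added example (not from the slides or Kurose & Ross): a small flow-table
# interpreter that applies the slide's match-action rules for s1, s2 and s3
# and follows a datagram hop by hop. The inter-switch links (s3 port 3 to
# s1 port 1, s1 port 4 to s2 port 2) are assumed from the ingress ports in
# the slide's rules; sending a table miss to the controller is the
# OpenFlow 1.0 default and is an assumption of this model.


def field_matches(rule_value, packet_value):
    """Exact match, or dotted-quad wildcard such as 10.3.*.*."""
    if isinstance(rule_value, str) and "*" in rule_value:
        rule_parts = rule_value.split(".")
        pkt_parts = str(packet_value).split(".")
        return len(rule_parts) == len(pkt_parts) and all(
            r == "*" or r == p for r, p in zip(rule_parts, pkt_parts))
    return rule_value == packet_value


class FlowEntry:
    def __init__(self, match, action, priority=0):
        self.match = match          # {"ingress_port": 1, "ip_src": "10.3.*.*", ...}
        self.action = action        # ("forward", port) | ("drop",) | ("controller",)
        self.priority = priority
        self.packets = 0            # stats: packet and byte counters
        self.bytes = 0

    def matches(self, pkt):
        return all(field_matches(v, pkt.get(k)) for k, v in self.match.items())


class FlowTable:
    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, match, action, priority=0):
        self.entries.append(FlowEntry(match, action, priority))
        self.entries.sort(key=lambda e: -e.priority)   # highest priority first

    def lookup(self, pkt):
        """Return the action of the first matching entry and update its stats."""
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes += pkt.get("length", 0)
                return entry.action
        return ("controller",)      # table miss: encapsulate and send to controller


def slide_tables():
    """The three flow tables shown on the slide."""
    s1, s2, s3 = FlowTable("s1"), FlowTable("s2"), FlowTable("s3")
    s3.add({"ip_src": "10.3.*.*", "ip_dst": "10.2.*.*"}, ("forward", 3))
    s1.add({"ingress_port": 1, "ip_src": "10.3.*.*", "ip_dst": "10.2.*.*"}, ("forward", 4))
    s2.add({"ingress_port": 2, "ip_dst": "10.2.0.3"}, ("forward", 3))
    s2.add({"ingress_port": 2, "ip_dst": "10.2.0.4"}, ("forward", 4))
    return {"s1": s1, "s2": s2, "s3": s3}


# (switch, output port) -> (next switch, its ingress port); assumed topology
LINKS = {("s3", 3): ("s1", 1), ("s1", 4): ("s2", 2)}


def trace(tables, links, first_switch, pkt, max_hops=8):
    """Follow a packet through the switches; returns [(switch, action), ...]."""
    path, switch = [], first_switch
    for _ in range(max_hops):
        action = tables[switch].lookup(pkt)
        path.append((switch, action))
        if action[0] != "forward":
            break
        hop = links.get((switch, action[1]))
        if hop is None:            # edge port: delivered to an attached host
            break
        switch = hop[0]
        pkt = dict(pkt, ingress_port=hop[1])
    return path


if __name__ == "__main__":
    tables = slide_tables()
    datagram = {"ingress_port": 1, "ip_src": "10.3.0.5", "ip_dst": "10.2.0.3", "length": 100}
    print(trace(tables, LINKS, "s3", datagram))
```

A datagram from h5 to h3 is forwarded out port 3 of s3, port 4 of s1 and port 3 of s2, exactly the path the slide asks for; a datagram from h1 towards h3 entering s1 on another port matches nothing and is handed to the controller, which is the behaviour an operator has to account for when the tables only describe the flows they expect.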

References for the topic “SDN”:

• J. Kurose and K.W. Ross, “Computer Networking. A Top-Down Approach”, seventh edition, Pearson

Intent-based networking

• Future networks will operate as a system with increasing levels of autonomy
• The key to achieving this more autonomous state will be artificial intelligence
• An Intent-based network (IBN) will be able to take a business requirement communicated in natural language
  • A human operator defines “what” is expected
• The IBN will automatically translate business requirements into network requirements and, then, compute a solution meeting the requirements
• So, an IBN will be able to align the network continuously and dynamically to changing business needs

Learning outcomes

After the course the student should

• understand the main issues regarding the operation of a modern computer network and how they could be addressed in order to ensure appropriate delivery of the application services
• know the technologies to be considered in designing a modern computer network and, particularly, understand how they address the aforementioned issues
• know what techniques can be adopted to model and analytically evaluate performance, reliability and availability of network systems