Campus NetworkBest Practices:

Core and Edge NetworksCore and Edge NetworksDale Smith

University of Oregon/NSRCdsmith@uoregon.edu

This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be freely copied, modified, and otherwise re-used on the condition that any re-use acknowledge the NSRC as the original source.

Campus Network Rules Minimize number of network devices in any path Use standard solutions for common situations Build Separate Core and Edge Networks Provide services near the core Separate border routers from core Provide opportunities to firewall and shape

network traffic

Core versus Edge Core network is the core of your network

Needs to have reliable power and air conditioning

May have multiple cores Always route in the core

Edge is toward the edges of your network Provide service inside of individual buildings

to individual computers Always switch at the edge

Minimize Number of Network Devices in the Path

Build star networks

Not daisy chained networks

Edge Networks (Layer 2 LANs) Provides Service to end users Each of these networks will be an IP

subnet Plan for no more than 250 Computers at

maximum maximum Should be one of these for every

reasonable sized building This network should only be switched Always buy switches that are managed

no unmanaged switches!

Edge Networks

Make every network look like this:

Fiber link to core router

Edge Networks Continued Build Edge network incrementally as you

have demand and money Start Small:

Fiber link to core router

Edge Networks Continued Then as you need to add machines to the

network, add a switch to get this:Fiber link to core router

Edge Networks Continued And keep adding switches to get to the

final configurationFiber link to core router

Edge Networks Continued And keep adding switches to get to the

final configurationFiber link to core router

Edge Networks Continued Resist the urge to save money by breaking this

model and daisy chaining networks or buildings together

Try hard not to do this:Fiber link to core router

Link to

Link to adjacent building

Link to another building

Edge Networks Continued There are cases where you can serve multiple

small buildings with one subnet. Do it carefully. Two basic models:

Switch in core location

Fiber link to core router

Copper or fiber link to core router

location

Cat5e or fiber

core router

Cat5e or fiber

Fiber circuits to small buildings

Selected Layer 2 Topics Collision versus Broadcast Domain VLANs ARP how it works DHCP - How it works DHCP - How it works Spanning Tree Link Aggregation Failure modes

100 Mbs and Gigabit Duplex mismatch

Collision vs. Broadcast Domain Similar issues affects performance of

LAN Hubs (Repeaters)

Every packet goes to every port, irrespective Every packet goes to every port, irrespective of destination of packet

Every port is half duplex Can only be one packet in transit two

transmitters = Collision

Collision vs. Broadcast Domain

Hub Hub

Hubs/Repeaters

Only One Packet at a time Every packet (even unicast) goes to every port

Collision vs. Broadcast Domain

Hub Hub Collision

Hubs/Repeaters

Two Transmitters = Collision

Collision vs. Broadcast Domain Switches

Switches learn where hosts are eavesdropping on traffic and building a forwarding table

Switches forward packets to correct port Switches forward packets to correct port Can only be many packets in transit Broadcasts must go to all ports

Collision vs. Broadcast Domain

Switch Switch

Switches

Many packets can be in flight store and forward Unicast Packets go to intended destination

Collision vs. Broadcast Domain

Switch Switch

Switches

Broadcasts go to all ports (notice this looks like the hubs picture some slides ago)

Collision vs. Broadcast Domain

Switch Switch

Switches

Switches need to know about multicast

VLANs Virtual LANs reduce scope of broadcast

domain and separate traffic Tagging identifying the VLAN

associated with a packet. Ports are associated with a packet. Ports are configured as Tagged or untagged.

Trunking Carrying traffic for multiple VLANs on a single link. Must use tagging.

VLANs Tagging on Trunks must tag

Single link carrying 3 VLANS

ARP Address Resolution Protocol Builds a mapping of IP address to

Ethernet Address ARP Protocol ARP Protocol

Broadcast ARP Request (who has this IP?) Owner of IP address in ARP Request issues

ARP reply Pathology: anyone can issue an ARP

reply at any time

ARP

10.0.0.100:00:11:00:00:aa

10.0.0.200:00:11:00:00:bb

10.0.0.300:00:11:00:00:cc

DHCP Dynamic Host Configuration Protocol Used to assign IP address and provide basic

IP configuration to a host. Simple protocol

Client broadcasts a DHCP DISCOVER Client broadcasts a DHCP DISCOVER Server(s) unicast back a DHCP OFFER Client selects an offer and sends a REQUEST Server sends back a DHCP ACK to client

Managed switches can block rogue DHCP

Spanning Tree Eliminates loops in Layer 2 networks Several flavors

Original Spanning Tree 802.1D Rapid Spanning Tree (RSTP) 802.1w Rapid Spanning Tree (RSTP) 802.1w Multiple Spanning Tree (MSTP) 802.1s and

802.1Q-2003 Modern managed switches can do all of

the above Lots of discussion about this Tuesday

Link Aggregation Bonds multiple channels together to

provide more bandwidth Issues:

Compatibility Compatibility How traffic is scheduled

3 separate links aggregated as one

Failure Modes ARP spoofing Loops in your network Rogue DHCP servers Duplex mis-match Duplex mis-match

100Mbs late collisions and CRC 1000Mbs cant establish link

Need managed switches to correct these

Core Network

Routing versus SwitchingLayer 2 versus Layer 3

Routers provide more isolation between devices (they stop broadcasts)

Routing is more complicated, but also more sophisticated and can make more more sophisticated and can make more efficient use of the network, particularly if there are redundancy elements such as loops

Switching versus RoutingThese links must be routed, not switched

Core Network Reliability is the key

remember many users and possibly your whole network relies on the core May have one or more network core locations Core location must have reliable power

UPS battery backup (redundant UPS as your network evolves) Generator

Core location must have reliable air conditioning As your network evolves, core equipment should be equipped with As your network evolves, core equipment should be equipped with

dual power supplies, each powered from separate UPS Border routers separate from Core Firewalls and Traffic Shaping Devices Intrusion Detection Intrusion Prevention Network Address Translation

Core Network At the core of your network should be routers you must

route, not switch. Routers give isolation between subnets A simple core:

Border Router Firewall/ Traffic Shaper Core Router All router interfaces on a interfaces on a separate subnet

Central Servers for campus

Fiber optic links to remote buildings

Where to put Servers? Servers should be on a high speed interface off of your

core router Servers should be at your core location where there is

good power and air conditioningBorder Router Firewall/ Traffic Shaper Core Router All router

interfaces on a interfaces on a separate subnet

Fiber optic links to remote buildings

Serversin core

Border Router Connects to outside world RENs and Peering are the reason you need

them Must get Provider Independent IP address

space to really make this work rightspace to really make this work right

CampusNetwork

RENInternet

Exchange

Putting it all TogetherBorder Router

Core Router

REN switch

Firewall/Traffic Shaper

Fiber Optic Links Fiber Optic Links

Core Servers

Notes on IP Addressing Get your own Public IP address space (get

your V6 block when you get your V4 one) Make subnet IP space large enough for

growthgrowth Use DHCP to assign addresses to

individual PCs Use static addressing for switches,

printers, and servers

More Complex Core Designs One Armed Router for Core

Core Router

VLAN Trunk carrying all subnets

Core Switch

Fiber Optic Links Fiber Optic Links

Core Servers

Complex Core Designs

Border Router Firewall/Traffic Shaper

Multiple Core Routers

Core RouterCore Router Fiber Links to remote buildings

Local Internet exchange switch

Core Switch

Alternative Core Designs Wireless Links versus Fiber

Border Router

Core REN switch

Firewall/Traffic Shaper

Core Router

Fiber Optic Links

Wireless Links

Core Servers

Layer 2 and 3 Summary Route in the core Switch at the edge Build star networks dont daisy chain Buy only managed switches re-purpose Buy only managed switches re-purpose

your old unmanaged switches for labs

Questions?Questions?

This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be freely copied, modified, and otherwise re-used on the condition that any re-use acknowledge the

NSRC as the original source.

Symbols to use for diagrams