Campus Network Hierarchical Design

Over time, the hierarchical approach to network design has proven to be the most effective. The goal in designing a campus network is to divide buildings, floors, workgroups, and server farms into different layer 3 groups so that a network fault cannot affect a large part of the network. The layers in a hierarchical design are:



  • Core: The core is the central thoroughfare for corporate traffic. All other parts of the network eventually feed into the core. You should design the core to switch packets as quickly as possible. This level should not include operations that might slow the switching of packets; the distribution layer should handle any packet manipulation or filtering that needs to occur.


  • Distribution: The distribution layer should provide policy-based connectivity between the access layer and the core layer. It is at this layer that packets should be filtered or manipulated. Therefore, as packets are routed to the core, the core simply needs to switch them quickly to the destination distribution location.


  • Access: The access layer provides user access to the network. It is at this point that users are permitted (or denied) access into the corporate network. Typically, each person sitting at a desk has a cable that runs to a wiring closet and connects to a switch; hence, this level is where the user accesses the network.






When correctly designed, a campus network can enhance business efficiency and lower operational cost. Additionally, a properly designed network can position a business for future growth. A modular or hierarchical network is made from building blocks that are easier to replicate, redesign, and grow. Each time a module is added or removed, there shouldn't be a need to redesign the whole network. Distinct blocks can be put into and taken out of service without impacting other blocks or the network core. This greatly simplifies troubleshooting, problem isolation, and network management.




Campus Design Best Practices




  • Redundancy: redundancy is key to a highly available network. However, too much redundancy can actually make a network worse: it slows convergence and makes the network harder to troubleshoot and manage.



  • High availability: this refers to the ability of the network to recover from failures. High availability should be designed in at many layers.

    • Layer 1: Redundant links and hardware provide alternative physical paths through the network.

    • Layers 2 and 3: Protocols such as spanning tree, HSRP, and others provide alternative path awareness and fast convergence.

    • Application availability: The application server and client processes must support failover for maximum availability.





  • Oversubscription: oversubscription occurs when there are more traffic-generating endpoints than the network can accommodate at one time. QoS should be used to ensure that real-time traffic such as voice and video, or critical data such as SAP traffic, is not dropped or delayed.






OSPF Packet Types

There are five OSPF packet types. The following figure and list describe each of them:





  1. Hello - Hello packets are used to establish and maintain adjacency with other OSPF routers. The hello protocol is discussed in detail in the next topic.


  2. DBD - The Database Description (DBD) packet contains an abbreviated list of the sending router's link-state database and is used by receiving routers to check against the local link-state database.


  3. LSR - Receiving routers can then request more information about any entry in the DBD by sending a Link-State Request (LSR).


  4. LSU - Link-State Update (LSU) packets are used to reply to LSRs as well as to announce new information. LSUs contain seven different types of Link-State Advertisements (LSAs).


  5. LSAck - When an LSU is received, the router sends a Link-State Acknowledgement (LSAck) to confirm receipt of the LSU.



OSPF packet Type 1 is the OSPF Hello packet. Hello packets are used to:

  • Discover OSPF neighbors and establish neighbor adjacencies.

  • Advertise parameters on which two routers must agree to become neighbors.

  • Elect the Designated Router (DR) and Backup Designated Router (BDR) on multiaccess networks like Ethernet and Frame Relay.
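The parameter agreement the last bullet describes is what a receiving router checks in every Hello it gets. The following is an added example (not code from the original post) that builds and parses OSPFv2 Hello packets following the RFC 2328 field layout (24-byte common header, then the Hello body), verifies the packet checksum, and reports which Hello parameters two routers disagree on. The router IDs, addresses and timers are constructed for the example.

```python
"""Added example: build/parse OSPFv2 Hello packets and check neighbor
compatibility.  Layout per RFC 2328; sample values are constructed."""
import struct
from ipaddress import IPv4Address

# version, type, length, router id, area id, checksum, autype, authentication
HEADER_FMT = "!BBH4s4sHH8s"
# netmask, hello interval, options, router priority, dead interval, DR, BDR
HELLO_FMT = "!4sHBBI4s4s"
OSPF_HELLO = 1          # packet type 1


def ospf_checksum(packet: bytes) -> int:
    """Internet checksum over the packet, excluding the 8-byte authentication
    field (bytes 16..23), which is what RFC 2328 specifies for AuType 0."""
    data = packet[:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, netmask, hello=10, dead=40, priority=1,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=(), options=0x02):
    """Return a complete Hello packet with a valid checksum (options 0x02 = E-bit set)."""
    body = struct.pack(HELLO_FMT, IPv4Address(netmask).packed, hello, options, priority,
                       dead, IPv4Address(dr).packed, IPv4Address(bdr).packed)
    body += b"".join(IPv4Address(n).packed for n in neighbors)
    length = struct.calcsize(HEADER_FMT) + len(body)
    header = struct.pack(HEADER_FMT, 2, OSPF_HELLO, length, IPv4Address(router_id).packed,
                         IPv4Address(area_id).packed, 0, 0, b"\x00" * 8)
    csum = ospf_checksum(header + body)
    header = header[:12] + struct.pack("!H", csum) + header[14:]   # checksum sits at bytes 12..13
    return header + body


def parse_hello(packet: bytes) -> dict:
    """Parse a Hello packet; reject wrong version/type/length or a bad checksum."""
    ver, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack(HEADER_FMT, packet[:24])
    if ver != 2 or ptype != OSPF_HELLO or length != len(packet):
        raise ValueError("not an OSPFv2 Hello packet")
    if ospf_checksum(packet) != 0:          # a packet carrying a correct checksum sums to zero
        raise ValueError("bad checksum")
    mask, hello, options, prio, dead, dr, bdr = struct.unpack(HELLO_FMT, packet[24:44])
    neighbors = [str(IPv4Address(packet[i:i + 4])) for i in range(44, length, 4)]
    return {"router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(aid)),
            "autype": autype, "netmask": str(IPv4Address(mask)), "hello": hello,
            "dead": dead, "options": options, "priority": prio,
            "dr": str(IPv4Address(dr)), "bdr": str(IPv4Address(bdr)), "neighbors": neighbors}


def is_valid_hello(packet: bytes) -> bool:
    try:
        parse_hello(packet)
        return True
    except (ValueError, struct.error):
        return False


def mismatches(a: dict, b: dict) -> list:
    """Parameters advertised in the Hello on which both routers must agree to become
    neighbors: area, authentication type, hello/dead timers, subnet mask, stub flag."""
    bad = [f for f in ("area_id", "autype", "hello", "dead", "netmask") if a[f] != b[f]]
    if (a["options"] & 0x02) != (b["options"] & 0x02):   # E-bit: stub vs. non-stub area
        bad.append("stub flag")
    return bad


if __name__ == "__main__":
    r1 = parse_hello(build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", neighbors=("2.2.2.2",)))
    r2 = parse_hello(build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", hello=30, dead=120))
    print("neighbors seen by 1.1.1.1:", r1["neighbors"])
    print("disagreements:", mismatches(r1, r2))
```

A mismatched timer pair is the classic reason two routers sit in a one-way or "no adjacency" state while the links look fine; comparing the decoded fields side by side, as `mismatches` does, is quicker than eyeballing two debug outputs.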




Inside a Router

A router is a computer. Like a PC, a router includes a CPU, RAM, and ROM. The components in a router are:

  • Central Processing Unit (CPU). The CPU executes operating system instructions, such as system initialization, routing functions, and switching functions.

  • Random-Access Memory (RAM). RAM is volatile memory: it loses its content when the router is powered down or restarted. RAM stores the instructions and data that the CPU executes. RAM is used to store these components:

    • Operating System: the Cisco IOS is copied into RAM during bootup.

    • Running Configuration File: this file stores the configuration commands that the router is currently using. With few exceptions, configuration commands are stored directly in the running configuration, known as running-config.

    • IP Routing Table: this file stores information about directly connected and remote networks. It is used to determine the best path on which to forward a packet.

    • ARP Cache: similar to the ARP cache on a PC, this contains the IPv4-address-to-MAC-address mappings. It is used on routers that have LAN interfaces such as Ethernet.

    • Packet Buffer: packets are temporarily stored in a buffer when received on an interface or before they exit an interface.


  • Read-Only Memory (ROM). ROM does not lose its content when the router is powered down or restarted. Cisco devices use ROM to store the bootstrap instructions, basic diagnostic software, and a scaled-down version of IOS. ROM holds firmware, which is software embedded inside the integrated circuit (firmware includes software that does not normally need to be modified or upgraded, such as the bootup instructions).

  • Flash Memory. Flash is nonvolatile computer memory that can be electrically stored or erased. Flash is used to store the router operating system, Cisco IOS. The IOS is copied to RAM during the bootup process, where it can be executed by the CPU (some older routers run the IOS directly from flash). Flash consists of SIMMs and PCMCIA cards, which can be upgraded to increase the amount of flash memory.

  • Nonvolatile RAM (NVRAM). Unlike most kinds of RAM, NVRAM does not lose its content when power is turned off. Cisco IOS uses this permanent storage to store the startup configuration file (startup-config). To preserve changes made to the router in case it is powered down or restarted, the running-config must be copied to NVRAM as the startup-config.


Router boot-up process
There are four major phases to the bootup process:

  • Performing the Power-On Self Test (POST). POST is a common process done by almost every computer during bootup. When the router is powered on, software on the ROM chip performs POST to test the router hardware. During this process, the router executes diagnostics from ROM on several hardware components, including the CPU, RAM, and NVRAM. After POST completes, the router executes the bootstrap program.

  • Loading the bootstrap program. After POST, the router copies the bootstrap program from ROM into RAM. Once in RAM, the CPU executes the instructions in the bootstrap program. The main purpose of the bootstrap program is to locate the Cisco IOS and load it into RAM. (At this point, if you have a console connection to the router, you will begin to see output.)

  • Locating and loading Cisco IOS. Usually the IOS is located in flash memory, but it can also be stored remotely, such as on a TFTP server (a TFTP server can be used as central storage for IOS images or as a backup server for IOS). If a full IOS image cannot be located, a scaled-down version of the IOS is copied from ROM into RAM. This version of IOS is used to help diagnose problems and can be used to load a complete version of the IOS into RAM. Once the IOS begins to load, you may see a string of pound signs (#) while the image decompresses.

  • Locating and loading the configuration file. After the IOS is loaded, the bootstrap program searches for the startup configuration file (startup-config) in NVRAM. If the file exists, it is copied into RAM as the running configuration file (running-config). If the file does not exist, the router may search for a TFTP server: if the router detects that it has an active link to another configured router, it sends a broadcast searching for a configuration file across the active link. This condition will cause the router to pause. If the startup configuration file cannot be located, the router prompts the user to enter setup mode. Setup mode is a series of questions prompting the user for basic configuration information (setup mode is not meant for entering complex configurations and is not commonly used by network administrators). You can terminate the setup process by pressing Ctrl-C at any time. If setup mode is not used, the IOS creates a default running-config. This is a basic configuration file that does not contain any interface addresses, routing information, passwords, or other specific configuration information.




PIX

Some PIX series: 501, 515, 535, 506e
Firewall Services Module (FWSM)
The PIX firewall doesn't run IOS.

Most PIX models come with only two interfaces, but some can be expanded to have more. Interfaces in a PIX must have a physical name, a logical name, and a priority (security level). The priority can be set to a value between 0 and 100. An interface with a lower priority cannot send packets to an interface with a higher priority.

Default physical names:
E0
E1
Default logical names:
E0 -> outside
E1 -> inside
Default priorities:
E0 -> 0
E1 -> 100


A DMZ (demilitarized zone) is an area/segment of your network that is accessible from your inner network and also from the internet (servers that should be accessible from the internet usually reside in this area). However, the DMZ cannot access your inner network (the DMZ's priority is set lower than the inside interface's).
The DMZ priority can be set higher than the outside interface's. To make a server in the DMZ accessible from outside, you can use NAT.

Failover: a pair of PIX can work together to provide redundancy. This works much the same way as HSRP. Each PIX in a failover pair must have exactly the same configuration. Changes you make to the active PIX are synchronized to the standby PIX, while changes to the standby PIX are not synchronized to the active PIX; however, you are not prevented from making changes to the standby PIX.
On a hardware PIX there is a failover port for connecting the device to its failover pair.

PIX also supports logging. When configuring the logging process you may want to configure the destination of the log (the monitor, a syslog server) and the logging level (each level gives a different amount of detail).


EtherChannel

EtherChannel is a way to combine several physical links into one logical link.


EtherChannel on Cisco layer 2 switches

EtherChannel doesn't really aggregate the maximum speed of the links. If a logical link consists of four 100 Mbps links, the maximum speed for a single communication is not 400 Mbps; it is still 100 Mbps. Cisco has an algorithm for determining which physical link a given flow will use; it can be configured to depend on:

  • source MAC address

  • destination MAC address

  • source and destination MAC address

  • source IP

  • destination IP

  • source and destination IP

  • source port

  • destination port

  • source and destination port


How we configure this usually depends on what the other end of the EtherChannel is.


Every link participating in an EtherChannel must have the same configuration (same VLAN/trunk settings, etc.).


There are two EtherChannel protocols:

  • Link Aggregation Control Protocol (LACP), defined by IEEE; used when connecting to non-Cisco devices.

  • Port Aggregation Control Protocol (PAgP), Cisco-proprietary; used when connecting to Cisco devices.


Each protocol has two modes: LACP -> passive, active; PAgP -> auto, desirable. The mode determines how the configured interface negotiates the EtherChannel (you may think of these modes as analogous to the modes in trunk negotiation).



Configuring EtherChannel is different in CatOS and in IOS. To establish an EtherChannel in IOS, first create a virtual EtherChannel interface (interface Port-channel number) and configure this interface (VLAN/trunk, etc.). Then configure the physical interfaces that will be part of the virtual EtherChannel interface ('channel-group number mode desirable|auto', entered at interface configuration level). Remember that all of the physical interfaces must have identical configuration.

Configuration in IOS


While in CatOS:

set port name 3/1 Link #1 in Channel
set port name 3/2 Link #2 in Channel
set port name 3/3 Link #3 in Channel
set port name 3/4 Link #4 in Channel

set vlan 20 3/1-4

set port channel 3/1-4 mode desirable
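The "identical configuration" requirement is easy to break when ports are added to a bundle one at a time. Below is an added example (not code from the original post) that reads an IOS-style running-config, groups physical interfaces by their channel-group number, and reports any member whose switchport settings or channel mode differ from the first member, plus any group whose Port-channel interface was never created. The configuration excerpt, interface names, VLAN numbers and group numbers are all constructed for the example.

```python
"""Added example: consistency check for EtherChannel members in an IOS-style
config.  The config text and all names in it are constructed."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
 channel-group 2 mode desirable
!
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access
 channel-group 2 mode auto
!
"""

# Per-interface settings that must match on every member of a bundle.  The
# "channel-group ... mode" line is compared separately so a mixed auto/desirable
# bundle is reported as its own problem.
COMPARED_PREFIXES = ("switchport", "speed", "duplex")


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:                       # "!" or any top-level line ends the stanza
            current = None
    return stanzas


def check_channel_groups(config: str) -> dict:
    """Return {channel-group number: [problem descriptions]}; [] means consistent."""
    stanzas = parse_interfaces(config)
    members = defaultdict(list)     # group -> [(ifname, mode, frozenset(compared lines))]
    for name, lines in stanzas.items():
        for line in lines:
            m = re.match(r"channel-group (\d+) mode (\S+)", line)
            if m:
                compared = frozenset(ln for ln in lines if ln.startswith(COMPARED_PREFIXES))
                members[int(m.group(1))].append((name, m.group(2), compared))
    report = {}
    for group, ifaces in sorted(members.items()):
        problems = []
        first_name, first_mode, first_cfg = ifaces[0]
        for name, mode, cfg in ifaces[1:]:
            if mode != first_mode:
                problems.append(f"{name} mode {mode} differs from {first_name} mode {first_mode}")
            for diff in sorted(cfg ^ first_cfg):   # lines present on only one of the two ports
                problems.append(f"{name} vs {first_name}: '{diff}' only on one side")
        if f"Port-channel{group}" not in stanzas:
            problems.append(f"interface Port-channel{group} is not defined")
        report[group] = problems
    return report


if __name__ == "__main__":
    for group, problems in check_channel_groups(SAMPLE_CONFIG).items():
        print(f"channel-group {group}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the sample, group 1 passes and group 2 is flagged three ways: the member modes differ, the access VLANs differ, and no Port-channel2 interface exists. The same check applied to the output of `show running-config` before bringing a bundle up catches the mismatches that otherwise surface as a port stuck in a suspended or individual state.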



VTP

Advantages of VTP:
  • dynamic trunk configuration when VLANs are added to the network

  • VLAN configuration consistency

  • dynamic reporting of added VLANs across a network



VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-range VLANs (IDs greater than 1005) are not supported by VTP.

Terminology
VTP domain: switches in the same VTP domain share the same VLAN configuration details using VTP advertisements. A router or layer 3 switch defines the boundary of a domain.

VTP modes: a switch can be configured in one of three modes:
  • Server: VTP servers advertise the VLAN configuration to other VTP-enabled switches in the same domain. VTP SERVERS STORE THE VLAN CONFIGURATION IN NVRAM. The server is where VLANs can be created, deleted, or renamed.

  • Client: functions the same way as a server, but clients cannot create, delete, or rename VLANs. Clients also only store the VLAN configuration while the switch is on.

  • Transparent: transparent switches don't participate in VTP. Transparent switches don't store VLANs advertised by servers; however, they do forward the VTP advertisements they receive. VLANs can be created, renamed, or deleted, but they are local to that switch only. In transparent mode, VLAN configurations are saved in NVRAM (but not advertised to other switches), so the configuration is available after a switch reload. This means that when a VTP transparent mode switch reboots, it does not revert to the default VTP server mode but remains in VTP transparent mode.




VTP pruning: VTP pruning stops packets from being sent over a trunk to a switch that does not have the VLAN the packets come from. This can save some bandwidth.
VTP revision number: each switch running VTP keeps track of a revision number. The revision number is 32 bits and starts from 0. The revision number determines whether the information received is more recent than the current one. Every time a change occurs (a VLAN is added or removed), the revision number is incremented. (A domain name change doesn't increment the revision number but resets it to 0.)
VTP Advertisements : VTP uses a hierarchy of advertisements to distribute and synchronize VLAN configurations across the network.


VTP Default Settings

version = 1 (VTP has 3 versions: 1, 2, 3; only one version is allowed in a domain)
domain name = null (means no domain)
mode = server
config revision = 0
vlans = 1


When VTP first starts, by default there are 5 VLANs created in a switch (1, 1002-1005).

When a VTP server switch is given a domain name, it propagates the domain name to all switches for us.

You can reset the revision number of a switch by changing its domain name.

The command "show vtp status" gives you information about VTP on the switch, such as the domain name, version number, VTP mode, revision number, VLAN information, etc.

The command "show vtp counters" shows you how many of each kind of advertisement have been sent or received.

VTP ONLY COMMUNICATES ON TRUNK PORT

VTP ONLY LEARNS ABOUT NORMAL-RANGE VLANs (vlan ids of 1 to 1005)

VTP DOMAIN NAMES ARE CASE SENSITIVE

VLANS CREATED BEFORE ENABLING VTP WILL BE REMOVED

A SWITCH CAN BE A MEMBER OF ONLY ONE VTP DOMAIN AT A TIME



************
VTP messages
************

VTP messages are encapsulated within an Ethernet frame, which is then encapsulated in a trunking protocol (either 802.1Q or ISL). The VTP message (header and message) is in the data portion of the frame. VTP ADVERTISEMENTS ARE SENT PERIODICALLY. VTP sends advertisements to a reserved multicast address, 01-00-0C-CC-CC-CC.

VTP header: fields and size vary, but it always contains the domain name, domain name length, version, message type, and revision number.

VTP message: VTP domain name, MD5 digest, updater identity, and the timestamp the message was sent.
For each VLAN, the message contains:

  • VLAN ID

  • VLAN name

  • VLAN type

  • VLAN state

  • additional VLAN configuration information


Types of advertisements
Inside each message there is a field that tells which type the message is.

Summary advertisements:

  • are sent every 5 minutes by a VTP server or client to inform other switches in the domain of the current revision number, the domain name, and other VTP configuration details.

  • are also sent immediately after a change occurs.


There is a followers field that indicates that this summary is followed by a subset advertisement. The code for this type is 0x01.

Subset advertisements:
contain VLAN information. They are triggered by:

  • creating / deleting a VLAN

  • suspending / activating a VLAN

  • changing the name of a VLAN

  • changing the MTU of a VLAN

It may take several subset advertisements to fully update the VLAN configuration. There is a seq-number field that gives the sequence of the packets, starting with 1. The code for this type is 0x02.

Request advertisements:
a request is sent to a VTP server if:

  • the domain name has been changed.

  • the switch received a summary with a revision number higher than its own.

  • a subset advertisement was missed for some reason.

  • the switch has been reset.


When a VTP server receives a request, it responds by sending a summary advertisement and then subset advertisements. The code for this message type is 0x03.



***********
VTP pruning
***********

When VTP pruning is enabled on a switch, it reconfigures the trunk links based on which ports are configured with which VLANs.

Essentially, if you want to enable pruning in your network, configuring VTP pruning on the VTP servers is enough.

VTP pruning only prunes pruning-eligible VLANs. VLANs 2 - 1001 are pruning-eligible by default. The set of pruning-eligible VLANs can be changed.

Pruning cannot be done for pruning-ineligible VLANs. Those VLANs are 1 and 1002-1005.


*****************
VTP configuration
*****************

To note when configuring VTP servers:

  • Confirm that default settings are present.

  • Always reset the configuration revision number.

  • Configure at least 2 VTP servers in the network: because VLANs can only be configured on servers, if one goes down we still have the other.

  • If you set a password for VTP information, ensure that all switches are configured with the same password. Switches with no password or the wrong password reject VTP advertisements.
    BY DEFAULT A CISCO SWITCH DOESN'T IMPLEMENT ANY PASSWORD.

  • Create VLANs after you've enabled VTP on the VTP server, because VLANs created before VTP is enabled are removed.

  • Ensure all switches run the same VTP protocol version.



To note when configuring VTP clients:

  • Confirm that default settings are present.

  • Verify VTP status. Confirm that VLANs have been updated and the revision number has changed.

  • Configure access ports: you still need to assign ports to existing VLANs.



(At global configuration level)
Configure VTP Domain
vtp domain word


Configure VTP mode
vtp mode word


Configure password
vtp password password


Configure version
vtp version number



********************************
Common errors in configuring VTP
********************************
- Protocol version mismatch: VTP versions are incompatible with each other.
- Password mismatch, or password not set on every switch.
- Different domain name: to avoid this, configure the domain name only on the VTP servers, because VTP servers propagate the domain name to all other switches.


REMEMBER: BECAUSE BOTH VTP SERVERS AND CLIENTS SEND SUMMARY ADVERTISEMENTS, BOTH CAN HAVE THEIR VLAN CONFIGURATION RUINED. WHEN A SERVER OR CLIENT RECEIVES A SUMMARY ADVERTISEMENT WITH A HIGHER REVISION NUMBER, IT REQUESTS THE VLAN INFORMATION (SUBSET ADVERTISEMENTS) AND OVERWRITES ITS OWN VLAN CONFIGURATION (NO MATTER WHETHER THE SENDING SWITCH IS A CLIENT AND THE REQUESTING ONE IS A SERVER). ALWAYS RESET THE REVISION NUMBER OF A SWITCH BEFORE ADDING IT TO THE NETWORK.
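The advertisement exchange described in the VTP messages section (summary 0x01, subset 0x02, request 0x03) and the overwrite hazard in the warning above can be traced through in a small model. The following is an added example, not code from the original post: a toy VTP switch that applies the acceptance rules the text gives (same domain, newer revision, digest that matches under the receiver's own password), and a demo that plugs a stale switch into a populated domain with and without a revision reset. The digest is a simplified stand-in (MD5 over the password and the VLAN table; real VTP hashes the password together with the VLAN data), the assumption that any non-transparent switch answers a request is a modelling shortcut, and the switch names, VLANs and password are constructed.

```python
"""Added example: toy model of VTP advertisement handling and the
revision-number overwrite hazard.  Names, VLANs and digest are constructed."""
import hashlib
import json

SUMMARY, SUBSET, REQUEST = 0x01, 0x02, 0x03     # message type codes from the text


class VtpSwitch:
    """Minimal model of a VTP server, client or transparent switch."""

    def __init__(self, name, domain, mode="server", password="", vlans=None, revision=0):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.vlans = dict(vlans or {1: "default"})
        self.revision = revision
        self.pending = None             # summary we are waiting to complete with a subset

    def digest(self, vlans=None):
        # Assumption: MD5 over password + VLAN table.  Real VTP hashes the password
        # together with the VLAN data, so the exact input differs; the effect is the
        # same: a switch with the wrong password computes a different digest.
        table = vlans if vlans is not None else self.vlans
        payload = self.password + json.dumps(sorted(table.items()))
        return hashlib.md5(payload.encode()).hexdigest()

    def summary(self):
        return {"type": SUMMARY, "domain": self.domain, "revision": self.revision,
                "digest": self.digest()}

    def subset(self):
        return {"type": SUBSET, "domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def add_vlan(self, vid, name):
        if self.mode != "server":
            raise PermissionError(f"{self.name}: only a VTP server can create VLANs")
        self.vlans[vid] = name
        self.revision += 1              # every VLAN change bumps the revision

    def set_domain(self, domain):
        self.domain = domain
        self.revision = 0               # a domain-name change resets the revision to 0

    def receive(self, msg, sender):
        """Apply the acceptance rules and return a status string."""
        if self.mode == "transparent" or msg["domain"] != self.domain:
            return "ignored: wrong domain or transparent mode"
        if msg["type"] == SUMMARY:
            if msg["revision"] <= self.revision:
                return "ignored: revision not newer"
            self.pending = msg          # remember the digest the subset must match
            return sender.receive({"type": REQUEST, "domain": self.domain}, self)
        if msg["type"] == REQUEST:
            # Model shortcut: any non-transparent switch answers with its subset
            # (the requester already holds the summary it reacted to).
            return sender.receive(self.subset(), self)
        if msg["type"] == SUBSET:
            if self.pending is None or msg["revision"] != self.pending["revision"]:
                return "ignored: unsolicited subset"
            if self.digest(msg["vlans"]) != self.pending["digest"]:
                self.pending = None
                return "rejected: digest mismatch (password differs)"
            # Server or client alike: the newer revision replaces the whole VLAN table.
            self.vlans, self.revision, self.pending = dict(msg["vlans"]), msg["revision"], None
            return "overwritten"
        return "ignored: unknown type"


def stale_switch_demo(reset_revision, password_match=True):
    """Plug a stale client (high revision, one VLAN) into a domain whose server holds
    three VLANs; return the server's verdict and its VLAN table afterwards."""
    server = VtpSwitch("core", "LAB", password="s3cret",
                       vlans={1: "default", 10: "users", 20: "servers"}, revision=10)
    stale = VtpSwitch("lab-sw", "LAB", mode="client",
                      password="s3cret" if password_match else "wrong",
                      vlans={1: "default"}, revision=50)
    if reset_revision:
        stale.set_domain("SCRATCH")     # rename away and back: revision drops to 0
        stale.set_domain("LAB")
    verdict = server.receive(stale.summary(), stale)
    return verdict, dict(server.vlans)


if __name__ == "__main__":
    for reset in (False, True):
        verdict, vlans = stale_switch_demo(reset_revision=reset)
        print(f"revision reset={reset}: {verdict}; server VLANs now {sorted(vlans)}")
    print("wrong password:", stale_switch_demo(False, password_match=False)[0])
```

Without the reset, the server accepts the client's revision 50, requests the subset, and its VLAN table collapses to the single VLAN the stale switch knew about. With the domain renamed and renamed back, the revision is 0 and the summary is ignored; with a different VTP password the subset fails the digest check and is rejected. The model is deliberately permissive in one way: it lets a client answer a request, which is exactly the case the warning above describes.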
