Orhan Ergun 27 Comments

In this post I will give you a campus network design scenario and, as always, I will wait for your answers.

You need to identify the mistakes and recommend technical solutions to Superent, a fictitious company. Base your answers on the customer's requirements rather than on industry best practices wherever a requirement applies.

Where no requirement is given, follow the standards and best practices.

Background Information:

Superent is an enterprise company with a highly critical campus network.

Superent has 100 remote locations which connect to its datacenter over MPLS Layer 3 VPN.

The MPLS Layer 3 VPN service is received from the same ISP, even for the dual-homed locations.

Superent wants to optimise its campus network design and is asking for your recommendations.

If your recommendations solve their current issues and you can provide an optimal solution for their business requirements, Superent will continue to design their datacenter with you.

The company has 30 voice VLANs, 30 data VLANs and only one WLAN (a single VLAN) for its wireless clients.

They don't require multi-tenancy for now. They use stackable switches at the access layer, and each stack has only one link to the distribution layer switch.

Superent uses Cisco VSS at the distribution layer, so it can use both uplinks from the stackable access layer switches to the distribution layer switches thanks to Multi-Chassis Link Aggregation (MC-LAG).

Superent is using EIGRP as the PE-CE routing protocol for the remote offices and the datacenter MPLS Layer 3 VPN connection. Superent's network engineers have no experience with OSPF.

Superent's network manager complains about the convergence time when a network outage occurs in the campus.

Recently Superent suffered an attack in the campus and decided to improve its campus network security. Its network engineer implemented first-hop security features on the distribution layer switches.

Superent has many IP phones in the campus, registered to a Call Manager in the datacenter. They want to implement end-to-end QoS to protect voice traffic.

 

[Figure: campus network design topology]

Blue links depict Layer 2 connections, red links depict Layer 3 connections.

Based on the above topology and the given requirements:

Questions:

  1. What are the problems with the physical topology?

UPDATE: Obvious problems with the physical topology: the access layer stack switches are not dual-connected. The requirements tell you that the campus network is highly critical. There is only one WAN router in the campus, which creates a single point of failure.

We need to add a second router and connect each router to both 6500 VSS chassis.

We could connect each router to only one 6500 chassis and run the routing protocol over that link, but control plane packets would then have to cross the VSL link (in VSS the control plane runs on the active chassis). I also always recommend that you build a triangle topology, not a square. (Did you read and watch the "physical topology matters" article?)

Although it is not listed in the requirements, in real life, for the critical part of your network, having the MPLS L3 VPN service from two different service providers provides extra availability. Complexity at the customer site increases, because you have to deal with two providers. (Did you read the network complexity article?)

  2. What is the problem with the 802.1q trunk between the left 6500 and the router?

UPDATE: We will run a routing protocol, so that Layer 2 link should be replaced with a Layer 3 link.

You can run a routing protocol over a trunk by creating subinterfaces on the router, but ideally you want the same configuration on every link in the design.

Having a different configuration on each of 10 interfaces on a router is more complex than having the same configuration on 100 interfaces on that router.

Also, with a trunk you need an SVI on the distribution layer switches to run the routing protocol. Ideally you want to run the routing protocol over point-to-point routed links, not over an SVI; this is good practice for fast convergence as well, because a routed port goes down with the link, whereas an SVI stays up as long as any other port in that VLAN is forwarding. Check this.
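To make the point concrete, here is an added configuration example (not from the original post, and not Superent's actual configuration) showing the trunk-plus-SVI design the topology implies and the routed point-to-point replacement, with the second WAN router recommended in the answer to question 1. The interface names, EIGRP AS 100, the /30 link addresses out of 10.255.0.0/24 and the 10.10.0.0/16 campus summary are assumptions for illustration.

```cisco
! Added example, not from the original post and not Superent's configuration.
! Replaces the 802.1q trunk + SVI between the left 6500 and the WAN router with
! routed point-to-point links from BOTH VSS chassis to EACH WAN router.
! Assumed: EIGRP AS 100, /30 links out of 10.255.0.0/24, campus user prefixes
! summarised as 10.10.0.0/16, VSS interface naming chassis/slot/port.
!
! ---------------- 6500 VSS (one logical switch, one configuration) ------------
! BEFORE (what the topology implies): trunk to the router, EIGRP over an SVI.
interface TenGigabitEthernet1/4/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 900
!
interface Vlan900
 ip address 10.255.0.1 255.255.255.0
!
! AFTER: routed ports, no VLAN, no SVI. Chassis 1 and chassis 2 each get a link
! to WAN-RTR1 (and likewise to WAN-RTR2 on Te1/4/2 and Te2/4/2, not shown).
default interface TenGigabitEthernet1/4/1
interface TenGigabitEthernet1/4/1
 description P2P-TO-WAN-RTR1-Gi0/0
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
!
interface TenGigabitEthernet2/4/1
 description P2P-TO-WAN-RTR1-Gi0/1
 no switchport
 ip address 10.255.0.5 255.255.255.252
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
!
no interface Vlan900
!
! Every SVI is passive: its prefix is advertised, but no adjacency is formed
! over a VLAN; adjacencies exist only on the routed point-to-point links.
router eigrp 100
 eigrp router-id 10.10.255.1
 network 10.10.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.255
 passive-interface default
 no passive-interface TenGigabitEthernet1/4/1
 no passive-interface TenGigabitEthernet2/4/1
!
! ---------------- WAN-RTR1 (WAN-RTR2 is identical apart from addresses) -------
interface GigabitEthernet0/0
 description P2P-TO-6500-VSS-CHASSIS1
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 description P2P-TO-6500-VSS-CHASSIS2
 ip address 10.255.0.6 255.255.255.252
!
router eigrp 100
 eigrp router-id 10.10.255.11
 network 10.255.0.0 0.0.0.255
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
!
! Verification on the VSS: two neighbours per router, both on physical
! interfaces, and only the campus summary (not 60 VLAN prefixes) at the router.
! show ip eigrp neighbors
! show ip route eigrp
```

With the trunk design, if VLAN 900 is also allowed on other trunks, the SVI stays up after the router link fails and EIGRP notices only when its hold timer expires; with the routed port the interface goes down with the link and the neighbour is withdrawn immediately. Summarising the campus prefixes toward the WAN routers also bounds the EIGRP query scope, which is usually the biggest part of a convergence complaint in an EIGRP network.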

  3. Based on Superent's VLAN requirements, does Superent have a problem with the physical topology?

UPDATE: Superent has only one shared WLAN (one VLAN), which must be available on all the access layer switches.

Based on the given topology, we need to add a Layer 2 link between the distribution layer switches.

  4. Superent has two OSPF processes between its router and the ISP. What is the problem with the routing design?

UPDATE: One or two OSPF processes doesn't matter; Superent's networking team has no expertise in OSPF. Also, in the remote offices Superent is using EIGRP.

Although nothing is said about training for the networking team (they can learn OSPF), if the remote offices run EIGRP, you want to continue with the same routing protocol.

This gives you an IP traffic engineering capability if you need it in the future.

If you use different protocols on the two sides, you lose the metric that is used for IP traffic engineering because of the redistribution on your side (not on the service provider's side: in an MPLS L3 VPN the service provider carries the IGP metric attributes across its backbone in BGP extended communities).

  5. What would be your suggestion to Superent for their QoS design in the campus?

UPDATE: If you want end-to-end QoS, and the QoS policy is critical everywhere in the network, it should start at the access layer.

Also, you want to classify and mark the packets as close as possible to the source.

In the topology, classification is shown on the router. Switches can do this operation in hardware, much faster and more efficiently; you shouldn't do it on the routers.

Even though you may think you have plenty of bandwidth in the campus and that the WAN links will be the bottleneck (nothing is said about link capacity in this topology, but in real life this is true most of the time), you still want QoS in the campus because of microbursts. Microbursts will be the topic of another article.
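As an added example (not from the original post; Superent's switch models and values are not given), the following Catalyst 3750-style MLS QoS configuration shows classification, marking and policing done on the access stack instead of on the router, plus the egress priority queue that protects voice from microbursts on the uplinks. The VLAN numbers, port names, policer rates and the BULK-DATA ACL are assumptions.

```cisco
! Added example, not from the original post and not Superent's configuration.
! Access-edge QoS on a Catalyst 3750-style stack (MLS QoS syntax).
! Assumed: data VLAN 10, voice VLAN 110, user ports Gi1/0/1-48, uplink members
! Te1/1/1 and Te2/1/1, policer rates and the BULK-DATA ACL are illustrative.
mls qos
!
! Voice (EF) and signalling (CS3) that exceed the policer are remarked to CS1
! (scavenger) rather than dropped: a PC that marks its own packets EF cannot
! take over the priority queue, and a real phone never exceeds these rates.
mls qos map policed-dscp 46 24 to 8
!
ip access-list extended BULK-DATA
 permit tcp any any eq 445
 permit tcp any any range 20 21
!
class-map match-all VOICE
 match ip dscp ef
class-map match-all SIGNALING
 match ip dscp cs3
class-map match-all BULK
 match access-group name BULK-DATA
!
! Anything not matched here is handled by the untrusted port default and
! leaves the switch with DSCP 0, so no class-default action is needed.
policy-map ACCESS-EDGE-IN
 class VOICE
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class SIGNALING
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class BULK
  set dscp af11
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 service-policy input ACCESS-EDGE-IN
 priority-queue out
 srr-queue bandwidth share 1 30 35 5
!
! Uplinks to the VSS: markings set at the edge are trusted, only queueing is
! needed. The strict-priority egress queue is what protects voice during a
! microburst even when the average utilisation of the 10G link is low.
interface range TenGigabitEthernet1/1/1 , TenGigabitEthernet2/1/1
 mls qos trust dscp
 priority-queue out
 srr-queue bandwidth share 1 30 35 5
!
! Verification
! show mls qos interface GigabitEthernet1/0/1 statistics
! show policy-map interface GigabitEthernet1/0/1
```

Once marking is done here, the 6500s and the WAN router only need to trust DSCP and queue; the WAN router additionally shapes and runs LLQ toward the provider, where the real bandwidth constraint is.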

Superent wants to use all of its links between the access, distribution and core layers.

  6. Based on the above topology, is there a problem with the Spanning Tree and HSRP design? If yes, what would be your design recommendations?

UPDATE: In a Cisco VSS environment, control plane packets are always handled by the active chassis, and the two chassis form a single logical switch. So you don't need to configure HSRP in VSS, and the same is true for Spanning Tree: there is one root bridge and one default gateway.

But if you don't have VSS in your network, best practice is to align your Spanning Tree root with the HSRP active node, and if you have a service (firewall, load balancer etc.), align the active service node with them as well. I mean, if the left 6500 chassis will be the Spanning Tree root, make it the HSRP active and the active firewall chassis/context etc.
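For the non-VSS case, here is an added example (not from the original post) of the alignment just described, on two standalone 6500s running Rapid PVST+ and HSRP version 2. VLAN 10, the 10.1.10.0/24 addresses, the group number and the timers are assumptions; the same pattern is repeated for each of the 60 voice and data VLANs.

```cisco
! Added example, not from the original post and not Superent's configuration.
! Aligning the Spanning Tree root with the HSRP active gateway when the two
! 6500s are NOT running VSS. Assumed: Rapid PVST+, data VLAN 10, virtual
! gateway 10.1.10.1, HSRP group 10, timers as shown.
!
! ---------------- 6500-1: STP root, HSRP active, active firewall/service -------
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 timers msec 250 msec 750
!
! ---------------- 6500-2: secondary root, HSRP standby -------------------------
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 8192
!
interface Vlan10
 ip address 10.1.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 90
 standby 10 preempt
 standby 10 timers msec 250 msec 750
!
! Verification on 6500-1: both commands must name the same switch as root
! and as the HSRP active router for every VLAN.
! show spanning-tree vlan 10 root
! show standby brief
```

If the root bridge and the HSRP active router sit on different switches, frames from an access switch to the default gateway are forwarded toward the root first and then cross the inter-switch link to reach the active gateway, an extra hop and needless load on that link. `preempt delay minimum 60` on 6500-1 keeps it from taking the active role back immediately after a reload, before its own uplinks and routing have converged. With VSS none of this is needed: the single logical switch is the root and owns the SVI address.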

  7. Based on the above topology, is there a problem with the security design? If yes, what would be your design recommendations?

UPDATE: Ideally you also want to place the security policy as close as possible to the source. The reason is optimality. Of course there are disadvantages as well; I will cover the high-level, obvious ones.

If you put your security policy on the second-hop devices (the 6500 switches in this topology), you need to configure far fewer devices. This is good, but the first-hop devices (the stackable access switches in this topology) stay unprotected. Traffic between two hosts on the same access switch, for example a spoofed ARP reply, is switched locally and never reaches the 6500, so a man-in-the-middle attack would succeed; any Layer 2 based attack would succeed.

If you place a firewall or access list to control reachability between the VLANs, having it at the access layer gives optimality: the traffic you already filter between VLANs at the access layer is never carried between access and distribution. But you definitely need to configure and maintain many more devices. This is a manageability vs. optimality design tradeoff, and it is a common security design decision in the datacenter as well.
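As an added example (not from the original post; Superent's actual configuration is not shown), the following Catalyst 3750-style configuration puts the first-hop security features on the access stack itself, where the hosts attach. Everything that is not in the scenario is assumed: VLAN numbers, port names, rate limits, the number of MAC addresses per port and the DHCP server being reached through the uplinks.

```cisco
! Added example, not from the original post and not Superent's configuration.
! First-hop security on the access stack instead of the distribution 6500s.
! Assumed: Catalyst 3750-style IOS, data VLAN 10, voice VLAN 110, user ports
! Gi1/0/1-48, uplink members Te1/1/1 and Te2/1/1, DHCP server behind the uplinks.
!
! DHCP snooping builds the binding table (IP, MAC, VLAN, port) that DAI and
! IP Source Guard enforce. On the 6500 this table would never see a rogue DHCP
! server or a spoofed ARP reply exchanged between two ports of the same stack.
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snooping.db
!
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
!
! Recover ports automatically after a violation instead of leaving them down.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! User ports are untrusted: DHCP server messages from a host are dropped, ARP is
! checked against the bindings, IP Source Guard only forwards IP addresses in
! the binding table, and port security caps the MACs (phone + PC; the phone
! may appear in both VLANs, hence 3).
interface range GigabitEthernet1/0/1 - 48
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! Uplinks toward the VSS are trusted: DHCP replies and the gateway's ARP
! arrive through them. Never trust a port that faces a user.
interface range TenGigabitEthernet1/1/1 , TenGigabitEthernet2/1/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 10
! show ip verify source
! show port-security interface GigabitEthernet1/0/1
```

Two operational caveats: hosts with static addresses (printers, access points) have no DHCP snooping binding, so DAI and IP Source Guard drop them unless you add an `arp access-list` and a static `ip source binding` for them; and the 6500s can keep their own DHCP snooping and DAI, but then they must trust the access stack uplinks in the same way, otherwise the stack's legitimate DHCP traffic is blocked one hop up.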

 
  • You are using only a single PE router. Even though there are multiple links, if you lose the PE you are down. Rehome one of the circuits to a second PE.

    There should be either both L2 or L3 links between the router and the 6500s. This would be a more consistent standard. L3 would be preferred.

    There should be connections from both switch stacks to both 6500s

    The stack switches should be stacked and cabled in a better manner, meaning SW3 in a stack should not go down if SW2 does.

    VLANs should be load balanced in an odd/even fashion, since you are using HSRP.

    HSRP active and Spanning Tree root should be the same switch if you aren't load balancing the VLANs. It would be better to have L2 traffic flow the same path as L3. If we load balance the VLANs, then 6500-1 should be root and HSRP active for, say, the odd VLANs and 6500-2 should be root and HSRP active for the even VLANs.

    First Hop security should be on both 6500s

    EIGRP or OSPF should be used for all links if possible. This would eliminate the need for redistribution. Also, it should be the same process ID. EIGRP would be preferred over OSPF from a simplicity perspective.

    Breaking the wireless up into multiple VLANs would be good from an availability perspective. This depends more on how many clients you have in the current wireless VLAN.

    Great scenario! Thanks Orhan!!!

    • Thanks for the answers Jason. As you know, I will give my answers next week Thursday, but if you want to discuss a specific part of the scenario we can do it for sure.

  • driss jabbar

    What are the problems with the physical topology?
    1- The access switches should be dual-attached to the VSS using links from different switches in the stack.
    2- The router needs to be redundant to avoid a single point of failure, then both routers should be cross-connected to the VSS.
    3- The routers need to be dual-homed.
    What is the problem with the left 6500 and the router 802.1q trunk?
    This link should be a Layer 3 link instead of being Layer 2.
    Based on Superent VLAN requirements, does Superent have a problem with the physical topology?
    The VSL link must be a Layer 2 link but in the topology above it is Layer 3; as the WLAN VLAN is extended to different switches, I will say yes, there is a problem. Move this Layer 3 link to Layer 2.
    Superent has two OSPF processes between Router and their ISP. What is the problem with their routing design?
    The customer is not comfortable with OSPF to begin with, so we should replace it with EIGRP; the fact of using two processes is only adding complexity to the topology.
    Adding a new router and cross-connecting the routers to the VSS will improve convergence time (feasible successor).
    Summarization from the VSS to the core routers and from the core routers to the VSS is recommended.
    What would be your suggestion to Superent for their QoS design in the CAMPUS?
    Classification and marking should be applied at the access layer and we can apply shaping at the service-provider-facing router interface. Voice traffic should be marked with the DSCP EF value and signaling with CS3, and at the router the voice traffic should be prioritized using LLQ, and CBWFQ for CS3.
    Based on the above topology, is there a problem with the Spanning tree and HSRP design? If yes, what would be your design recommendations?
    The VSS is considered as one virtual switch so both switches will have the same STP root priority, and use 802.1w instead of 802.1d for fast convergence.
    There is no need for HSRP in the VSS.
    Based on the above topology, is there a problem with the Security design? If yes, what would be your design recommendations?
    Yes, the first hop security should be applied at the access layer; configuring DHCP snooping, ARP inspection, source guard and broadcast control is recommended in this campus design.

    nice job 🙂

    • Thanks Driss, I liked the answers, I like your answers in general 🙂 Don't forget to check them next week, and if you have any confusion after my answers, we can discuss.

  • 1.What are the problems with the physical topology

    I will suggest a dual router / access at the DC with multihoming.
    Remove the trunk from the 6500 to the edge router and replace it with L3 from the distribution switches to the edge/core.
    Stack switches are missing additional L2 links to their neighbor 6500s
    Port channeling needs to be done on the links between the 6500 and on the links from the access switches to the 6500s.

    2.What is the problem with the left 6500 and the router 802.1q trunk ?

    Trunking should be removed along with HSRP.
    Replace L3 with L2 links to each core/edge router (suggested 2 CE routers).
    Use EIGRP from Distro till the Core/edge CERs on a full IP domain.

    3.Based on Superent VLAN requirements, Does Superent have a problem with the physical topology ?

    Yes, we will have to remove 802.1d and use 802.1w.

    4.Suppressant has two OSPF process between Router and their ISP. What is the problem with their routing design ?

    OSPF needs to be replaced with EIGRP and all the devices between the distribution and the edge routers should support this design.
    A full fledged EIGRP will give better results than any other IGP.

    5.What would be your suggestion to Superent for their QoS design in the CAMPUS ?

    Converge Data and Voice into all IP and use markings which are supported by the
    ISP. Would recommend a 4 COS model with CBWFQ with LLQ for the Voice.
    Say, EF for Voice, AF31 for Critical Data, AF21 for Standard apps and best effort for the bulk. 802.1P can be thought of in the campus to prioritize the Voice traffic.

    6.Based on the above topology, is there a problem with the Spanning tree and HSRP design ? If yes, what would be your design recommendations ?

    HSRP can be avoided and VSS technology can be utilized to the full.
    Replace 802.1d with 802.1w.
    Use port channels from access to Distribution and enable hashing.

    7.Based on the above topology, is there a problem with the Security design ? If yes, what would be your design recommendations

    Integrated firewall service module missing on one 6500 and needs to be present on both boxes. WLAN users must pass through the security block before they get their access to VLAN 100.
    If there is a separate internet breakout, additional firewalls might be required as well.

    • Hi Abraham,
      Thanks for the comment. I update the mini design scenario posts one week later.
      This is the format I follow. Thus please check my updates next week; if you have a problem after my answers, we can discuss.

  • Najib

    q1.

    a) Stack switches need connections to the VSS, all dual-homed to 6500-1 + 6500-2.
    b) Span the VLAN (wireless WLAN) over the link back-to-back in the VSS;
    it should be some sort of special link (VSL), not a Layer 3 link.
    c) We won't worry about STP triangles since the VSS is logically a single device.
    d) With VSS you don't need HSRP at all. The server default gateway will be
    the VSS address for each SVI.

    If HSRP:
    HSRP active and Spanning Tree root should be the same switch.

    q2.

    a) You need L3 links (/30) and to exchange routing information
    with the router, adjacencies over loopback/P2P, and advertise the SVIs as passive
    interfaces.

    q3.

    Yes, we need to span VLANs in the DC, especially for the wireless VLAN.
    We need an L2 looped topology at the access/aggregation layer.

    q4.

    They need to redistribute routes among the OSPF processes; if the
    router connected 2 different customers without visibility, it could be a good choice,
    but this is not the case; we like balance on both links.

    q5
    Marking as close as possible to the source.

    q6-
    Without VSS:
    SW1: HSRP primary/STP root and backup for even VLANs
    SW2: HSRP primary and backup/STP root and backup for odd VLANs

    With VSS:

    No need for HSRP. The VSS address is the default gateway.

    q7.

    First hop security should be on both 6500s.

  • Anonymous

    Questions:
    1. What are the problems with the physical topology?
    – Stacking cabling must be done correctly. There is no connection between SW1 and SW3.
    – From the stack switches at least 2 uplink cables should go to the VSS 6500 switches separately.
    – There should be at least 2 Layer 2 connections between the 6500 switches.
    – Router to ISP dual connections must be made to different PE routers.

    2. What is the problem with the left 6500 and the router 802.1q trunk?
    – The connection between the router and the 6500 VSS should be L3.

    3. Based on Superent VLAN requirements, does Superent have a problem with the physical topology?

    4. Superent has two OSPF processes between Router and their ISP. What is the problem with their routing design?
    Since Superent doesn't have experience with OSPF, EIGRP must be deployed.

    5. What would be your suggestion to Superent for their QoS design in the CAMPUS?
    – QoS classification should be done as close to the source as possible, that is, the stack switches.

    Superent wants to use all their links between access-distribution-core.

    6. Based on the above topology, is there a problem with the Spanning tree and HSRP design? If yes, what would be your design recommendations?
    In VSS there is no need for HSRP and all links between access-distribution-core are used. There must be 2 Layer 2 links between the 6500 and the stack, and between the 6500 switch pair.

    7. Based on the above topology, is there a problem with the Security design? If yes, what would be your design recommendations?
    In the access switches DAI, source guard, DHCP snooping and port security must be implemented.

    • Thanks for the answers

      • Anonymous

        i missed to leave a name , my name is Mehmet.

        • Thanks Mehmet

          • Mehmet

            Hi Orhan,
            would you post or discuss the answers of this mini scenario?

          • I am planning to post it tomorrow Mehmet. Since I have been sick for almost a week, I couldn't update it.

            I am getting better, hopefully, so tomorrow with a new post I will try to update this post as well. Thanks for following up, appreciate it.

  • Anonymous

    A Layer 2 link is required between the core switches or between the access layer switches.
    Redundant links are required between distribution and access.

    What is the problem with the left 6500 and the router 802.1q trunk?
    This link should be Layer 3. The left 6500 should also be the 802.1d root.

    Based on Superent VLAN requirements, does Superent have a problem with the physical topology?
    Yes, the Layer 2 domain is disjointed and requires an interswitch link at the access or distribution layer.

    Superent has two OSPF processes between Router and their ISP. What is the problem with their routing design?
    Separate topology information for the same prefixes will require redistribution between the OSPF processes and the EIGRP process.
    Admin distances should be used to migrate to EIGRP end to end.

    What would be your suggestion to Superent for their QoS design in the CAMPUS?
    Mark traffic at the edge and configure queueing and shaping outbound on the 6500 uplinks.

    Superent wants to use all their links between access-distribution-core.
    An inverted-U Layer 2 topology would facilitate this.

    Based on the above topology, is there a problem with the Spanning tree and HSRP design? If yes, what would be your design recommendations?
    Spanning tree and HSRP are not aligned.

  • Roy Lexmond

    1. What are the problems with the physical topology

    – Mix of Layer 2 and Layer 3 towards the edge router: there will be no fast convergence because EIGRP cannot do ECMP or signal a feasible successor.
    – Single-homed to one PE.
    – A single provider is seen as a single point of failure.
    – Stack switches are single-homed, must be dual-homed.
    – Better to use 802.1w, much better compared to 802.1d, and looking at the amount of VLANs there is no need to go for MST (802.1s).

    2. What is the problem with the left 6500 and the router 802.1q trunk?
    – To prevent full traffic loss in case of a 6500 failure you need to split the odd and the even VLANs and make both 6500s root switch for the odd or even VLANs.
    – Traffic is using a sub-optimal traffic flow.

    3. Based on Superent VLAN requirements, does Superent have a problem with the physical topology?
    It will work but not in an optimal design.
    4. Superent has two OSPF processes between Router and their ISP. What is the problem with their routing design?
    – Two OSPF processes as PE-CE protocol make it complex and are not needed; use one process and dual-home the datacenter. The company staff is already inexperienced with OSPF, so why make it harder for them. If possible migrate the PE-CE datacenter connection to EIGRP, the same as the branches.

    5. What would be your suggestion to Superent for their QoS design in the CAMPUS?
    – QoS classification must be done as close to the source as possible, so in the branches you must verify if the provider agrees with your QoS policy; then you only need to remark ingress or trust DSCP on the datacenter edge router.

    Superent wants to use all their links between access-distribution-core.
    1. Based on the above topology, is there a problem with the Spanning tree and HSRP design? If yes, what would be your design recommendations?
    – Split the odd and the even VLANs and make both 6500s root switch for the odd or even VLANs. If you also want to load balance traffic over the 6500 switches you need an additional uplink, make triangles and implement a new FHRP protocol, GLBP; this will also decrease the traffic loss by 50% if a 6500 fails.

    2. Based on the above topology, is there a problem with the Security design? If yes, what would be your design recommendations?
    – There is not enough information to answer this question. But if I must give an answer I would say yes, because they already took actions to secure the 6500 layer; they did not speak about the access layer. They need port security, 802.1x, DHCP snooping, DAI etc.

    Good job Orhan thanks for the training 🙂

    • Thanks Roy. I am late to respond to this post, but I was too busy with my vacation :)) You should continue to study.

      • Roy Lexmond

        I am currently watching your video and I see VSS !!! I missed that completely :(:(

  • Roy Lexmond

    Yes, it was a very nice video!!!
    I noticed again during the video that I miss keywords, both in your scenarios and on the exam.
    I know that's my main problem, that I read over them or interpret them in a wrong way. A few examples: highly critical, budget constraints vs best practice, overlapping requirements etc.

    Still figuring out how to fix this 😉

    Cheers,
    Roy

  • Anonymous

    I like your answer Orhan.. 🙂
    Do you think I am doing well in the mini design test overall??? Maybe it's time to attend the next online classes, and planning for 2016.

  • Anonymous

    Najib –

    • Let me check your answers particularly and let you know

    • You do a very good job, as I have seen. We need to focus more on the design of the protocols/architectures together.

  • driss jabbar

    I think that I answered most of the questions; next time I will add the training for the networking team in my recommendation, and for my real life as well 🙂

    • Exactly. Btw, join the discussion on the VRF-lite vs MPLS VPN one.