In this post I will give you a campus network design scenario and, as always, will wait for your answers.
You need to specify what the mistakes are and recommend technical solutions to Superent, which is a fictitious company. Don't forget to base your answers on the customer requirements rather than on industry best practices whenever that is applicable.
If a requirement is not given, you should follow the standards/best practices.
Background Information:
Superent is an enterprise company which has a highly critical campus network.
Superent has 100 remote locations which are connected to their datacenter over MPLS Layer 3 VPN.
The MPLS Layer 3 VPN service is received from the same ISP, even for the dual-homed locations.
Superent wants to optimise their campus network design and is asking for your recommendations.
If your recommendations solve their current issues and you can provide an optimal solution to their business requirements, Superent will continue to design their datacenter with you.
The company has 30 voice VLANs, 30 data VLANs and only one WLAN for their wireless clients.
They don't require multi-tenancy for now. They have stackable switches at the access layer, and each stack has one link to the distribution layer switch.
Superent is using Cisco VSS at the distribution layer, so they can use both uplinks from their stackable access layer switches to the distribution layer switches thanks to Multi Chassis Link Aggregation Group.
Superent is using EIGRP as the PE-CE routing protocol for the remote offices and for the datacenter MPLS Layer 3 VPN connection. Superent's network engineers don't have experience with OSPF.
Superent's network manager complains about the convergence time when a network outage occurs in the campus.
Recently Superent had an attack in the campus and they decided to improve their network security in the campus. Their network engineer implemented first hop security features on the distribution layer switches.
Superent has many IP Phones in the campus which are registered to the Call Manager in the datacenter. They want to implement end-to-end QoS to protect voice traffic.
Blue links depict layer 2 connections, red links depict layer 3 connections.
Based on the above topology and the given requirements:
- What are the problems with the physical topology?
UPDATE : Obvious problems with the physical topology: the access layer stack switches are not dual connected. In the requirements you are told that the campus network is highly critical. There is only one WAN router in the campus, which creates a single point of failure.
We need to add a second router and connect it to both 6500 VSS chassis.
We could connect one router to only one 6500 chassis and run a routing protocol over it, but control plane packets would still have to cross the VSL link. Also, I always recommend creating a triangle topology, not a square. (Did you read and watch the Physical Topology Matters article?)
Although it is not listed in the requirements, in real life, for the critical part of your network, having MPLS L3 VPN service from two different service providers provides extra availability. Complexity for the customer site increases because of dealing with two providers. (Did you read the Network Complexity article?)
- What is the problem with the 802.1q trunk between the left 6500 and the router?
UPDATE : We will run a routing protocol, so that layer 2 link should be replaced with a layer 3 link.
You can run a routing protocol by creating a trunk interface on the router, but ideally you want the same configuration everywhere in the design.
Having different configurations on 10 interfaces of a router is more complex than having the same configuration on 100 interfaces of that router.
Also, to run a routing protocol over the trunk you need an SVI on the distribution layer switches. Ideally you want to run the routing protocol over point-to-point IP links, not over SVIs; it is good practice for fast convergence as well. Check this.
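As an added example (not the author's or Superent's configuration; interface names, addresses and the EIGRP AS number are constructed, classic Cisco IOS syntax assumed), the trunk-plus-SVI design the topology shows beside the routed point-to-point replacement:

```cisco
! --- Before: what the topology shows (802.1q trunk + SVI on the 6500) ---
! Left 6500 VSS chassis (interface names constructed)
interface TenGigabitEthernet1/4/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan900
 ip address 10.255.0.1 255.255.255.252
!
! WAN router: a subinterface per VLAN, a different shape of configuration
! from the routed links used elsewhere in the design
interface GigabitEthernet0/0.900
 encapsulation dot1Q 900
 ip address 10.255.0.2 255.255.255.252

! --- After: routed point-to-point link, EIGRP adjacency on the physical port ---
! Left 6500 VSS chassis
interface TenGigabitEthernet1/4/1
 description P2P to WAN-RTR-1
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ! faster failure detection than the EIGRP LAN defaults (5s/15s); values assumed
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface TenGigabitEthernet1/4/1
!
! WAN router: the same configuration pattern on every routed interface
interface GigabitEthernet0/0
 description P2P to DIST-VSS
 ip address 10.255.0.2 255.255.255.252
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface GigabitEthernet0/0
```

A routed port takes its adjacency down the moment the link fails; an SVI only goes down when every port in its VLAN is down, so as soon as more ports join VLAN 900 you are back to waiting for hold timers to expire.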
- Based on Superent's VLAN requirements, does Superent have a problem with the physical topology?
UPDATE : Superent has only one shared WLAN, which has to be available on the access layer switches.
Based on the given topology, we need to add a layer 2 link between the distribution layer switches.
- Superent has two OSPF processes between the router and their ISP. What is the problem with their routing design?
UPDATE : It doesn't matter whether there are one or two OSPF processes; the networking team of Superent doesn't have expertise in OSPF. Also, the remote offices of Superent are using EIGRP.
Although nothing is said about training for the networking team (they can learn OSPF), if the remote offices run EIGRP, you want to continue with the same routing protocol.
This can give you IP traffic engineering capability if you need it in the future.
If you use different protocols on the two sides, then because of redistribution on your side (not at the service provider: the service provider carries the metric attributes of the protocol across the MPLS L3 VPN) you lose the metric which is used for IP traffic engineering.
- What would be your suggestion to Superent for their QoS design in the campus?
UPDATE : If you want end-to-end QoS and the QoS policy is critical everywhere in the network, it should start from the access layer.
You also want to classify and mark the packets as close to the source as possible.
In the topology, classification is shown on the router. Switches can do this operation much faster and more efficiently; you shouldn't do it on the routers.
Even though you may think that you have plenty of bandwidth in the campus and the WAN links will be the bottleneck (in this topology nothing is said about link capacity, but in real life it is true most of the time), because of microbursts you want to have QoS in the campus. Microbursts will be the topic of another article.
Superent wants to use all their links between access, distribution and core.
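As an added example, not the author's or Superent's configuration (3750-class stackable IOS syntax assumed; VLAN, port numbers, ACL and the application server address are constructed), the trust boundary and marking moved from the WAN router to the access stack, with the distribution switches only trusting what arrives:

```cisco
! Access stack (3750-class IOS assumed; VLAN/port numbers are constructed)
mls qos
!
! Phone ports: the phone marks its own audio EF and signalling CS3. Trust
! DSCP only when a Cisco phone is detected via CDP; any other device on the
! port is untrusted and its packets are re-marked to DSCP 0 by the switch.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust device cisco-phone
 mls qos trust dscp
 spanning-tree portfast
!
! Data-only ports (no phone): classify and mark here, at the first hop,
! instead of on the WAN router. Server address and ACL are constructed.
ip access-list extended BUSINESS-APP-ACL
 permit tcp any host 10.100.0.10 eq 443
!
class-map match-all BUSINESS-APP
 match access-group name BUSINESS-APP-ACL
!
policy-map DATA-EDGE-IN
 class BUSINESS-APP
  set dscp af31
 class class-default
  set dscp default
!
interface range GigabitEthernet2/0/1 - 48
 switchport mode access
 switchport access vlan 11
 service-policy input DATA-EDGE-IN
!
! Uplinks to the VSS pair: markings are already set, only trust and queue.
! priority-queue out puts EF into the strict-priority egress queue so a
! microburst of data traffic cannot delay voice on the uplink.
interface range TenGigabitEthernet1/0/1 - 2
 mls qos trust dscp
 priority-queue out
!
! Distribution 6500 (VSS): trust DSCP on the ports facing the access stacks
! and do queueing only; the WAN router then needs no classification, just
! its WAN-egress queueing policy.
mls qos
interface TenGigabitEthernet1/1/1
 mls qos trust dscp
```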
- Based on the above topology, is there a problem with the spanning tree and HSRP design? If yes, what would be your design recommendations?
UPDATE : In a Cisco VSS environment, control plane packets are always handled by the active chassis, so you don't need to configure HSRP in VSS. The same is true for spanning tree.
But if you don't have VSS in your network, best practice would be to align your spanning tree root with the HSRP active node; if you have a service (firewall, load balancer, etc.), also align the active service node with those. I mean, if the left 6500 chassis will be the spanning tree root, make it the HSRP active and the active firewall chassis/context, etc.
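As an added example, not the author's configuration (a non-VSS pair of distribution switches assumed; VLAN IDs, addresses and interface names constructed), the alignment described above: the left switch is the spanning tree root and HSRP active for every VLAN, the right switch is the backup for all of them:

```cisco
! Left distribution switch: spanning tree root for every VLAN and HSRP active
spanning-tree mode rapid-pvst
spanning-tree vlan 10-39,110-139,200 root primary
!
interface Vlan10
 description DATA-10 gateway
 ip address 10.10.0.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 ! wait for the routing protocol to converge before taking the VIP back
 standby 10 preempt delay minimum 60
 ! give up the active role if the WAN-facing uplink goes down
 standby 10 track GigabitEthernet1/1 decrement 20
!
! Right distribution switch: secondary root and HSRP standby for the same VLANs
spanning-tree mode rapid-pvst
spanning-tree vlan 10-39,110-139,200 root secondary
!
interface Vlan10
 description DATA-10 gateway
 ip address 10.10.0.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.0.1
 standby 10 priority 90
 standby 10 preempt
!
! Repeat the same pattern for VLANs 11-39, 110-139 and 200: root primary plus
! priority 110 on the left switch, root secondary plus priority 90 on the
! right, and host the active firewall context on the left chassis, so the
! root bridge, the active gateway and the active service all sit on the same
! side and traffic is not hairpinned over the inter-switch link.
```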
- Based on the above topology, is there a problem with the security design? If yes, what would be your design recommendations?
UPDATE : You also want to place the security policy as close to the source as possible. The reason behind it is optimality. Of course there are disadvantages as well; I will cover the high-level and obvious ones.
If you put your security policy on the second hop devices (in this topology the 6500 switches),
you need to configure far fewer devices. This is good, but the first hop devices (the stackable access switches in this topology) stay unprotected, so a man-in-the-middle attack, for example, would succeed. Every layer 2 based attack would succeed.
If you place a firewall/access list etc. to control reachability between the VLANs, having it at the access layer gives optimality: if you already filter some traffic between VLANs at the access layer, you won't carry that traffic between access and distribution. But you definitely need to configure and maintain many more devices. This is the management vs optimality design tradeoff, and it is a common security design decision in the datacenter.
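As an added example, not Superent's actual configuration (3750-class access stack assumed; VLAN and port numbers constructed), the first hop security features moved from the distribution 6500s to the access stacks, which is where the layer 2 attacks described above are stopped:

```cisco
! Access stack (3750-class IOS assumed; VLAN numbers constructed:
! data 10-39, voice 110-139, WLAN 200)
!
! DHCP snooping builds the binding table that DAI and IP Source Guard use.
ip dhcp snooping
ip dhcp snooping vlan 10-39,110-139,200
no ip dhcp snooping information option
ip arp inspection vlan 10-39,110-139,200
!
! Auto-recover ports shut down by a violation instead of waiting for a ticket
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! User and phone ports: untrusted for DHCP and ARP, source-guarded, limited to
! one PC plus one phone MAC, BPDU guard so a rogue switch cannot become root.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip verify source
 ip arp inspection limit rate 15
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks to the VSS pair: DHCP offers and the real root bridge come from here,
! so these are the only ports on the stack trusted for snooping and DAI.
interface range TenGigabitEthernet1/0/1 - 2
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

The distribution 6500s can keep their existing features, but with snooping and DAI at the edge the binding table lives on the switch the client is actually attached to, which is what stops spoofed ARP and rogue DHCP before they reach the uplinks.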