Tuesday, October 25, 2011

Enterprise Campus Design - Part 1

In this blogtorial we are going to dive into how to design an enterprise network effectively and efficiently. As I have always said, "Networking is an art, not a science": there are numerous ways to design a network, and I am merely posting one of many.

In this topology we will sink our hands into: 
  • STP (802.1d)
  • HSRP
  • OSPF 
    • OSPF route summarization
  • VTP
  • Different layers/modules of Enterprise Campus Design

Check out the topology below and let's get started. 


Relevant configurations are posted below.


A few notes about the Core Layer: 

  • Super Fast Transport
  • Use L3 Triangular Equal Cost Design
  • Limited QoS - avoid CPU-intensive processing (QoS, security, etc.) in the core
  • Low latency
  • Fault tolerance / high reliability / redundant 
  • Port density
  • Should be able to handle all of the Distribution layer's traffic

Core Layer - R3

!
hostname R3
!
ip cef
!
interface Loopback0
ip address 192.168.10.3 255.255.255.255
!
interface FastEthernet0/0
description Connected to R1
ip address 192.168.1.1 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet0/1
description Connected to R4
ip address 192.168.1.17 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet1/0
description Connected to R2
no switchport
ip address 192.168.1.9 255.255.255.252
duplex full
speed 100
!
interface Vlan1
no ip address
!
router ospf 1
router-id 192.168.10.3
log-adjacency-changes
redistribute connected subnets
network 192.168.1.0 0.0.0.255 area 0
!
end

Core Layer - R4

!
hostname R4
!
ip cef
!
interface Loopback0
ip address 192.168.10.4 255.255.255.255
!
interface FastEthernet0/0
description Connected to R2
ip address 192.168.1.13 255.255.255.252
ip ospf cost 1
speed 100
full-duplex
!
interface FastEthernet0/1
description Connected to R1
ip address 192.168.1.5 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet1/0
description Connected to R3
no switchport
ip address 192.168.1.18 255.255.255.252
duplex full
speed 100
!
interface Vlan1
no ip address
!
router ospf 1
router-id 192.168.10.4
log-adjacency-changes
redistribute connected subnets
network 192.168.1.0 0.0.0.255 area 0
!
end

A few notes about the Distribution Layer: 

  • QoS
  • Security (deploy IPS/IDS/ACLs, etc.) 
  • Load balancing (HSRP/GLBP/VRRP, etc.)
  • Use L3 Triangular Equal Cost Design
  • PBR (policy-based routing) 
  • InterVLAN routing 
  • Aggregate all access layer traffic
  • Redistribution of routing domains
  • Summarize routes towards the Core

Distribution Layer - R1

!
hostname R1
!
ip cef
!
spanning-tree vlan 10 priority 8192
!-- STP load balancing. R1 will be ROOT for VLAN 10
spanning-tree vlan 20 priority 16384
!-- STP load balancing. R1 will be secondary for VLAN 20
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0/0
description Connected to R3
ip address 192.168.1.2 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet0/1
description Connected to R4
ip address 192.168.1.6 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet1/0
description Connected to R2
switchport mode trunk
!-- The reason the link between the distribution switches is L2 rather than L3 (which is recommended) is that I wanted VLANs to span the access layer switches. Avoid a looped L2 topology where possible: L3 links give better convergence, scalability, reliability, and manageability.
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface FastEthernet1/3
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.2.2 255.255.255.224
standby 1 ip 192.168.2.1
standby 1 priority 110
standby 1 preempt
!-- HSRP ip address for VLAN 10 with a higher priority so R1 can be active for VLAN 10
!
interface Vlan20
ip address 192.168.2.34 255.255.255.224
standby 1 ip 192.168.2.33
!-- HSRP ip address for VLAN 20 with a default priority of 100 so R1 can be standby for VLAN 20
!
router ospf 1
router-id 192.168.10.1
log-adjacency-changes
area 1 range 192.168.2.0 255.255.255.0
!-- Summarize routes towards the core
redistribute connected subnets
passive-interface Vlan10
passive-interface Vlan20
!-- Only form OSPF adjacencies on transit links; no hellos are sent into the access VLANs.
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 1
!-- Multi-area OSPF configuration for a hierarchical network design
!
end

Distribution Layer - R2

!
hostname R2
!
ip cef
!
spanning-tree vlan 10 priority 16384
!-- STP load balancing. R2 will be secondary for VLAN 10
spanning-tree vlan 20 priority 8192
!-- STP load balancing. R2 will be ROOT for VLAN 20
!
interface Loopback0
ip address 192.168.10.2 255.255.255.255
!
interface FastEthernet0/0
description Connected to R4
ip address 192.168.1.14 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet0/1
description Connected to R3
ip address 192.168.1.10 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet1/0
description Connected to R1
switchport mode trunk
!-- The reason the link between the distribution switches is L2 rather than L3 (which is recommended) is that I wanted VLANs to span the access layer switches. Avoid a looped L2 topology where possible: L3 links give better convergence, scalability, reliability, and manageability.
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.2.4 255.255.255.224
standby 1 ip 192.168.2.1
!-- HSRP ip address for VLAN 10 with a default priority so R2 can be standby for VLAN 10
!
interface Vlan20
ip address 192.168.2.35 255.255.255.224
standby 1 ip 192.168.2.33
standby 1 priority 110
standby 1 preempt
!-- HSRP ip address for VLAN 20 with a higher priority so R2 can be active for VLAN 20
!
router ospf 1
router-id 192.168.10.2
log-adjacency-changes
area 1 range 192.168.2.0 255.255.255.0
!-- Summarize towards the core
redistribute connected subnets
passive-interface Vlan10
passive-interface Vlan20
!-- Only form OSPF adjacencies on transit links; no hellos are sent into the access VLANs.
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 1
!-- Multi-area OSPF configuration for a hierarchical network design
!
end

The VTP configuration on R1 and R2 is as follows:
  • vtp mode server
  • vtp domain ithitman
  • vtp password ithitman123
  • vtp version 2
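The R1 and R2 configurations above pair each VLAN's STP root with its HSRP active gateway and keep the SVIs passive in OSPF. The following Python script is an added example, not part of the original post: it parses constructed excerpts of those two configs (trimmed to the lines it reads) and reports any VLAN where the STP root and HSRP active switch differ, and any SVI that OSPF would still send hellos into. The function names `parse` and `audit` are chosen here.

```python
import re

# Constructed excerpts of the post's R1/R2 configs, trimmed to the lines these checks read.
CONFIGS = {
    "R1": """spanning-tree vlan 10 priority 8192
spanning-tree vlan 20 priority 16384
interface Vlan10
 standby 1 priority 110
interface Vlan20
 passive-interface Vlan10
 passive-interface Vlan20""",
    "R2": """spanning-tree vlan 10 priority 16384
spanning-tree vlan 20 priority 8192
interface Vlan10
interface Vlan20
 standby 1 priority 110
 passive-interface Vlan10
 passive-interface Vlan20""",
}

def parse(cfg):
    # Per-VLAN STP priority, per-VLAN HSRP priority, and the SVIs OSPF treats as passive.
    d = {"stp": {}, "hsrp": {}, "passive": set()}
    vlan = None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"spanning-tree vlan (\d+) priority (\d+)", line):
            d["stp"][int(m[1])] = int(m[2])
        elif m := re.match(r"interface Vlan(\d+)", line):
            vlan = int(m[1])
            d["hsrp"][vlan] = 100   # HSRP default priority when none is configured
        elif m := re.match(r"standby \d+ priority (\d+)", line):
            d["hsrp"][vlan] = int(m[1])
        elif m := re.match(r"passive-interface Vlan(\d+)", line):
            d["passive"].add(int(m[1]))
    return d

def audit(parsed):
    # Findings for a distribution pair; an empty list means the design holds.
    (na, a), (nb, b) = parsed.items()
    issues = []
    for v in a["stp"]:
        root = na if a["stp"][v] < b["stp"][v] else nb      # lowest STP priority wins root
        active = na if a["hsrp"][v] > b["hsrp"][v] else nb  # highest HSRP priority wins active (ties: second switch here)
        if root != active:
            issues.append(f"vlan {v}: STP root is {root} but HSRP active is {active}")
    for name, d in parsed.items():
        for v in sorted(d["hsrp"].keys() - d["passive"]):
            issues.append(f"{name} vlan {v}: SVI not passive, OSPF hellos sent into access VLAN")
    return issues
```

Real HSRP breaks a priority tie on the higher interface IP; the tie rule here is a simplification that happens to match the addresses in the post.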

A few notes about the Access Layer:

  • STP or RSTP (RSTP is recommended)
  • Security (ARP inspection, DHCP snooping, ACLs as close to the source as possible)
  • Policing and rate limiting
  • Layer 2
  • PoE if needed

Let's take a look at the STP topology first. 

R1 and R2
Note that the ports that are forwarding for VLAN 10 are blocking for VLAN 20, and vice versa, to avoid loops. This is one way to achieve fault tolerance and load balancing with STP. 


Let's take a look at equal-cost load balancing at the Core layer. 

R3#show ip route | beg 192.168.2.0
O IA 192.168.2.0/24 [110/2] via 192.168.1.10, 00:01:19, FastEthernet1/0
                    [110/2] via 192.168.1.2, 00:01:19, FastEthernet0/0

R4#show ip route | beg 192.168.2.0
O IA 192.168.2.0/24 [110/2] via 192.168.1.14, 00:02:10, FastEthernet0/0
                    [110/2] via 192.168.1.6, 00:02:10, FastEthernet0/1

Notice that 192.168.2.0/24 is summarized towards the core by the distribution layer, and that the core load-balances across both L3 links to the distribution switches. 
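What the core should see is exactly one inter-area summary that covers both access VLAN subnets, reached over two equal-cost paths on different links, with no specific /27 leaking past the summary. The script below is an added example (not from the original post): it parses a constructed copy of the R3/R4 `show ip route` output quoted above and checks those conditions. The names `parse_routes`, `check_core` and `ACCESS_SUBNETS` are chosen here, and the access subnets are derived from the SVI addresses in the R1/R2 configs.

```python
import re
from ipaddress import ip_network

# Constructed copy of the R3/R4 'show ip route' output quoted in the post.
ROUTES = {
    "R3": """O IA 192.168.2.0/24 [110/2] via 192.168.1.10, 00:01:19, FastEthernet1/0
                    [110/2] via 192.168.1.2, 00:01:19, FastEthernet0/0""",
    "R4": """O IA 192.168.2.0/24 [110/2] via 192.168.1.14, 00:02:10, FastEthernet0/0
                    [110/2] via 192.168.1.6, 00:02:10, FastEthernet0/1""",
}
# The access VLAN subnets behind R1/R2, taken from the SVI addresses in the post.
ACCESS_SUBNETS = [ip_network("192.168.2.0/27"), ip_network("192.168.2.32/27")]

# One route line, or an indented equal-cost continuation line (no code/prefix).
ROUTE = re.compile(r"^(?:(?P<code>O(?: IA| E[12]| N[12])?)\s+(?P<prefix>\S+)\s+)?"
                   r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[^,]+),.*, (?P<intf>\S+)$")

def parse_routes(text):
    # Group next-hops under their prefix; continuation lines inherit the prefix above.
    routes, prefix = {}, None
    for line in text.splitlines():
        m = ROUTE.match(line.strip())
        if m and m["prefix"]:
            prefix = ip_network(m["prefix"])
            routes[prefix] = {"code": m["code"], "paths": []}
        if m and prefix is not None:
            routes[prefix]["paths"].append((int(m["metric"]), m["nh"], m["intf"]))
    return routes

def check_core(routes, subnets):
    # Expect a single inter-area summary that covers every access subnet, reached over
    # equal-cost paths on distinct links, with none of the specific subnets leaking past it.
    summaries = [p for p, r in routes.items()
                 if r["code"] == "O IA" and all(s.subnet_of(p) for s in subnets)]
    if len(summaries) != 1:
        return [f"expected one summary covering the access subnets, found {summaries}"]
    paths = routes[summaries[0]]["paths"]
    findings = []
    if len(paths) < 2:
        findings.append("single path to summary: no equal-cost redundancy")
    if len({metric for metric, _, _ in paths}) != 1:
        findings.append("unequal metrics: core will not load-balance")
    if len({intf for _, _, intf in paths}) != len(paths):
        findings.append("paths share a physical link")
    findings += [f"{s} leaked past the summary" for s in subnets if s in routes]
    return findings
```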

Parts 2, 3, and 4 of this series will go further into the Data Center (Core/Distribution/Access), the Enterprise Edge, the SP Edge, and remote modules such as the Enterprise Branch. 

Many more articles to come, so stay tuned.