are available to the entire campus and should be centrally accessible as an independent switch block connected to the network core.
Edge services usually are divided into these categories:
■ Internet access—Supports outbound traffic to the Internet, as well as inbound traffic to public services, such as email and extranet web servers. This connectivity is provided by one or more Internet service providers (ISPs). Network security devices generally are placed here.
■ Remote access and VPN—Supports inbound dialup access for external or roaming users through the Public Switched Telephone Network (PSTN). If voice traffic is supported over the campus network, Voice over IP (VoIP) gateways connect to the PSTN here. In addition, virtual private network (VPN) devices connected to the Internet support secure tunneled connections to remote locations.
■ E-commerce—Supports all related web, application, and database servers and applications, as well as firewalls and security devices. This switch block connects to one or more ISPs.
■ WAN access—Supports all traditional WAN connections to remote sites. This can include Frame Relay, ATM, leased line, ISDN, and so on.
Service Provider Edge Block
Each service provider that connects to an enterprise network must also have a hierarchical network design of its own. A service provider network meets an enterprise at the service provider edge, connecting to the enterprise edge block.
Studying a service provider network’s structure isn’t necessary because it should follow the same design principles presented here. In other words, a service provider is just another enterprise or campus network itself. Just be familiar with the fact that a campus network has an edge block, where it connects to the edge of each service provider’s network.
Can I Use Layer 2 Distribution Switches?
This chapter covers the best practice design that places Layer 3 switches at both the core and distribution layers. What would happen if you could not afford Layer 3 switches at the distribution layer?
Figure 2-5 shows a dual-core campus network with Layer 2 distribution switches. Notice how each access VLAN extends not only throughout the switch block but also into the core. This is because the VLAN terminates at a Layer 3 boundary present only in the core. As an example, VLAN A’s propagation is shaded in the figure.
42 Chapter 2: Modular Network Design
Figure 2-5 Design Using Layer 2 Distribution Switches
Here are some implications of this design:
■ Redundant Layer 3 gateways still can be used in the core.
■ Each VLAN propagates across the redundant trunk links from the access to the core layers. Because of this, Layer 2 bridging loops form.
■ The STP must run in all layers to prevent Layer 2 loops. This causes traffic on some links to be blocked. As a result, only one of every two access-layer switch uplinks can be used at any time.
■ When Layer 2 uplinks go down, the STP can take several seconds to unblock redundant links, causing downtime.
■ Access VLANs can propagate from one end of the campus to the other, if necessary.
■ Broadcast traffic on any access-layer VLAN also reaches into the core layer. Bandwidth on uplinks and within the core can be wasted unnecessarily.
Evaluating an Existing Network
If you are building an enterprise network from scratch, you might find that it is fairly straightforward to build it in a hierarchical fashion. After all, you can begin with switches in the core layer and fan out into lower layers to meet the users, server farms, and service providers.
(Figure 2-5 labels: Access layer, Distribution layer, VLAN A, VLAN B, Layer 2 links from access to core, Switch Block 1, Switch Block 2, Core Block, Layer 3 link between the core switches)
In the real world, you might be more likely to find existing networks that need an overhaul to match the hierarchical model. Hopefully, if you are redesigning your own network, you already know its topology and traffic patterns. If you are working on someone else’s network, you might not know about its structure.
This section provides some basic information on two tasks:
■ Discovering the existing topology
■ Planning a migration to a better campus model
Discovering the Network Topology
Whether or not a diagram of a network is available, you should consider tracing out the topology for yourself. For one thing, network documentation tends to become out-of-date or isn’t drawn to show the type of information you need.
Some network administrators draw up a diagram that shows only the physical cabling between network devices. That might benefit someone who is working with the cabling, but it might not show any of the logical aspects of the network. After all, switched networks can be cabled together and then configured into many logical topologies.
As you discover or trace out a network, you might end up building several diagrams. One diagram might show all the network devices and only the physical cabling between them. Further diagrams might show Layer 2 VLANs and how they extend through the network.
To discover an existing network, you can connect a computer to any switch as a starting point and begin to “walk” the topology. Cisco devices periodically send information about themselves to any neighboring devices. This is done with the Cisco Discovery Protocol (CDP).
TIP The information exchanged in CDP messages includes the device type, software version, links between devices, and number of ports within each device.
By default, CDP runs on each port of a Catalyst switch, and CDP advertisements occur every 60 seconds. CDP communication occurs at the data link layer so that it is independent of any network layer protocol that might be running on a network segment. This means that CDP can be sent and received using only Layer 2 functionality. CDP frames are sent as multicasts, using a destination MAC address of 01:00:0c:cc:cc:cc.
Cisco Catalyst switches regard the CDP address as a special address designating a multicast frame that should not be forwarded. Instead, CDP multicast frames are redirected to the switch’s management port and are processed by the switch supervisor alone. Cisco switches become aware only of other directly connected Cisco devices.
CDP is enabled by default on all switch interfaces. To manually enable or disable CDP on an interface, use the following interface configuration command:
Switch(config-if)# [no] cdp enable
If a switch port connects to a non-Cisco device or to a network outside your administrative control, consider disabling CDP on that port. Add the no keyword to disable CDP.
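As an added example (not from the book), the following Python script audits a saved running-config for the exposure just described: ports that face non-Cisco gear or networks outside your control but still advertise CDP, which hands the device type, software version and port layout to whatever is on the other end. It assumes the convention that such ports carry an interface description containing the keyword EXTERNAL; the config excerpt is constructed, and the script only reads text, so it runs offline against any running-config you have captured.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from the book). The EXTERNAL keyword
# in an interface description is the assumed marker for ports facing networks
# outside our administrative control.
SAMPLE_CONFIG = """\
hostname Switch-A
!
cdp run
!
interface GigabitEthernet0/1
 description uplink to Switch-B
 switchport mode trunk
!
interface GigabitEthernet0/2
 description EXTERNAL ISP handoff
 no cdp enable
!
interface FastEthernet0/10
 description EXTERNAL partner extranet
!
interface FastEthernet0/11
 description user port
 switchport access vlan 10
!
"""

UNTRUSTED_MARKERS = ("EXTERNAL",)  # assumed description convention


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' closes the interface block
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def cdp_globally_enabled(config: str) -> bool:
    """CDP runs by default; only an explicit 'no cdp run' turns it off globally."""
    return not re.search(r"^no cdp run\s*$", config, re.MULTILINE)


def cdp_enabled_on(lines: List[str]) -> bool:
    """Per-interface CDP is on unless 'no cdp enable' appears under the interface."""
    return not any(l == "no cdp enable" for l in lines)


def is_untrusted(lines: List[str]) -> bool:
    """Apply the description-keyword convention to decide whether a port is untrusted."""
    for l in lines:
        if l.startswith("description "):
            desc = l[len("description "):].upper()
            return any(marker in desc for marker in UNTRUSTED_MARKERS)
    return False


def audit_cdp(config: str) -> List[str]:
    """Return the untrusted-facing interfaces that still advertise CDP."""
    if not cdp_globally_enabled(config):
        return []
    return [name for name, lines in parse_interfaces(config).items()
            if is_untrusted(lines) and cdp_enabled_on(lines)]


def remediation(config: str) -> List[str]:
    """Emit the interface-configuration commands that close each finding."""
    cmds: List[str] = []
    for name in audit_cdp(config):
        cmds.append(f"interface {name}")
        cmds.append(" no cdp enable")
    return cmds


if __name__ == "__main__":
    for finding in audit_cdp(SAMPLE_CONFIG):
        print("CDP still enabled on untrusted port:", finding)
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

On the constructed config only FastEthernet0/10 is reported: GigabitEthernet0/2 is also external-facing but already carries no cdp enable, and the two internal ports are left alone because CDP there is what makes the discovery walk in the next section work.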
CDP is enabled by default on all Cisco switches and routers, so, chances are, you will be able to make use of it right away. With CDP, a switch becomes aware of only the devices that are directly connected to it. Therefore, you walk the topology one “hop” at a time: connect to one switch, find its neighbors, and then connect to them one at a time.
Figure 2-6 shows this process being used to discover a sample network. (The arrows in the sequence illustrated in Figure 2-6 point out where you are positioned as the topology is discovered.) A laptop PC has been connected to the console connection of an arbitrary switch, Switch-A. Here, Switch-A is a Catalyst 3550, determined either by inspection or from the show version command.
Figure 2-6 Network Discovery with CDP
At the top of the figure, you don’t know whether Switch-A is in the core, distribution, or access layer. Actually, you don’t even know whether this network has been built in layers.
When you are connected and in the privileged EXEC or enable mode, you can begin looking for CDP information by using the show cdp neighbors command. At Switch-A, suppose the command had the output in Example 2-1.
(Figure 2-6 labels: show cdp neighbors [detail] is run at each step; Switch-A, Catalyst 3550, 192.168.254.3; Telnet to 192.168.254.17 reaches Switch-B, Catalyst 4500, 192.168.254.17, over Switch-A Gig 0/1 to Switch-B Gig 1/1; Telnet to 192.168.254.199 reaches Switch-C, Catalyst 3550, 192.168.254.199, over Switch-B Gig 2/1 to Switch-C Gig 0/1; Router, 192.168.254.1, on Switch-B Gig 3/1 to Router Fa 0/0, connecting to the Internet and Remote Sites)
Based on the neighbors listed, you should be able to draw the connections to the neighboring switches and detail the names and model of those switches. Notice that the CDP neighbor information shows the local switch interface as well as the neighbor’s interface for each connection. This is helpful when you move to a neighbor and need to match the connections from its viewpoint.
From the output in Example 2-1, it’s apparent that Switch-A has a neighbor called Switch-B on interface GigabitEthernet 0/1. Switch-B is a Catalyst 4506.
Now you can use a variation of the command to see more detail about each neighbor. The show cdp neighbors [interface mod/num] detail command also shows the neighbor’s software release, interface settings, and its IP address, as demonstrated in Example 2-2.
Example 2-1 show cdp neighbors Command Output Reveals CDP Information
Switch-A# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch-B         Gig 0/1            152        R S I       WS-C4506  Gig 1/1
Switch-A#
Example 2-2 show cdp neighbors detail Command Output Reveals Detailed Information About Neighboring Switches
Switch-A# show cdp neighbors detail
-------------------------
Device ID: Switch-B
Entry address(es): 192.168.254.17
Platform: cisco WS-C4506, Capabilities: Router Switch IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): GigabitEthernet1/1
Holdtime : 134 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(18)EW, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright 1986-2004 by cisco Systems, Inc.
Compiled Fri 30-Jan-04 02:04 by hqluong
advertisement version: 2
VTP Management Domain: ''
Duplex: full
Management address(es):
Switch-A#
When you know the IP address of a neighboring device, you can open a Telnet session from the current switch to the neighboring switch. (This assumes that the neighboring switch has been configured with an IP address and a Telnet password on its vty lines.) Choose a neighbor and use the telnet ip-address command to move to the neighbor and continue your discovery. At Switch-B (the middle of Figure 2-6), you might see the CDP neighbor output in Example 2-3.
Next, the show cdp neighbors detail command reveals that Switch-C has the IP address 192.168.254.199, so you can open a Telnet session there. Switch-C might show only one neighbor (Switch-B), so you have reached the end of the switched network topology. At the bottom portion of Figure 2-6, the physical network has been discovered and drawn.
You can discover many more detailed aspects of a network. For example, you might want to know the extent of various VLANs across the switches, which interfaces are acting as trunks, the spanning tree topology for various VLANs, and so on.
Example 2-3 show cdp neighbors Command Output Display for Switch-B
Switch-B# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
Switch-A         Gig 1/1            105        S I         WS-C3550-4  Gig 0/1
Switch-C         Gig 2/1            139        S I         WS-C3550-4  Gig 0/1
Router           Gig 3/1            120        R           Cisco 2610  Fas 0/0
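The hop-by-hop walk described above can be automated once the neighbor tables are in hand. The following Python code is an added example, not part of the book: it parses the table portion of show cdp neighbors (the layout of Examples 2-1 and 2-3) and performs a breadth-first walk from a starting switch, recording each link once no matter which end reported it. The fetch_sample function stands in for the Telnet hop and returns constructed captures modelled on the devices in Figure 2-6; the Switch-A and Switch-B rows mirror the book's examples, while the Switch-C and Router tables and their holdtimes are invented for the example.

```python
import re
from collections import deque
from typing import Callable, Dict, List, NamedTuple, Set, Tuple

# Constructed captures of 'show cdp neighbors' for the figure's devices. The
# Switch-A and Switch-B rows mirror Examples 2-1 and 2-3; the Switch-C and
# Router tables (and their holdtimes) are invented for this example.
BANNER = (
    "Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge\n"
    "                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone\n"
    "Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID\n"
)
CDP_OUTPUTS: Dict[str, str] = {
    "Switch-A": BANNER
    + "Switch-B         Gig 0/1            152        R S I       WS-C4506    Gig 1/1\n"
    + "Switch-A#\n",
    "Switch-B": BANNER
    + "Switch-A         Gig 1/1            105        S I         WS-C3550-4  Gig 0/1\n"
    + "Switch-C         Gig 2/1            139        S I         WS-C3550-4  Gig 0/1\n"
    + "Router           Gig 3/1            120        R           Cisco 2610  Fas 0/0\n"
    + "Switch-B#\n",
    "Switch-C": BANNER
    + "Switch-B         Gig 0/1            171        R S I       WS-C4506    Gig 2/1\n"
    + "Switch-C#\n",
    "Router": BANNER
    + "Switch-B         Fas 0/0            160        R S I       WS-C4506    Gig 3/1\n"
    + "Router#\n",
}

# One table row: device, local interface, holdtime, capability letters, platform, neighbor port
NEIGHBOR_RE = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<local>\S+ \S+)\s+"
    r"(?P<holdtime>\d+)\s+"
    r"(?P<caps>(?:[A-Za-z]\s)*)\s*"
    r"(?P<platform>.+?)\s+"
    r"(?P<port>\S+ \S+)\s*$"
)


class Neighbor(NamedTuple):
    device: str
    local_intf: str
    holdtime: int
    capabilities: Tuple[str, ...]
    platform: str
    remote_intf: str


def parse_cdp_neighbors(output: str) -> List[Neighbor]:
    """Parse the rows that follow the 'Device ID' header line."""
    neighbors: List[Neighbor] = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.rstrip().endswith("#"):
            continue  # capability banner, blanks and the trailing prompt
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors.append(Neighbor(m["device"], m["local"], int(m["holdtime"]),
                                      tuple(m["caps"].split()), m["platform"].strip(), m["port"]))
    return neighbors


Link = Tuple[Tuple[str, str], Tuple[str, str]]


def walk_topology(start: str, fetch: Callable[[str], str]) -> Tuple[Dict[str, str], Set[Link]]:
    """Breadth-first CDP walk; fetch(device) stands in for 'telnet to it and run show cdp neighbors'."""
    platforms: Dict[str, str] = {}
    links: Set[Link] = set()
    visited: Set[str] = set()
    queue = deque([start])
    while queue:
        device = queue.popleft()
        if device in visited:
            continue
        visited.add(device)
        for n in parse_cdp_neighbors(fetch(device)):
            platforms[n.device] = n.platform
            # Record each link once, whichever end reported it
            links.add(tuple(sorted([(device, n.local_intf), (n.device, n.remote_intf)])))
            if n.device not in visited:
                queue.append(n.device)
    return platforms, links


def fetch_sample(device: str) -> str:
    """Stand-in for the Telnet hop; an unknown device yields an empty table."""
    return CDP_OUTPUTS.get(device, "")


if __name__ == "__main__":
    platforms, links = walk_topology("Switch-A", fetch_sample)
    for dev, plat in sorted(platforms.items()):
        print(f"{dev:10} {plat}")
    for (a, ai), (b, bi) in sorted(links):
        print(f"{a} {ai} <-> {b} {bi}")
```

Because the walk only follows what CDP reports, it stops exactly where CDP stops: a non-Cisco device, or a port where CDP was disabled as recommended earlier, appears as a dead end and has to be documented by other means. Long device IDs that IOS wraps onto their own line are not handled here.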
TIP You should assess the utilization or bandwidth used over various connections in the network. This is especially true of switch-to-switch links—if they are heavily used, you might want to plan for expansion. You also might want to get an idea of the total traffic being passed to and from individual server or user connections.
You can do this by using a network or protocol analyzer that is set up to monitor specific switch interfaces. However, you can get a quick snapshot of average traffic volumes with the show interfaces command. A switch maintains a running 5-minute average of traffic rates into and out of each interface. The output from show interfaces displays this information along with a host of other interface statistics.
To see only the interfaces that are in use and only the input and output data rates, you can add a filter to that command:
show interfaces | include (is up | rate)
This produces output similar to the following:
Switch# show interfaces | include (is up | rate)
GigabitEthernet2/1 is up, line protocol is up (connected)
  5 minute input rate 63000 bits/sec, 34 packets/sec
  5 minute output rate 901000 bits/sec, 168 packets/sec
GigabitEthernet2/2 is up, line protocol is up (connected)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 194000 bits/sec, 80 packets/sec
GigabitEthernet2/3 is up, line protocol is up (connected)
  5 minute input rate 219000 bits/sec, 103 packets/sec
  5 minute output rate 1606000 bits/sec, 265 packets/sec
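To turn that filtered output into a short list of links worth watching, the following Python parser (an added example, not from the book) reads the interface status and 5-minute rate lines and compares the busier direction against a nominal link speed taken from the interface type. The speed table is an assumption made for the example (the negotiated speed is printed in the unfiltered show interfaces output), and the FastEthernet0/1 lines in the sample are constructed to show a heavily loaded link alongside the book's three GigabitEthernet entries.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed capture of 'show interfaces | include (is up | rate)'. The three
# GigabitEthernet entries repeat the book's sample; FastEthernet0/1 is invented
# to show a heavily loaded link.
SAMPLE_OUTPUT = """\
GigabitEthernet2/1 is up, line protocol is up (connected)
  5 minute input rate 63000 bits/sec, 34 packets/sec
  5 minute output rate 901000 bits/sec, 168 packets/sec
GigabitEthernet2/2 is up, line protocol is up (connected)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 194000 bits/sec, 80 packets/sec
GigabitEthernet2/3 is up, line protocol is up (connected)
  5 minute input rate 219000 bits/sec, 103 packets/sec
  5 minute output rate 1606000 bits/sec, 265 packets/sec
FastEthernet0/1 is up, line protocol is up (connected)
  5 minute input rate 9000000 bits/sec, 1200 packets/sec
  5 minute output rate 71000000 bits/sec, 6000 packets/sec
"""

# Assumed nominal speed per interface type; a stand-in for the negotiated
# speed that the unfiltered 'show interfaces' output reports.
NOMINAL_BPS = {
    "TenGigabitEthernet": 10_000_000_000,
    "GigabitEthernet": 1_000_000_000,
    "FastEthernet": 100_000_000,
}

STATUS_RE = re.compile(
    r"^(?P<name>\S+) is (?:up|down|administratively down), line protocol is (?:up|down)")
RATE_RE = re.compile(
    r"^\s*5 minute (?P<dir>input|output) rate (?P<bps>\d+) bits/sec, (?P<pps>\d+) packets/sec")


class IfaceRates(NamedTuple):
    name: str
    input_bps: int
    output_bps: int


def parse_rates(output: str) -> List[IfaceRates]:
    """Pair each status line with the 5-minute input/output rate lines that follow it."""
    rates: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            current = m["name"]
            rates[current] = {"input": 0, "output": 0}
            continue
        m = RATE_RE.match(line)
        if m and current is not None:
            rates[current][m["dir"]] = int(m["bps"])
    return [IfaceRates(n, v["input"], v["output"]) for n, v in rates.items()]


def nominal_speed(name: str) -> Optional[int]:
    """Assumed link speed from the interface type prefix; None for unknown types."""
    for prefix, bps in NOMINAL_BPS.items():
        if name.startswith(prefix):
            return bps
    return None  # e.g. Vlan or Loopback: no meaningful utilization figure


def utilization(iface: IfaceRates) -> Optional[float]:
    """Utilization of the busier direction as a fraction of nominal speed."""
    speed = nominal_speed(iface.name)
    if speed is None:
        return None
    return max(iface.input_bps, iface.output_bps) / speed


def busy_links(output: str, threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Interfaces whose busier direction exceeds the threshold, utilization rounded to 3 places."""
    hot: List[Tuple[str, float]] = []
    for iface in parse_rates(output):
        u = utilization(iface)
        if u is not None and u > threshold:
            hot.append((iface.name, round(u, 3)))
    return hot


if __name__ == "__main__":
    for iface in parse_rates(SAMPLE_OUTPUT):
        u = utilization(iface)
        print(f"{iface.name:20} in {iface.input_bps:>10} out {iface.output_bps:>10} bits/sec"
              + (f"  util {u:.1%}" if u is not None else ""))
    print("links above 50%:", busy_links(SAMPLE_OUTPUT))
```

The 5-minute average smooths out bursts, so a link that shows modest utilization here can still be saturating for seconds at a time; the snapshot is a screening step, and the analyzer the TIP mentions is what confirms a link really needs expansion.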
These are all important things to consider in a network design and in troubleshooting a network, but they are beyond the scope of this chapter. These topics and the appropriate commands are presented in later chapters of this book.
Migrating to a Hierarchical Design
After you have discovered the topology of a network, you might find that it doesn’t resemble the overall design goals that were presented earlier in this chapter. Perhaps it doesn’t have a hierarchical layout with distinct layers. Or maybe you aren’t able to see a modular layout with distinct switch blocks.
To move toward the campus hierarchical model, you also need to gather information about the traffic patterns crossing the network. For example, you should try to find answers to these questions:
■ Where are the enterprise resources (corporate email, web, and intranet application servers) located?
■ Where are the end user communities located?
■ Where are the service provider connections to the Internet, remote sites, and VPN users located?
Following the example of Figure 2-6, these have been identified by interviewing system administrators and network staff. Figure 2-7 shows the locations of user groups and server resources. Notice that these seem to be scattered across the entire network and that there is no clear picture of a modular network.
Figure 2-7 Identifying User and Enterprise Resources
(Figure 2-7 labels: Router connecting to the Internet and Remote Sites; Switch-A, Catalyst 3550; Switch-B, Catalyst 4500; Switch-C, Catalyst 3550; groups of Users and Servers attached at several of the switches)
Now, you should add some structure to the design. Try to identify pieces of the network as specific modules. For example, the end user communities eventually will become switch block modules, containing both distribution- and access-layer switches. Redraw the network with the users and their switches toward the bottom.
Any resources related to connections to service providers, remote sites, or the Internet should be grouped and moved to become a service provider module or switch block. Enterprise servers, such as those in a data center, should be grouped and moved to become server farm switch blocks.
As you do this, a modular structure should begin to appear. Each module will connect into a central core layer, completing the hierarchical design. To see how the example of Figures 2-6 and 2-7 can be transformed, look at Figure 2-8. The existing switches have merely been moved so that they resemble the enterprise composite model. Without adding switches, the existing network has been migrated into the modular structure. Each module shown ultimately will become a switch block.
Figure 2-8 Migrating an Existing Network into a Modular Structure
(Figure 2-8 labels: Router; Service Provider Module with Internet and Remote Sites; Core Module; Server Farm Module with Servers; Access Modules with Users; Switch-A, Catalyst 3550; Switch-B, Catalyst 4500; Switch-C, Catalyst 3550)
Now, each module should be addressed so that it can be migrated into a proper switch block. Remember that switch blocks always contain the switches necessary to connect a resource (users, servers, and so on) into the core layer. If this is done for the network in Figure 2-8, the network shown in Figure 2-9 might result.
Figure 2-9 Migrating Network Modules into Switch Blocks
Notice that some additional switches have been added so that there is a distinct distribution layer of switches connecting into the core layer. Here, only single switches and single connections between switches have been shown. At this point, the design doesn’t strictly follow the hierarchical model because there is little or no redundancy between layers.
Finally, you should add the redundant components to complete the design. The core should have dual switches. Each switch block should have dual distribution switches and dual links to both the access and core layers. These can be added now, resulting in the network shown in Figure 2-10.
This might not be a practical design for a small sample network, but a full-fledged hierarchical design stages the sample network for growth and stability in the future.
(Figure 2-9 labels: Service Provider Module with Internet and Remote Sites; Core or Collapsed Core; Server Farm Switch Block with Servers; Switch Block with Users)
Figure 2-10 Completing the Hierarchical Campus Design
(Figure 2-10 labels: Core Block; Service Provider Module with Internet and Remote Sites; Switch Blocks with Users; Server Farm Switch Block with Servers)
Foundation Summary
The Foundation Summary is a collection of tables, figures, lists, and other information that provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary might help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, the following information is a convenient way to review the day before the exam.
A campus network can be logically divided into these building blocks:
■ Switch block—A group of access-layer switches, together with their distribution switches.
■ Core block—The campus network’s backbone.
■ Server farm block—A group of enterprise servers, along with their access- and distribution-layer switches.
■ Management block—A group of network-management resources, along with their access and distribution switches.
■ Enterprise edge block—A collection of services related to external network access, along with their access and distribution switches.
■ Service provider edge block—The external network services contracted or used by the enterprise network. These are the services with which the enterprise edge block interfaces.
Other than the core block, each switch block should have the following characteristics:
■ Switches that form an access layer
■ Dual distribution switches
■ Redundant connections into the access and core layers
The most important factors to consider when choosing a switch block’s size are as follows:
■ The number of users connected to the access-layer switches
■ The extent of the access VLAN or subnet
■ The multilayer switching capacity of the distribution switches in the switch block
■ The types, patterns, and volume of traffic passing through the switch block
The core layer in a campus network can be designed as follows:
■ Collapsed core—The distribution- and core-layer switches are combined. This is usually acceptable in a small to medium-size network.
■ Dual core—The distribution and core layers are separate; the core layer consists of dual or redundant multilayer switches.
Q&A
The questions and scenarios in this book are more difficult than what you should experience on the actual exam. The questions do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Rather than allowing you to derive the answers from clues hidden inside the questions themselves, the questions challenge your understanding and recall of the subject. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess.
You can find the answers to these questions in Appendix A.
1. Where is the most appropriate place to connect a block of enterprise (internal) servers? Why?
2. How can you provide redundancy at the switch and core block layers? (Consider physical means, as well as functional methods using protocols, algorithms, and so on.)
3. What factors should you consider when sizing a switch block?
4. What are the signs of an oversized switch block?
5. What are the attributes and issues of having a collapsed core block?
6. How many switches are sufficient in a core block design?
7. What building blocks are used to build a scalable campus network?
8. What are two types of core, or backbone, designs?
9. Why should links and services provided to remote sites be grouped in a distinct building block?
10. Why should network-management applications and servers be placed in a distinct building block?