Introduction to Virtual Local Area Networks: (Virtual LAN). Data center network infrastructure will become more flexible

31.10.2017 | Vladimir Khazov

The main task of an Internet service provider is to deliver communication services to subscribers (Internet access, telephony, digital television and others), and to deliver them it has to build a network. In the previous article we covered the main steps of creating an Internet provider; in this one we look more closely at building the network itself.

The figure shows a reference model for building a network. It is a tree topology (a union of several star topologies) with additional redundant links. Redundancy compensates for the main drawback of this topology (the failure of one node cuts off everything beneath it), but it also doubles the already considerable cable consumption. To reduce cabling costs, many organizations "reinforce" only the most significant parts of the network.

Remember that this is only a model: the division into levels is conditional, some devices may implement two levels at once, and some levels may be absent altogether.

As you can see, this model consists of four levels:

  • access level;
  • aggregation level;
  • network core level;
  • server level.

Let's take a look at each of them separately.

Access level

The main process at this level is connecting the client's equipment (a computer or a Wi-Fi router) to the provider's network. The provider's equipment here consists of switches (for a wired local network) or base stations (for wireless connections). As a rule, managed Layer 2 (L2) switches are used to build a manageable network, less often Layer 3 (L3) switches. Some providers choose unmanaged switches when first building the network; later this tends to hurt the quality of the services provided, since an unmanaged switch cannot be monitored, segmented or secured per port.

To reduce the cost per connection, devices with the maximum number of physical interfaces (24 or 48 ports) are used. The Cisco Catalyst 2900, 3500 and 3700 series have proven themselves as managed L2 switches, but many operators choose Eltex, SNR and other Russian products as more affordable.

L3 switches are rare at this level because they cost more than L2 switches and placing them in the technical rooms of high-rise buildings carries certain risks. Where L3 switches do appear at the access level, it is only where the access and aggregation levels are combined. A typical example is a department within an office building or, in a provider's case, an apartment building or a residential section (entrance) of such a building.

Note that when building a network, each provider chooses its own degree of segmentation. A network segment, or VLAN (Virtual Local Area Network), lets you combine a group of users into one logical network or isolate each of them separately. It is considered very bad form for the network to be "flat", that is, for clients, switches, routers and servers to sit in the same logical segment: every host sees every other host's broadcasts, one misbehaving client can disrupt everyone, and nothing stops one subscriber from attacking another directly at Layer 2. The better solution is to divide the whole network into smaller subnets, ideally allocating a VLAN per client.

Aggregation level

This is an intermediate level between the network core and the access level. As a rule, it is built on L3 switches, less often on routers, because of their higher cost and, again, the peculiarities of operating in premises of a certain type. The main task of the equipment is to aggregate links from access-level switches on a "backbone" switch in a star topology.

The distance from access switches to switches of this group can be several kilometers. If L2 switches are used at the access level and the network is segmented, then the L3 interfaces for the VLANs registered at the access level are configured at this level. This relieves the network core somewhat: the core then holds no VLAN definitions or VLAN interface parameters, only a route to the final subnet.

The most popular equipment providers use for this layer is the Cisco Catalyst 3750 and 3550 series, in particular the WS-C3550-24-FX-SMI.

The latter became popular thanks to its large number of optical interfaces, but unfortunately it is outdated and no longer meets modern requirements for building networks. Equipment from Foundry (now Brocade), Nortel (outdated), Extreme, SNR and Eltex also copes well with the tasks of this level. Foundry/Brocade hardware lets you use a chassis with expansion slots and grow performance as needed.

Core level

The core is an integral part of any network. This layer is built on routers, less often on high-performance L3 switches (again, to reduce the cost of the network). As mentioned earlier, depending on the network architecture the core can hold static routes or run dynamic routing.

Server level

It is implemented, as the name implies, by network servers, either on general-purpose server platforms or on specialized appliances. Server software is offered today by different vendors under different licenses, as is the OS it runs on. The provider's standard set at this level:

  • DHCP server;
  • DNS server;
  • one or more access servers (if required);
  • AAA server (RADIUS or Diameter);
  • billing server;
  • database server;
  • server for storing flow statistics and billing information;
  • network monitoring server;
  • entertainment services for users (optional);
  • content servers (such as Google Cache).

We will take a closer look at these services in the next article.

Border level

The border level is usually absent from diagrams like the one at the beginning, since it operates outside the main network, although it can be implemented on the core equipment. It is better, though, to allocate a separate device for this purpose. At this level traffic is exchanged with the upstream provider, or between the operator's AS (autonomous system) and other autonomous systems (when BGP is used). At the start of building the network this level can be implemented on the access server, but as soon as a second access server has to be added, the question of a subnet of your own public addresses arises.

This can be done on routers or on L3 switches: it is enough to route your own public address pool through the IP address the upstream provider issued you at connection time.

The final scheme of an Internet provider's network may look like this, but in practice it is adapted to specific tasks.

In the following articles we will talk about the main services an ISP's network needs, and how some of them can be combined on a single platform.

For more detailed information about the advantages of the VAS DPI deep packet inspection system, its effective use on telecom operators' networks, and migration from other platforms, contact the specialists of the company that develops and supplies the DPI traffic analysis system.

This is the first article in the series "Networks for the little ones". Maxim aka Gluck and I thought for a long time about where to start: routing, VLANs, equipment configuration. In the end we decided to start with the fundamental and, one might say, most important thing: planning. Since the series is intended for complete beginners, we will go all the way from start to finish.

It is assumed that you have at least read about the OSI reference model and the TCP/IP protocol stack, know what kinds of VLANs exist (the most popular today being port-based VLANs), and know what IP addresses are. We understand that OSI and TCP/IP are scary words for newbies. But don't worry, we are not using them to intimidate you. These are things you will have to deal with every day, so over the course of this series we will try to reveal their meaning and relationship to reality.

Let's start by setting the problem. There is a certain company that makes, say, elevators that only go up, which is why it is called Lift mi ap LLC. It occupies an old building on the Arbat, and the rotten cables plugged into scorched 10Base-T switches are not going to let new servers connect over gigabit cards. So the company has a desperate need for network infrastructure and money to burn, which gives you unlimited choice. This is a wonderful dream for any engineer. And you passed the interview yesterday and, after a hard fight, rightfully got the position of network administrator. Now you are the first and only one of your kind there. Congratulations! What's next?

The situation is as follows:

  1. At the moment the company has two offices: 200 square meters on the Arbat for workplaces and a server room, where several providers are available, and another office on Rublevka.
  2. There are four user groups: accounting (B), the financial and economic department (FEO), the production and technical department (PTO), and other users (D). Servers (C) are placed in a separate group. All groups are isolated from one another and have no direct access to each other.
  3. Users from groups C, B and FEO will be found only in the Arbat office; PTO and D will be in both offices.
Having estimated the number of users, the required interfaces and communication channels, you prepare a network diagram and an IP plan.

When designing a network, you should try to follow the hierarchical network model, which has many advantages over a "flat network":

  • it makes the network easier to understand
  • the model is modular, so capacity can easily be added exactly where it is needed
  • it is easier to find and isolate a problem
  • fault tolerance is higher thanks to duplicated devices and/or links
  • the functions that keep the network running are spread across different devices.
According to this model, the network is divided into three logical layers: the network core (Core layer: high-performance devices whose main purpose is fast transport), the distribution layer (Distribution layer: enforces security policies and QoS, aggregates VLANs and routes between them, defines broadcast domains), and the access layer (Access layer: usually L2 switches; purpose: connecting end devices, marking traffic for QoS, protecting the network against loops (STP) and broadcast storms, supplying power to PoE devices).

At our scale the role of each device is blurred, but the network can still be separated logically.
Let's draw a rough diagram:

In the diagram, the core (Core) is the 2811 router; the 2960 switch is assigned to the distribution layer (Distribution), since it aggregates all VLANs into a common trunk; the 2950 switches are access devices, to which end users, office equipment and servers connect.

We will name devices as follows: abbreviated city name (msk) - location (street, building) (arbat) - role of the device in the network + sequence number.
According to role and location we choose the hostnames:
Router 2811: msk-arbat-gw1 (gw = gateway)
Switch 2960: msk-arbat-dsw1 (dsw = distribution switch)
Switches 2950: msk-arbat-aswN, msk-rubl-asw1 (asw = access switch)

Network documentation
The entire network must be strictly documented, from the schematic diagram down to the name of each interface.
Before moving on to configuration, here is a list of the required documents and actions:
  • Network diagrams L1, L2 and L3, corresponding to the layers of the OSI model (physical, data link, network)
  • IP addressing plan (IP plan)
  • VLAN list
  • Interface descriptions (the description field on each interface)
  • Device inventory (for each device: hardware model, installed IOS version, RAM/NVRAM size, list of interfaces)
  • Labels on cables (where from and where to), including power and ground cables, and on devices
  • A single policy document defining all of the above parameters and more
Of these, the ones we will keep up in the simulation are the network diagrams, the IP plan, the VLAN list and the interface descriptions. Naturally, every change to the network must be reflected in both the documentation and the configuration so that they stay current.

When we talk about labels and stickers on cables, we mean this:

In this photo you can clearly see that every cable is labelled, as is every circuit breaker on the panel in the rack and every device.

We will prepare the documents we need:

VLAN list

Each group is allocated its own VLAN. This limits the broadcast domains. We also introduce a dedicated VLAN for device management.

VLAN   Name         Purpose
2      Management   device management (switch and router addresses)
3      Servers      server farm
101    PTO          production and technical department
102    FEO          financial and economic department
103    Accounting   accounting
104    Other        other users

VLAN numbers 4 through 100 are reserved for future use.
IP plan

IP address                    Note                     VLAN
172.16.0.0/16
172.16.0.0/24                 Server farm              3
  172.16.0.1                  Gateway
  172.16.0.2                  Web
  172.16.0.3                  File
  172.16.0.4                  Mail
  172.16.0.5 - 172.16.0.254   Reserved
172.16.1.0/24                 Management               2
  172.16.1.1                  Gateway
  172.16.1.2                  msk-arbat-dsw1
  172.16.1.3                  msk-arbat-asw1
  172.16.1.4                  msk-arbat-asw2
  172.16.1.5                  msk-arbat-asw3
  172.16.1.6                  msk-rubl-asw1
  172.16.1.7 - 172.16.1.254   Reserved
172.16.2.0/24                 Point-to-point links
  172.16.2.1                  Gateway
  172.16.2.2 - 172.16.2.254   Reserved
172.16.3.0/24                 PTO                      101
  172.16.3.1                  Gateway
  172.16.3.2 - 172.16.3.254   User pool
172.16.4.0/24                 FEO                      102
  172.16.4.1                  Gateway
  172.16.4.2 - 172.16.4.254   User pool
172.16.5.0/24                 Accounting               103
  172.16.5.1                  Gateway
  172.16.5.2 - 172.16.5.254   User pool
172.16.6.0/24                 Other users              104
  172.16.6.1                  Gateway
  172.16.6.2 - 172.16.6.254   User pool

The allocation of subnets is, generally speaking, arbitrary; it only has to match the number of hosts in each local network, allowing for growth. In this example all subnets use the standard /24 mask (/24 = 255.255.255.0), which is common in local networks but by no means mandatory. We advise reading up on network classes; later we will move on to classless addressing. We know that linking to technical articles on Wikipedia is bad manners, but they give good definitions, and we in turn will try to relate them to the real world.
A point-to-point network is a direct link from one router to another. Such links are usually given a /30 mask (back to the topic of classless addressing), i.e. a subnet with exactly two host addresses. What this is for will become clear later.
Equipment connection plan by ports
Of course, there are switches today with a bunch of 1Gb Ethernet ports, switches with 10G, 40Gb is available on advanced operator-grade hardware costing thousands of dollars, and 100Gb is in development (rumor has it such cards have even gone into production). So in the real world you choose switches and routers according to your needs, without forgetting the budget. In particular, a gigabit switch can now be bought inexpensively (20-30 thousand) with headroom for the future (unless you are a provider, of course). A router with gigabit ports is noticeably more expensive than one with 100 Mbps ports, but it is worth it, because the FE (100 Mbps Fast Ethernet) models are outdated and their throughput is very low.
But the emulator and simulator programs we will use unfortunately offer only basic equipment models, so when modelling the network we will start from what we have: a Cisco 2811 router and Cisco 2960 and 2950 switches.
Device           Port             Name             Access VLAN   Trunk VLANs
msk-arbat-gw1    FE0/1            UpLink
                 FE0/0            msk-arbat-dsw1                 2,3,101,102,103,104
msk-arbat-dsw1   FE0/24           msk-arbat-gw1                  2,3,101,102,103,104
                 GE1/1            msk-arbat-asw1                 2,3
                 GE1/2            msk-arbat-asw3                 2,101,102,103,104
                 FE0/1            msk-rubl-asw1                  2,101,104
msk-arbat-asw1   GE1/1            msk-arbat-dsw1                 2,3
                 GE1/2            msk-arbat-asw2                 2,3
                 FE0/1            Web-server       3
                 FE0/2            File-server      3
msk-arbat-asw2   GE1/1            msk-arbat-asw1                 2,3
                 FE0/1            Mail-server      3
msk-arbat-asw3   GE1/1            msk-arbat-dsw1                 2,101,102,103,104
                 FE0/1-FE0/5      PTO              101
                 FE0/6-FE0/10     FEO              102
                 FE0/11-FE0/15    Accounting       103
                 FE0/16-FE0/24    Other            104
msk-rubl-asw1    FE0/24           msk-arbat-dsw1                 2,101,104
                 FE0/1-FE0/15     PTO              101
                 FE0/20           administrator    104

Why the VLANs are allocated this way will be explained in the following parts.
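A practitioner keeps plans like these machine-checkable, because a VLAN allowed on one end of a trunk but not on the other, or a subnet that overlaps another, is exactly the kind of error that hides in a table. The following is an added example, not code from the original article: a Python script that holds the IP plan and port plan above as data and checks that every subnet sits inside 172.16.0.0/16 without overlaps, that both ends of each trunk allow the same VLANs, that every access VLAN and the management VLAN on each switch has a routed subnet and a trunk path to msk-arbat-gw1, and that no trunk into an access switch carries VLANs the switch has no ports in (which is what the VLAN allocation in the port plan achieves: the server VLAN never reaches Rublevka). The dictionary layout, the check functions and the "needed VLANs" rule are this example's assumptions.

```python
"""Consistency checks for the Lift mi ap IP plan and port plan."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Data transcribed from the IP plan and port plan above; the layout and the
# check functions are this example's own.
GATEWAY = "msk-arbat-gw1"
MGMT_VLAN = 2
SUPERNET = ipaddress.ip_network("172.16.0.0/16")

# VLAN -> subnet from the IP plan (the /30 point-to-point block has no VLAN).
IP_PLAN: Dict[int, str] = {
    3: "172.16.0.0/24", 2: "172.16.1.0/24", 101: "172.16.3.0/24",
    102: "172.16.4.0/24", 103: "172.16.5.0/24", 104: "172.16.6.0/24",
}

# VLANs each access switch actually has access ports in.
ACCESS_VLANS: Dict[str, Set[int]] = {
    "msk-arbat-asw1": {3}, "msk-arbat-asw2": {3},
    "msk-arbat-asw3": {101, 102, 103, 104}, "msk-rubl-asw1": {101, 104},
}

# Each trunk is a pair of ends: (device, port, allowed VLAN set).
End = Tuple[str, str, Set[int]]
TRUNKS: List[Tuple[End, End]] = [
    ((GATEWAY, "FE0/0", {2, 3, 101, 102, 103, 104}),
     ("msk-arbat-dsw1", "FE0/24", {2, 3, 101, 102, 103, 104})),
    (("msk-arbat-dsw1", "GE1/1", {2, 3}), ("msk-arbat-asw1", "GE1/1", {2, 3})),
    (("msk-arbat-dsw1", "GE1/2", {2, 101, 102, 103, 104}),
     ("msk-arbat-asw3", "GE1/1", {2, 101, 102, 103, 104})),
    (("msk-arbat-dsw1", "FE0/1", {2, 101, 104}),
     ("msk-rubl-asw1", "FE0/24", {2, 101, 104})),
    (("msk-arbat-asw1", "GE1/2", {2, 3}), ("msk-arbat-asw2", "GE1/1", {2, 3})),
]


def check_ip_plan(plan=IP_PLAN, supernet=SUPERNET) -> List[str]:
    """Every subnet must sit inside the supernet and must not overlap another one."""
    problems = []
    nets = sorted((v, ipaddress.ip_network(s)) for v, s in plan.items())
    for i, (v1, n1) in enumerate(nets):
        if not n1.subnet_of(supernet):
            problems.append(f"VLAN {v1}: {n1} is outside {supernet}")
        for v2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"VLAN {v1} {n1} overlaps VLAN {v2} {n2}")
    return problems


def check_trunk_ends(trunks=TRUNKS) -> List[str]:
    """Both ends must allow the same VLANs; a one-sided VLAN is silently dropped."""
    return [f"{a[0]} {a[1]} allows {sorted(a[2])} but {b[0]} {b[1]} allows {sorted(b[2])}"
            for a, b in trunks if a[2] != b[2]]


def devices_reached(vlan: int, start: str, trunks=TRUNKS) -> Set[str]:
    """Devices that VLAN `vlan` reaches from `start` over trunks allowing it on both ends."""
    seen, todo = {start}, [start]
    while todo:
        dev = todo.pop()
        for a, b in trunks:
            if vlan not in a[2] or vlan not in b[2]:
                continue
            for here, there in ((a[0], b[0]), (b[0], a[0])):
                if here == dev and there not in seen:
                    seen.add(there)
                    todo.append(there)
    return seen


def check_access_switches(access=ACCESS_VLANS, trunks=TRUNKS, plan=IP_PLAN) -> List[str]:
    """Each switch's access VLANs plus the management VLAN need a routed subnet and a
    trunk path to the gateway, and its trunks should carry nothing beyond that set."""
    problems = []
    for switch, vlans in access.items():
        needed = vlans | {MGMT_VLAN}
        for vlan in sorted(needed):
            if vlan not in plan:
                problems.append(f"VLAN {vlan} on {switch} has no subnet in the IP plan")
            if switch not in devices_reached(vlan, GATEWAY, trunks):
                problems.append(f"VLAN {vlan} on {switch} has no trunk path to {GATEWAY}")
        for a, b in trunks:
            for end in (a, b):
                if end[0] == switch and not end[2] <= needed:
                    extra = sorted(end[2] - needed)
                    problems.append(f"{switch} {end[1]} carries unneeded VLANs {extra}")
    return problems


if __name__ == "__main__":
    for p in check_ip_plan() + check_trunk_ends() + check_access_switches():
        print("PROBLEM:", p)
```

Run as a script it prints PROBLEM lines, none for the plan as documented; change one trunk end and it reports both the mismatch and the switch that lost its path to the gateway. The pruning check is the security-relevant one: a VLAN that an access switch carries without needing it is a VLAN that anyone on that switch can try to reach.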
Network diagrams
Based on this data, all three network diagrams can be drawn at this stage. You can use Microsoft Visio, some free application (tied to its own format), or a graphics editor (you could even draw them by hand, but keeping that up to date will be hard :)).

Not to promote open source, but for the sake of variety we used Dia. I consider it one of the best diagramming applications for Linux. There is a Windows version too, but unfortunately it is not compatible with Visio.

L1

That is, on the L1 diagram we show the physical network devices with port numbers: what is connected where.

L2
On the L2 diagram we show our VLANs.

L3

In our example the Layer 3 diagram turned out rather useless and not very illustrative, because there is only one routing device. Over time it will grow more detailed.

As you can see, the information in the documents is redundant: for example, VLAN numbers appear both in the diagram and in the port plan. Whatever works best for you, do it that way. The redundancy makes updates after a configuration change harder, because you have to fix things in several places at once, but on the other hand it makes the network easier to understand.

We will return to this first article more than once, just as you will always have to come back to what you originally planned.
The homework for those who are just starting out and are ready to put in the effort: read a lot about VLANs and IP addressing, and get hold of Packet Tracer and GNS3.
For fundamental theoretical knowledge we advise starting with the Cisco Press books. This is something you will definitely need to know.
In the next part everything will be done properly, with video: we will learn to connect to the equipment, get to grips with the interface, and explain what to do with a careless administrator who has forgotten the password.
P.S. Thanks to the article's co-author, Maxim aka gluck.
P.P.S. If you have questions but no way to ask them here, you are welcome to

Introduction to Virtual Local Area Networks: (Virtual LAN)
In Layer 2 switched networks, the network looks "flat" (see Figure 1): any broadcast frame is forwarded to every device, whether or not the device needs it.

Because Layer 2 switching creates a separate collision domain for each device connected to the switch, the restrictions on Ethernet segment length are relaxed, so larger networks can be built. But growth in the number of users and devices raises the number of broadcasts and the number of packets every device has to process. Another problem with flat Layer 2 switching is security: all users "see" all devices, and you cannot stop devices from broadcasting or users from responding to those broadcasts. The only thing left to raise the level of security is password protection on servers and other devices. Creating VLANs solves many of these Layer 2 switching problems, as shown below.

Broadcasts occur in every protocol, but how often they occur depends on the protocol, the applications running on the internetwork and how network services are used. Sometimes old applications have to be rewritten to reduce the number of broadcasts. Newer applications, however, are bandwidth-hungry and consume every resource they find; multimedia applications make heavy use of broadcasts and multicasts. Hardware failures, inadequate segmentation and poorly designed firewalls can also affect broadcast intensity. Special care is needed in network design because broadcasts travel across a switched network: by default, routers do not forward broadcasts beyond the originating network, whereas switches forward them to all segments. That is why such a network is called "flat": it forms a single broadcast domain. It is the network administrator's job to segment the network correctly so that a problem in one segment does not spill over into the entire network. The most effective way to do this is switching combined with routing. Because a switch has a better cost-to-performance ratio, many companies are moving from flat networks to fully switched networks with VLANs. All devices in a VLAN are members of the same broadcast domain and receive all of its broadcasts; by default, those broadcasts are filtered from every switch port that is not a member of the same VLAN. Routers, Layer 3 switches and route switch modules (RSMs) should be used together with switches to connect VLANs and to keep broadcasts from propagating across the entire network.

Security

Security is another problem of flat networks, which are built by connecting hubs and switches through routers. Protection is provided by the routers, but anyone who plugs into the physical network gains access to its resources. In addition, a user can attach a network analyzer to a hub and observe all network traffic, and joining a workgroup takes nothing more than plugging a station into the hub. Using VLANs and creating multiple broadcast groups lets the administrator control each port and each user. Users can no longer simply connect their workstations to an arbitrary switch port and gain access to network resources; the administrator controls every port and all the resources offered to users. Groups are formed according to users' needs for network resources, and the switch can be configured to notify the network management station of any unauthorized attempt to access them. Where communication between VLANs is needed, access restrictions can be applied on the routers, based on hardware addresses, protocols and applications.

Flexibility and scalability

A Layer 2 switch does not filter: it only reads frames and does not examine network-layer protocol information, so it forwards all broadcasts. Creating VLANs, however, creates separate broadcast domains: broadcasts from a host in one VLAN are not sent to ports in another VLAN. By assigning switch ports and users to a particular VLAN on one switch or on a group of connected switches (such a group is called a switch fabric), we gain the flexibility of adding a user to just one broadcast domain regardless of the user's physical location. This keeps a broadcast storm caused by a failed network interface card (NIC) or application from spreading across the internetwork. When a VLAN grows very large, new VLANs can be created so that broadcasts do not consume too much bandwidth: the fewer users a VLAN has, the fewer users its broadcasts affect.

To understand what a VLAN looks like from the switch's point of view, it helps to look first at an ordinary collapsed backbone. Figure 2 shows a collapsed backbone built by connecting physical LANs to a router. Each network attaches to the router and has its own logical network number, and every node on a given physical network must use that network number to communicate across the resulting internetwork. Now consider the same scheme built on a switch. Figure 3 shows how the switch removes the physical boundaries within the internetwork. A switch is more flexible and scalable than a router: you can group users into communities of interest, which is called an organizational VLAN structure.

Using a switch seems to eliminate the need for a router. That is not the case. In Fig. 3, four VLANs (broadcast domains) are visible. Hosts within a VLAN can communicate with each other, but not with hosts in other VLANs. When VLANs are configured, hosts must sit within the collapsed backbone (see Fig. 2). What does a host in Fig. 2 need in order to reach a host on another network? It must go through a router or another Layer 3 device, just as for communication between VLANs (see Fig. 3). Communication between VLANs, like communication between physical networks, must pass through a Layer 3 device.

VLAN membership

A VLAN is usually created by an administrator who assigns switch ports to it. This method is called a static VLAN. If the administrator goes to the trouble of entering the hardware addresses of all hosts into a database, the switch can be configured to assign VLANs dynamically.

Static VLANs. Static VLANs are the usual way of forming such networks, and they are highly secure: the VLAN assigned to a switch port stays in effect until the administrator changes it. This type of VLAN is easy to configure and monitor, and static VLANs suit networks where user movement is controlled. Network management software can help with port assignment, but it is not required.

Dynamic VLANs. Dynamic VLANs track host membership automatically. Intelligent network management software lets dynamic VLANs be built from hardware (MAC) addresses, protocols and even applications. Suppose a MAC address has been entered into the central VLAN management application. When that host is then plugged into an unassigned switch port, the VLAN management database looks up the hardware address and configures the port for the required VLAN. This simplifies administration and configuration: if a user moves to a different location on the network, the new switch port is automatically placed in the correct VLAN. The price is the initial effort of populating the database. Bear in mind that a MAC address is trivially forged by the host, so MAC-based assignment is a convenience, not an access control.

Cisco network administrators can use the VLAN Management Policy Server (VMPS) to set up the MAC address database used for dynamic VLANs. VMPS is, in effect, a database that maps MAC addresses to VLANs.

VLAN identification

A VLAN can span several connected switches. Devices in such a switch fabric must keep track not only of the frames themselves but of which VLAN each frame belongs to; this is done by frame tagging, which lets the switches forward frames to the right ports. In such a switched environment there are two different kinds of links:

Access links. Links that belong to only one VLAN: a single switch port is a member of exactly one VLAN. A device attached to an access link is unaware of its VLAN membership; it considers itself part of a broadcast domain but knows nothing about the actual physical network. The switch removes all VLAN information before sending a frame out an access link, and devices on access links cannot talk to devices outside their VLAN unless the packets pass through a router.

Trunk links. Trunk links can carry several VLANs. The name is borrowed from telephone systems, where a trunk line carries many conversations at once. In computer networks, trunk links connect switches to other switches, to routers and even to servers. Trunks are supported only on Fast Ethernet and Gigabit Ethernet. Cisco switches support two identification schemes, ISL and 802.1Q, for identifying a specific Ethernet VLAN in a frame. Trunk links carry VLANs between devices and can be configured to allow all VLANs or only some of them. A trunk also has a native VLAN (the default VLAN, VLAN 1 on Cisco switches): on an 802.1Q trunk, frames belonging to the native VLAN are sent without a tag, and untagged frames received on the trunk are assigned to it. Because that traffic is untagged, a practitioner should move the native VLAN to an otherwise unused VLAN ID rather than leaving it at VLAN 1, which is also the default access VLAN of every port.

Frame tagging

A switch in an internetwork needs to track users and frames as they pass through the switch fabric and VLANs. A switch fabric is a group of switches that share the same VLAN information. Frame identification (tagging) assigns a unique, user-defined identifier to each frame; this is often called VLAN ID assignment or "coloring". Cisco developed a frame tagging method for transporting Ethernet frames over trunks. The VLAN tag is removed before the frame leaves the trunk. Every switch that receives the frame must identify the VLAN ID in order to decide, from its filtering table, what to do with the frame. If the frame arrives at a switch that has another trunk link, the frame is forwarded out that trunk port. When the frame reaches the end of the trunk path and has to go out an access link, the switch removes the VLAN ID, and the end station receives the frame without any VLAN information.

VLAN identification methods

The VLAN ID is used to track frames traveling through the switch fabric: it marks which VLAN a frame belongs to. There are several methods for tracking frames on trunks:

  • ISL. ISL (Inter-Switch Link) is proprietary to Cisco switches and is used only on FastEthernet and Gigabit Ethernet lines. The protocol can be applied to a switch port, a router interface, or the network adapter interface of a server acting as a trunk. Such a trunk server is suitable for creating VLANs that do not violate the 80/20 rule. The trunk server is simultaneously a member of all VLANs (broadcast domains), so users do not need to cross a Layer 3 device to access a server that is shared across the organization.
  • IEEE 802.1q. The protocol was created by the IEEE as a standard method for tagging frames. It inserts an additional field into the frame to identify the VLAN. To create a trunk link between Cisco switches and a third-party switch, you will need to use 802.1q, which will enable the trunk to work.
  • LANE. The LANE (LAN emulation) protocol is used for communication between multiple VLANs over ATM.
  • 802.10 (FDDI). Allows forwarding VLAN information over FDDI. It uses the SAID field in the frame header to identify the VLAN. The protocol is proprietary to Cisco devices.

ISL protocol

ISL (Inter-Switch Link) is a way to explicitly mark VLAN information in Ethernet frames. Tagging allows VLANs to be multiplexed on trunks using an external encapsulation method. ISL can interconnect multiple switches while preserving VLAN information as traffic moves both across the switch and across the trunk. ISL has low latency and high line-rate performance for FastEthernet in half- and full-duplex mode. ISL was developed by Cisco, so it is considered proprietary to Cisco devices. If you need a non-proprietary VLAN protocol, use 802.1q (see the book CCNP: Switching Study Guide).

ISL is an external tagging process: the original frame is not changed in any way, but a new 26-byte ISL header is prepended to it, and a second 4-byte FCS (frame check sequence) field is added at the end of the frame. Since the frame is encapsulated, only devices that support ISL can read it. Frames must not exceed 1522 bytes. A device that receives an ISL frame may consider it too large, given that Ethernet has a maximum frame length of 1518 bytes.

On trunk ports (ports carrying multiple VLANs), each frame is tagged as it enters the switch. A network interface card (NIC) that supports ISL allows a server to receive and send tagged frames for multiple VLANs. Moreover, frames can pass through several VLANs without crossing the router, which reduces latency. This technology can also be used in network probes and analyzers. The user can reach the server without crossing the router on every access to an information resource. For example, a network administrator might use ISL to place a file server in multiple VLANs at the same time. It is important to understand that ISL VLAN information is added to the frame only when it is forwarded to a port configured for trunk mode, and the ISL encapsulation is removed from the frame as soon as it enters an access link.

Trunk links

Trunks are point-to-point connections at 100 Mbps or 1000 Mbps between two switches, between a switch and a router, or between a switch and a server. Trunk links can carry traffic for multiple VLANs (from 1 to 1005 VLANs are supported simultaneously). Trunking is not permitted on 10 Mbps links. Trunking allows a port to be a member of multiple VLANs at the same time, so that, for example, a trunk server can be in two broadcast domains at once; users avoid crossing the Layer 3 device (router) when logging in to and using the server.

In addition, when switches are connected by a trunk, some or all of the VLAN information can be carried over the link. If no trunk link is formed between switches, then by default these devices can exchange traffic for only one VLAN over the link. All VLANs are carried over a trunk unless the administrator manually restricts the list. Cisco switches use the Dynamic Trunking Protocol (DTP) to control trunking mode switching in Catalyst switch software version 4.2 or later, using ISL or 802.1q. DTP is a point-to-point protocol designed to carry trunk negotiation information over 802.1q trunks.
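As an added illustration (not from the original text), the following Python snippet shows what the 802.1q tagging described above does to a frame: the 4-byte field is inserted after the source MAC on the trunk, the FCS is recomputed, a 1518-byte frame becomes 1522 bytes, and the tag is stripped again on the access link. The sample frame and MAC addresses are constructed; reserved VLAN IDs 0 and 4095 are rejected.

```python
import struct
import zlib

TPID_8021Q = 0x8100           # EtherType value that announces an 802.1Q tag
MAX_UNTAGGED_FRAME = 1518     # classic Ethernet maximum, FCS included
MAX_TAGGED_FRAME = 1522       # 1518 plus the 4-byte tag


def _fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over header+payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: 6+6+2 header, payload, 4-byte FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    if len(body) + 4 > MAX_UNTAGGED_FRAME:
        raise ValueError("untagged frame exceeds 1518 bytes")
    return body + _fcs(body)


def fcs_ok(frame: bytes) -> bool:
    return len(frame) >= 18 and _fcs(frame[:-4]) == frame[-4:]


def parse_vlan(frame: bytes):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, otherwise None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def add_8021q_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """What a trunk port does on egress: insert the tag after the source MAC."""
    if not 1 <= vid <= 4094:              # VID 0 and 4095 are reserved
        raise ValueError(f"VLAN ID {vid} is not a usable VLAN")
    if parse_vlan(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    if len(body) + 4 > MAX_TAGGED_FRAME:
        raise ValueError("tagged frame exceeds 1522 bytes")
    return body + _fcs(body)             # the FCS must be recomputed


def strip_8021q_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the tag and recompute the FCS."""
    if parse_vlan(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + _fcs(body)


# Constructed sample: a maximum-size IPv4 frame from a locally administered MAC.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("025056000101")
SAMPLE = build_frame(DST, SRC, 0x0800, b"\x00" * 1500)   # 1518 bytes
TAGGED = add_8021q_tag(SAMPLE, vid=101, pcp=5)           # 1522 bytes, VLAN 101
```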

This is the first article in the series "Networks for the little ones". Maxim aka Gluck and I thought for a long time about where to start: routing, VLANs, equipment configuration. In the end we decided to start with a fundamental and, one might say, the most important thing: planning. Since the series is designed for complete newbies, we will go all the way from start to finish.

It is assumed that you have at least read about the OSI reference model, about the TCP / IP protocol stack, know about the types of existing VLANs, about the most popular port-based VLAN now, and about IP addresses. We understand that OSI and TCP / IP are scary words for newbies. But don't worry, we are not using them to intimidate you. This is something that you will have to meet every day, so during this cycle we will try to reveal their meaning and relationship to reality.

Let's start by setting the task. There is a certain company that, for example, manufactures elevators that only go up, and is therefore called Lift mi ap LLC. They are located in an old building on the Arbat, and rotten wires plugged into scorched 10Base-T switches are not going to let new servers connect over gigabit cards. So they have a catastrophic need for network infrastructure, and they have money to burn, which gives you unlimited choice. This is a wonderful dream for any engineer. Yesterday you passed the interview and, after a hard fight, rightfully got the position of network administrator. Now you are the first and only one of your kind there. Congratulations! What's next?

Let's make the situation a bit more specific:

  1. At the moment the company has two offices: 200 square metres on the Arbat for workplaces and a server room, where several providers are present, and another office on Rublevka.
  2. There are four user groups: accounting (B), financial and economic department (FEO), production and technical department (PTO), other users (D). And also there are servers (C), which are placed in a separate group. All groups are delimited and do not have direct access to each other.
  3. Users of groups C, B and FEO will only be in the office on Arbat, PTO and D will be in both offices.

Having estimated the number of users, the required interfaces, communication channels, you prepare a network diagram and an IP plan.

When designing a network, you should try to adhere to a hierarchical network model, which has many advantages over a “flat network”:

  • simplifies understanding of networking
  • the model implies modularity, which means that it is easy to increase capacity exactly where it is needed
  • easier to find and isolate the problem
  • increased fault tolerance due to duplication of devices and / or connections
  • distribution of functions to ensure the operability of the network across various devices.

According to this model, the network is divided into three logical levels: the network core (Core layer: high-performance devices whose main purpose is fast transport), the distribution layer (Distribution layer: enforces security policies, QoS, aggregation and routing between VLANs, defines broadcast domains), and the access layer (Access layer: usually L2 switches; purpose: connecting end devices, traffic marking for QoS, protection against loops in the network (STP) and broadcast storms, providing power to PoE devices).

On a scale like ours, the role of each device is blurred, but it is possible to logically separate the network.

Let's make a rough diagram:


In the presented diagram, the core (Core) will be the 2811 router; the 2960 switch will be assigned to the distribution level (Distribution), since it aggregates all VLANs into a common trunk. The 2950 switches will be the Access devices: end users, office equipment and servers connect to them.

We will name the devices as follows: abbreviated city name (msk) - geographical location (street, building) (arbat) - the role of the device in the network + sequence number.

According to their roles and location, we choose hostname:

  • router 2811: msk-arbat-gw1 (gw = GateWay = gateway);
  • switch 2960: msk-arbat-dsw1 (dsw = Distribution switch);
  • switches 2950: msk-arbat-aswN, msk-rubl-asw1 (asw = Access switch).

Network documentation

The entire network must be strictly documented: from the schematic diagram to the name of the interface.

Before proceeding with the configuration, I would like to provide a list of required documents and actions:

  • network diagrams L1, L2, L3 in accordance with the layers of the OSI model (physical, channel, network);
  • IP Addressing Plan = IP Plan;
  • VLAN list;
  • interface descriptions (description);
  • list of devices (for each: hardware model, installed IOS version, amount of RAM / NVRAM, list of interfaces);
  • labels on cables (from where and where they go), including on power and ground cables and devices;
  • a single regulation that defines all of the above parameters and others.

What we will follow in the simulation program is highlighted in bold. Of course, all network changes must be made to the documentation and configuration to keep them up to date.

When we talk about labels / stickers on cables, we mean this:

In this photo, you can clearly see that every cable is labelled, as is every breaker on the electrical panel in the rack and every device.

We will prepare the documents we need:

VLAN list

Each group will be allocated to a separate vlan. This will limit the broadcast domains. We will also introduce a special VLAN for device management. VLAN numbers 4 through 100 are reserved for future use.

IP plan

Allocation of subnets is generally arbitrary, corresponding only to the number of nodes in the local network, taking into account possible growth. In this example, all subnets have a standard /24 mask (/24 = 255.255.255.0); these are often used in local networks, but not always. We advise you to read about network classes. In the future we will turn to classless addressing (cisco). We understand that links to technical articles on Wikipedia are bad manners, but they give a good definition, and we will try in turn to relate this to the picture of the real world.

A point-to-point network is a point-to-point connection from one router to another. Usually addresses with a /30 mask are used (returning to the topic of classless networks), that is, a network containing two host addresses. Later it will become clear what this is about.

IP plan

IP address                   Note                     VLAN
172.16.0.0/16
172.16.0.0/24                Server farm              3
172.16.0.1                   Gateway
172.16.0.2                   Web
172.16.0.3                   File
172.16.0.4                   Mail
172.16.0.5 — 172.16.0.254    Reserved
172.16.1.0/24                Control                  2
172.16.1.1                   Gateway
172.16.1.2                   msk-arbat-dsw1
172.16.1.3                   msk-arbat-asw1
172.16.1.4                   msk-arbat-asw2
172.16.1.5                   msk-arbat-asw3
172.16.1.6                   msk-rubl-asw1
172.16.1.6 — 172.16.1.254    Reserved
172.16.2.0/24                Point-to-Point network
172.16.2.1                   Gateway
172.16.2.2 — 172.16.2.254    Reserved
172.16.3.0/24                PTO                      101
172.16.3.1                   Gateway
172.16.3.2 — 172.16.3.254    User pool
172.16.4.0/24                FEO                      102
172.16.4.1                   Gateway
172.16.4.2 — 172.16.4.254    User pool
172.16.5.0/24                Accounting department    103
172.16.5.1                   Gateway
172.16.5.2 — 172.16.5.254    User pool
172.16.6.0/24                Other users              104
172.16.6.1                   Gateway
172.16.6.2 — 172.16.6.254    User pool
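An added check, not part of the original article: once the plan is transcribed into Python's ipaddress types, a script can verify that every subnet is a /24 inside 172.16.0.0/16, that subnets do not overlap, that each gateway is the first host, that VLAN IDs are unique, and that host assignments do not collide. Only some rows of the plan are transcribed; run on the Control subnet as printed above, the check flags that 172.16.1.6 is both assigned to msk-rubl-asw1 and the start of the reserved range.

```python
import ipaddress

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address
SITE = Net("172.16.0.0/16")

# Subnet -> VLAN, transcribed from the plan (the point-to-point net has no VLAN).
SUBNETS = {
    "Server farm":    ("172.16.0.0/24", 3),
    "Control":        ("172.16.1.0/24", 2),
    "Point-to-Point": ("172.16.2.0/24", None),
    "PTO":            ("172.16.3.0/24", 101),
    "FEO":            ("172.16.4.0/24", 102),
    "Accounting":     ("172.16.5.0/24", 103),
    "Other users":    ("172.16.6.0/24", 104),
}

# Host assignments as (first, last, note); only the Control subnet is listed
# address by address, the others follow the same Gateway / pool pattern.
ASSIGNMENTS = [
    ("172.16.0.1", "172.16.0.1", "Gateway"),
    ("172.16.0.2", "172.16.0.4", "Web, File, Mail"),
    ("172.16.0.5", "172.16.0.254", "Reserved"),
    ("172.16.1.1", "172.16.1.1", "Gateway"),
    ("172.16.1.2", "172.16.1.2", "msk-arbat-dsw1"),
    ("172.16.1.3", "172.16.1.3", "msk-arbat-asw1"),
    ("172.16.1.4", "172.16.1.4", "msk-arbat-asw2"),
    ("172.16.1.5", "172.16.1.5", "msk-arbat-asw3"),
    ("172.16.1.6", "172.16.1.6", "msk-rubl-asw1"),
    ("172.16.1.6", "172.16.1.254", "Reserved"),
    ("172.16.3.1", "172.16.3.1", "Gateway"),
    ("172.16.3.2", "172.16.3.254", "User pool"),
]


def vlan_for(ip: str):
    """Map a host address to its VLAN through the subnet table (None if no VLAN)."""
    addr = Addr(ip)
    for cidr, vlan in SUBNETS.values():
        if addr in Net(cidr):
            return vlan
    return None


def check_plan():
    """Return a list of inconsistencies; an empty list means the plan is clean."""
    problems = []
    nets = {name: Net(cidr) for name, (cidr, _) in SUBNETS.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(SITE):
            problems.append(f"{a}: {nets[a]} lies outside {SITE}")
        if nets[a].prefixlen != 24:
            problems.append(f"{a}: {nets[a]} is not a /24")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    vlans = [v for _, v in SUBNETS.values() if v is not None]
    if len(vlans) != len(set(vlans)):
        problems.append("a VLAN ID is used by more than one subnet")
    seen = []                                   # (lo, hi, note) already checked
    for first, last, note in ASSIGNMENTS:
        lo, hi = Addr(first), Addr(last)
        home = [n for n, net in nets.items() if lo in net and hi in net]
        if len(home) != 1:
            problems.append(f"{note} {first}-{last} does not fit in one subnet")
            continue
        if note == "Gateway" and lo != nets[home[0]].network_address + 1:
            problems.append(f"{home[0]}: gateway {lo} is not the first host")
        for plo, phi, pnote in seen:
            if lo <= phi and plo <= hi:         # the two address ranges intersect
                problems.append(f"{note} {first}-{last} overlaps {pnote} {plo}-{phi}")
        seen.append((lo, hi, note))
    return problems
```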

Equipment connection plan by ports

Of course, now there are switches with a bunch of 1Gb Ethernet ports, there are switches with 10G, 40Gb is available on advanced operator hardware costing thousands of dollars, 100Gb is in development (and rumor has it that there are even such cards that have gone into industrial production). Accordingly, you can choose switches and routers in the real world according to your needs, without forgetting about the budget. In particular, a gigabit switch can now be bought inexpensively (20-30 thousand) and this with a margin for the future (if you are not a provider, of course). A router with gigabit ports is already significantly more expensive than a router with 100Mbps ports, but it's worth it because the FE models (100Mbps FastEthernet) are outdated and their bandwidth is very low.

But in the emulator / simulator programs that we will use, unfortunately, there are only simple equipment models, so when modeling the network we will start from what we have: a cisco2811 router, cisco2960 and 2950 switches.

Device name      Port            Name             Access VLAN   Trunk VLANs
msk-arbat-gw1    FE0/1           UpLink
                 FE0/0           msk-arbat-dsw1                 2,3,101,102,103,104
msk-arbat-dsw1   FE0/24          msk-arbat-gw1                  2,3,101,102,103,104
                 GE1/1           msk-arbat-asw1                 2,3
                 GE1/2           msk-arbat-asw3                 2,101,102,103,104
                 FE0/1           msk-rubl-asw1                  2,101,104
msk-arbat-asw1   GE1/1           msk-arbat-dsw1                 2,3
                 GE1/2           msk-arbat-asw2                 2,3
                 FE0/1           Web-server       3
                 FE0/2           File-server      3
msk-arbat-asw2   GE1/1           msk-arbat-asw1                 2,3
                 FE0/1           Mail-Server      3
msk-arbat-asw3   GE1/1           msk-arbat-dsw1                 2,101,102,103,104
                 FE0/1-FE0/5     PTO              101
                 FE0/6-FE0/10    FEO              102
                 FE0/11-FE0/15   Accounting       103
                 FE0/16-FE0/24   Other            104
msk-rubl-asw1    FE0/24          msk-arbat-dsw1                 2,101,104
                 FE0/1-FE0/15    PTO              101
                 FE0/20          administrator    104
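As an added example (not the authors' code), the port plan can be rendered into Cisco IOS interface stanzas directly, which keeps the documentation and the configuration from drifting apart; each trunk is restricted to the VLANs listed in the plan instead of carrying all VLANs, and DTP negotiation is disabled on access ports with switchport nonegotiate. The rows are transcribed from the table above; the IOS commands are standard, the helper names are mine.

```python
import re

# Rows transcribed from the port plan: (device, port, description, access VLAN,
# trunk VLANs). A port is either access (VLAN given) or trunk (list given).
PORT_PLAN = [
    ("msk-arbat-dsw1", "FE0/24",        "msk-arbat-gw1",  None, [2, 3, 101, 102, 103, 104]),
    ("msk-arbat-dsw1", "GE1/1",         "msk-arbat-asw1", None, [2, 3]),
    ("msk-arbat-dsw1", "GE1/2",         "msk-arbat-asw3", None, [2, 101, 102, 103, 104]),
    ("msk-arbat-dsw1", "FE0/1",         "msk-rubl-asw1",  None, [2, 101, 104]),
    ("msk-arbat-asw3", "GE1/1",         "msk-arbat-dsw1", None, [2, 101, 102, 103, 104]),
    ("msk-arbat-asw3", "FE0/1-FE0/5",   "PTO",            101,  None),
    ("msk-arbat-asw3", "FE0/6-FE0/10",  "FEO",            102,  None),
    ("msk-arbat-asw3", "FE0/11-FE0/15", "Accounting",     103,  None),
    ("msk-arbat-asw3", "FE0/16-FE0/24", "Other",          104,  None),
    ("msk-rubl-asw1",  "FE0/24",        "msk-arbat-dsw1", None, [2, 101, 104]),
    ("msk-rubl-asw1",  "FE0/1-FE0/15",  "PTO",            101,  None),
    ("msk-rubl-asw1",  "FE0/20",        "administrator",  104,  None),
]

PREFIX = {"FE": "FastEthernet", "GE": "GigabitEthernet"}
PORT_RE = re.compile(r"^(FE|GE)(\d+)/(\d+)$")


def interface_header(port: str) -> str:
    """'FE0/1' -> 'interface FastEthernet0/1'; 'FE0/1-FE0/5' -> an interface range."""
    if "-" in port:
        a, b = (PORT_RE.match(p) for p in port.split("-"))
        if not (a and b) or a.group(1, 2) != b.group(1, 2):
            raise ValueError(f"bad port range {port!r}")
        return f"interface range {PREFIX[a[1]]}{a[2]}/{a[3]} - {b[3]}"
    m = PORT_RE.match(port)
    if not m:
        raise ValueError(f"bad port {port!r}")
    return f"interface {PREFIX[m[1]]}{m[2]}/{m[3]}"


def render_port(port: str, desc: str, access, trunk) -> list:
    """IOS lines for one plan row; access ports also get DTP switched off."""
    if (access is None) == (trunk is None):
        raise ValueError(f"{port}: a port is either access or trunk, not both")
    lines = [interface_header(port), f" description {desc}"]
    if access is not None:
        lines += [" switchport mode access",
                  f" switchport access vlan {access}",
                  " switchport nonegotiate"]
    else:
        lines += [" switchport mode trunk",
                  " switchport trunk allowed vlan " + ",".join(map(str, trunk))]
    return lines + ["!"]


def device_config(device: str) -> str:
    """Concatenate the stanzas for every port plan row belonging to one device."""
    out = []
    for dev, port, desc, access, trunk in PORT_PLAN:
        if dev == device:
            out += render_port(port, desc, access, trunk)
    return "\n".join(out)
```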

Why this is how VLANs are allocated will be explained in the following sections.

Network diagrams

Based on this data, all three network diagrams can be drawn up at this stage. To do this, you can use Microsoft Visio, some free application (but then you are bound to its format), or a graphics editor (you can also draw it by hand, but it will be difficult to keep up to date :)).

Not to promote open source, but for the sake of variety of tools, we will use Dia. I consider it one of the best diagramming applications for Linux. There is a version for Windows, but unfortunately it is not compatible with Visio.

L1

That is, on the L1 diagram, we reflect the physical devices of the network with port numbers: what is connected where.


L2

On the L2 diagram, we indicate our VLANs.


L3

In our example, the third level scheme turned out to be rather useless and not very clear, due to the presence of only one routing device. But over time, it will become overgrown with details.


As you can see, the information in the documents is redundant. For example, VLAN numbers are repeated both in the diagram and in the port plan. Here it is a matter of what suits whom: do whatever is more convenient for you. This redundancy makes updating harder in the event of a configuration change, because you need to fix it in several places at once, but on the other hand it makes the network easier to understand.

We will return to this first article more than once, just as you will always have to go back to what you originally planned. Now, a task for those who are just starting to learn and are ready to make an effort: read a lot about VLANs and IP addressing, and find the Packet Tracer and GNS3 programs. For fundamental theoretical knowledge, we advise you to start reading Cisco Press. This is what you will definitely need to know. In the next part things get serious, with a video: we will learn to connect to the equipment, get to grips with the interface, and tell you what to do about a careless administrator who has forgotten the password.

In recent years, experts in the field of local area networks are increasingly inclined to believe that networks with hundreds, thousands, or even tens of thousands of nodes should be structured according to a hierarchical model, the superiority of which over a flat, non-hierarchical model seems convincing.

It would seem that after replacing slow routers with more efficient Layer 3 switches, nothing can stop the spread of this model. However, the reduction in the cost of switches encourages the choice in favor of solutions based entirely on the second layer. The advantages of structured networks are ignored.

ADVANTAGES OF THE HIERARCHICAL MODEL

In a hierarchical model, the entire network is divided into several levels, which are handled separately. This makes it very easy to set design goals, since each individual level can be implemented in accordance with the specific requirements of a particular scope. Reducing the size of the subnets allows you to achieve a reduction in the number of communication links for each end device. For example, broadcast “storms” are growing rapidly with an increase in the number of systems in a flat network.

Responsibility for maintaining individual sub-regions of the network tree in the hierarchical model is easily delegated without any major interface problems, which is not possible in the case of a flat network. In addition, the visibility of the network structure in the case of a hierarchical model also justifies itself when searching for errors. With a hierarchical network structure, various kinds of changes are much easier to implement, since, as a rule, they affect only part of the system. In a flat model, they can affect the entire network. This circumstance greatly simplifies the build-up of hierarchical networks: it is realized by adding a new network area to the existing level or the next level without the need to redraw the entire structure.

FROM ROUTING TO LAYER 3 SWITCHING

For a long time, the high cost and low performance of existing devices hindered the spread of hierarchical network design. Classic routers could not compete with Layer 2 switches in packet forwarding rate or cost per port, and implementing the required combination of routing and Layer 2 switching proved problematic in practice. Therefore, in many enterprises, communication within IP subnets or virtual local area networks (VLANs) was built on a combination of Layer 2 frame switching and ATM, while no high-performance equipment existed for IP communication between virtual networks. It finally became available with the advent of Layer 3 switching, which, with its initial flaws corrected, can now be considered mature.

Layer 3 switches route each packet individually using application-specific integrated circuits (ASICs), analyzing the contents of the packets and making forwarding decisions based on information from the higher layers. Communication between VLANs is as fast as communication within a VLAN, that is, at full network bandwidth. Products forwarding up to 100 million packets per second have already appeared on the market.

Replacing existing routers with Layer 3 switches is very simple: you only need to replace the corresponding devices. All the skills and know-how potential accumulated over the years of operation of the routers can be used in further work.

Switches of the second and third levels currently differ little from each other in terms of performance, so the choice of the type of device depends - along with functionality - on the cost of the ports. At the same time, even despite the noticeable reduction in the cost of Layer 3 switches, simple Layer 2 switches still cost much less. Thus, the field of application of the former is mainly network backbones, and of the latter, working groups.

CLEAR LOCAL ASSIGNMENT

VLAN technology associated with Layer 2 switching emerged as a result of the desire to minimize communication between IP subnets, as it occurs over slow connections to routers. It is possible to increase the share of communications within VLANs and reduce that between VLANs by mapping IP subnets and dedicated organizational structures to VLANs. In this case, the same subnet can be spread over several buildings - as a rule, for VLANs, geography does not matter.

Figure 2. Redundant Layer 2/3 Network.

The third-level switching still gives a chance for the consistent implementation of the hierarchical principles of building a network. Thus, the question of the so-called flat or hierarchical approach again acquires special significance. The logical structure of a flat unstructured network corresponds to the diagram shown in Figure 1. There is no link between the location of the end devices and their IP addresses. The third octet of the IP address (in the figure: "1", "2" or "3") does not provide any information about the location of the target device.

An alternative is a Layer 3 infrastructure in the network core with Layer 2 switches attached to it, for example as shown in Figure 2. The structured network follows the logical diagram shown in Figure 3, which clearly shows the relationship between the location of end devices and their IP addresses: the third octet of the IP address gives the exact location of the end device, and the fourth, last octet identifies the specific target device.

Figure 3. The logical structure of the third level network.

SECOND / THIRD LEVEL STRUCTURED NETWORKS

When examining the advantages and disadvantages of the topologies under consideration, one can nevertheless find one significant positive aspect of flat second-level networks: when moving equipment, you do not need to change IP addresses and you do not need to reconfigure applications in which IP addresses are used as identification signs.

However, this can be contrasted with a number of advantages of structured networks of the second / third level:

  • no negative consequences of potential duplicate IP addresses for the entire network as a whole;
  • separation of broadcast domains and, thereby, a significant reduction in the load on end devices;
  • ubiquitous correspondence of network layer addresses to buildings and switches: "speaking" addresses facilitate the localization of errors that occur;
  • the ability to implement security functions at the boundaries between subnets;
  • ensuring the required quality of service at the network and transport layers, for example, by prioritizing certain applications;
  • more efficient broadcast management through the use of broadcast traffic routing in Layer 3 switches;
  • a significant reduction in the time required to reach convergence when redundant links are used. For example, with Open Shortest Path First (OSPF) this takes only a few seconds, whereas the Spanning Tree protocol takes 40 to 50 seconds. At the IP subnet level, the Hot Standby Router Protocol / Virtual Router Redundancy Protocol (HSRP / VRRP) can be used as the default-router redundancy mechanism.

COMPETITIVE APPROACHES TO DESIGN

Layer 2/3 structured networking seems best suited to ensuring safe and stable operation even in large networks. Almost all network architects reach this conclusion, yet recently a new approach to network design, based solely on Layer 2 switches, has gained many adherents. This is because many enterprises are forced to look for opportunities to reduce investment, including in local networks.

Such concepts are based primarily on the use of inexpensive Layer 2 switches and consist in the composition of them, for example, a ring structure. The mechanism for implementing redundancy in ring structures is based on the Rapid Spanning Tree protocol. This approach is supported by the IEEE 802.1w standard, which defines fast spanning tree reconfiguration, which was designed to reduce the convergence time of the infamous Spanning Tree protocol to a few seconds.

Such "inexpensive" schemes, which leave the hierarchical network model aside, look attractive at first glance: the savings amount to tens of percent. Mild skepticism doesn't hurt, though. Low-cost L2 switches must have stable code to support Rapid Spanning Tree, which seems a rather daring assumption considering how long it took for the original algorithm to work more or less stably. Also keep in mind that low convergence time in the presence of redundant links is just one of the reasons why a Layer 3 infrastructure is used. What about "speaking" IP addresses, protection against misdirected addresses, reduced broadcast traffic, and better broadcast management in Layer 3 networks?

With this point of view, the price aspect becomes relative, because, after all, the two approaches to network design cannot be compared. Of course, a completely redundant double-star design costs much more than a cascade structure with inexpensive components. However, a network project using third-level devices can also be somewhat cheaper: it is not at all necessary to take "excess" hardware as a basis. This will help build a third-level network and save about 35% of its cost.

Berotz Moyeri works for the Comconsult Beratung und Planung. You can contact him at:
