6 - Network Design
Politecnico di Torino
Progetto di Reti Locali
Homework 6: Network Design
Fulvio Risso
March 9, 2011
Contents
I. Introduction
  1. Methodology
II. Exercises
  2. HSRP
    2.1. Exercise n. 1
    2.2. Exercise n. 2
    2.3. Exercise n. 3
    2.4. Exercise n. 4
    2.5. Exercise n. 5
  3. Network Design
    3.1. Exercise n. 6
    3.2. Exercise n. 7
    3.3. Exercise n. 8
    3.4. Exercise n. 9
    3.5. Exercise n. 10
    3.6. Exercise n. 11
III. Solutions
  4. HSRP
    4.1. Solution for exercise n. 1
    4.2. Solution for exercise n. 4
  5. Network Design
    5.1. Solution for exercise n. 6
    5.2. Solution for exercise n. 7
    5.3. Solution for exercise n. 11
Part I.
Introduction
1. Methodology

In this set of exercises we focus first on HSRP/VRRP analysis, and then on network design and analysis when L2/L3 switches are present. The first kind of exercise is definitely simple and requires only the application of the general rules of the associated protocol specifications. Therefore, in this methodology section we concentrate on the problems that may arise when facing L2-L3 network design, which includes the application of the most important technologies that can be found in a modern corporate network.

Most of the exercises related to network design require predicting the path of a set of packets, given a specific network topology (in terms of switches and routers, physical links, interfaces configured at L2 or L3, VLANs). The solution usually requires the following main steps:

1. If multilayer switches are present in the network, take each one of them, plot its L2 and L3 components as discrete objects, then mark each interface as part of the L2 or L3 domain.
2. Determine the outcome of the Spanning Tree (i.e., which L2 ports are active and are then able to forward frames), for each VLAN present in the topology. Beware that a network may have multiple instances of the Spanning Tree.
3. If HSRP/VRRP is configured in the network, determine which is the active router (for each IP network present in the topology).
4. Analyze the packet flow generated by the application (e.g., PING), associating each packet with the proper source and destination addresses at both L2 and L3, and with the proper VLAN-ID.
5. Given that points (3) and (4) have been completed, we can now determine the path of each frame on the network topology. For this, we can exploit the source and destination MAC addresses contained in the frame in order to determine the source and destination stations on the network, and analyze the actual path of this frame according to the STP topology derived before.

Please remember that in an L2 network the path between two stations is unique (the STP does not allow multiple paths between stations) and that we have to select the right STP instance related to that frame in case multiple instances are present.
Part II.
Exercises
2. HSRP

2.1. Exercise n. 1

Referring to the network topology depicted below, configure the proper HSRP parameters on routers R1 and R2 in order to guarantee redundancy when connecting to the Internet, with R1 acting as primary router. Configure also the proper value for the default gateway on the hosts.

2.2. Exercise n. 2

Referring to the network topology depicted below, configure the proper HSRP parameters on routers R1 and R2 in order to guarantee redundancy and load balancing when connecting to the Internet. Configure also the proper value for the default gateway on the hosts.

2.3. Exercise n. 3

Referring to the network topology depicted below, determine the path of a packet sent by host H1 toward the Internet in case the routers have the configuration shown in the figure and the link from R1 to the Internet has a fault.

2.4. Exercise n. 4

Referring to the network topology depicted below that includes hosts belonging to two VLANs:
• configure the proper HSRP parameters on routers R1 and R2 in order to guarantee redundancy and load balancing in connecting to the Internet;
• for all the interfaces of the switches and host/routers, list whether they are configured in access/trunk mode and associate the proper VLAN to them.

Let us suppose that R1 and R2 do not generate any routing traffic (e.g. OSPF) within the LAN. Finally, do not include in the solution the interfaces connected to the Internet.

2.5. Exercise n. 5

Referring to the network topology depicted below, a server S is configured in a fault-tolerant mode using HSRP. Both interfaces are part of the same HSRP group in order to achieve protection against a fault of the links between the server itself and one of the two switches. Vice versa, hosts in the network are equipped with a fault-tolerant NIC (without HSRP) that features two different interfaces connected to the two available switches. The fault-tolerant NIC will automatically select one of the links as active, and the other will be put in stand-by.
• Supposing that the link (S → SW-1) is active, while the link (S → SW-2) has a fault, will the HSRP work properly in this configuration?
• In general, is it correct to deploy HSRP in such a network?

3. Network Design

3.1. Exercise n. 6

Referring to the network topology depicted below that includes hosts belonging to two VLANs:
• Determine the STP topology (all switches have default parameters);
• Configure the proper HSRP parameters on routers R1 and R2 in order to guarantee redundancy and load balancing when connecting to the Internet;
• For all the interfaces of the switches and host/routers, list whether they are configured in access/trunk mode and associate the proper VLAN to them;
• Determine the links crossed by HSRP packets exchanged between R1 and R2.

Please note that R1 and R2 are expected to exchange routing traffic (e.g. OSPF) among them in order to calculate the routing topology. Finally, do not include interfaces connected to the Internet in the solution.

3.2. Exercise n. 7

Referring to the network configuration depicted below, write a possible configuration (using a Cisco-like syntax) of the interfaces of the multilayer switch, focusing on the L2-L3 interfaces configuration commands.

3.3. Exercise n. 8

Referring to the network topology depicted below that includes hosts belonging to two VLANs:
• Determine the path of an IP packet directed from host H1 to H2 and write the most important parameters (e.g. MAC source/destination, IP source/destination) of that packet;
• Repeat the same for an IP packet directed from host H2 to host H1.

Assume that all the ports of the multilayer switch are configured in L2 mode.

3.4. Exercise n. 9

Referring to the network topology depicted below that includes hosts belonging to two VLANs:
• determine the STP topology;
• configure the proper interfaces (e.g. IP addresses) and HSRP parameters on multilayer switches ML-1 and ML-2 in order to guarantee redundancy and load balancing in connecting to the Internet;
• associate all the interfaces of switches and hosts to the proper VLAN and indicate whether they are in access/trunk mode;
• determine the path of the HSRP packets exchanged by ML-1 and ML-2;
• determine how many HSRP packets you expect on the link between ML-1 and SW-1.

Please note that ML-1 and ML-2 are expected to generate routing traffic (e.g. OSPF) among them in order to exchange the routing topology. Do not include in the solution the interfaces connected to the Internet. Repeat the exercise in case the direct link between ML-1 and ML-2 fails. Finally, discuss whether the direct link between ML-1 and ML-2 works better if configured in L2 mode or in L3 mode.

3.5. Exercise n. 10

Given the network topology depicted below that includes hosts belonging to three VLANs:
1. Determine the path of an IP packet from host H1 to host H3;
2. Determine the path of the same packet when a fault occurs on the direct link between ML-1 and ML-2;
3. Suggest three possible modifications of the network (either at the physical or at the configuration level) in order to optimize the L3 paths;
4. Indicate the number of VLANs that we expect to configure over that network;
5. List the possible IP addresses configured on the two multilayer switches ML-1 and ML-2.

All the interfaces of the multilayer switches are configured in L2 mode, except the interface that connects to the WAN. Finally, let us suppose the use of the standard STP protocol (not the per-VLAN STP).

3.6. Exercise n. 11

Given the network topology depicted below that includes hosts belonging to two VLANs, propose a configuration that:
• enables optimized load balancing on the external links toward the Internet;
• optimizes the paths for the exiting traffic, so that packets directed to the WAN always cross only a single multilayer switch.

Let us suppose that all the interfaces of the multilayer switches are configured in L2 mode, except the interface that connects to the WAN, and that we use the Per-VLAN STP protocol. Finally, show also the final outcome of the Spanning Tree Protocol and the path of an IP packet from host H1 to host H2.
Part III.
Solutions
4. HSRP

4.1. Solution for exercise n. 1

Although HSRP can be configured to provide also load balancing in addition to redundancy, the exercise focuses only on the first objective. Therefore a single HSRP group is required and the solution is shown in the network topology below. Since the IP address of router R1 is smaller than the IP address of router R2, the priority value has to be configured in order to force the election of that router as “active”. The default gateway for each host is shown on the network topology below.

4.2. Solution for exercise n. 4

The network includes two VLANs, hence we can achieve load balancing by forwarding VLAN1 traffic through R1 and VLAN2 traffic through R2; hence load balancing does not rely on HSRP. HSRP will provide only gateway redundancy and will have to be configured per-VLAN. Since routers must participate in all VLANs (i.e. they must be able to receive all the VLAN packets on their interfaces), their NICs must be configured in trunk mode. Virtual VLAN interfaces must be created and associated to VLANs; these virtual interfaces will be configured at the IP level. All hosts have access ports; the switch has access ports toward clients and trunk ports toward the routers. The resulting configuration is depicted in the picture below.

5. Network Design

5.1. Solution for exercise n. 6

Question 1

The STP topology is extremely simple, since we do not have loops in the L2 network (in fact, the direct link between R1 and R2 is a pure L3 link and hence it belongs to a different broadcast domain of the switches). Therefore, the STP topology on the L2 network overlaps with the physical topology.

Questions 2 and 3

The configuration of the VLAN ports and the HSRP on the routers can be the following:

Router R1
---------
Interface Fe0
  Trunk port, VLAN 1-2
  Virtual Interface VLAN 1
    IP: 130.192.16.252/24
    HSRP Group 1
      Virtual IP: 130.192.16.254
      Priority 105
  Virtual Interface VLAN 2
    IP: 130.192.17.252/24
    HSRP Group 2
      Virtual IP: 130.192.17.254
Interface Fe1
  Access port, no VLANs
  IP: 130.192.18.1/24
  OSPF: active

Router R2
---------
Interface Fe0
  Trunk port, VLAN 1-2
  Virtual Interface VLAN 1
    IP: 130.192.16.253/24
    HSRP Group 1
      Virtual IP: 130.192.16.254
  Virtual Interface VLAN 2
    IP: 130.192.17.253/24
    HSRP Group 2
      Virtual IP: 130.192.17.254
Interface Fe1
  Access port, no VLANs
  IP: 130.192.18.2/24
  OSPF: active

Routers have their Fe1 interface configured in pure L3 mode, hence the interface is not associated to any VLAN (it operates in access mode) and it has an IP address active on it. Hosts are VLAN-unaware (no VLANs are configured on their ports); the configuration of the VLANs on the switches is the following:

Switch SW-1

Interface   Mode     VLAN-ID
Fe0         Access   1
Fe1         Trunk    1,2
Fe2         Trunk    1,2

Switch SW-2

Interface   Mode     VLAN-ID
Fe0         Access   2
Fe1         Trunk    1,2
Fe2         Trunk    1,2

Question 4

With respect to the path followed by HSRP packets, we have to note that these packets are generated on the VLAN interfaces of the routers, which are linked to the upper interface (Fe0). Therefore HSRP packets will exit from interface Fe0 of router R1, will go through switches SW-1 and SW-2, and then will reach interface Fe0 of R2, where they will be redirected to the proper VLAN interface. HSRP packets from R2 to R1 will follow the opposite path.

It is worth noting that the direct link between R1 and R2 will not transport any HSRP packet. Instead, it can be used to transport routing traffic. In the absence of this link, the routing traffic would have to be transported anyway, and a possible configuration involves a new VLAN (e.g. VLAN 3) that will be dedicated to this traffic. While such a new VLAN for routing traffic is not mandatory (routing messages can also be exchanged through VLAN 1 or VLAN 2), it is a good practice to have it in order not to have routing traffic received from network hosts, thereby avoiding possible attacks coming from the clients present in the edge network.

5.2. Solution for exercise n. 7

Interfaces Fe0 and Fe1 are L2 interfaces (switched interfaces) and belong to the same switching domain of switches SW-1 and SW-2. These interfaces are in trunk mode and should support all the VLANs present in the network. Additionally, some virtual VLAN interfaces must be configured in order to implement the default gateway functionalities on the switched network. Interface Fe2 is configured in L3 mode (routed interface) and connects the network to the Internet. The configuration can be the following [1]:

! L2 (switched) trunk interfaces carrying both VLANs
interface fe0
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
interface fe1
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
! Virtual VLAN interfaces (default gateway functionality)
interface vlan 1
 ip address 10.1.1.253 255.255.255.0
!
interface vlan 2
 ip address 10.1.2.253 255.255.255.0
!
! L3 (routed) interface toward the Internet
interface fe2
 no switchport
 ip address 20.2.2.2 255.255.255.252
!

[1] Please note that different Cisco devices may use a slightly different syntax. Therefore the commands used must be considered as an indication of a possible configuration and may not work on all the devices.

5.3. Solution for exercise n. 11

Since the network requires both redundancy and load balancing of the Internet access, the HSRP configuration requires two groups, one per VLAN, in which ML-1 is the active router for the first group and ML-2 is active for the second. A possible solution is shown in the figure below:

In order to optimize the exit paths toward the WAN, we can use the PVST (Per-VLAN Spanning Tree) protocol in order to concentrate on the same multilayer switch both the “HSRP active” and the root bridge functionalities. In this case, the exit traffic will reach the HSRP active router, and from there it will go directly to the Internet. This can be achieved by setting the Bridge Priority of ML-1 equal to 24576 and 28672 (respectively for VLANs 1 and 2), which corresponds to a better priority for VLAN 1, and inverting those values for ML-2 (which corresponds to a better priority for VLAN 2). In addition, HSRP groups must be configured accordingly (i.e., a better HSRP priority for ML-1 on network 10.1.1.0/24, and a better priority for ML-2 on network 10.1.2.0/24). This configuration leads to the two topologies (respectively for VLAN 1 and VLAN 2) shown in the figures below [2].

[2] Please note that in the most recent STP specifications the Bridge Priority is allowed only in multiples of 4096, and that only the most significant 4 bits are actually used and inserted in the BPDU, while the remaining 12 bits correspond to the VLAN-ID. In other words, a priority of 28672 for VLAN 1 will lead to the value 28673 in the BPDU generated for that VLAN, while the priority of 24576 for VLAN 2 will lead to the value 24578 in the BPDU generated for that VLAN.

It is worth noting that this configuration optimizes the exit paths toward the Internet, but it corresponds to a worsening of the internal paths (e.g., from H1 to H2). In fact, a packet from H1 to H2 will be generated in VLAN 1 and it will traverse the network (according to the topology allowed for VLAN 1) till it reaches its default gateway (i.e., ML-1, which is the HSRP active router for VLAN 1). From there, the packet will belong to VLAN 2 and then it will traverse the network according to the topology allowed for that VLAN, till it reaches the final destination H2. It is evident (as shown in the figure below) that internal paths require the traversal of both multilayer switches and therefore are not as optimized.
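
Added example (not part of the original homework): a Python check that, for each VLAN, the PVST root bridge and the HSRP active router end up on the same multilayer switch, as solution 5.3 requires, using the bridge-priority encoding described in footnote 2. The bridge priorities are the page's; the MAC addresses, interface IPs and HSRP priorities are constructed assumptions, and the HSRP result assumes both switches are up with preemption enabled.

```python
from copy import deepcopy
from ipaddress import IPv4Address

def bpdu_priority(configured: int, vlan_id: int) -> int:
    """Priority field sent in the BPDU: 4 configured bits plus the 12-bit VLAN-ID."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN-ID must be in 1..4094")
    return configured + vlan_id

def root_bridge(switches: dict, vlan: int) -> str:
    """Lowest (BPDU priority, MAC address) wins the root election for this VLAN."""
    def bridge_id(name):
        sw = switches[name]
        mac = bytes.fromhex(sw["mac"].replace(":", ""))
        return (bpdu_priority(sw["stp"][vlan], vlan), mac)
    return min(switches, key=bridge_id)

def hsrp_active(switches: dict, vlan: int) -> str:
    """Highest HSRP priority wins; on a tie the highest interface IP wins."""
    def rank(name):
        ip, prio = switches[name]["hsrp"][vlan]
        return (prio, IPv4Address(ip))
    return max(switches, key=rank)

def misaligned_vlans(switches: dict, vlans) -> list:
    """VLANs whose root bridge and HSRP active router are different devices."""
    return [v for v in vlans if root_bridge(switches, v) != hsrp_active(switches, v)]

# Constructed sample: bridge priorities are the page's; MACs, interface IPs and
# HSRP priorities (105 vs. the default 100) are assumptions for illustration.
SWITCHES = {
    "ML-1": {"mac": "02:00:00:00:00:01", "stp": {1: 24576, 2: 28672},
             "hsrp": {1: ("10.1.1.252", 105), 2: ("10.1.2.252", 100)}},
    "ML-2": {"mac": "02:00:00:00:00:02", "stp": {1: 28672, 2: 24576},
             "hsrp": {1: ("10.1.1.253", 100), 2: ("10.1.2.253", 105)}},
}

def without_hsrp_priority(switches: dict, name: str, vlan: int) -> dict:
    """Copy of the config where one HSRP priority is left at the default (100)."""
    broken = deepcopy(switches)
    ip, _ = broken[name]["hsrp"][vlan]
    broken[name]["hsrp"][vlan] = (ip, 100)
    return broken

if __name__ == "__main__":
    for v in (1, 2):
        print(v, root_bridge(SWITCHES, v), hsrp_active(SWITCHES, v))
    # Forgetting the HSRP priority on ML-1 lets ML-2 win VLAN 1 by higher IP.
    print(misaligned_vlans(without_hsrp_priority(SWITCHES, "ML-1", 1), (1, 2)))
```

If the HSRP priority for VLAN 1 is left at its default on ML-1, the tie is broken by the higher interface IP, so the HSRP active router moves to ML-2 while ML-1 stays root bridge, and exit traffic for that VLAN crosses both multilayer switches.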