Network Services Technical Marketing
entpme@cisco.com
As corporate intranets continue to evolve, network managers and architects face a multitude of options in building and modifying their networks. Starting from the premise that a network already contains a mix of Layer 2 switches and Layer 3 routers, this guide shows how the campus intranet can scale to meet the demands of the business.
Scaling the campus intranet with the CiscoFusion Architecture starts with a set of building blocks (the building block, the core block, and the server block) that present a logical design for the network irrespective of any product that may be implemented. The success of any campus intranet rests on the placement of network services, which, when applied correctly, sustains continued scalability.
The World Wide Web has arrived, and it is changing the way we do business. With highly interactive applications that deliver information faster, cheaper, and easier than ever before, the Web has empowered the consumer through the commercial Internet, and at the same time has driven a revolutionary approach to the reengineering of internal business processes. The success of the Web has elevated the importance of the campus network within the organization, and has driven the necessity for the switched intranet.
Web-based applications use two methods of transport to deliver high-resolution graphics and applications to the desktop: file transfer, and multimedia transport for live TV simulcasts. These transport techniques have driven the need for a faster, smarter network. To meet this demand, network architects must take a total system approach and provide an infrastructure that offers scalable bandwidth, end-to-end quality of service (QoS), and network resilience.
A total system approach to scaling the switched intranet requires a strong foundation. As in the construction industry, the foundation for the switched intranet consists of a structure that is anchored around cornerstones, including: network architecture, network services, application services, scalable bandwidth, and network management. Each of these cornerstones will impact the scope and complexity of the network.
Campus networks have traditionally been implemented as collapsed backbones, with core network level intelligence and services implemented at the center of the network. Over the past few years as switching has become the dominant technology implemented within the campus, the network has diverged from the collapsed backbone. The transition of the campus network has created much debate within the data communications industry as to the role of switches and routers in a network. The current generation of LAN switches are inherently Layer 2 devices and, although they are replacing shared media concentrators, they are not replacements for Layer 3 devices. The art of building the campus network will be based upon the balanced implementation of scalable switching and Layer 3 services, as highlighted in the Data Communications article "Next-Generation Routing." Stephen Saunders points out in the article that "Routing is still a big part of switched networks---and it will be for the foreseeable future."
Implementing a switched intranet will take a total system approach. As the leading provider of scalable intranets, Cisco Systems is the only provider of a total end-to-end solution. The foundation of any system or highway construction is based upon a blueprint; the creation of the blueprint requires that the architect understand the specific uses of the highway. On and off ramps must be placed in specific areas, traffic flows must be understood, and placement of services and the overall management of the network must be provided for. Without considering each of these sections, the blueprint will not be complete, and a total system will not be achieved. The first step in designing campus networks is to lay out a general blueprint of the design. The campus can be separated into domains, or blocks: the building block, the core block, and the server block.
When your enterprise network includes wide-area and dial services, you can also add in a WAN/dial block, which connects these services to the campus core or data center.
The basic building block appears as in Figure 1.

The basic building block consists of Layer 2 switches in the wiring closets to connect users. The wiring closets collapse into a distribution switch. At this distribution location, Layer 2 connectivity as well as Layer 3 functionality are found. These two operations can be run with a Layer 2 switch and external router, or with an integrated Layer 2/Layer 3 device, such as the Route Switch Module in the Catalyst® 5000 product line. The Layer 2 functionality is to provide a central connection point for all the switches in the wiring closets. The Layer 3 functionality provides network services and creates a protection point for the building block. For example, if the building block experiences a broadcast storm, the Layer 3 functionality will prevent the broadcast storm from propagating into the core and the rest of the network; each block is protected from the other blocks when failures occur.
The core block consists of high-speed Layer 2 switches, as shown in Figure 2:

The Layer 3 engines in the building blocks will connect to the core switches. The responsibility of the core block is to transfer data as quickly as possible without doing any processor-intensive operations. The core can consist of any high-speed technology, such as Fast Ethernet, Asynchronous Transfer Mode (ATM), and future Gigabit Ethernet switching.
The server block consists of the centralized servers in the network, which need to have equal access to almost everyone on the network. These servers can be e-mail servers, Web servers, multimedia servers, and so on.
They are typically located in the data center, where the core block can be located. The server block needs one level of Layer 2 switches, and Layer 3 functionality, which provides the protection from other failures on the network, as well as security, multicast routing functionality, accounting services, etc., as shown in Figure 3.

Network services provide a range of utilities that protect the network while providing the basis for the successful implementation of business objectives. Networks of the past have had most of these services implemented across a disparate collection of networking devices, but the successful implementation of a switched intranet requires that these services converge into one homogeneous system. The services that are driving change within the switched intranet fall into five distinct areas: file services, user mobility, application services, multimedia services, and security.
One of the rules when constructing LANs is to keep as much traffic on the local LAN as possible, and allow only a small percentage of the traffic to traverse the intranet. This rule of thumb is known as the 80/20 rule. With the migration of applications to the Web, this balance of traffic between the local LAN and the intranet has been changed forever, and the traditional LAN "rules of thumb" have been thrown out the window. Typically file servers are purchased and controlled by individual departments, and for the best performance they are connected directly to the departmental LAN.
However, the role of file servers is evolving from high-powered server platforms to the desktop, especially now that any Web client may become a Web server, empowering users to share greater amounts of information. The evolution, however, has caused an exponential increase in the bandwidth required within the network.
As more corporations implement laptop computers and allow the power of the desktop to become more portable, users are demanding the flexibility to move around the campus and be able to access their local applications as if they had remained within their office. A leading provider of computer services has found that moving users around its largest campus location requires a small army of employees. In this company, on average a person moves four times a year, and it takes ten people three days to facilitate each move. In business, this overhead cost is extensive, and needs to be reduced if the company is to remain competitive within the industry.
User mobility can be segmented into two distinct disciplines, moves and adds/changes. Moves within the network are relatively simple to accomplish as the network already knows about the users. Their Media Access Control (MAC) and IP addresses are already known to the network and thus, in a virtual LAN (VLAN) environment, the move is a simple matter of adding the users' new switch ports to their old VLANs, as shown in Figure 4. Adds and changes, however, are more complex.
When a new workstation or user is added to the network, the LAN administrator must set up specific items, starting with the LAN protocols that will be used to gain file server access. IPX, AppleTalk, and Banyan VINES all provide dynamic addressing, so apart from installing the drivers on the workstation, the LAN administrator does not have to identify the workstation to the network. IP, however, has not yet addressed this issue: an IP address has traditionally been assigned by hand and recorded against a particular workstation and user, so every add or change requires the administrator to allocate and track an address.
This scenario is changing, and by implementing the Dynamic Host Configuration Protocol (DHCP), the administration of IP addresses can be made more dynamic.
Each of the network protocols uses names (not specifically addresses) to identify file servers and print servers. When a user requests a logon to another file server, the protocol, or network operating system, tries to resolve the file server name to a network address. In Novell's NetWare or IPX protocol, each file server contains a table that maps file server name to network address. In IP, this mapping is handled by the Domain Name System (DNS). DNS has traditionally been a statically maintained registry of IP hosts and their associated names. Therefore, the implementation of DHCP alone will not completely solve the IP mobility issue. If a workstation has an entry in DNS and is moved frequently throughout the campus, getting a new address at each move, the DNS entry would have to be changed by hand to reflect the new address. Cisco has resolved this issue with the Cisco Distributed Director (CDD), which combines a DHCP server, a DNS server, and a dynamic update mechanism that updates the DNS server every time a workstation is allocated a new address.

Web-based applications are changing not only how we do business, but also how we are educated. Cisco Systems has been on the forefront of this evolution; with the implementation of Web applications users now have the ability to purchase and track the delivery of Cisco Systems equipment through the commercial Internet. Cisco has implemented these applications not only for its customers, but also internally for sales support, travel, and education. Most of these new applications, especially those that deliver live videoconferencing, are based upon high-bandwidth broadcast/multicast transport technology. As this traffic grows on the switched intranet, it will require implementation of new levels of end-to-end quality of service and network services.
In the past, multimedia applications have been implemented using the client/server model. For example, users who subscribed to a videoconference would log into a central server. The video server would validate each user and present all the conferences that the user was authorized to view; it would also act as the focal point for the distribution of the video streams to each user. As each user connected to the server, a new video stream was set up. This stream was a point-to-point conversation between the user and the server, which meant that for 20 users to view the same conference, 20 streams were sent over the network. This scenario raises two issues: the performance and reliability of the video server (not covered in this document), and network performance. Sending the same packet 20 times is not an efficient method of communicating, not to mention the strain that it places on the network. The good news is that this scenario is changing, and a method of sending one packet out and having the network replicate it has been put in place. This process, known as multicasting, is defined for the IP community in RFC 1112. Multicasting consists of a mechanism in which hosts identify which multicast sessions they wish to participate in. The notification, done through the Internet Group Management Protocol (IGMP), is used by multicast routers to flood or prune the multicast from the VLAN or local segment. An IP multicast frame carries both a destination group IP address and a multicast destination MAC address derived from it. As defined in RFC 1112, a multicast host group address is a Class D IP address in the range 224.0.0.0 to 239.255.255.255. The destination Ethernet MAC address is the multicast address 01-00-5E-xx-xx-xx, with the low-order 23 bits of the group IP address placed in the low-order 23 bits of the MAC address. Because only 23 of the 28 significant bits of the group address survive the mapping, 32 different groups share each MAC address, and a device that filters on the MAC address alone cannot tell them apart.
For example, if the multicast destination group address is 224.1.1.1, then the destination MAC is 01-00-5E-01-01-01 (as it is for 225.1.1.1 or 224.129.1.1). Since Layer 2 devices do not automatically register and filter multicast packets, each multicast packet or video stream is flooded out all ports on the switch. This presents a significant issue when implementing a Layer 2 switch strategy. In the multicast world, Cisco has combined its knowledge and investment in Layer 3 services with the speed of Layer 2 switching. The result is the Cisco Group Management Protocol, or CGMP, through which the router tells the switch which ports have IGMP members for a group so that the switch forwards that group's traffic only to those ports.

Cisco IOS software integrates disparate "service classes" by prioritizing, reserving, and managing network resources based on end-to-end QoS requirements. Cisco IOS features for managing QoS currently include Weighted Fair Queuing (WFQ), Random Early Detection (RED), RSVP, and priority-aware queuing. With these features, Cisco IOS software enables predictable performance and response time as well as a high level of session availability for mission-critical and multimedia environments.
In the centralized systems of old, access to applications was granted by job function and enforced through a user ID and a password. In today's world of peer-to-peer connectivity, this is no longer the case. As the use of DHCP proliferates and the administration of network addresses becomes negligible, a side effect is that identifying the end user from a network address becomes harder, and network security may be adversely affected. Questions arise, such as: Who owns the IP address 192.132.150.32? What department are they associated with? What resources are they allowed to access? If a user cannot be tied to a specific network address, then access lists and filters cannot be used to restrict that user's access into restricted areas of the network. While this scenario does not by itself compromise the applications or any traffic flowing through the network, it does create a problem of host and end-user authentication and accounting.
Cisco is answering these questions and solving these problems with a series of products that tie authentication, authorization, and accounting principles into the Cisco IOS software. Products such as CiscoSecure and the Enterprise Identity Server will allow network managers to implement dynamic addressing schemes such as DHCP in their networks while maintaining, and in fact extending, the security that these network managers demand and require.
Although each campus network is different, by providing this general blueprint for the network designer to begin with, the campus intranet can now be customized to meet the requirements of that particular network. The hardware components will remain similar. For example, a Layer 2 switch is always recommended in the wiring closet, and a high-speed Layer 2 switch in the core, with Layer 3 functionality separating the blocks. The specifics of each type of device will be determined based on the port count needed, the technology that has been decided upon, and so on. But it is the network services that CiscoFusion provides that customize each network design to optimize overall network performance. A typical campus network will consist of one or more building blocks, a core block, and a centralized server block, as shown in Figure 5.

The sizes of these blocks are flexible, yet there are some recommended ceilings. A building block can have up to 1200 nodes in it. This node count assumes that there is more than one broadcast domain within the block. (This number is based on geographic size and administration considerations.) In general, there are up to ten wiring closets in a building block, with an average of no more than 100 to 120 users per wiring closet. It is also recommended that no more than 15 building/server blocks be attached to the core. This recommendation arises from the concern for routing adjacencies within a single peer group. With 15 blocks, up to 30 routers are attached to the core, and they are all in the same subnet. As for the server block, most enterprise networks typically have one; however, if physical space, geographically dispersed data centers, or traffic loads dictate, then there may easily be more than one server block in the campus network. In this case, multiple server blocks are treated as building blocks, with the maximum number of blocks attached to the core kept at 15.
The following sections consider three network designs: barebone, scalable, and complex. Each network design keeps the fundamental building blocks, but utilizes different network services to satisfy network requirements. Each customer's network will be slightly different from these three examples, but the design can begin at one of these examples, and then be modified to meet the customer's specific goals.
Barebone design is geared toward customers who have very few network requirements. The customer who feels that cost is most important, and that network downtime will not adversely impact users' productivity, may look to start at the barebone design. Network characteristics of the barebone design include:
This barebone design, as illustrated in Figure 6, has no redundancy, security, or other network services built into it. The network is not scalable, and it is subject to outages if a cable, interface card, or network component should fail. As far as data paths are concerned, it is a viable design and full connectivity will occur. Anyone designing and building a network based upon this model should be fully aware of its caveats and be prepared for specific failure scenarios that will arise.

The scalable design presents the network architect with a solid, robust starting point to grow an enterprise network where mission-critical applications are expected to run. As network requirements differ from customer to customer, the scalable design can be modified to meet these needs. Some network characteristics of the scalable design include:
The scalable network looks like the diagram in Figure 7.

The network services that can be used in this design to meet the design requirements include redundancy, multimedia applications, VLAN applications, mobility, and security. At the building block level, redundancy can be achieved two ways. The first way, as shown in the diagram in Figure 8, consists of backup links connecting each wiring closet switch to the distribution switches.

The Spanning-Tree Protocol blocks the redundant links. Upon failure of the primary link, a blocked link is brought into forwarding; with default 802.1D timers this takes on the order of 30 to 50 seconds (max age plus the listening and learning stages), during which the wiring closet is cut off. Hot Standby Router Protocol (HSRP) on the routers provides a second level of redundancy for IP. If the active HSRP router or the link to it fails, the standby HSRP router takes over the shared virtual IP and MAC address. This matters because end stations that have a default gateway configured (either statically or via DHCP) do not need to be reconfigured in the event of a failure. HSRP is another example of a critical network service offered through the Cisco IOS software.
A second building block redundancy scheme is shown in Figure 9.

Note that, in this example, the emphasis on redundancy was placed at the distribution layer; the wiring closets have no built-in redundancy. In implementing this scheme, the network architect is making the conscious decision that, if a distribution switch fails, then it is acceptable for multiple wiring closets to lose connectivity as well. This solution still utilizes the Spanning-Tree Protocol, but not to the extent as the previous redundancy solution. HSRP can still be used at the routers in this design situation.
Redundancy in the core consists of having more than one core switch and designing the building block routers to connect to different core switches, as shown in Figure 10.

To enable multimedia applications to work effectively across the network, several functions must be implemented on the network devices: IGMP support on the end stations, the multimedia servers, and the routing devices; a multicast routing protocol; and, optimally, CGMP on the routers and Layer 2 switches. The building block is illustrated in Figure 11.

Cisco routers support all three multimedia requirements: IGMP, a multicast routing protocol, and CGMP. The Layer 2 switches support CGMP. Protocol Independent Multicast (PIM) sparse mode is used as the multicast routing protocol. Currently (Q2 '97) PIM sparse mode is an Internet draft. With PIM sparse mode, a rendezvous point (RP) is configured as a single meeting place in the network: a router that learns through IGMP that a host on one of its segments wants a group sends a PIM Join toward the RP, and a router with a directly connected source registers that source with the RP. Initial video streams therefore flow through the rendezvous point and are delivered only to the routers that have joined the group, instead of being flooded throughout the network. Running CGMP on the routers and switches enables the Layer 2 devices to direct multicast packets to specific ports, instead of flooding them out all interfaces, without impacting the performance of the switches.
If PIM sparse mode is implemented throughout the network, as shown in Figure 12, the routers in the server block encapsulate the initial multicast packets in unicast PIM Register messages to the rendezvous point instead of flooding the core switches with multicasts. In an ATM LAN Emulation (LANE) environment, this improves performance and scalability significantly. If the Distance Vector Multicast Routing Protocol (DVMRP) or PIM dense mode are used, then the core is subject to flooding of multicast packets. Given that the core block is defined as high-speed connectivity between building and server blocks, these multicast packets could begin to consume much-needed bandwidth.

As a network design requirement, VLANs are to be used for broadcast domain control; thus there are no cross-campus VLANs. The VLANs stay local to the distribution switch; they may span a couple of wiring closets, or stay within a single wiring closet, depending on the size of the broadcast domain. The diagram in Figure 13 shows VLANs in the building block.

In this instance, the VLANs span two switches, which may or may not be in the same wiring closet, but they both have their primary links going to the same distribution switch. If a user on VLAN A moves to another switch that supports only VLAN C or D, then that user becomes part of VLAN C or D and does not remain part of VLAN A.
Using VLANs for broadcast domain control allows more than one VLAN to reside on a single switch, hence more than one broadcast domain can be on a single switch. If, for example, the decision was to have 150 users per broadcast domain, and 220 users going to that wiring closet, then the switches must support two broadcast domains, or VLANs.
The core of the network, however, needs to support only one VLAN, as shown in the Figure 14.

Because the core is isolated from each block by the routing functionality, there is no reason for more than one VLAN on the core. Using this method means that native routing can be employed. If ATM LANE is used, however, inter-VLAN routing must be used instead of native routing because of the characteristics of ATM LANE technology (LAN Emulation Configuration Server [LECS], LAN Emulation Server [LES], Broadcast and Unknown Server [BUS]).
The server block needs to reside in only a single VLAN, unless there are too many devices for a single broadcast domain, in which case multiple VLANs are needed. By using VLANs for broadcast domain control instead of cross-campus VLANs, traffic management becomes easier and traffic patterns are more easily defined.
To enable dynamic IP addressing, three things must happen on the network. First, there must be a DHCP server on the network that allocates IP addresses to clients requesting one. Second, the end stations must run DHCP client software, so that the end station knows to ask for an address. Third, because the client's request is a local broadcast that a router will not forward, the router on the client's segment must act as a DHCP relay agent (the ip helper-address command in Cisco IOS) and pass the request to the server as a unicast. The network with dynamic addressing configured is shown in Figure 15.
The router forwards the DHCP request to the DNS/DHCP server as a unicast, stamped with the address of the interface on which the request arrived so that the server can allocate from the pool for that subnet. Each time users log on to the network, they may get a new IP address (depending on the lease time set in the DHCP server). If users move to another location in the building, they become part of the new VLAN and obtain a new IP address from that VLAN's pool.
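The relay step described above, worked through on real DHCP header bytes. This is an added example, not code from the original Cisco paper: it builds the RFC 2131 fixed header, applies the relay-agent rule of RFC 1542 (stamp giaddr with the inbound interface address, bump hops, unicast to the helper), and shows how the server uses giaddr, not the source address, to pick a pool. The subnets, helper address, and pools are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

BOOTREQUEST, BOOTREPLY = 1, 2
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header: 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS_OFF, GIADDR_OFF = 3, 24              # byte offsets of the hops and giaddr fields
BROADCAST_FLAG = 0x8000                   # client has no address yet: reply by broadcast


def build_bootp(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Minimal DHCP message: fixed header plus magic cookie, no options (the relay
    and pool-selection logic below never look past the header)."""
    hdr = struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4,
                      IPv4Address(giaddr).packed, chaddr, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE


def parse_bootp(pkt):
    f = struct.unpack(HDR_FMT, pkt[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(IPv4Address(f[8])), "giaddr": str(IPv4Address(f[10])),
            "chaddr": f[11][:6]}


def relay_to_server(pkt, relay_if_ip, helper_ip):
    """What the router does with a DHCPDISCOVER broadcast heard on a client VLAN
    (RFC 1542 section 4.1): the first relay writes the address of the interface the
    request arrived on into giaddr, every relay counts a hop, and the packet leaves
    as a unicast to the configured helper address. Returns (destination, packet)."""
    p = bytearray(pkt)
    if p[GIADDR_OFF:GIADDR_OFF + 4] == b"\0" * 4:
        p[GIADDR_OFF:GIADDR_OFF + 4] = IPv4Address(relay_if_ip).packed
    p[HOPS_OFF] += 1
    return helper_ip, bytes(p)


def select_pool(pkt, pools, server_subnet):
    """Server side: giaddr identifies the client's subnet; 0.0.0.0 means the client is
    on the server's own segment. No matching scope means the request is dropped."""
    giaddr = IPv4Address(parse_bootp(pkt)["giaddr"])
    if giaddr == IPv4Address("0.0.0.0"):
        return server_subnet
    return next((net for net in pools if giaddr in net), None)


def make_offer(pkt, pools, server_subnet):
    """Take the next free address from the matching pool and build the DHCPOFFER.
    The reply goes back to the relay (giaddr) as a unicast, or is broadcast on the
    local segment when there was no relay. Returns (reply_destination, packet)."""
    net = select_pool(pkt, pools, server_subnet)
    if net is None:
        return None, None
    req = parse_bootp(pkt)
    yiaddr = pools[net].pop(0)                     # constructed free list, not a real lease store
    offer = build_bootp(BOOTREPLY, req["xid"], req["chaddr"],
                        yiaddr=str(yiaddr), giaddr=req["giaddr"])
    reply_to = req["giaddr"] if req["giaddr"] != "0.0.0.0" else "255.255.255.255"
    return reply_to, offer


def demo():
    """Constructed scenario: DHCP/DNS server at 10.0.0.5 in the server block
    (10.0.0.0/24); a client on VLAN 10 (10.1.10.0/24) behind router interface
    10.1.10.1, which has 10.0.0.5 as its helper address; VLAN 20 has a relay but
    nobody defined a scope for it on the server."""
    server_subnet = IPv4Network("10.0.0.0/24")
    pools = {server_subnet: list(server_subnet.hosts())[100:110],
             IPv4Network("10.1.10.0/24"): list(IPv4Network("10.1.10.0/24").hosts())[50:60]}
    mac = b"\x00\x0c\x29\xaa\xbb\xcc"
    discover = build_bootp(BOOTREQUEST, 0x3903F326, mac)
    dst, forwarded = relay_to_server(discover, "10.1.10.1", "10.0.0.5")
    reply_to, offer = make_offer(forwarded, pools, server_subnet)
    _, orphan = relay_to_server(build_bootp(BOOTREQUEST, 0x1111, mac), "10.1.20.1", "10.0.0.5")
    local_reply_to, local_offer = make_offer(build_bootp(BOOTREQUEST, 0x2222, mac), pools, server_subnet)
    return {"unicast_dst": dst, "relayed": parse_bootp(forwarded), "reply_to": reply_to,
            "offer": parse_bootp(offer), "no_scope": make_offer(orphan, pools, server_subnet),
            "local_reply_to": local_reply_to, "local_offer": parse_bootp(local_offer)}
```

The "no scope" case is the one that bites in practice: the helper address is configured, the request reaches the server, and nothing comes back because no pool covers the giaddr subnet.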

To make a network secure, two questions need to be asked: who is allowed on to the network, and what is that individual allowed to access? The first question can be answered by providing network logon. As soon as the end station obtains an IP address, users are asked to log on to the network with a user name and password. If this logon succeeds, then they have gained access to the network, but not necessarily the servers. After they are on the network, they can try to gain access to servers.
Setting up security on the network infrastructure takes some of the responsibility and traffic load off the servers. A couple of ways to accomplish security on the network are shown in Figure 16.

By implementing access lists on the routers, the network itself becomes another gate that unauthorized users must pass before connecting to servers with sensitive data. Access lists do not remove the authentication and authorization process on the network servers, but augment the security of those servers. If, for example, certain Web servers are not completely open, then the authentication/authorization responsibility must remain at the server. Another method of enhancing network security is route authentication. If hackers are able to get on to the network and set their station up as a router, they can inject false routes into the network and divert data sent through the network to themselves. With route authentication, each routing update carries a keyed hash computed with a secret shared by the legitimate routers, so a router accepts updates only from peers that hold the key and a rogue station cannot inject or alter routes. Note what this does not do: the updates themselves still travel in the clear, so a station on the segment can read them and learn the topology, and a captured update can be replayed unless the scheme also carries a sequence number, as the MD5 authentication for RIPv2 and OSPF in Cisco IOS does.
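A worked model of the route authentication just described: the check a receiving router performs, the two attacks it stops (injection without the key, replay of a captured update) and the one it does not (reading the advertised prefixes). This is an added example and not code from the original Cisco paper. The update encoding is a constructed one, the router names and shared secret are assumed, and HMAC-SHA256 stands in for the keyed MD5 that RIPv2 and OSPFv2 used at the time; the sequence-number rule follows the same principle as theirs.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Network


def encode_routes(routes):
    """Body of a routing update: (prefix, metric) entries as network, length, metric."""
    out = b""
    for prefix, metric in routes:
        net = IPv4Network(prefix)
        out += net.network_address.packed + struct.pack("!BB", net.prefixlen, metric)
    return out


def decode_routes(payload):
    """Readable by anyone on the wire: authentication is not encryption."""
    return [(str(IPv4Network((payload[i:i + 4], payload[i + 4]))), payload[i + 5])
            for i in range(0, len(payload), 6)]


class AuthenticatedRouter:
    """A router that signs the updates it sends and validates the ones it receives."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = keys            # key id -> shared secret (per-interface in IOS)
        self.seq = 0
        self.last_seq = {}          # sender name -> highest accepted sequence number

    @staticmethod
    def digest(secret, sender, key_id, seq, payload):
        # The sender name, key id and sequence number are covered by the hash so that
        # none of them can be altered without the key.
        msg = sender.encode() + struct.pack("!BI", key_id, seq) + payload
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def send(self, key_id, routes):
        self.seq += 1
        payload = encode_routes(routes)
        tag = self.digest(self.keys[key_id], self.name, key_id, self.seq, payload)
        return (self.name, key_id, self.seq, payload, tag)

    def receive(self, update):
        sender, key_id, seq, payload, tag = update
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown key id"
        # Verify the digest before touching the replay state, so an unauthenticated
        # packet with a huge sequence number cannot lock out the real neighbour.
        if not hmac.compare_digest(tag, self.digest(secret, sender, key_id, seq, payload)):
            return False, "bad digest"
        if seq <= self.last_seq.get(sender, 0):
            return False, "replayed"
        self.last_seq[sender] = seq
        return True, decode_routes(payload)


def demo():
    """Constructed scenario: R1 (building block) and R2 (core) share key id 1. A rogue
    station on R2's segment spoofs R1, first with a guessed key and then by replaying
    a captured genuine update."""
    secret = b"example-shared-secret"              # assumed key for the example
    r1 = AuthenticatedRouter("R1", {1: secret})
    r2 = AuthenticatedRouter("R2", {1: secret})
    genuine = r1.send(1, [("10.1.10.0/24", 2)])
    ok_genuine, routes = r2.receive(genuine)

    rogue = AuthenticatedRouter("R1", {1: b"guess"})          # has R1's name, not its key
    ok_rogue, why_rogue = r2.receive(rogue.send(1, [("10.0.0.0/24", 1)]))

    ok_replay, why_replay = r2.receive(genuine)               # captured copy played back
    leaked = decode_routes(genuine[3])                        # still readable without a key
    return ok_genuine, routes, why_rogue, why_replay, leaked
```

The rogue's attractive route to the server block (10.0.0.0/24 with a better metric) is refused for lack of the key, and the replay is refused because the sequence number has already been seen; the prefixes R1 advertises are nevertheless visible to anyone on the wire, which is the topology-disclosure caveat noted above.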
With the network services described in the previous section, along with the additional hardware required, a much more robust and flexible network has now been designed over the barebone network. Now consider the complex design, which starts with the features built into the scalable design and enhances them even further.
The complex design is in most ways an expansion of the scalable design. There are some added features in the building blocks, such as extended redundancy, added encryption for security, and more complex VLAN implementation.
The characteristics of a complex design include:
A few more network services are enabled in the more complex network design than in the scalable network design. To add more redundancy into the building blocks, it is added at the workstation, as shown in Figure 17.

With NIC redundancy added (each workstation dual-homed with two network interface cards), if a wiring closet switch fails, the workstation can still connect to the network via the NIC that is connected to another wiring closet. The same holds true for servers, as shown in Figure 18.

This method adds fault tolerance to the workstations and servers. Combined with the redundancy already built into the network infrastructure, the building block can suffer several failures without losing connection to the rest of the network, and a greater level of resiliency is attained.
Next consider security. For networks with strict confidentiality requirements, encryption can be applied throughout.
Figure 19 shows the two areas in the network that can implement encryption.

Encryption can be implemented on a Layer 3 device to protect data while it crosses the network between blocks. The data is encrypted at the first Layer 3 device that it passes through and decrypted at the last Layer 3 device before the destination; it therefore travels in the clear on the access segments inside each block, and the routers hold the keys and see the plaintext. The other encryption opportunity is at the workstation. Implementing encryption at the workstations provides true end-to-end confidentiality for extremely sensitive and classified information: only the sending and receiving end stations can decrypt the data, and no device in the network can inspect or filter on the payload. Note that encryption by itself provides confidentiality, not integrity; if tampering must be detected, the traffic also needs a keyed hash or signature. End-station encryption can be used for extremely sensitive data; for less-critical information, encryption at the Layer 3 device is sufficient.
The final service that can be made more complex in the building block is the area of VLANs. To provide added flexibility and mobility into the network, VLANs can be expanded throughout a building block, instead of limited to a distribution switch. This implementation will not break the network, and traffic patterns can still be understood and tracked. Figure 20 shows VLANs with more flexibility than the scalable design.

VLANs A to D can now spread across all of building block 1, and VLANs J to M can span building block N. The core can remain as one VLAN, as can the centralized server block.
There are generally two types of cores, frame based and cell based. This section discusses three examples; a frame-based LAN core, cell-based LAN core, and a cell-based Metropolitan Area Network (MAN) core.
The frame-based core consists of high-speed switches that support frame technology such as Fast Ethernet, and, in the future, Gigabit Ethernet, as shown in Figure 21.

The switches are connected in a mesh, to provide multiple paths in case of failure. In addition, the Layer 3 devices in the building blocks are dual connected to two different switches. In case of a switch failure in the core, there are still multiple paths for the building block to communicate throughout the network. All the Layer 3 services occur at the building block, not inside the core.
The cell-based core uses high-speed ATM switches instead of frame switches. Several technologies can be used over ATM, such as LANE, Classical IP over ATM (RFC 1577) in IP-only networks, RFC 1483 multiprotocol encapsulation, and, in the near future, Multiprotocol Over ATM (MPOA). A cell-based core using LANE is shown in Figure 22.

The redundancy links are still utilized in the cell-based core. LANE also has the added redundancy of Simple Server Redundancy Protocol (SSRP) for the LANE services in the network, as shown in Figure 23.

The decision to use a frame-based core or a cell-based core must be determined for each network design. The best technology to use is the technology that best meets the requirements and priorities of the network.
In both cases, the LAN cores are designed to provide high-speed transport between building blocks. As more services are integrated into the LAN (such as video, which is occurring today, and voice in the future), the core of the network needs to reliably pass this traffic through at high speeds and low delay.
A third core, the private MAN, is used to connect several LAN networks to each other. The MAN core is typically cell based, as shown in Figure 24.

Each set of ATM switches connecting to a mux represents a separate campus LAN network. The MAN core does not use a full mesh, but a partial mesh between the muxes. Although most MAN cores use cell-based technology, it is usually not LANE, which is used in the campus. Today, the MAN typically uses Synchronous Optical Network (SONET) to connect sites together.
The complex design is obviously an extension of the scalable design that has added redundancy, security, and VLAN functionality. The introduction of full mesh connections into the core definitely adds more complexity into the design of the network.
While network architects could solve problems one at a time, the requirements of user mobility and multimedia applications will require a total system approach. Adoption of the CiscoFusion architecture provides network architects with the basic building block, the core of the network, and Layer 3 services that will deliver a scalable campus network. Through the three unique network designs presented in this paper, a network architect has a starting point on which to base the design of the network and a method to introduce services that meet current and future networking requirements. Cisco is the only vendor that can supply the technology, services, and management applications that will provide a complete, end-to-end solution.
Posted: Fri Mar 5 23:48:42 PST 1999
All contents copyright © 1992--1999 Cisco Systems, Inc. Important Notices and Privacy Statement.