COE4510
HIERARCHICAL NETWORK DESIGN
The best place to start when designing a network is at the bottom: the physical layer.
For the most part, physical layer design is about bits and bytes: how to size a link properly, what type of media to use, and what signaling method to use to get the data onto and off of the wire.
• You must have stable physical links to get traffic to pass over the network
• A well-designed topology (the layout of the network) is the basis for all stable networks
"Why do networks melt?"
• The routing protocol never converges
• Since all routing protocols produce routing loops while they converge, and no routing protocol can provide correct forwarding information while it's in a state of transition, it's important to converge as quickly as possible after any change in the network
• In a converged network all routers "agree" on what the network topology looks like
The Right Topology
• It's always easier to tackle a problem if it is broken into smaller pieces, and large-scale networks are no exception
• You can break a large network into smaller pieces that can be dealt with separately
• Most successful large networks are designed hierarchically, or in layers
• Layering creates separate problem domains, which focuses the design of each layer on a single goal or set of goals
• The amount of time it takes for a routing protocol to converge depends on two factors:
The number of routers participating in convergence
and
The amount of information they must process
• Summarization is the key to reducing the number of routers participating in convergence and the amount of data routers have to deal with when converging
Hierarchical Network Design
• There are generally three layers defined within a hierarchical network
• The network core forwards traffic at very high speeds; the primary job of a device in the core of the network is to switch packets
• The distribution layer summarizes routes and aggregates traffic
• The access layer feeds traffic into the network, performs network entry control, and provides other edge services
The following are two restated fundamental design principles:
• The area affected by a topology change in the network should be bounded so that it is as small as possible
• Routers (and other network devices) should carry the minimum amount of information possible
• You can achieve both of these goals through summarization, and summarization is done at the distribution layer
• So, you generally want to bound the convergence area at the distribution layer
• For example, a failing access layer link shouldn't affect the routing table in the core, and a failing link in the core should produce minimal impact on the routing tables of access layer routers
The Network Core
• The core of the network has one goal: switching packets
• No network policy implementation should take place in the core of the network
• Every device in the core should have full reachability to every destination in the network
No Policy Implementation
• Any form of policy implementation should be done outside the core; packet filtering and policy routing are two perfect examples
• Even if the core devices can filter and policy-route packets at high rates of speed, the core is not the right place for these functions
• The goal of the network core is to switch packets, and anything that takes processing power from core devices or increases packet switching latencies is seriously discouraged
• Beyond this, the complexity added to core router configurations should be avoided
• It is one thing to make a mistake with some policy at the edge of the network and cause one group of users to lose connectivity, but a mistake while implementing a change in policy at the core can cause the entire network to fail
• Place network policy implementations on edge devices in the access layer or, in certain circumstances, on the border between the access layer and the distribution layer
• Only in exceptional circumstances should you place these controls in the core or between the distribution layer and the core
Policy-Based Routing
• Normally, routers forward traffic based only on the final destination address, but there are times when you want the router to make a forwarding decision based on the source address, the type of traffic, or some other criteria
• These types of forwarding decisions, based on some criteria or policy the system administrator has configured, are called policy-based routing
• A router can be configured to make a forwarding decision based on several things, including
• Source address
• Source/destination address pair
• Destination address
• IP packet type (TCP, UDP, ICMP, and so on)
• Service type (Telnet, FTP, SMTP)
• Precedence bits in the IP header
Typically, configuring policy-based routing consists of the following three steps:
1. Build a filter to separate the traffic that needs a specific policy applied from the normal traffic
2. Build a policy
3. Implement the policy
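The three steps above, worked through as an added example (not code from the lecture): a filter is a set of match criteria, a policy attaches a next hop to each filter, and "implementing" the policy means consulting those rules before the ordinary destination-based lookup. The routing table, the rules and the sample packet are all constructed for illustration.

```python
import ipaddress

# Constructed destination-based routing table (not from the slides);
# the longest matching prefix wins, as in a normal forwarding lookup.
ROUTING_TABLE = {
    "10.0.0.0/8": "10.255.0.1",   # internal summary via the core
    "0.0.0.0/0": "192.0.2.1",     # default route toward ISP link 1
}

# Steps 1 and 2: a filter (match criteria) paired with a policy (next hop).
# Every criterion given in "match" must hold for the rule to apply.
POLICY = [
    {"match": {"src": "10.1.4.0/24"}, "next_hop": "198.51.100.1"},            # source address
    {"match": {"proto": "udp", "dst_port": 5060}, "next_hop": "203.0.113.1"},  # service type
    {"match": {"precedence": 5}, "next_hop": "203.0.113.1"},                   # IP precedence bits
]


def _matches(criteria, pkt):
    for key, want in criteria.items():
        if key in ("src", "dst"):  # address criteria are prefixes
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:  # proto, dst_port, precedence are exact
            return False
    return True


def destination_lookup(dst):
    """Ordinary longest-prefix match on the destination address."""
    addr = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(p) for p in ROUTING_TABLE]
    best = max((n for n in candidates if addr in n), key=lambda n: n.prefixlen)
    return ROUTING_TABLE[str(best)]


def forward(pkt):
    """Step 3: apply the policy first; traffic no rule matches falls back to
    the normal destination-based decision. Returns (next_hop, how)."""
    for rule in POLICY:
        if _matches(rule["match"], pkt):
            return rule["next_hop"], "policy"
    return destination_lookup(pkt["dst"]), "destination"


if __name__ == "__main__":
    # Constructed sample packet: SIP signalling from an ordinary host.
    print(forward({"src": "10.2.0.9", "dst": "10.9.9.9", "proto": "udp",
                   "dst_port": 5060, "precedence": 0}))
```

Because every rule is evaluated per packet, this is the kind of work the slides keep off core devices and place at the edge.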
Full Reachability
• Devices in the core should have enough routing information to intelligently switch a packet destined to any end device in the network
• Core routers should not use default routes to reach internal destinations
• However, this doesn't mean a router in this layer should have a path to each individual subnet in every corner of the network
• Summary routes can, and should, be used to reduce the size of the core routing table. Default routes should be used for reaching external destinations, such as hosts on the Internet
The reason for the no-default-routes strategy is threefold:
• Facilitating core redundancy
• Reducing suboptimal routing
• Preventing routing loops
Traffic volume is at its greatest in the core; every switching decision counts. Suboptimal routing can be destabilizing in this type of environment
Types of Cores
• When networks are small, they tend to use collapsed cores, which means that a single router acts as the network core, connecting with all other routers in the distribution layer
• Collapsed cores are easy to manage (it's just one router, after all), but they don't scale well (it is just one router): every packet that is carried through the network will cross the backplane of the central router, and this will eventually overwhelm even the largest and fastest routers
• Collapsed cores also result in a single point of failure almost too good for Murphy's Law to resist: if only one router in the entire network goes down, it will be this single core router
• Because a single-router collapsed core cannot handle the needs of a large network, most large networks use a group of routers interconnected with a high speed local area network (LAN) or a mesh of high speed WAN links to form a core network
• Using a network as a core rather than a single router allows redundancy to be incorporated into the core design and allows the core's capabilities to be scaled by adding additional routers and links
The Distribution Layer
• The distribution layer has the following three primary goals:
• Topology change isolation
• Controlling the routing table size
• Traffic aggregation
Use the following two main strategies in the distribution layer to accomplish these goals:
Route summarization
Minimizing core to distribution layer connections
• The distribution layer aggregates traffic. This is accomplished by funneling traffic from a large number of low speed links (connections to the access layer devices) onto a few high bandwidth links into the core
• This strategy produces effective summarization points in the network and reduces the number of paths a core device must consider when making a switching decision
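An added example (not from the lecture) of the route summarization strategy, and of the earlier design principle that a failing access layer link should not touch the core routing table: a distribution router fronting eight constructed access subnets advertises one summary into the core, and the core's table is compared before and after one access link fails, with and without summarization.

```python
import ipaddress

# Constructed example: eight access-layer subnets hanging off one
# distribution router (not from the original slides).
ACCESS_SUBNETS = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
    "10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24",
]


def summarize(prefixes):
    """Smallest single prefix covering every subnet: the summary route the
    distribution layer advertises into the core."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    # Widen the candidate one bit at a time until it contains every subnet.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def core_routes(access_subnets, summarize_routes):
    """Prefixes the core learns from this distribution router."""
    if summarize_routes:
        return {str(summarize(access_subnets))}
    return {str(ipaddress.ip_network(p)) for p in access_subnets}


def core_changed_after_failure(access_subnets, failed_subnet, summarize_routes):
    """True if the core routing table changes when one access link fails,
    i.e. the failure was NOT contained at the distribution layer."""
    before = core_routes(access_subnets, summarize_routes)
    remaining = [p for p in access_subnets if p != failed_subnet]
    after = core_routes(remaining, summarize_routes)
    return before != after


if __name__ == "__main__":
    print("summary advertised into the core:", summarize(ACCESS_SUBNETS))
    for mode in (False, True):
        changed = core_changed_after_failure(ACCESS_SUBNETS, "10.1.3.0/24", mode)
        print(f"summarization={mode}: core table changed after link failure? {changed}")
```

The trade-off is visible in the result: with the summary in place the core keeps forwarding traffic for the failed subnet toward the distribution router, which discards it, in exchange for the core never having to reconverge on an access layer event.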
Access Layer
Access layer devices are the visible part of the network; this is what the customers associate with "the network."
The access layer has three goals:
• Feed traffic into the network
• Control access
• Perform other edge functions
Feeding Traffic into the Network
• It's important to make certain the traffic presented to the access layer router doesn't overflow the link to the distribution layer
• While this is primarily an issue of link sizing, it can also be related to server/service placement and packet filtering
• Traffic that isn't destined for some host outside of the local network shouldn't be forwarded by the access layer device
Controlling Access
• Since the access layer is where the customers actually plug into the network, it is also the perfect place for intruders to try to break into the network
• Packet filtering should be applied so traffic that should not be passed upstream is blocked, including packets that do not originate on the locally attached network
• This prevents various types of attacks that rely on falsified (or spoofed) source addresses from originating on one of these vulnerable segments
• The access layer is also the place to configure packet filtering to protect the devices attached to the local segment from attacks sourced from outside (or even within) your network
Access Layer Security
• While most security is built on interconnections between your network and the outside world, particularly the Internet, packet level filters on access layer devices regulating which traffic is allowed to enter your network can enhance security tremendously
• You need to apply filters on the access layer router to provide basic security
The basic filters that should be applied are:
• No spoofing: only packets sourced from a particular address range, say 10.1.4.0/24, should be permitted to pass through the router
• No broadcast sources: the broadcast address 255.255.255.255 is not an acceptable source address
• No directed broadcast: a directed broadcast is a packet that is destined to the broadcast address of a segment
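The three basic access layer filters above, as an added example (not code from the lecture) in the form of an ingress check for the 10.1.4.0/24 segment named on the slide. The list of other known segments and the sample packets are constructed assumptions used to show what each rule catches.

```python
import ipaddress

# The locally attached segment from the slide; packets entering this
# interface must carry a source address from it.
LOCAL_SEGMENT = ipaddress.ip_network("10.1.4.0/24")

# Constructed: the other segments this router knows about. A packet aimed
# at any of their broadcast addresses is a directed broadcast.
KNOWN_SEGMENTS = [ipaddress.ip_network(p)
                  for p in ("10.1.4.0/24", "10.1.5.0/24", "10.2.0.0/16")]

BROADCAST_SOURCE = ipaddress.ip_address("255.255.255.255")


def ingress_filter(src, dst):
    """Decide whether a packet arriving from the local segment may be
    forwarded upstream. Returns (permit, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == BROADCAST_SOURCE:
        return False, "broadcast source address"
    if s not in LOCAL_SEGMENT:
        return False, "spoofed source (not in 10.1.4.0/24)"
    if any(d == seg.broadcast_address for seg in KNOWN_SEGMENTS):
        return False, "directed broadcast"
    return True, "permit"


def audit(packets):
    """Apply the filter to a batch of (src, dst) pairs and return the
    denied ones with their reasons, as a log review would list them."""
    return [(src, dst, reason) for src, dst in packets
            for permit, reason in [ingress_filter(src, dst)] if not permit]


# Constructed sample traffic seen on the access router's inside interface.
SAMPLE_PACKETS = [
    ("10.1.4.10", "192.0.2.5"),          # legitimate user traffic
    ("192.0.2.9", "10.1.5.3"),           # source not on the local segment
    ("255.255.255.255", "10.1.5.3"),     # broadcast used as a source
    ("10.1.4.10", "10.2.255.255"),       # directed broadcast at 10.2.0.0/16
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("DENY", *entry)
```

The spoofing check is the important one operationally: it is evaluated on the interface facing the customers, so a host on the segment cannot emit packets claiming another segment's address in the first place.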
Other Edge Services Provided by the Access Layer
• Tagging packets for Quality of Service (QoS) based forwarding: if you are using voice-over-IP or video conferencing, you will probably want to tag the real time traffic with a high IP precedence flag so that it is forwarded through the network with less delay
• Terminating tunnels: tunnels are typically used for carrying multicast traffic, protocols that aren't switched on the core, and secure traffic
• Traffic metering and accounting: these services include NetFlow services in Cisco routers
• Policy-based routing
Summary
• Hierarchical routing is the most efficient basis for large scale network designs because it breaks one large problem into several smaller problems that can be solved separately
• Reduces the size of the area through which topology change information must be propagated
• Reduces the amount of information routers must store and process
• Provides natural points of route summarization and traffic aggregation