All-in-One Enterprise Network Core Technologies (ENCOR) V1.0 Exam
CCIE and CCNP Core Exam 350-401 V1.0 Cert Guide
1st Edition
Copyright © 2020 CCIEin8Weeks.com All rights reserved.
ISBN: 9798602947885



Our Cisco Next-Level Certifications Catalog


Our Cisco DevNet Certifications Catalog


Contents at a Glance
Chapter 1 Architecture
Chapter 2 Virtualization
Chapter 3 Infrastructure
Chapter 4 Network Assurance
Chapter 5 Security
Chapter 6 Automation


Table of Contents

About the Author ..... 13
Preface ..... 15
Introduction to Cisco Enterprise Core (ENCOR) Exam ..... 16
Key Differences Between CCIE Routing and Switching Written and ENCOR Exams ..... 18
CCIE Enterprise Infrastructure Exam Topics – Lab Exam ..... 18
CCNP Enterprise Certification ..... 19
What this Study Guide contains ..... 19
How to use this Study Guide ..... 20
What's available on the CCIEin8Weeks website ..... 21

CHAPTER 1 ARCHITECTURE ..... 23
Explain the Different Design Principles Used in an Enterprise Network ..... 25
  Enterprise network design such as Tier 2, Tier 3, and Fabric Capacity planning ..... 26
  Tier-3 Network Design ..... 26
  Tier-2 Network Design ..... 28
  High availability techniques such as redundancy, FHRP, and SSO ..... 29
  First-Hop Routing Protocols (FHRPs) ..... 30
  FHRP Best Practices ..... 32
  Stateful Switchover (SSO) ..... 32
Analyze Design Principles of a WLAN Deployment ..... 33
  Wireless deployment models (centralized, distributed, controller-less, controller based, cloud, remote branch) ..... 34
  Centralized (Local-Mode) Model ..... 34
  Distributed Model ..... 35
  Controller-less Model ..... 36
  Controller-based Model ..... 36
  Cloud-based Model ..... 37
  Remote Branch Model ..... 38
  SD-Access Wireless Model ..... 39
  Location services in a WLAN design ..... 40
  Further Reading ..... 40
Differentiate Between on-premises and Cloud Infrastructure Deployments ..... 40
  Cloud Deployment Models ..... 41
  Cloud Service Models ..... 42
  Public Cloud ..... 44
  Private Cloud ..... 45
  Virtual Private Cloud (VPC) ..... 45
  Hybrid Cloud ..... 46
  Multi-cloud ..... 47
  Infrastructure as a service (IaaS) ..... 48
  Platform as a service (PaaS) ..... 49
  Software as a Service (SaaS) ..... 50
  Consolidation ..... 51
  Virtualization ..... 51
  Automation ..... 52
  Performance, Scalability, and High Availability ..... 52
  Performance ..... 52
  Scalability and High Availability ..... 54
  Security Implications, Compliance, and Policy ..... 55


  Workload Migration ..... 56
Explain the Working Principles of the Cisco SD-WAN Solution ..... 58
  SD-WAN Control and Data Planes Elements ..... 58
  vBond Orchestrator ..... 59
  vManage ..... 59
  vSmart Controller ..... 59
  vEdge Devices ..... 60
  Further Reading ..... 61
Explain the Working Principles of the Cisco SD-Access Solution ..... 61
  SD-Access Control and Data Planes Elements ..... 62
  SD-Access Control Plane ..... 62
  SD-Access Data Plane ..... 62
  Cisco SD-WAN Solution (formerly Viptela) ..... 64
  Software-Defined Access (or SD-Access) ..... 68
  Traditional Campus Interoperating with SD-Access ..... 70
  Further Reading ..... 70
Describe Concepts of Wired and Wireless QoS ..... 70
  QoS Components ..... 71
  QoS Policy ..... 71
Differentiate Hardware and Software Switching Mechanisms ..... 72
  Process and CEF Switching ..... 73
  Software-based CEF ..... 73
  Hardware-based CEF ..... 74
  MAC Address Table and TCAM ..... 74
  FIB vs. RIB ..... 75
Chapter Summary ..... 77

CHAPTER 2 VIRTUALIZATION ..... 78
Describe Device Virtualization Technologies ..... 80
  Hypervisor Type 1 and Type 2 ..... 81
  Virtual Machine ..... 82
  Kubernetes ..... 85
  Virtual Switching ..... 88
  Virtual Machine Device Queues (VMDq) ..... 90
  Single Root IO Virtualization (SR-IOV) ..... 91
Configure and Verify Data Path Virtualization Technologies ..... 91
  VRF ..... 92
  Configuring Multi-VRF CE ..... 94
  PE Configuration ..... 96
  Verifying VRF Configuration ..... 97
  Further Reading ..... 98
  GRE and IPsec Tunneling ..... 98
  Configuring GRE and IPSec Tunneling ..... 100
  Verifying GRE/IPSec Configuration ..... 101
Describe Network Virtualization Concepts ..... 102
  LISP ..... 102
  Further Reading ..... 103
  VXLAN ..... 103
  VXLAN Tunnel Endpoint (VTEP) ..... 104
  Further Reading ..... 105
Chapter Summary ..... 106

CHAPTER 3 INFRASTRUCTURE ..... 107
Layer 2 ..... 109
  Native VLAN Mismatch and VLAN Leaking ..... 109
  Trunk Mode Mismatch ..... 110


  Allowed VLANs on Trunks ..... 111
  VLAN Trunking Protocol (VTP) issues ..... 111
  VLANs not propagating from Servers to Clients ..... 112
  Newly added Switch not receiving VLANs from VTP Server ..... 112
  Ports become Inactive after Power Cycle ..... 112
  Configure and Verify Common Spanning Tree Protocols (RSTP and MST) ..... 113
  RSTP Configuration ..... 114
  RSTP Verification ..... 114
  MST Configuration ..... 115
  MST Verification ..... 116
Layer 3 ..... 116
  Compare routing concepts of EIGRP and OSPF (advanced distance vector vs. link state, load balancing, path selection, path operations, metrics) ..... 116
  EIGRP ..... 116
  Further Reading ..... 118
  OSPF ..... 118
  Further Reading ..... 119
  Configure and verify simple OSPF environments, including multiple normal areas, summarization, and filtering (neighbor adjacency, point-to-point and broadcast network types, and passive interface) ..... 119
  Multiple Areas ..... 119
  Route Summarization ..... 121
  Inter-area Route Summarization ..... 121
  External Route Summarization ..... 122
  Route Filtering ..... 123
  Further Reading ..... 125
  Configure and verify eBGP between directly connected neighbors (best path selection algorithm and neighbor relationships) ..... 125
  Best Path Selection Criteria ..... 126
  Neighbor Relationships ..... 126
  Further Reading ..... 128
Wireless ..... 129
  Describe Layer 1 concepts, such as RF power, RSSI, SNR, interference noise, band and channels, and wireless client devices capabilities ..... 129
  RF Power ..... 129
  RSSI ..... 129
  Signal to Noise Ratio (SNR) ..... 130
  Interference Noise ..... 130
  Wi-Fi Band and Channels ..... 130
  Wireless Client Devices Capabilities ..... 131
  Describe AP modes and antenna types ..... 132
  Describe access point discovery and join process (discovery algorithms, WLC selection process) ..... 133
  LAP Registration with the WLC ..... 133
  Further Reading ..... 134
  Describe the main principles and use cases for Layer 2 and Layer 3 roaming ..... 134
  Troubleshoot WLAN configuration and wireless client connectivity issues ..... 136
  Troubleshooting WLAN Configuration ..... 136
  WLAN Configuration and Logs Collection ..... 136
  WLC Show and Debug Commands ..... 137
  Show Commands ..... 137
  Debug Commands ..... 137
  AP Show and Debug Commands ..... 138
  Preparing the AP for debugging ..... 138
  Show Commands ..... 138
  Debug Commands ..... 139
  AP-COS Show Commands ..... 139


  AP-COS Debug Commands ..... 139
  1800 Series Debug Commands ..... 140
  2800/3800 Series Debug Commands ..... 140
  Troubleshooting Wireless Client Connectivity Issues ..... 140
IP Services ..... 142
  Describe Network Time Protocol (NTP) ..... 142
  Configure and Verify NAT/PAT ..... 142
  Static NAT ..... 143
  Dynamic NAT ..... 144
  Static PAT ..... 144
  PAT (NAT Overload) ..... 145
  Configure First Hop Redundancy Protocols, such as HSRP and VRRP ..... 145
  HSRP Configuration ..... 145
  HSRP Verification ..... 146
  VRRP Configuration ..... 148
  VRRP Verification ..... 148
  Describe Multicast Protocols, such as PIM and IGMP v2/v3 ..... 149
  Any Source Multicast (ASM) ..... 149
  Source Specific Multicast (SSM) ..... 149
Chapter Summary ..... 151

CHAPTER 4 NETWORK ASSURANCE ..... 152
Diagnose network problems using tools such as debugs, conditional debugs, traceroute, ping, SNMP, and syslog ..... 154
  Cisco IOS XE Conditional Debugging Examples ..... 155
  Configure and verify device monitoring using syslog for remote logging ..... 155
  Configuring Syslog ..... 155
  Verifying Syslog ..... 156
  Configure and verify NetFlow and Flexible NetFlow ..... 156
  NetFlow Interface Support for Ingress (Received) Traffic on an interface ..... 157
  NetFlow Interface Support for Egress (Transmitted) Traffic on an Interface ..... 157
  NetFlow Flow Export Destination and Version ..... 157
  Verifying NetFlow Configuration ..... 158
  Creating a Flow Record ..... 160
  Creating a Flow Monitor ..... 160
  Creating a Flow Exporter ..... 160
  Verifying Data in the Flow Monitor
Cache......................................................................................................................161Configure and verify SPAN/RSPAN/ERSPAN..............................................................................................................161Configuring SPAN, RSPAN and ERSPAN......................................................................................................................162Configuring ERSPAN Source Session...............................................................................................................................163Configuring ERSPAN Destination Session......................................................................................................................163

ConfigureandverifyIPSLA.......................................................................................................................................................163IP SLA Configuration..............................................................................................................................................................164ICMP Echo Operation Example...........................................................................................................................................164UDP Echo Operation Example.............................................................................................................................................164IP SLA Verification..................................................................................................................................................................165

DescribeCiscoDNACenterworkflowstoapplynetworkconfiguration,monitoring,andmanagement...............................................................................................................................................................................................................165

Network Configuration Workflows.....................................................................................................................................166Creating a Workflow................................................................................................................................................................166

ConfigureandverifyNETCONFandRESTCONF..............................................................................................................167NETCONF Example.................................................................................................................................................................169NETCONF Configuration.......................................................................................................................................................169NETCONF Verification..........................................................................................................................................................169RESTCONF.................................................................................................................................................................................170

Page 9: All-in-One Enterprise Network Core Technologies (ENCOR) V1 ... · Introduction to Cisco Enterprise Core (ENCOR) Exam ENCOR or Implementing Cisco Enterprise Network Core Technologies

10

RESTCONF Configuration....................................................................................................................................................171RESTCONF Verification........................................................................................................................................................171

ChapterSummary..........................................................................................................................................................................173CHAPTER5SECURITY..............................................................................................................................174Configureandverifydeviceaccesscontrol........................................................................................................................176

Lines and password protection..............................................................................................................................................176Authentication and authorization using AAA..................................................................................................................177

Configureandverifyinfrastructuresecurityfeatures...................................................................................................177ACLs..............................................................................................................................................................................................177Further Reading..........................................................................................................................................................................178CoPP...............................................................................................................................................................................................178Describe REST API security.................................................................................................................................................183

Configureandverifywirelesssecurityfeatures..............................................................................................................184EAP................................................................................................................................................................................................184EAP Verification........................................................................................................................................................................185WebAuth.......................................................................................................................................................................................185Configuring VLAN Interface................................................................................................................................................186Configuring WLC for Internal Web Authentication......................................................................................................186Adding a WLAN Instance......................................................................................................................................................187Configure User Authentication Type (Local, RADIUS, LDAP)...............................................................................187Pre-shared Key (PSK)..............................................................................................................................................................187

Describethecomponentsofnetworksecuritydesign..................................................................................................188Threat defense.............................................................................................................................................................................188Endpoint Security......................................................................................................................................................................188Next-generation firewall..........................................................................................................................................................189TrustSec, MACsec.....................................................................................................................................................................189

Networkaccesscontrolwith802.1X,MAB,andWebAuth..........................................................................................189ChapterSummary..........................................................................................................................................................................190

CHAPTER6AUTOMATION......................................................................................................................191InterpretBasicPythonComponentsandScripts.............................................................................................................193

REST API calls using Python requests library................................................................................................................195Further Reading..........................................................................................................................................................................200Cisco Python SDKs...................................................................................................................................................................200

ConstructValidJSONEncodedFile........................................................................................................................................206JSON Parsing in Python..........................................................................................................................................................207

DescribetheHigh-levelPrinciplesandBenefitsofaDataModelingLanguage,SuchasYANG..................209NETCONF...................................................................................................................................................................................212RESTCONF.................................................................................................................................................................................214

DescribeAPIsforCiscoDNACenterandvManage.........................................................................................................229Further Reading..........................................................................................................................................................................237

InterpretRESTAPIResponseCodesandResultsinPayloadUsingCiscoDNACenterandRESTCONF..243ConstructEEMApplettoAutomateConfiguration,Troubleshooting,orDataCollection.............................247CompareAgentVs.AgentlessOrchestrationTools,SuchasChef,Puppet,Ansible,andSaltStack............248VersionControlSystems(GitandSVN)...............................................................................................................................250

Clone Operation.........................................................................................................................................................................255Add/remove Operations...........................................................................................................................................................256Commit Operation.....................................................................................................................................................................257Push / Pull Operations..............................................................................................................................................................258Branch............................................................................................................................................................................................261Merge and handling conflicts................................................................................................................................................264Diff Operation.............................................................................................................................................................................265GitOps............................................................................................................................................................................................268Further Reading..........................................................................................................................................................................268

ChapterSummary..........................................................................................................................................................................276


About the Author Muhammad Afaq Khan started his professional career at Cisco TAC San Jose and passed his first CCIE in 2002 (#9070). He held multiple technical and management positions at Cisco San Jose HQ over his 11 years of tenure at the company before moving into cloud software and data center infrastructure IT industries. He has worked at startups as well as Fortune 100 companies in senior leadership positions over his career. He is also a published author (Cisco Press, 2009) and holds multiple patents in the areas of networking, security, and virtualization. Currently, he is a founder at Full Stack Networker and a vocal advocate for network automation technologies and NetDevOps.


Introduction to Cisco Enterprise Core (ENCOR) Exam

The ENCOR, or Implementing Cisco Enterprise Network Core Technologies (ENCOR 350-401), exam is crucial for the following reasons.

• ENCOR exam consists of topics from six domains of knowledge, i.e., Architecture, Virtualization, Automation, Infrastructure, Network Assurance, and Security. It went live on February 24, 2020.

• ENCOR serves a triple purpose: it is the CCNP Core exam and the qualification exam for both the CCIE Infrastructure Lab and the CCIE Wireless Lab. CCIE recertification requirements are now different from the initial qualification.

• It is the mandatory Core exam for the CCNP Enterprise track. You become CCNP Enterprise certified when you pass one of the professional Concentration exams in addition to ENCOR.

• It obsoletes both old CCNP R&S exams (300-101 and 300-115) and CCIE written exams for both R&S (400-101) and Wireless (400-351) tracks.

• It is a 120-minute exam that costs $400 (USD) per attempt, which is significantly cheaper than the $450 per attempt charged for the older 400-series qualification or “written” exams.

• Each successful attempt at ENCOR recertifies your CCNP for three years, which is the same as today. However, the CCNP recertification exam cost changes from $400 (passing one core exam) to $900 (passing three concentration exams), i.e., you pay more than 200% in the new format. There are other possible exam combinations for recertification, including Continuing Education (CE) credits.

• Each successful attempt at ENCOR plus any one of the Professional track concentration exams recertifies your CCIE Enterprise for three years. However, the recertification exam cost changes from $450 (one exam) to $700 (two exams). There are other possible exam combinations for recertification, including Continuing Education (CE) credits.


Let’s now double click into each of those areas and the actual underlying topics that are either removed or added into the new exam.


Key Differences Between CCIE Routing and Switching Written and ENCOR Exams

• Beyond the addition of wireless topics (which makes sense now that ENCOR doubles up as the Enterprise as well as the Wireless qualification exam), network fundamentals topics are pretty much gone. Thumbs up!

• Layer 2, Layer 3, and VPN technologies have only seen removals and no additions. If you compare ENCOR with the 400-101 V5.1 blueprint, you will be shocked to see that protocols and technologies such as VLANs, most of multicast, RIP, IS-IS, iBGP, MPLS/MPLS VPNs, DMVPN, and even most topics related to OSPF and eBGP have been eliminated.

• Security topics are a net gainer by a significant margin (+15%, as we noted above). However, most security topics are Cisco proprietary, and the blueprint lacks some crucial security technologies and solutions such as Cloud Access Security Broker (CASB).

• IP or infrastructure services topics have mostly shrunk, but Cisco still managed to paddle along Flexible NetFlow and DNA Center, so a thumbs down!

• Finally, I liked how Cisco chucked away the IoT topics (good one!) but was very surprised to see the removal of SDN, Kubernetes, and container topics. Cisco also added a lot of proprietary SD-WAN (aka the Viptela solution).

CCIE Enterprise Infrastructure Exam Topics – Lab Exam

The new CCIE Enterprise Lab exam blueprint includes five sections.


Looking at the actual exam topics line items, I can’t help but notice that about 90% of the exam is Cisco proprietary. In contrast, 10-15% within Infra automation and programmability consist of open standard and evolving topics. Now, if you recall, in the older format, Evolving Technologies were only part of the CCIE written exam but no-show in the CCIE R&S lab. So given the context, the inclusion of automation in the Lab exam is a huge step forward, and I applaud this change.

CCNP Enterprise Certification

The new CCNP Enterprise certification [2] track obsoletes the current CCNP R&S, Wireless, and CCDP certifications. Unlike the old CCNP, in the newer format CCNA is no longer required as a prerequisite. The CCNP Enterprise certification requires you to pass one Core and one Concentration exam before you can become certified. ENCOR 350-401 is the mandatory Core exam; besides that, there are six Concentration or Elective exams that you can choose from. Unlike the older ROUTE/SWITCH/TSHOOT exams, you have plenty of choices in the newer CCNP Enterprise. The CCNP Enterprise Concentration exams are the following.

• Implementing Cisco Enterprise Advanced Routing and Services (ENARSI 300-410)
• Implementing Cisco SD-WAN Solutions (ENSDWI 300-415)
• Designing Cisco Enterprise Networks (ENSLD 300-420)
• Designing Cisco Enterprise Wireless Networks (ENWLSD 300-425)
• Implementing Cisco Enterprise Wireless Networks (ENWLSI 300-430)
• Automating and Programming Cisco Enterprise Solutions (ENAUTO 300-435)

What this Study Guide contains

This study guide includes all of the topics from Cisco's official exam blueprint for Implementing Cisco Enterprise Network Core Technologies, i.e., ENCOR 350-401. As you may already have noticed on the "Contents at a Glance" page, this guide is organized around Cisco's official ENCOR 350-401 exam topics or curriculum. The benefit? Well, as you read through the various topics, you will know exactly where you are within your learning journey.

[2] https://bit.ly/2uTqg8n


All contents are carefully covered with core concepts, code snippets (where applicable), and topic summaries to help you master the skills so you can confidently face the pressures of the Cisco exam as well as its real-world application. The ENCOR exam contains subject matter from six domains, which also happen to be the six chapters in this study guide.

1. Architecture
2. Virtualization
3. Infrastructure
4. Network Assurance
5. Security
6. Automation

How to use this Study Guide

This guide is for anyone who is studying for the Cisco ENCOR 350-401 V1.0 exam. I strongly suggest taking a methodical approach to exam preparation, i.e., start with a target date for when you would like to sit the actual exam and then work backward to see what kind of study plan would work for you. To help further, I have put together an 80-hour learning plan [3] consisting entirely of public resources, something that you can download and follow.

Cisco Enterprise Core (ENCOR) 350-401 V1.0 Exam Topics

| Bodies of Knowledge | Exam Weight |
|---|---|
| Automation | 15% |
| Infrastructure | 30% |
| Network Assurance | 10% |
| Security | 20% |
| Architecture | 15% |
| Virtualization | 10% |

[3] https://bit.ly/3130UB1


What’s available on the CCIEin8Weeks website

CCIEin8Weeks.com carries the supplemental resources (sold separately) that go hand in hand with this study guide to further ensure your exam success.

• All-in-One Course [4] that covers all bodies of knowledge tested on the ENCOR exam
• 6x Practice Quizzes (one for each section as per the official curriculum)
• 1x Practice Exam Simulation (to help you prepare to face the pressure of a real Cisco exam)
• Hands-on Labs with a cloud-hosted IDE for immediate Python code execution
• Code snippets hosted as GitHub Gists that you can clone/fork for modification

[4] https://bit.ly/36RWiim


CHAPTER 1 ARCHITECTURE

This chapter covers the following exam topics from Cisco’s official 350-401 V1.0 Enterprise Network Core Technologies (ENCOR) [5] exam blueprint.

• Explain the different design principles used in an enterprise network
  o Enterprise network design such as Tier 2, Tier 3, and Fabric Capacity planning
  o High availability techniques such as redundancy, FHRP, and SSO

• Analyze design principles of a WLAN deployment
  o Wireless deployment models (centralized, distributed, controller-less, controller based, cloud, remote branch)
  o Location services in a WLAN design

• Differentiate between on-premises and cloud infrastructure deployments

• Explain the working principles of the Cisco SD-WAN solution
  o SD-WAN control and data planes elements
  o Traditional WAN and SD-WAN solutions

• Explain the working principles of the Cisco SD-Access solution
  o SD-Access control and data planes elements
  o Traditional campus interoperating with SD-Access

• Describe concepts of wired and wireless QoS
  o QoS components
  o QoS policy

• Differentiate hardware and software switching mechanisms
  o Process and CEF
  o MAC address table and TCAM
  o FIB vs. RIB

[5] https://bit.ly/3b7cn7o


Explain the Different Design Principles Used in an Enterprise Network

Before we get into the specifics of network design for an enterprise network, it behooves us to look at the big picture and the very fundamentals of network design. The network is simply a resource and a means to an end. Every enterprise network is laid out to facilitate the applications running on top of it. The network meets its goals if enterprise applications can run in a reliable and performant manner. With the increasing adoption of cloud applications (SaaS apps such as CRM or HRM), i.e., applications hosted by providers (such as Salesforce) in their own data centers as opposed to on-premise, the role of the network changes again. In the new world of cloud apps, the network still has to provide reliable and performant access to those off-premise apps, but even more so it must maintain the necessary user experience, security, and compliance, with visibility and control provided by solutions such as a Cloud Access Security Broker (CASB) [6].

You can never know everything. While you have to build your network for current requirements, it must also be able to evolve. That is possible if you think in a modular fashion, where your core design choices stay the same (for example, 2-tier versus 3-tier architecture) while other parts of the network can evolve, much like Lego building blocks. Whether you are designing for on-premise only or for everything off-prem (SaaS/PaaS), the network you are designing will still need to be performant, resilient, and scalable.

[6] https://en.wikipedia.org/wiki/Cloud_access_security_broker

Enterprise network design such as Tier 2, Tier 3, and Fabric Capacity planning

An enterprise campus network can consist of a single building or a group of buildings spread out over a large geographic area, much like a college campus, but still in close proximity. The primary goal of the campus design is to deliver the fastest speed (say 1 or 10 Gbps) and a variety of access (LAN, WLAN) to the endpoints. Campus network design can be organized around a core set of principles, i.e.

• Hierarchy (2-tier / 2-layer or 3-tier / 3-layer)
• Modularity (functional building blocks, collection of devices within a layer)
• Resiliency
• Flexibility

In 1999, Cisco pioneered campus network design with the hierarchical design model, which uses a layered approach. The hierarchical network design helps break an otherwise complex and flat network down into multiple smaller and more manageable network tiers or layers. Each layer is focused on a specific set of requirements and roles. With this design, network designers can pick the most suitable platform and software features for each layer. As we discussed earlier, regardless of how a network was designed, the ability to modify an existing design, i.e., without rip and replace, is of utmost importance. There can be many underlying reasons for such modifications, e.g., the addition of newer services, more bandwidth, and so on.

Tier-3 Network Design

When you think of network design, you are likely thinking about the most discussed and much talked about three-tier or three-layer design. The three-layer design is best suited to large enterprise campus networks. Those three well-known layers are

1. Core
2. Distribution
3. Access

Now, let me describe primary functions of each layer.


• The core layer provides transport between distribution layer devices.
• The distribution layer provides policy-driven connectivity and boundary control between the access and core layers. It is the boundary between the Layer 2 and Layer 3 domains.
• The access layer provides users access to the network.

Each layer in the 3-tier architecture provides a distinct function and thus relies on a unique set of features. The access layer is not just about connectivity but also feature richness up and down the OSI stack.

| OSI Layer | Typical Access Layer Features |
|---|---|
| L1-L2 (convergence, HA, security, multicast) | PVST+, Rapid PVST+, LACP, UDLD, FlexLink, IGMP Snooping, PoE, DHCP Snooping, DAI, IPSG, Port Security, broadcast suppression, Aux VLAN, 802.1x, PortFast, UplinkFast, BackboneFast, LoopGuard, BPDU Guard, BPDU Filter, RootGuard, DTP, etc. |
| L3 (convergence, HA, security, multicast) | EIGRP, OSPF, IP multicast |
| IP Services | QoS |

The distribution layer is about connectivity as well as policy, convergence, QoS, and HA features.


| OSI Layer | Typical Distribution Layer Features |
|---|---|
| Connectivity (L2/L3) | Aggregating wiring closets from the access layer to the core via uplinks |
| L3 | Route summarization, convergence, load sharing, etc. |
| IP Services | QoS, HSRP, GLBP, etc. |

The core layer is about high speed and high bandwidth connectivity and less about the features. It acts as the backbone for the network and glues all of the network building blocks. It also acts as an aggregation point for the distribution layer.

Tier-2 Network Design

Two-layer design is a modified three-layer design where the core has been collapsed into the distribution layer. The main motivation for the collapsed core has to do with cost and the operational simplicity that it brings. It is best suited for small to medium-sized networks.

It is worth noting that the above discussion is about enterprise campus design and not enterprise data center. The campus is where end-users connect to the network whereas the data center provides connectivity to the servers and devices such as load balancers and storage arrays. Let me summarize the key differences between the two network designs before we move on.


Campus Network vs. Data Center Network

Architecture
  Campus: Three or two-tier
  Data Center: Three-tier or Leaf-Spine Clos
Traffic Flow
  Campus: Mostly North-South
  Data Center: North-South and East-West (depending on the applications)
Speeds and Feeds
  Campus: Mostly 1G for access and 10/40G for uplinks
  Data Center: Mostly 10/40G for access and 10/40/100G for uplinks
Oversubscription
  Campus: Typically 20:1
  Data Center: Typically 1:1 or 4:1
Failure domains
  Campus: Mostly limited impact
  Data Center: Mostly larger impact
Access Medium
  Campus: Wired and Wireless
  Data Center: Wired only

High availability techniques such as redundancy, FHRP, and SSO

When designing an enterprise network, network engineers should try to include redundancy at each layer. Let’s first discuss the broad HA and redundancy considerations.

• You should try to use Hot Standby Router Protocol (HSRP) or Gateway Load Balancing Protocol (GLBP) with sub-second timers for redundancy at the default gateway
• Avoid daisy-chaining switches and use StackWise and chassis-based solutions instead
• Avoid protecting against double failures and over-engineering with three or more redundant links
• L2/L3 distribution should be implemented with HSRP or GLBP with the distribution layer at the boundary. It is known to provide up to sub-second convergence
• L3-based access, i.e. using a routing protocol in the access layer and an L3 p2p routed link between the access and distribution switches, is recommended for sub-200 millisecond failover

Let’s now discuss some specific redundancy considerations by each campus network layer.

Redundancy consideration by layer (Core / Distribution / Access)
L2 versus L3: L3 designs are better than L2; L3 to Core switches; L2 to Access switches
HW redundancy
Link redundancy: Redundant p2p L3 interconnections lead to faster convergence; Dual L3 equal-cost paths to Core layer
SW redundancy: via LACP or EC

First-Hop Routing Protocols (FHRPs)

The purpose of default gateway or first-hop redundancy is to help protect against a single node failure so that traffic from end hosts can continue flowing through the active default gateway device after a small, sub-second convergence. In the hierarchical design that we have discussed so far, distribution switches define the L2/L3 network boundary and act as the default gateway for the entire L2 domain facing the access layer. Without some form of redundancy in place, a default gateway failure could result in a massive outage.

HSRP, VRRP, and GLBP are three popular first-hop routing protocols for implementing default gateway redundancy. HSRP and GLBP are Cisco proprietary, whereas VRRP is an IETF standards-based protocol defined in RFC 3768 and RFC 5798. HSRP and VRRP are the recommended protocols and can provide sub-second failover with some tuning for redundant distribution switches. If you are using Cisco switches, best practices indicate that you would be better off using the feature-rich HSRP; however, VRRP is a must when your design requires vendor interoperability.

The configuration snippet below shows how you can use HSRP in an enterprise campus deployment and achieve sub-second failover times.

interface Vlan100
 description Data VLAN for Access-Switch
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.2.1
 standby 1 ip 10.1.1.2
 standby 1 timers msec 200 msec 750
 standby 1 priority 150
 standby 1 preempt
 standby 1 preempt delay minimum 180

It is strongly recommended to configure HSRP with the preemption feature, which allows a previously failed device to reclaim its role upon recovery. This is the desired behavior because the STP/RSTP root should be the same device as the HSRP primary device for a given subnet or VLAN. Without consolidating the HSRP primary and STP root in a single device, the link between the distribution switches can become a transit link where traffic to/from the default gateway takes multiple L2 hops.

It is also recommended that the preemption delay is set to 150% of the time that it takes for the switch to boot up from scratch. The HSRP preemption delay needs to account for switch boot time and overall connectivity to the rest of the network. If preemption and neighbor adjacency occur before the switch has L3 connectivity to the core, traffic will be blackholed until complete L3 connectivity is restored.

GLBP protects traffic against device or circuit failure much like HSRP or VRRP, but in addition it also allows packet load sharing between a group of redundant routers. Before GLBP, you could only implement HSRP or VRRP hacks to get load balancing to work. For example, you could configure the distribution devices as alternate root switches and divide and direct traffic from VLANs into both. Yet another hack would have been to use multiple HSRP groups on a single interface and use DHCP to alternate between the default gateways. As you can see, none of these hacks are clean and could very easily become an administrative nightmare. HSRP uses a virtual IP and MAC pair which is always assumed by the active router, whereas GLBP uses one virtual IP address with multiple virtual MAC addresses.

The configuration snippet below shows a GLBP configuration.

interface Vlan100
 description Data VLAN for Access-Switch
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.2.1
 glbp 1 ip 10.1.1.2
 glbp 1 timers msec 250 msec 750
 glbp 1 priority 150
 glbp 1 preempt delay minimum 180

Let’s now wrap up the FHRP discussion with a side by side comparison table.

HSRP vs. VRRP vs. GLBP

Interop
  HSRP: Cisco proprietary
  VRRP: IETF standard
  GLBP: Cisco proprietary
Redundancy mechanism
  HSRP: Active / Standby
  VRRP: Active / Standby
  GLBP: Active / Active
Preemption
  HSRP: Supported, disabled by default
  VRRP: Supported, enabled by default
  GLBP: Supported, enabled by default
Multicast address for hellos
  HSRP: 224.0.0.2 / 224.0.0.102
  VRRP: 224.0.0.18
  GLBP: 224.0.0.102
Transport
  HSRP: UDP 1985
  VRRP: IP (protocol number 112)
  GLBP: UDP 3222

FHRP Best Practices

• VRRP is an IETF standard and that makes it viable in multivendor networks
• With GLBP, you can go a step beyond and achieve uplink load balancing
• Consider tuning preempt timers to avoid blackholing traffic
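To turn the HSRP/GLBP guidance above (sub-second timers, explicit preemption, a preempt delay of about 150% of boot time) into a repeatable check, here is an added Python example that is not from the book or from Cisco: it parses the `standby`/`glbp` lines of an interface configuration and reports each group's deviations. The 120-second boot time and the sample configuration are assumptions constructed for the example.

```python
import re
# Constructed sample mirroring the HSRP snippet discussed above (not from a live device).
SAMPLE_HSRP = """\
interface Vlan100
 standby 1 ip 10.1.1.2
 standby 1 timers msec 200 msec 750
 standby 1 preempt
 standby 1 preempt delay minimum 180
"""

def to_ms(tokens):
    """'msec 200 msec 750' -> (200, 750); bare values are seconds, e.g. '1 3' -> (1000, 3000)."""
    vals = [int(tokens[i]) * (1 if i and tokens[i - 1] == "msec" else 1000)
            for i in range(len(tokens)) if tokens[i] != "msec"]
    return vals[0], vals[1]

def parse_fhrp(config):
    """Per-group settings from 'standby' (HSRP) / 'glbp' lines; IOS defaults (3 s hello,
    10 s hold, no explicit preemption) are assumed for anything not configured."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"\s*(standby|glbp)\s+(\d+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        g = groups.setdefault("%s %s" % m.group(1, 2), {"hello_ms": 3000, "hold_ms": 10000,
                                                      "preempt": False, "preempt_delay": 0})
        cmd, args = m.group(3), m.group(4).split()
        if cmd == "timers":
            g["hello_ms"], g["hold_ms"] = to_ms(args)
        elif cmd == "preempt":
            g["preempt"] = True
            if args[:2] == ["delay", "minimum"]:
                g["preempt_delay"] = int(args[2])
    return groups

def audit(config, boot_seconds=120):
    """{group: [findings]}; boot_seconds is an assumed reload time for the 150%-of-boot rule."""
    report = {}
    for key, g in parse_fhrp(config).items():
        report[key] = f = []
        if g["hold_ms"] > 1000:
            f.append("hold %d ms is not sub-second" % g["hold_ms"])
        if g["hold_ms"] <= g["hello_ms"]:
            f.append("hold timer must exceed hello timer")
        if not g["preempt"]:
            f.append("preemption not explicitly configured")
        elif g["preempt_delay"] < 1.5 * boot_seconds:
            f.append("preempt delay %ds is below 150%% of boot time" % g["preempt_delay"])
    return report
```

Running `audit(SAMPLE_HSRP)` returns an empty finding list for `standby 1`, while a group left at default timers without `preempt` is flagged on both counts.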

Stateful Switchover (SSO)

Today, most network devices can provide a level of intra-box high availability, i.e. in the form of redundant supervisors such as on the Cisco Catalyst 6500, 4500, and Nexus 7K. When you have redundant supervisors, the box can also support Stateful Switchover (SSO), which ensures that the standby supervisor blade holds state information from the active blade and can thus switch over and become primary to assume the L2 forwarding function. The Cisco Catalyst 6500 and N7K switches support L3 Non-Stop Forwarding (NSF), which allows redundant supervisors to assume L3 forwarding functions without tearing down and rebuilding L3 neighbor adjacencies in the event of a primary supervisor failure.