Understanding the Design of the Midsize Enterprise Campus Solution(B)
Fancy Wang
Fancy Wang 2411 2020
The following part is from Juniper.
MC-LAG Design Considerations
MC-LAG can be configured in active/standby mode, in which only one device actively forwards traffic, or in active/active mode, in which both devices actively forward traffic. Figure 3 illustrates the difference between active/standby and active/active.
Figure 3: MC-LAG Active/Standby Versus Active/Active
This solution uses active/active as the preferred mode for the following reasons:
- Traffic is load-balanced in active/active mode, resulting in link-level efficiency of 100 percent.
- Convergence is faster in active/active mode than in active/standby mode. In active/active mode, information is exchanged between devices during operations. After a failure, the operational switch or router does not need to relearn any routes and continues to forward traffic.
- It enables you to configure Layer 3 protocols on integrated routing and bridging (IRB) interfaces, providing a hybrid Layer 2 and Layer 3 environment on the core switch.
MC-LAG is used in conjunction with the Virtual Router Redundancy Protocol (VRRP) both on the core switches and on the edge routers. VRRP permits redundant routers to appear as a single virtual router to the other devices. In a VRRP implementation, each VRRP peer shares a common virtual IP address and virtual MAC address in addition to its unique physical IP address and MAC address. Thus, each IRB configured on the core switches must have a virtual IP address.
Typically, VRRP implementations are active/passive implementations, in which only one peer forwards traffic while the other peer is in standby. However, in the Junos operating system (Junos OS), the VRRP forwarding logic has been modified when both VRRP and active/active MC-LAG are configured. In this case, both VRRP peers forward traffic and load-balance the traffic between them. As shown in Figure 4, data packets received by the backup peer on the MC-LAG member link are forwarded by the backup peer rather than being sent to the master peer for forwarding.
Figure 4: VRRP Forwarding in MC-LAG Configuration
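The active/active MC-LAG and VRRP-on-IRB behaviour described above can be expressed as the core-switch configuration below. This is an added example, not configuration from the Juniper guide or from the article's author. The host name core-1, the interface names, VLAN 100, the 10.1.100.0/24 and 10.0.0.0/30 addresses, the LACP system ID and all priorities are assumptions, and the syntax is Junos set-command form for platforms whose routed VLAN interface is `irb`, as the text says. Only one peer is shown; core-2 mirrors it with `chassis-id 1`, `status-control standby`, its own addresses and a lower VRRP priority.

```junos
# Added example for core-1 (assumed name); not the guide's own configuration.
# Assumed layout: xe-0/0/0 is the MC-LAG member link to the downstream device,
# xe-0/0/1 and xe-0/0/2 form the interchassis link (ICL, ae1) to core-2, and
# xe-0/0/3 is a dedicated point-to-point link carrying ICCP.
set chassis aggregated-devices ethernet device-count 2
set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces xe-0/0/1 ether-options 802.3ad ae1
set interfaces xe-0/0/2 ether-options 802.3ad ae1

# ae0: the MC-LAG member link, active/active as preferred in the text.
# Both peers use the same LACP system-id and admin-key so the downstream device
# sees a single LAG partner; mc-ae-id and redundancy-group also match on both
# peers, while chassis-id and status-control differ (0/active here,
# 1/standby on core-2).
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp system-id 00:00:00:01:01:01
set interfaces ae0 aggregated-ether-options lacp admin-key 1
set interfaces ae0 aggregated-ether-options mc-ae mc-ae-id 1
set interfaces ae0 aggregated-ether-options mc-ae redundancy-group 1
set interfaces ae0 aggregated-ether-options mc-ae chassis-id 0
set interfaces ae0 aggregated-ether-options mc-ae mode active-active
set interfaces ae0 aggregated-ether-options mc-ae status-control active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members v100

# ae1: the ICL, trunking the same VLANs so either peer can reach hosts behind
# the other; it is also the multi-chassis protection link.
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members v100

# ICCP between the peers over the dedicated routed link (assumed addressing).
set interfaces xe-0/0/3 unit 0 family inet address 10.0.0.1/30
set protocols iccp local-ip-addr 10.0.0.1
set protocols iccp peer 10.0.0.2 redundancy-group-id-list 1
set protocols iccp peer 10.0.0.2 liveness-detection minimum-interval 1000
set protocols iccp peer 10.0.0.2 liveness-detection multiplier 3
set multi-chassis multi-chassis-protection 10.0.0.2 interface ae1
set switch-options service-id 1

# VLAN 100 and its IRB. The IRB carries a VRRP group whose virtual address
# (10.1.100.1) is the hosts' default gateway; the physical address is unique
# per peer (core-2 would use 10.1.100.3/24 with a lower priority). With
# active/active MC-LAG, Junos lets the backup peer forward traffic received on
# its member link instead of relaying it to the master.
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set interfaces irb unit 100 family inet address 10.1.100.2/24 vrrp-group 100 virtual-address 10.1.100.1
set interfaces irb unit 100 family inet address 10.1.100.2/24 vrrp-group 100 priority 200
set interfaces irb unit 100 family inet address 10.1.100.2/24 vrrp-group 100 accept-data
set interfaces irb unit 100 family inet address 10.1.100.2/24 vrrp-group 100 preempt
```

After committing on both peers, `show iccp` should report the peer as up and `show interfaces mc-ae` should show ae0 with both chassis active; a member link whose LACP partner does not present the shared system-id will stay detached on the downstream device, which is the first thing to check when one of the two links refuses to join the bundle.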
Firewall Chassis Cluster Design
SRX Series Services Gateways achieve node redundancy through chassis clustering. In the solution design, two SRX650 gateways are clustered to provide stateful failover of processes, services, and traffic flow.
Creating a chassis cluster requires configuring the following interfaces on the SRX650 Services Gateways:
- Control link—Link between the cluster nodes that transmits session state, configuration, and aliveness signals.
- Fabric link—Link between the cluster nodes that transmits network traffic between the nodes and synchronizes the data plane software’s dynamic runtime state.
- Redundant Ethernet interface—Virtual interface that is active on one node at a time and can fail over to the other node. Each redundant Ethernet (reth) interface consists of at least one interface from each cluster node. The redundant Ethernet interface has its own MAC address, which is different from the physical interface MAC addresses of its members. When a redundant Ethernet interface fails over, the connecting devices are updated with the MAC address of the new physical interface in use. Because the redundant Ethernet interface continues to use the same virtual MAC address and IP address, Layer 3 operations continue to work with no need for user intervention.
Figure 5 illustrates the chassis cluster topology.
Figure 5: SRX650 Gateway Chassis Cluster
In this topology, two redundant Ethernet interfaces are configured:
- reth0, which connects to the core switches
- reth1, which connects to the edge routers
To increase redundancy and bandwidth, the redundant Ethernet interfaces are configured as redundant Ethernet LAGs, with two physical interfaces bundled into each LAG on each cluster node. These physical interfaces permit each cluster node to have a physical connection to each core switch and edge router.
Firewall Chassis Cluster Design Considerations
SRX Series chassis clusters support both active/active and active/backup clustering modes. Because the additional scale provided by active/active mode is not required by this solution, the design uses the simpler and more commonly implemented active/backup mode. In active/backup mode, only the LAG member links on the active cluster node are active and forward data traffic.
The active node uses gratuitous ARP to advertise to the connecting devices that it is the next-hop gateway. If a failover occurs, the backup node uses gratuitous ARP to announce that it is now the next-hop gateway. As a result, for failover to work, the redundant Ethernet interface members and their connecting interfaces on the other devices must belong to the same bridge domain, as shown in Figure 5. These bridge domains result in an OSPF broadcast network.
The core switches and edge routers must be configured with OSPF priorities of 255 and 254, respectively, to ensure that they will always be the designated router and backup designated router for their bridge domain.
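The chassis cluster described in this section and the preceding one can be built with the configuration below. This is an added example, not the guide's or the author's configuration. SRX650 node 1 interfaces are numbered from slot 9, so ge-9/0/x is node 1's ge-0/0/x; the member interfaces, redundancy-group priorities, monitor weights, addresses, zone names and the OSPF priority 0 on the firewall are assumptions. The cluster and node IDs themselves are set in operational mode (`set chassis cluster cluster-id 1 node 0 reboot` on node 0, `node 1` on node 1) before this configuration is committed.

```junos
# Added example; slots and values are assumed. On the SRX650 the control link
# uses the fixed control ports (ge-0/0/1 on node 0, ge-9/0/1 on node 1) and
# needs no interface configuration.

# Node-specific settings, applied through the node groups.
set groups node0 system host-name fw-node0
set groups node1 system host-name fw-node1
set apply-groups "${node}"

# Fabric link: one data-plane member per node, used for transit traffic between
# the nodes and for synchronizing the data plane's runtime state.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2

# Two reth interfaces. Redundancy group 0 is the control plane; redundancy
# group 1 owns both reths so they fail over together to the same node. The
# higher priority wins, so node 0 is the active node (active/backup mode).
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Interface monitoring: the group fails over when the weights of its down
# interfaces reach the threshold of 255. Losing both core-facing links on the
# active node (128 + 128) triggers failover; losing one link does not.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/4 weight 128

# reth0 toward the core switches: two physical members per node bundled into a
# LAG, one member to each core switch. The core pair must present one LACP
# partner (its MC-LAG) for the bundle to form.
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-9/0/3 gigether-options redundant-parent reth0
set interfaces ge-9/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 redundant-ether-options lacp periodic fast
set interfaces reth0 unit 0 family inet address 10.10.0.10/24

# reth1 toward the edge routers, same pattern.
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-0/0/6 gigether-options redundant-parent reth1
set interfaces ge-9/0/5 gigether-options redundant-parent reth1
set interfaces ge-9/0/6 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 unit 0 family inet address 10.20.0.10/24

# OSPF on the reths. The reth members and their peers share a bridge domain,
# so each is a broadcast network. Priority 0 (an assumption here) keeps the
# firewall out of the DR/BDR election so that the core switches and edge
# routers, at 255 and 254, always hold those roles.
set security zones security-zone core interfaces reth0.0 host-inbound-traffic protocols ospf
set security zones security-zone edge interfaces reth1.0 host-inbound-traffic protocols ospf
set protocols ospf area 0.0.0.0 interface reth0.0 priority 0
set protocols ospf area 0.0.0.0 interface reth1.0 priority 0

# Matching priorities on the connecting core switches (IRB unit assumed):
#   core-1: set protocols ospf area 0.0.0.0 interface irb.10 priority 255
#   core-2: set protocols ospf area 0.0.0.0 interface irb.10 priority 254
```

`show chassis cluster status` should list redundancy group 1 as primary on node 0 and secondary on node 1; after a failover, `show chassis cluster interfaces` shows the reth members on the new primary node, and the adjacent core and edge devices learn the reth's virtual MAC at its new physical port from the gratuitous ARP the text describes.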
Switching and Routing Design
In the switching and routing design, the aggregation layer forms the boundary between Layer 2 and Layer 3, as illustrated in Figure 6.
Figure 6: Layer 2 and Layer 3 Boundary
The following summarizes the basic switching and routing design:
- The devices in the access layer are configured as Layer 2 switches that forward user traffic on high-speed trunk ports to the aggregation layer.
- The switches in the aggregation layer provide the boundary between Layer 2 and Layer 3. They are configured to provide Layer 2 switching on their downstream trunk ports to the access switches and Layer 3 routing on their upstream ports to the core. They act as the default gateways for the access devices.
- The devices in the core and edge layers are primarily Layer 3 devices, routing traffic between the aggregation layer devices and between the internal campus network and the external Enterprise WAN and Internet.
This section covers:
- Switching Design
- Routing Design
- Multicast Routing and Snooping Design
Switching Design
Important considerations for the design of the switching network are:
- Separation of Layer 2 Traffic
- Layer 2 Loop Prevention
Separation of Layer 2 Traffic
The access layer of the campus network provides network access to a wide variety of devices and users. The traffic generated by these devices and users often has different management or security requirements and thus needs to be separated. For example, voice traffic generated by VoIP phones requires different quality-of-service parameters than data traffic generated by laptops. Or users from the finance department might need to be granted access to a server that no other users can access.
Typically in campus networks, this traffic separation is achieved through the use of virtual LANs (VLANs) in the access and aggregation layers. Each organization will have its own requirements for separating user traffic using VLANs. In testing, this solution deployed a VLAN design that is optimized for management simplicity and that can be easily adapted to other organization environments. In the solution design, user traffic is separated into VLANs based on:
- Traffic type—Voice and data traffic are carried on separate VLANs.
- Department—Each functional group, or department, has its own VLAN. For example, there are different VLANs for Engineering, Marketing, Sales, Finance, and Executive personnel.
- Access method—Wired traffic and wireless traffic are separated into different VLANs.
Wired data traffic is dynamically assigned to a port data VLAN as a result of the user authentication process.
For wired voice traffic, this solution takes advantage of the voice VLAN feature supported on EX Series switches. This feature enables otherwise standard access ports to accept both untagged (data) and tagged (voice) traffic and separate these traffic streams into separate VLANs. This in turn allows a VoIP phone and an end-host machine to share a single port while enabling the application of different quality-of-service parameters to the voice traffic.
In this solution, then, each user access port is associated with two VLANs—a data VLAN, which is dynamically assigned as a result of the authentication process, and a voice VLAN, which is statically configured on the port. A single voice VLAN can be used for all wired voice traffic because voice traffic typically has the same security requirements regardless of user role.
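The two-VLAN access port described above, with the data VLAN supplied by authentication and the voice VLAN configured statically, can be configured on an EX Series switch as shown below. This is an added example, not configuration from the guide or the author. It uses the non-ELS EX syntax of the EX4200 class, and the VLAN names and IDs, the port ge-0/0/1, the RADIUS server address and the profile name are assumptions; the shared secret is a placeholder.

```junos
# Added example for an EX Series access switch (non-ELS syntax); names, VLAN
# IDs and addresses are assumed.

# VLANs: one voice VLAN for all phones, a default data VLAN for ports without an
# authentication result, and department data VLANs that RADIUS assigns by name.
set vlans voice vlan-id 200
set vlans data-default vlan-id 10
set vlans engineering vlan-id 110
set vlans finance vlan-id 120

# User access port: untagged traffic lands in the data VLAN. 802.1X replaces
# data-default with the VLAN named in the RADIUS Tunnel-Private-Group-ID
# attribute (with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802), so
# the department VLAN follows the user rather than the port.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members data-default

# Voice VLAN feature: the same port also accepts traffic tagged with VLAN 200
# and places it in the expedited-forwarding class, so phone and PC share the
# port with different QoS. LLDP-MED tells the phone which VLAN to tag with.
set ethernet-switching-options voip interface ge-0/0/1.0 vlan voice
set ethernet-switching-options voip interface ge-0/0/1.0 forwarding-class expedited-forwarding
set protocols lldp-med interface ge-0/0/1.0

# 802.1X authenticator. "supplicant multiple" authenticates the phone and the
# PC independently on one port; mac-radius lets a phone without an 802.1X
# supplicant be authenticated by its MAC address against the same RADIUS server.
set access radius-server 10.0.0.100 secret "RADIUS-SECRET-PLACEHOLDER"
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 10.0.0.100
set protocols dot1x authenticator authentication-profile-name dot1x-profile
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/1.0 reauthentication 3600
```

The VLAN returned by RADIUS must already exist on the switch under that name or ID, otherwise the supplicant stays in the port's configured VLAN; `show dot1x interface ge-0/0/1.0 detail` shows the VLAN each authenticated MAC was placed in, which is the quickest way to confirm that a finance user landed in finance rather than data-default.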
Layer 2 Loop Prevention
In campus architectures, each access switch is typically connected to two aggregation switches for reliability and high availability. The aggregation switches in turn have a Layer 2 connection to each other. This topology can create a Layer 2 loop.
Traditionally, the Spanning Tree Protocol (STP) is used to prevent Layer 2 loops. STP exchanges information with other switches to prune specific redundant links, creating a loop-free topology with a single active Layer 2 data path between any two switches.
However, STP adds latency to the network. Although more recent versions of STP have reduced convergence after a failure to a few seconds, STP still has not achieved the sub-second convergence that Layer 3 protocols have achieved. Real-time applications, such as voice or video, experience disruptions when STP is used in campus networks. In addition, STP results in inefficient use of network resources because it blocks all but one of the redundant paths.
To prevent the creation of Layer 2 loops, this solution uses MC-LAG in the aggregation layer of location A and Virtual Chassis in the aggregation layer of location B. Each technology creates a single virtual device from one or more physical devices. From the point of view of the connecting access switch, the switch has multiple links to a single device through an aggregated Ethernet interface. STP is unnecessary when these technologies are incorporated into the Layer 2 network. This improves network performance by reducing latency and improves network efficiency by enabling all links to forward traffic.
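The location B arrangement described above, a Virtual Chassis in the aggregation layer with the access switch seeing one device across both uplinks, is shown below as an added example; it is not the guide's or the author's configuration. Member numbers, the serial-number placeholders, interface names and VLAN names are assumptions, and the syntax is non-ELS EX set-command form. The block holds two devices' configuration, marked by the section comments.

```junos
### Location B aggregation: two EX switches preprovisioned into one Virtual
### Chassis (added example; serial numbers are placeholders to be replaced).
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number SERIAL-MEMBER0-PLACEHOLDER
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number SERIAL-MEMBER1-PLACEHOLDER

# Aggregation-side LAG toward one access switch: one member port on each
# physical chassis (member 0 and member 1) behind a single ae0, so the access
# switch's two uplinks terminate on what LACP sees as one device.
set chassis aggregated-devices ethernet device-count 8
set interfaces ge-0/0/10 ether-options 802.3ad ae0
set interfaces ge-1/0/10 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ voice engineering finance ]

### Access switch: both uplinks in one LAG. Because the far end is a single
### logical device there is no second Layer 2 path to prune, so both links
### forward traffic and STP is not needed to keep the topology loop-free.
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/1/0 ether-options 802.3ad ae0
set interfaces ge-0/1/1 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ voice engineering finance ]
```

On the access switch, `show lacp interfaces ae0` should show both members collecting and distributing; if only one does, the usual cause is that the two uplinks landed on ports that are not in the same LAG on the aggregation side, which would reintroduce exactly the redundant path the design removes.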