Learn Some Linux Series - Networking Part 3

Continuing on from Part 2 of the Networking tutorials,

Edge network switches connect users' desktop PCs, laptops (with Ethernet ports or via a docking station), IP desk phones, shared network printers and wireless APs throughout a mid to large organization. Many other devices now connect by wire to these edge switches, even though laptops are increasingly connected over wireless / Wi-Fi. These extra devices may include Ethernet lights, where expensive electrical work is replaced with lower cost data cabling and DC power fed by the edge switches using Power over Ethernet (PoE), the same technology that powers wireless APs. Ethernet lights also offer scheduled on / off, dimming, turning off certain lights based on ambient light conditions and even changing the colour of the lights, all managed via light controllers. This contributes to green office building initiatives and saves utility and maintenance costs. Ethernet lights are generally daisy chained rather than home run to the network switches.

Other devices, such as thermostats, door access controllers, IP cameras, smart TVs, attendance time clocks and manufacturing equipment like Programmable Logic Controllers (PLCs) and Computerized Numeric Control (CNC) machines, require wired Ethernet connections and therefore also terminate on edge switches. A practical security note: these building-control and manufacturing devices are normally placed in their own VLANs, separate from user PCs, so that any traffic between them and the user PCs has to pass through the inter-VLAN gateway, where it can be filtered.

These edge switches will have a minimum of 24 ports in a business, though 48 port switches are increasingly common, with multiples of these at any site depending on the size and needs of the business. The switches are housed in a room called the network room or network closet (the old name sticks even when the room is much bigger than a closet), IT room, server room etc. If the building is large or has multiple floors, there will be multiple network rooms. If the business is small, a branch office or a small school, then all the network switches, along with other equipment like firewalls, ISP equipment, audio-video equipment, PBX / phone system, servers etc., may be located in a single network room.

In larger network rooms we can have multiple 24 or 48 port switches connected in a stack using high speed backplane interconnections called stacking cables, so that 2 to 8 switches behave like a single managed switch with hundreds of ports. Alternatively we can have a chassis switch with 24 or 48 port line cards in multiple slots of the chassis. Chassis switches have redundant power supplies so that the failure of a single power supply does not bring down services. Similarly, each switch in a stack may have redundant power supplies and / or there can be separate stack power sharing cabling, so that if a power supply fails in any switch, operation continues with the other switches feeding power to the affected switch while the failed power supply is replaced.

Traditionally, edge switches act as L2 switches with multiple VLANs for various functions, with one VLAN designated as the management VLAN. These L2 switches are then managed via an IP address assigned to an interface in this management VLAN. Keeping management traffic in its own VLAN, rather than in a user VLAN, is what keeps the switch management plane out of direct reach of ordinary user ports.

In a single network closet environment, the edge switch / stack may itself use L3 functionality, so that inter-VLAN routing is handled by the switch. Or the L2 switch / stack is linked to a router or firewall, which provides the gateway routing functionality for inter-VLAN routing and for routing to and from the Internet or other branches or sites.

L3 switch functionality requires each VLAN to have an IP address (on a VLAN interface, often called an SVI) that acts as the gateway for the corresponding VLAN. As noted above, an L2 switch only needs an IP address on the management VLAN. On both L2 and L3 switches we first add all required VLAN IDs to the VLAN database on the switch for L2 functionality and assign the required ports to the corresponding VLAN IDs. On an L3 switch we then enable IP routing for inter-VLAN functionality and set up a default route pointing to the upstream router or firewall. Also on an L3 switch, each VLAN interface is given DHCP relay / DHCP helper address(es) pointing to the IP of the DHCP server(s) in the server VLAN. Certain VLANs will not have DHCP services, but most will. This functionality was explained in detail in the previous part.

L2 switches uplink to the L3 switch (core switch(es)), router or firewall via two or more links that are aggregated / teamed together using protocols and technologies such as LACP (Link Aggregation Control Protocol), LAG (Link Aggregation), Port-channel / EtherChannel, and vPC (Virtual PortChannel) / MC-LAG (Multi-Chassis LAG), for resiliency, increased bandwidth and load balancing of traffic across the multiple uplink ports.

A typical end node (PC, server, IoT device, security camera, IP phone etc.) is assigned a VLAN ID on the switch port to which it is connected. There is also the concept of two VLANs on the same port, typically used to connect an IP phone to the port with the PC on the desk daisy chained behind the phone. The IP phone can be thought of as containing a 3 port switch: one port is uplinked to the edge switch, one port is internally connected to the phone itself, and the third port is on the back of the phone (physically there are two ports on the back of the phone) to connect a PC, laptop or docking station. A printer, projector or similar can also be connected to the second port behind the phone.

A port with a single VLAN assigned to it (for a typical node as described above) is termed an untagged port, or access port, on that VLAN. If a PC is daisy chained behind the phone, the switch port can carry two VLANs, one for data / PC traffic and a second for voice / phone traffic. In small offices with no VLANs, both the IP phone and the PC may be placed in the same VLAN, and the port is then simply untagged on that VLAN. With two separate VLANs, the data VLAN is untagged and the voice VLAN is tagged. The phone's uplink port recognises the tagged voice VLAN frames, strips the tag and delivers them to the phone, while the untagged data VLAN frames are passed straight through to the PC. The PC, by default, does not process VLAN tags, but the phone does.

When connecting an IP phone, wireless AP or IP camera, the switch port also feeds power to the device using PoE.

The uplink(s) from the L2 switches to the core / L3 switches carry all the VLANs. To keep the VLANs segregated and identifiable at both ends, the switches add a VLAN tag (an 802.1Q header carrying the VLAN ID) to each frame when it crosses the single uplink port. Either all VLANs are tagged, or exactly one VLAN is untagged and all others are tagged, so that the VLAN of every frame can be identified and processed at each end. The untagged VLAN on an uplink is called the native VLAN. In many setups the native VLAN is simply VLAN 1. For security reasons VLAN 1 is often left unused (it cannot be deleted, being the default / parking VLAN on switches), and a dummy VLAN or the management VLAN is configured as the native VLAN instead; an unused dummy VLAN is the safer choice, since native VLAN traffic crosses the link untagged. The native VLAN must match at both ends of the link: with a mismatch, untagged frames leaving one side are accepted into the other side's native VLAN, silently merging two different VLANs.
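The tagged / untagged behaviour described for the phone port and for the native VLAN on trunks can be seen in the frames themselves. The following is an added example, not code from the original tutorial: it parses 802.1Q tags from hand-built Ethernet frames and classifies each frame the way a switch port would (untagged goes to the native VLAN, tagged goes to its VID if the port allows it, anything else is dropped). The MAC addresses, VLAN numbers and payloads are constructed sample data.

```python
# Added example, not from the original tutorial: how a switch port
# classifies incoming frames as tagged or untagged, and what happens to
# frames on a trunk with a native VLAN. Frames are built by hand here
# (constructed sample data); VLAN numbers are made up for illustration.
import struct

TPID_8021Q = 0x8100   # EtherType that announces an 802.1Q tag
TPID_8021AD = 0x88A8  # service tag TPID used for stacked (QinQ) tags
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, the ordered list of VLAN tags
    (outermost first, possibly empty), the real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        # Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst: str, src: str, payload: bytes, vids=(), pcp=0) -> bytes:
    """Build a frame with zero or more 802.1Q tags (outermost first)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        tci = (pcp << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def classify(frame: bytes, allowed: set, native_vlan: int):
    """Decide which VLAN a frame entering a port belongs to, the way a
    switch does on a trunk / phone port: untagged frames go to the
    native (untagged) VLAN, tagged frames go to their VID if the port
    allows that VID, everything else is dropped. Returns (vid, reason).
    Only the outermost tag is consulted, which is why a native VLAN
    mismatch between the two ends of a trunk silently merges two VLANs."""
    info = parse_frame(frame)
    if not info["tags"]:
        return native_vlan, "untagged, placed in native VLAN"
    vid = info["tags"][0]["vid"]
    if vid == 0:  # priority-tagged: carries PCP only, no VLAN membership
        return native_vlan, "priority tagged (VID 0), placed in native VLAN"
    if vid not in allowed:
        return None, "VID %d not allowed on this port, dropped" % vid
    return vid, "tagged, placed in VID %d" % vid


# Constructed phone + PC port: data VLAN 10 untagged (native), voice VLAN 20 tagged.
PHONE_PORT_ALLOWED, PHONE_PORT_NATIVE = {10, 20}, 10
PC_FRAME = build_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:01", b"pc-data")
PHONE_FRAME = build_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:02", b"rtp", vids=(20,), pcp=5)
ROGUE_FRAME = build_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:03", b"x", vids=(30,))

if __name__ == "__main__":
    for name, f in (("PC", PC_FRAME), ("phone", PHONE_FRAME), ("rogue", ROGUE_FRAME)):
        print(name, classify(f, PHONE_PORT_ALLOWED, PHONE_PORT_NATIVE))
```

Running it shows the PC's untagged frame landing in VLAN 10, the phone's tagged frame in VLAN 20, and the frame tagged with a VLAN the port does not carry being dropped. The parser also handles stacked tags, which is what you would see on a QinQ service provider link.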

L3 switches can also uplink to firewalls or other routers via a routed port-channel / LACP. Core switches and firewalls are generally set up in a redundant pair, called a High Availability (HA) pair, so that the failure of one causes the other to take over without noticeable service interruption.

Wireless access points (wireless APs or WAPs) are like wireless hubs that consolidate many connecting Wi-Fi clients and uplink them to the edge switch via a wired uplink. Many wireless APs are managed and controlled by a wireless LAN controller (WLC), and these WLCs may be HA paired in larger businesses. Some WAPs keep working if their single WLC goes down, but some services may be impacted, such as guest services, bandwidth management, interference mitigation, intrusion prevention, seamless roaming, and visibility and control of wireless users. A failed WLC is therefore generally replaced or repaired within a day or two to restore full service. Also, if a power failure reboots the WAPs while the WLC is down, they may not come back online until they can register with the WLC again.

Routers are installed to interface with ISP WAN circuits linking to datacentres and multiple branches over private ISP WAN circuits such as MPLS. Routers can also terminate site to site and multi-site VPN tunnels over the Internet. Newer routers also support SD-WAN (Software Defined WAN), where an MPLS circuit and an Internet circuit, or two or more Internet circuits from different ISPs, are aggregated, with traffic steered across them according to traffic classification, business priorities, and the health, cost and bandwidth capacity of each circuit.

Routers can also act as a simplified firewall using NAT. NAT (Network Address Translation) shields private devices from direct Internet exposure by masquerading their sessions behind the router / firewall WAN side IP address(es). All traffic from inside devices destined for the Internet is intercepted and rewritten to come from the public IP address assigned by the ISP, so Internet servers see the traffic coming from that public IP and not from the individual private IP devices behind the firewall or router. Replies are matched against the translation table and sent back to the originating private device; an inbound packet that matches no existing translation has nowhere to go and is dropped. Note that this protection is a side effect of the translation state, not a security policy: NAT does not inspect or filter the outbound traffic at all, which is what a real firewall adds.
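To make the masquerading mechanism concrete, here is an added example, not code from the original tutorial, that models the source NAT table a router keeps: outbound packets from inside hosts are rewritten to the public IP with a per-session public port, replies are mapped back through the same table, and an inbound packet with no matching entry is dropped. The IP addresses and ports are made up (documentation ranges) and nothing is sent on the wire.

```python
# Added example, not from the original tutorial: a minimal model of the
# source NAT (masquerading) table a router or firewall keeps for outbound
# sessions, showing why inside hosts are hidden and why unsolicited
# inbound packets have nowhere to go. All addresses and ports are made
# up (documentation ranges) and nothing is sent on the wire.
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One direction of a session, as seen in a packet header."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradeNAT:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # inside (src ip, src port, dst ip, dst port) -> public port chosen for it
        self.outbound = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound = {}

    def translate_outbound(self, flow: Flow) -> Flow:
        """Rewrite an inside host's packet so it appears to come from the
        public IP. The same session keeps the same public port."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[(port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, port, flow.dst_ip, flow.dst_port)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Reverse the translation for a packet arriving from the Internet.
        Returns None when no session matches: that is the 'shielding'
        the text describes, a side effect of missing state rather than
        a policy decision."""
        if flow.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((flow.dst_port, flow.src_ip, flow.src_port))
        if inside is None:
            return None
        return Flow(flow.src_ip, flow.src_port, inside[0], inside[1])


# Constructed scenario: two inside hosts using the same local port talk
# to the same web server, so the public port is what tells them apart.
nat = MasqueradeNAT(public_ip="198.51.100.1")
HOST_A = Flow("192.168.1.10", 40000, "203.0.113.5", 443)
HOST_B = Flow("192.168.1.11", 40000, "203.0.113.5", 443)


def demo():
    out_a = nat.translate_outbound(HOST_A)
    out_b = nat.translate_outbound(HOST_B)
    # the server's reply to host B's translated port finds its way back
    reply_b = nat.translate_inbound(Flow("203.0.113.5", 443, "198.51.100.1", out_b.src_port))
    # an unsolicited connection attempt to the public IP matches nothing
    unsolicited = nat.translate_inbound(Flow("203.0.113.99", 5555, "198.51.100.1", 22))
    return out_a, out_b, reply_b, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Real implementations also track protocol state (TCP handshake, timeouts) and age entries out; this model keeps entries forever to keep the translation logic visible. The point to take away is that the "firewalling" effect exists only for inbound traffic and only because no state matches, so a router doing NAT alone still needs a policy layer in front of anything it exposes.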

Firewalls act like routers but add security policy features such as web filtering, intrusion prevention, anti-virus, anti-spam email filtering, encrypted traffic / SSL inspection, DNS filtering, application inspection, web application firewalling and similar functionality. Conversely, some routers offer specialised routing features for large businesses and ISP / service provider networks that firewalls do not have.

Servers and special-purpose network appliances are generally connected directly to the core switches.

In very large campus networks with many buildings, we find intermediate distribution switches. These are L3 switches with fiber terminations that connect the edge switches in a building or area, consolidate their traffic, and then uplink to the core via L3 links. In such designs VLANs normally terminate at the distribution switch and do not span to other distribution switches or across the core.

Where the same VLAN must span multiple buildings, technologies that bridge L2 VLANs through L3 infrastructure, such as VxLAN, are used. More typically, though, such technologies are found in large service provider datacentres that serve multiple customers (multi-tenancy). One customer may be assigned servers (virtual machines, VMs, or virtual private servers, VPS) spread across different racks served by different L2/L3 switch combinations, and that customer will need its servers to be in the same VLAN. Each customer's VLANs are isolated from every other customer by encapsulating their traffic and identifying it with a VxLAN Network Identifier (VNI): each VLAN is mapped to a VNI, and all of a tenant's VNIs belong to that tenant's own virtual network, separate from other tenants. VxLAN carries these encapsulated tunnels (UDP port 4789) over the service provider's underlay IP network, and the tunnels form the overlay network that bridges the traffic across. Each datacenter rack, holding many physical servers (blade servers in large chassis) each running many VMs or VPS, is served by a top of rack (TOR) L3 switch termed a leaf switch, which acts as the VTEP (VxLAN Tunnel End Point). The leaf switch in a service provider datacenter is thus the equivalent of an edge switch in a business / enterprise, and the leaf switches uplink to spine switches (similar to the core switches in a business).

To reduce traffic between VTEPs / leaf switches, the concept of an anycast gateway is used. Anycast allows the exact same VLAN gateway IP address, with the same associated MAC address, to be configured on every VTEP in the datacenter. This way a server belonging to tenant A always finds its gateway on its local leaf when going out to the Internet or to another VLAN, instead of having to traverse the fabric to the one VTEP that holds the VLAN gateway IP address. Together with the host reachability information shared between the leaves, this also reduces ARP traffic and other broadcast, unknown unicast and multicast (BUM) traffic. The location of every node attached to a VLAN on any rack in the datacentre is learned by the VTEPs sharing that information via a specialised dynamic routing protocol extension, MP-BGP with the EVPN address family. We won't go into further detail on this topic, as the scope of this tutorial is to provide enough knowledge to get you started; you can then do further research to satisfy your project or work requirements.
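The encapsulation step a VTEP performs is simple enough to show at the byte level. The following is an added example, not code from the original tutorial: a leaf wraps a tenant frame from a local VLAN in the 8-byte VxLAN header carrying the VNI, and the receiving leaf strips it and hands the frame to whatever local VLAN that VNI maps to, dropping VNIs it does not carry. Only the VxLAN header is modelled; the outer IP and UDP headers (destination port 4789) that carry it across the underlay are not constructed, and the VLAN and VNI numbers are made up.

```python
# Added example, not from the original tutorial: what a VTEP (leaf switch)
# does to a tenant frame at the packet level. An inner Ethernet frame from
# a local VLAN is wrapped in an 8-byte VxLAN header that carries the VNI;
# the remote VTEP strips the header and hands the frame to the VLAN that
# VNI maps to. Only the VxLAN header is modelled here; the outer IP and
# UDP headers (destination port 4789) are not built. VLAN and VNI numbers
# are made up for illustration.
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08     # "VNI valid" flag, the only flag RFC 7348 defines


def vxlan_encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the VxLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(packet: bytes):
    """Return (vni, inner_frame); reject packets without the I flag."""
    if len(packet) < 8:
        raise ValueError("truncated VxLAN header")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VxLAN I flag not set, VNI not valid")
    return vni_field >> 8, packet[8:]


class Vtep:
    """One leaf's mapping between local VLAN IDs and VNIs (one L2 VNI per VLAN)."""

    def __init__(self, vlan_to_vni: dict):
        self.vlan_to_vni = dict(vlan_to_vni)
        self.vni_to_vlan = {vni: vlan for vlan, vni in vlan_to_vni.items()}

    def to_fabric(self, vlan: int, frame: bytes) -> bytes:
        """Frame received on a local access port in `vlan`, headed to a
        remote rack: pick the VNI for that VLAN and encapsulate."""
        return vxlan_encapsulate(frame, self.vlan_to_vni[vlan])

    def from_fabric(self, packet: bytes):
        """Packet arriving from a remote VTEP: decapsulate and return
        (local vlan, frame), or None if this leaf does not carry that VNI.
        Dropping unknown VNIs is what keeps one tenant's traffic from
        leaking into another tenant's VLAN on this rack."""
        vni, frame = vxlan_decapsulate(packet)
        vlan = self.vni_to_vlan.get(vni)
        if vlan is None:
            return None
        return vlan, frame


# Constructed sample: tenant A uses VLAN 10 -> VNI 10010 on both leaves,
# while leaf 2 additionally carries tenant B's VLAN 20 -> VNI 10020.
LEAF1 = Vtep({10: 10010})
LEAF2 = Vtep({10: 10010, 20: 10020})
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("aabbcc000001")
                + b"\x08\x00" + b"payload")

if __name__ == "__main__":
    pkt = LEAF1.to_fabric(10, SAMPLE_FRAME)
    print("VxLAN header:", pkt[:8].hex())
    print("leaf2 delivers to:", LEAF2.from_fabric(pkt))
    print("leaf1 gets tenant B:", LEAF1.from_fabric(LEAF2.to_fabric(20, SAMPLE_FRAME)))
```

Note that the VxLAN header itself carries no authentication: isolation between tenants rests entirely on the VTEPs' VNI mappings and on the underlay only being reachable by trusted VTEPs, which is why the underlay network is kept separate from any tenant-reachable network.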

We will continue this series on networking in subsequent parts and come back to networking configuration in Linux, along with some sample configurations of typical network switches.