Intro to Network Chapter 7: Network Architecture
automatically retrieved from elsewhere in the SAN
If one storage device within a SAN suffers a fault, data is
reasonably possible
In a typical SAN, specialized SAN devices contain multiple storage drives and are designed to make data available to a network of servers. With multiple connections and clusters of storage devices arranged in RAID (Redundant Array of Independent Disks) arrays, this type of architecture is as fault tolerant as
spine
Instead of using three layers, newer networks collapse the core and distribution layers into one layer called the
cabling overall and provides increased flexibility in the network design.
Keeping the bulk of a network's cabling within the rack for very short connections means the network requires less
specialized storage area network connected to their corporate network
Large enterprises that require fast access to data and large amounts of storage often have a
access layer
Layer that consists of workgroup switches connected directly to hosts such as servers, printers, and workstations
defense in depth
Layers of security implemented to protect a network from multiple attack vectors.
difficult to manage when you have dozens of servers
Making space on every server device to maximize its storage is not only bulky in your space-limited racks, but it's also
north-south traffic
Messages that must leave the local segment to reach their destinations.
If someone connects a hub to two unsecured switch ports, the hub creates a loop that generates a broadcast storm. Other ways a loop can be created include connecting both ports on a VoIP phone to the network, or connecting a computer through both a wired and a wireless network connection at once. Controlling who can connect what device to a switch's port can help prevent this type of attack.
Name two ways a switching loop, and the broadcast storm it causes, can be created
RSTP (Rapid Spanning Tree Protocol)
TRILL (Transparent Interconnection of Lots of Links)
SPB (Shortest Path Bridging)
MSTP (Multiple Spanning Tree Protocol)
Newer technologies to improve on or replace STP include the following:
middleman between network applications and network hardware to ensure the network can best support the needs of those applications.
Notice the SDN controller serves as the
a security violation occurs. By default the switch shuts down the port (placing it in an error-disabled state); alternatively it can be configured to restrict traffic from the rogue device while continuing to serve the approved devices, and to generate a notification (log message or trap) to the network administrator.
Once the MAC address table is full, if another device tries to connect to the port,
traffic destined for nearby nodes can be handled differently and more efficiently than traffic that must traverse longer paths to its destination.
One of the advantages of this three-tier design is that
Root guard
Prevents switches beyond the configured port from becoming the root bridge.
broadcast storm
Redundant broadcast transmissions that flood a network in switching loops that are not limited by some protective system such as STP (Spanning Tree Protocol).
extremely fast
SANs are not only extremely fault tolerant, but they are also
functions of network devices into different layers, or planes, and then relocates those planes in ways that make network management more effective
SDN abstracts the
disaggregation
SDN relies on a form of abstraction called
Step 1: Select the root bridge. STP chooses a central point, the root bridge, for path calculations. All bridges start with the same priority; the one with the lowest MAC address becomes the default root bridge.
Step 2: Determine least-cost paths. STP looks at all possible paths from each bridge to the root bridge and selects the most efficient path (least-cost path) for each bridge. Each bridge is allowed only one root port, the port closest to the root bridge, for forwarding frames in that direction.
Step 3: Disable unnecessary links. STP disables unnecessary links to create a single shortest path. Only the lowest-cost port on each link between two bridges (the designated port) is enabled for transmitting network traffic. Other ports can still receive STP updates for potential future changes.
So how does STP select and enforce switching paths on a network? Consider the following process:
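The three steps above, and the broadcast storm they prevent (the loop/storm cards elsewhere in this set), worked through on a small constructed topology. This is an added example for the flashcard set, not code from the textbook: the bridge names, priorities, MAC addresses, link costs and the four-switch topology are all made up for illustration, and the model deliberately ignores the BPDU exchange and port-ID tie-breaking that a real 802.1D switch uses.

```python
"""Toy 802.1D STP computation plus a broadcast-storm demonstration.

Added example (not from the textbook). Bridge IDs, MAC addresses, link
costs and the topology below are constructed for illustration. Real STP
also breaks ties on port ID and converges via BPDU exchange; this model
only reproduces the three steps: root election, least-cost paths, and
blocking the redundant links.
"""
import heapq
from collections import Counter

# Constructed topology: bridge -> (priority, MAC). Lowest (priority, MAC) wins.
BRIDGES = {
    "A": (32768, "00:00:00:00:00:0a"),
    "B": (32768, "00:00:00:00:00:0b"),
    "C": (32768, "00:00:00:00:00:0c"),
    "D": (32768, "00:00:00:00:00:0d"),
}
# Constructed links: (bridge, bridge, 802.1D path cost); 4 = 1 Gbps, 19 = 100 Mbps.
LINKS = [("A", "B", 4), ("A", "C", 4), ("B", "C", 4), ("B", "D", 19), ("C", "D", 4)]


def elect_root(bridges):
    """Step 1: the bridge with the lowest (priority, MAC) becomes the root."""
    return min(bridges, key=lambda b: bridges[b])


def root_path_costs(root, links):
    """Step 2: least-cost path from every bridge to the root (Dijkstra)."""
    adj = {}
    for u, v, cost in links:
        adj.setdefault(u, []).append((v, cost))
        adj.setdefault(v, []).append((u, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (dist[v], v))
    return dist


def port_roles(bridges, links):
    """Return (root, {(bridge, neighbor): role}) with role root/designated/blocked."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links)
    # Step 2 (cont.): each non-root bridge picks exactly one root port, the
    # neighbour giving the lowest total cost to the root; ties go to the
    # lower bridge ID.
    root_port = {}
    for b in bridges:
        if b == root:
            continue
        candidates = [(cost + rpc[n], bridges[n], n)
                      for u, v, cost in links for n in (u, v)
                      if b in (u, v) and n != b]
        root_port[b] = min(candidates)[2]
    # Step 3: on every link exactly one end is designated (lower root path
    # cost, then lower bridge ID). The other end is the root port if that is
    # the bridge's best path to the root, otherwise it is blocked.
    roles = {}
    for u, v, _ in links:
        designated = min((u, v), key=lambda b: (rpc[b], bridges[b]))
        other = v if designated == u else u
        roles[(designated, other)] = "designated"
        roles[(other, designated)] = "root" if root_port.get(other) == designated else "blocked"
    return root, roles


def flood(links, roles, source, hops):
    """Count broadcast frame copies in flight after each hop. Bridges flood a
    frame out of every forwarding port except the one it arrived on, and a
    frame sent to or from a blocked port is dropped. With no blocked ports
    (roles == {}) the loop multiplies frames forever: a broadcast storm."""
    ports = {}
    for u, v, _ in links:
        ports.setdefault(u, []).append(v)
        ports.setdefault(v, []).append(u)

    def forwarding(b, n):
        return roles.get((b, n), "designated") != "blocked"

    in_flight = Counter({(source, None): 1})   # (bridge holding frame, arrived from)
    per_hop = []
    for _ in range(hops):
        nxt = Counter()
        for (b, came_from), count in in_flight.items():
            for n in ports[b]:
                if n != came_from and forwarding(b, n) and forwarding(n, b):
                    nxt[(n, b)] += count
        per_hop.append(sum(nxt.values()))
        in_flight = nxt
    return per_hop


if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    print("blocked ports:", sorted(p for p, r in roles.items() if r == "blocked"))
    print("storm, no STP :", flood(LINKS, {}, "A", 6))
    print("with STP      :", flood(LINKS, roles, "A", 6))
```

With every switch at the default priority, A wins on MAC address, B and C use their direct links to A, D reaches the root through C, and STP blocks C's port toward B and D's port toward B. Without those two blocked ports a single broadcast from A keeps multiplying around the loops; with them the flood dies out after two hops. Lowering B's priority (as an administrator would to pin the root) makes B the root instead, and removing a link lets the same computation produce a new loop-free tree.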
servers and other host devices
Spine switches on the backbone connect in a mesh topology with all leaf switches (but not with each other), and leaf switches connect with
multiple, or redundant, switches at critical junctures
Suppose you design a larger network with several interconnected switches. To make the network more fault tolerant, you install
SATA (Serial Advanced Technology Attachment) cable, between your computer's hard drive and its CPU.
That data travels a very short distance in SANs, probably over a
more MAC addresses per port with the "allowed-mac" command
The MAC table allows only one MAC address to be active on the port; however, a network administrator can allow
APIs defined by an SDN protocol such as the popular and open source OpenFlow.
The SDN controller communicates with the infrastructure plane using
learning the port's approved MAC address so that an attacker can spoof that address.
The biggest weakness of port security is that an attacker who has learned a port's approved MAC address can spoof that address; the main challenge is therefore
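A small model of the port-security behaviour described in the cards above: a per-port MAC limit, dynamic (sticky) learning until the table is full, the protect/restrict/shutdown responses to a violation, a MAC-flooding attacker, and the spoofing weakness just noted. This is an added example for the flashcard set, not a switch's implementation or code from the textbook; the port names, MAC addresses and the `mac_flood` attacker are constructed for illustration.

```python
"""Toy model of switch port security (MAC limiting with violation modes).

Added example, not from the textbook. MAC addresses, port names and the
flooding attacker are constructed. The three modes mirror the
protect / restrict / shutdown behaviour described in the text; this is a
simulation of that behaviour, not a vendor's implementation.
"""
from dataclasses import dataclass, field
import random


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1                  # default: one active MAC per port
    mode: str = "shutdown"             # protect | restrict | shutdown
    allowed: set = field(default_factory=set)   # static or learned (sticky) MACs
    sticky: bool = True                # learn dynamically until the table is full
    violations: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)

    def receive(self, src_mac):
        """Handle one incoming frame; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                       # port was shut down by a violation
        if src_mac in self.allowed:
            return True                        # approved address (or a spoof of it)
        if self.sticky and len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)          # learn until the table is full
            return True
        return self._violation(src_mac)

    def _violation(self, src_mac):
        """Table is full and the MAC is unknown: apply the configured mode."""
        self.violations += 1
        if self.mode == "protect":
            return False                       # drop silently, no notification
        self.notifications.append(f"{self.name}: port-security violation from {src_mac}")
        if self.mode == "shutdown":
            self.err_disabled = True           # port goes error-disabled
        return False                           # restrict: drop, but port stays up


def mac_flood(port, count, seed=7):
    """Constructed MAC-flooding attacker: send `count` frames with random
    locally administered (02:...) source MACs; return how many were forwarded."""
    rng = random.Random(seed)
    forwarded = 0
    for _ in range(count):
        mac = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        if port.receive(mac):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    legit = "00:11:22:33:44:55"                # constructed approved host
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(f"Gi1/0/{mode}", mode=mode)
        port.receive(legit)                    # first frame is learned
        sent = mac_flood(port, 1000)
        print(mode, "forwarded", sent, "violations", port.violations,
              "notifications", len(port.notifications), "err-disabled", port.err_disabled,
              "legit still works", port.receive(legit))
    # The weakness: a spoofed approved MAC passes regardless of mode.
    spoof = SecurePort("Gi1/0/8", mode="shutdown", allowed={legit}, sticky=False)
    print("spoofed approved MAC forwarded:", spoof.receive(legit))
```

In protect mode the flood is dropped with no trace; restrict drops it but records a notification per offending frame while the legitimate host keeps working; shutdown takes the whole port down on the first bad frame, so the legitimate host loses connectivity too (the denial-of-service trade-off of that mode). Raising `max_macs` to 2 is the model's equivalent of allowing a phone plus the PC behind it. None of the modes help once the attacker simply sends from the approved address.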
layer 2 switches
The features of layer 3 and layer 4 switches vary widely depending on the manufacturer and price point, and they can cost significantly more than
calculating paths that avoid potential loops and by artificially blocking the links that would complete a loop. In addition, STP can adapt to changes in the network. For instance, if a switch is removed, STP will recalculate the best loop-free data paths between the remaining switches.
The first iteration of STP, defined in IEEE standard 802.1D, functions at the data link layer. It prevents traffic loops, also called switching loops, by
east-west traffic
The flow of traffic between peers within a network segment.
Control plane
The process of decision making, such as routing, blocking, and forwarding, that is performed by protocols. This plane is the network's brain (its intelligence): it handles the decision-making processes.
multipathing
The provision of multiple connections between servers and storage devices in a SAN (storage area network) to ensure quick failover and high-performance load balancing.
root bridge
The single bridge on a network selected by STP (Spanning Tree Protocol) to provide the basis for all subsequent path calculations.
Improved redundancy: every leaf switch is connected to multiple (or perhaps all) spine switches in a full mesh topology, which provides redundant connections in case one link fails.
Decreased latency: because each leaf switch is connected to every spine switch, traffic takes fewer hops.
Increased performance: newer path management technologies such as TRILL and SPB take advantage of the redundant links to increase performance and redundancy without creating problematic switching loops.
Improved scalability: the number of available and usable paths for messages across the network improves scalability, so the network can support larger numbers of host devices without overwhelming network pathways.
Increased security: a spine-and-leaf architecture allows for security inspection of all traffic, including east-west traffic flows.
Reduced expense: spine-and-leaf hardware is generally less expensive.
The spine-and-leaf design also provides many benefits over the older, three-tiered architecture:
to create more nuanced rules specific to its network's needs.
The switch simply compares each incoming message to its list of rules from the controller, and it sends the message on its way. If a message doesn't match one of the switch's preconfigured rules, the switch can send the message to the SDN controller for further analysis. This level of insight allows the SDN controller to
Redundancy (if one switch suffers a power supply failure, traffic can reroute through a second switch.)
The use of more than one identical component, device, or connection for storing, processing, or transporting data.
EoR (end of row) switching
This approach requires fewer switches (and, therefore, fewer hops for much of the network's traffic) and less rack space, but more cabling and more work at cable management.
core layer
This layer is considered the center, or backbone, of the network?
FCoE (Fibre Channel over Ethernet)
This preserves much of the higher speed capabilities of FC, along with the convenience and cost-efficiency of using existing Ethernet network equipment
STP (Spanning Tree Protocol)
To eliminate the possibility of this and other types of traffic loops, this protocol was created:
FC (Fibre Channel)
FCoE (Fibre Channel over Ethernet)
iSCSI (Internet SCSI)
IB (InfiniBand)
To maximize throughput, SANs rely on one of these networking technologies:
abstracted to an SDN controller, which remotely manages networking devices.
Traditionally, the infrastructure plane and the control plane co-exist on the same device. With SDN, the control plane is
east-west traffic
Traffic from the web server requesting information from a database server within the same data center is what kind of traffic?
ToR (top of rack) switching
EoR (end of row) switching
Two rack architectures include the following:
connect leaf switches to spine switches
Very short cable runs make very high-speed cables—supporting 10 GbE (Gigabit Ethernet) or even 40 GbE or 100 GbE—an affordable option to
manage network devices from multiple manufacturers; obtaining consistent management techniques across the network creates the potential to implement more sophisticated network functions while using less expensive devices. SDN can also generate more complex rules for managing traffic, such as tables within tables or condition-dependent rules.
While SDN does increase complexity, it also increases performance and efficiency. SDN can often be used to
SSH, Telnet, SNMP (Simple Network Management Protocol), and even HTTP for web-based user interfaces.
While not a typical layer for network communication, this plane could be considered a part of the control plane. The management plane allows network administrators to remotely manage network devices, monitor those devices, and analyze data collected about the devices. Protocols in this plane include
SAN (storage area network)
a distinct network of storage devices that communicate directly with each other and with other portions of the network
TRILL (Transparent Interconnection of Lots of Links)
a multipath, link-state protocol developed by the IETF.
MSTP (Multiple Spanning Tree Protocol)
RSTP (Rapid Spanning Tree Protocol)
can detect and correct for link failures in milliseconds.
Controlling who can connect what device to a switch's port
connecting both ports on a VoIP phone to the network, or possibly connecting a computer through both a wired and wireless network connection. What can prevent this?
Switches
designed to offer lots of ports through which devices can access a network by sending and receiving messages
SPB (Shortest Path Bridging)
differs from earlier iterations of STP in that it keeps all potential paths active while managing the flow of data across those paths to prevent loops. By utilizing all network paths, SPB greatly improves network performance.
The level of support for network virtualization tools
The number of switches the SDN controller can support
Its ability to function across a WAN connection
The way the SDN solution scales as your network grows
The types of security filtering offered
The ability to provide centralized monitoring of all physical and virtual portions of the network
Key differences between SDN controllers from different manufacturers include the following:
Layer 3 switch
less expensive than routers and are designed to work on large LANs, providing faster layer 3 traffic management within the confines of a known network architecture.
flood guard
Monitors network traffic at one-second intervals to determine whether traffic levels are within acceptable thresholds; a type of flood guard.
provide network technicians with more centralized control of network settings and management.
one of the primary advantages to separating the control plane from the data plane is to
Cisco command (which is also used on Arista devices) to secure switch access ports is switchport port-security
protects against MAC flooding
disaggregation
separating into pieces all the functions of a system so each piece can be handled by separate devices
mac-limit command
This command restricts the number of MAC addresses allowed in the MAC address table on Juniper switches.
core layer
this layer is considered the simplest layer and doesn't need switches with lots of ports. These switches simply need to pass traffic in and out of a few backbone ports as quickly as possible. These switches nearly always function primarily at OSI layer 3.
application layer
you might install an analytics application that monitors network traffic for signs of a security breach. The application plane corresponds to OSI's
SDN (software-defined networking)
A centralized approach to networking that removes most of the decision-making power from network devices and instead handles that responsibility at a software level.
load balancer
A device that distributes traffic intelligently among multiple devices or connections.
core layer
A group of highly efficient multilayer switches or routers that support the network's backbone traffic.
distribution layer
A highly redundant mesh of connections between multilayer switches or routers that provides routing within the corporate network as well as traffic filtering and the network's connection to one or more WANs
traffic loops, which cause a broadcast storm: the high traffic volume will severely impair network performance or possibly disable the network entirely.
A potential problem with the network shown has to do with
SDN controller
A product that integrates configuration and management control of all network devices, both physical and virtual, into one cohesive system that is overseen by the network administrator through a single dashboard. It can even make configuration changes automatically in response to changing network conditions.
EoR (end of row) switching
A rack architecture in which switches in a rack at the end of the row serve as the connection points to the network for all other devices in the row.
ToR (top of rack) switching
A rack architecture where one switch on each rack serves as the connection point to the network for all other devices on the rack.
branch offices
A remote location within the corporation's network that is often connected over a WAN link or the open Internet.
FC (Fibre Channel)
A storage networking architecture that runs separately from Ethernet networks to maximize speed of data storage and access.
Layer 3 switch
A switch capable of interpreting layer 3 data and works much like a router in that it supports the same routing protocols and makes routing decisions.
Layer 4 switch
A switch capable of interpreting layer 4 data, which means it can perform advanced filtering, keep statistics, and provide security functions.
Managed switches
A switch that can be configured via a command-line interface or a web-based management GUI, and sometimes can be configured in groups.
unmanaged switch
A switch that provides plug-and-play simplicity with minimal configuration options and has no IP address assigned to it.
STP (Spanning Tree Protocol)
A switching protocol defined by the IEEE standard 802.1D that functions at the data link layer and prevents traffic loops by artificially blocking the links that would complete a loop.
FCoE (Fibre Channel over Ethernet)
A technology that allows FC to travel over Ethernet hardware and connections.
iSCSI (Internet SCSI)
A transport layer protocol used by SANs that runs on top of TCP to allow fast transmission over LANs, WANs, and the Internet.
spine-and-leaf architecture
A two-layer network architectural design where spine switches organize traffic and network segments using OSI layer 3 technologies while leaf switches manage traffic by either layer 2 or layer 3 principles.
BPDUs (Bridge Protocol Data Units)
A type of network message that transmits STP information between switches.
MAC address table (configured either manually or dynamically)
Acceptable MAC addresses are stored in a
OSI layer 2 technologies.
Access switches typically organize traffic according to
fiber-optic cable is much more commonly used
Although FC can run over copper cables,
Application plane
An SDN (software-defined networking) construct corresponding to the OSI model's application layer where network applications communicate with the network via APIs (application programming interfaces).
data plane
An SDN (software-defined networking) construct made up of the physical or virtual devices (switches, routers, firewalls, and load balancers) that receive and send network messages on their way to their destinations. Also called the infrastructure plane. This is the plane where bits cross interfaces to forward data on to its destination.
Management plane
An SDN (software-defined networking) construct sometimes considered part of the control plane that allows network administrators to remotely manage and monitor network devices.
shutdown command (This will prevent an attacker from plugging into an unused port to conduct their attack)
As a first layer of switch port security, unused physical and virtual ports on switches and other network devices should be disabled until needed. You can do this on Cisco, Huawei, and Arista routers and switches with the
flexible and responsive network path management
As you read about SDN, you learned that the control function of switches can be abstracted away from the switches and handled by a controller. This centralized, or consolidated, control allows for more
extensive training for IT personnel to support it
Besides being expensive, Fibre Channel requires
BPDU guard
Blocks BPDUs on any port serving network hosts, such as workstations and servers, and thereby ensures these devices aren't considered as possible paths. This enhances security by preventing a rogue switch or computer connected to one of these ports from hijacking the network's STP paths.
switchport port-security (command)
Cisco command (which is also used on Arista devices) to secure switch access ports is
SBI (southbound interface)
Communication between the SDN controller and network devices is called an
give an attacker easy and trusted access to your entire network
Depending on how the switch's port, or interface, is configured, this simple vulnerability could
BPDU filter (you might use a BPDU filter on the demarc, where the ISP's service connects with a business's network, to prevent the ISP's WAN topology from mixing with the corporate network's topology for the purpose of plotting STP paths.)
Disables STP on specific ports
contain dozens or hundreds of switches (many of which also function at higher OSI layers), many routers, servers, and firewalls, to increase performance and to better protect the network from problems if one or more devices fail.
Enterprise-grade networks might contain many of these things and for what purpose?
MoR (middle of row) switching
A variation of EoR switching: where EoR places several leaf switches in a rack at the end of each row of racks, MoR places them in a rack in the middle of each row.
A hierarchical network design that organizes switches and routers into three tiers: access layer or edge layer, distribution layer or aggregation layer, and core layer. This design increases both redundancy on the network and network performance.
Explain what a three-tiered architecture is and what it accomplishes. What tiers does it have?
encapsulated inside an FCoE frame, which is then encapsulated inside an Ethernet frame
FCoE (Fibre Channel over Ethernet) is a newer technology that allows FC to travel over Ethernet hardware and connections. To do this, the FC frame is
expensive storage connection technology
Fibre Channel requires special hardware, which makes it an