My name is Ken Mayer, and I'm going to be your instructor for this course. I want to talk a little bit about my history and experience with a lot of different routing and switching companies. It's really been over two decades. Plus, you know, before this whole world of Cisco came along, I was doing some other things in the high-tech industry. But I've had the opportunity to watch and grow with companies like Cisco, other companies, competitors that I won't mention here as well, which has given me the skills I need to be able to work with an enterprise, whether it's small, medium or large. And also in the last, oh, probably 10 years, I've had the opportunity to work with a lot of internet service providers and cellular phone providers, and to be able, fortunately, to travel around the world to facilitate not only training, but also consulting. So when it comes to Cisco, of course, I work with routing and switching. I do work with security, voice over IP, service provider routing as well, and probably some other things that I can't even remember. And I do many of those things with other organizations. Now, one of the things that's really great is that a lot of the different types of protocols that we're going to talk about are open standards, which means that once you understand those quite thoroughly, you can work with almost any provider. It's just a matter of learning the command line. So let's hope that I can do both of those for you during this course: that you'll be familiar and comfortable with the command lines, and that you have a good understanding of the protocols and the processes, so you understand what it is that you're looking for. And that's kind of my goal: to make sure that you are going to be better at not only working with Cisco's equipment, but, again, having a better understanding of why we implement some of the different types of configurations that we do.
Now, in this module, we're going to talk about network design. And what we're going to do is kind of look at the theory, some hierarchical models, some ideas that help you not just, you know, put a bunch of switches into the closet, wire everything together and call it good. We want to talk about the reasons why we make different choices and how those choices can help you in improving network communications, to be able to help you with scalability or future growth. And we're going to take a look at some of the operations that switches go through in how they forward packets or frames, based on whether or not we're going to be using IP addresses to make decisions or whether they're going to be using MAC addresses. So, yes, our conversation is going to be centric to Ethernet networks. We're not going to talk about any other type of Layer 2 encapsulation model. So that's our focus, and that's what we're going to discuss and show you. We'll give you some demonstrations of some of the command lines that we use to be able to, if anything, just verify that switching is working the way we intended it to. So we're going to introduce and discuss this whole thing called the Cisco hierarchical model. It's a model that's been around for a while, although over time it has, you know, changed a bit to address other issues, some of which, like security, I'll talk about. But when we look at the hierarchical model, what we're going to do is discuss the problems that we have with what we call a flat network. Now, a flat network just simply means that all of your endpoints, the printers, your wireless access points, your laptops, your BYOD (bring your own device) computers, desktops, servers, are all on the same subnet, basically, what we would normally call the same broadcast domain.
And the problem that we have is that, I mean, you can certainly add more to it, but as you add more and more devices into this flat network, you'll see that you really don't have the scalability you want because of the thing called a broadcast storm. And I'll try to diagram that and make sure we all understand that. And then that's where we're going to move to the Cisco hierarchical network, where we'll talk about things like the access layer, the distribution layer, and the core layer, so that you have a good understanding of the benefits that we have, even if you don't think future growth is in the future. Boy, does that sound somewhat redundant? Anyway, let's hope that it is. For your company, for your organization, we always want to be able to think about growth, but we also want to think about application support. If you decide one day to start to converge your traffic and move from just data to voice over IP, or maybe to video, we're going to see some big problems when it comes to a flat network, and we're going to see how we can address those with the Cisco hierarchical network. So I'm going to build a flat network first, and whenever you see me put these little squares in, because I'm not going to take the time to put the little arrows in between each one, that's going to be representing a switch. In this case, a Layer 2 switch. By Layer 2, I mean it's going to make all of its forwarding decisions based on an Ethernet MAC address, the thing we call the burned-in address. And let me make some connections between these. Make sure we have some redundancies so we can cause loops without spanning tree. And you can imagine with all of these switches, whether you want to think that I'm drawing multiple floors or, you know, just where they are in the rack, whatever, the case here is that each one of these... I mean, at the low end, right, we have switches that are going to be 24 ports, maybe 48 ports.
And again, I'm talking about the low end of the product line. And if you think about all these endpoints that are connected to it, they are at least not sharing the bandwidth. These aren't hubs, so they all get their own, you know, gigabit Ethernet speed. Maybe it's 10 gigs between the switches, you know, we're trying to accommodate for aggregation. But once any one of these computers connected here sends a broadcast, that broadcast, by rule, is going to be flooded to every switch in the network, which means all these uplinks that you have are going to have their bandwidth basically used up by all of the broadcast traffic that is sent. And you start multiplying that number of broadcasts being flooded among all of the different computers, and all of the different computers or endpoints that are going to start or initiate these broadcasts. What we end up with here is what we call a broadcast storm. Now, broadcast storm just simply means that once a broadcast is sent, everybody within this area is going to be hearing that broadcast, whether it was meant for them or not. And so not only is it using these, what we would call trunk links between the switches, but it's also going to be eating up connectivity and communications for all the other endpoints. Now, technically, it's not just broadcast traffic that is going to be sent all over the place. We have to flood what's called BUM traffic, where the B stands for broadcast traffic, the one I just mentioned. But there's another type of traffic that switches have to flood. It's called the unknown unicast. That's when the destination MAC address doesn't exist in the switch's CAM table. So it has to send a flood out to try to help find that destination machine. And then, of course, there's multicast. So that's the BUM. I just like calling it BUM traffic. It sounds fun. All right.
So maybe in your network design, and this, by the way, would be the example of a flat network design, because we're all on the same broadcast domain. So when we look at this, you might say, well, right now it's controllable. Maybe you've decided through your own network analysis that this BUM traffic isn't causing you that much of a problem. But then I have to ask the question: what happens if you need to expand your network, if you need to expand and add more ports for the computers, the endpoints, to connect into? What's going to happen when we add that other switch? How much more broadcast traffic are we going to acquire? In other words, it's very difficult to grow your network when you have a flat network. So then comes the hierarchical design. And in the hierarchical design, I had mentioned three layers. I'm going to talk about each one in a little more detail as we go. But one of the ideas was, and this is how we originally looked at things, that when we had this flood or this broadcast storm coming in, one of the implementations we started using was some sort of Layer 3 device. So if I could replace this thing at the top with, let's say, a router, a router would create different broadcast domains. In other words, routers were not allowed to propagate a broadcast from one segment to another. Everything going through the router, with the exception of multicast, of course, had to be a unicast address so that we could control that propagation. But then we would have to redesign these connections that we have, like take away this little connection here, so that we're not circumventing the router by any means. We also used VLANs to help control broadcast traffic. But if you think about it, with a VLAN, where I might choose, let me again get rid of some of these other little lines, to connect these two, when we had VLANs, it was pretty much the same as having a router.
What I mean by that is that we might have created a smaller broadcast domain, and maybe there's another VLAN here for another broadcast domain, but we still had to have a Layer 3 device to be able to get from one VLAN to the other. In other words, it was no longer flat once you started implementing those types of solutions. And those solutions are very important because they also facilitated the eventual growth of your network. So when we start looking then at the hierarchical model, and like I said, I'll talk a little bit more about this, we're going to talk about having what we call the access layer. And at the access layer, depending on how you put it together, not all the switches are connected to each other in the access layer. But the access layer gets its name because that is the first point of access for most endpoint devices. So that means that in this access layer that I'll put down here, I can have my printers, my laptops, my smartphones, or other smart devices all making their first point of entry into this network. Let's see how good my Visio of a printer is there. And so if the traffic was local, all things were good. They could talk to each other off those local switches that they're all connected to. But the idea, whether I use VLANs or not, was to limit that broadcast traffic. I didn't want the broadcast traffic to still flood. And so often what we would do is move up to what we often call a distribution switch. Some people might call them a multi-layer switch. Multi-layer, right? That means that they can make forwarding decisions at Layer 2, MAC addresses, and they can make decisions on forwarding at Layer 3 with IP addresses. I'm creating what we call an EtherChannel, which comes later on in our course, between those. And so we would send our traffic up here instead of trying to connect them down at the bottom. Whether we use VLANs or not, that is another design issue.
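To make the flooding and VLAN behaviour from the last few paragraphs concrete, here is a small Python model added for this lesson (it is not Cisco software and not part of the course materials; the switch names, port names and MAC addresses are made up). Each switch learns source MACs into a CAM table and floods BUM frames out every port in the VLAN; a chain of three switches then shows one broadcast reaching every host in a flat network but staying inside its own VLAN once the access ports are split up. The model has no Layer 3 device, so hosts in different VLANs cannot reach each other at all, which is exactly why the distribution switch is needed.

```python
# Added illustration (not Cisco software): a toy Layer 2 switch with a CAM
# table, BUM flooding and VLANs. Switch/port names and MACs are made up.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str
    vlan: int = 0  # 802.1Q tag; assigned when the frame enters an access port

def is_multicast(mac: str) -> bool:
    """Group bit of the first octet; true for multicast and broadcast MACs."""
    return int(mac.split(":")[0], 16) & 1 == 1

class Switch:
    def __init__(self, ports: dict):
        self.ports = ports     # port -> access VLAN (int) or "trunk"
        self.cam = {}          # (vlan, mac) -> port: the CAM / MAC address table

    def forward(self, frame: Frame, in_port: str) -> list:
        """Return (out_port, frame) pairs for one frame arriving on in_port."""
        mode = self.ports[in_port]
        vlan = frame.vlan if mode == "trunk" else mode
        frame = Frame(frame.src, frame.dst, vlan)
        self.cam[(vlan, frame.src)] = in_port      # learn the source MAC
        key = (vlan, frame.dst)
        if is_multicast(frame.dst) or key not in self.cam:
            # BUM: broadcast, unknown unicast and multicast are flooded out
            # every port in the same VLAN plus every trunk, except ingress
            return [(p, frame) for p, v in self.ports.items()
                    if p != in_port and v in (vlan, "trunk")]
        return [(self.cam[key], frame)]            # known unicast: one port

class Network:
    def __init__(self):
        self.switches, self.links = {}, {}   # links: (sw, port) -> (sw, port)

    def link(self, a, pa, b, pb):
        self.links[(a, pa)], self.links[(b, pb)] = (b, pb), (a, pa)

    def send(self, sw: str, port: str, frame: Frame) -> list:
        """Inject a frame at a host port; return the host ports that hear it."""
        delivered, queue = [], [(sw, port, frame)]
        while queue:                 # chain topology: no loops, so no STP needed
            sw, port, frame = queue.pop()
            for out, f in self.switches[sw].forward(frame, port):
                if (sw, out) in self.links:
                    nsw, nport = self.links[(sw, out)]
                    queue.append((nsw, nport, f))
                else:
                    delivered.append((sw, out))
        return delivered

def build(vlans: dict) -> Network:
    """S1 - S2 - S3 in a chain, four host ports each, trunks between them."""
    net = Network()
    trunks = {"S1": ["down"], "S2": ["up", "down"], "S3": ["up"]}
    for name, vlan in vlans.items():
        ports = {f"Gi0/{i}": vlan for i in range(1, 5)}
        ports.update({t: "trunk" for t in trunks[name]})
        net.switches[name] = Switch(ports)
    net.link("S1", "down", "S2", "up")
    net.link("S2", "down", "S3", "up")
    return net

def broadcast_reach(vlans: dict) -> int:
    """Host ports that hear one broadcast sent from S1 Gi0/1."""
    net = build(vlans)
    return len(net.send("S1", "Gi0/1", Frame("00:00:5e:00:53:01", BROADCAST)))

def unicast_after_learning(vlans: dict) -> tuple:
    """Host ports reached by A -> B (B unknown) and then by B -> A (A learned)."""
    net = build(vlans)
    a, b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    first = net.send("S1", "Gi0/1", Frame(a, b))
    second = net.send("S3", "Gi0/2", Frame(b, a))
    return len(first), len(second)
```

With every switch in VLAN 10 the broadcast reaches all 11 other host ports and the unknown unicast is flooded the same way, while the reply comes back as a single known unicast; with one VLAN per switch the broadcast stops at 3 ports, and the two hosts never learn each other at all.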
But the idea here now is that to get from, let's say, one part of the access layer to another part of the access layer, we would go through the distribution layer and then be able to avoid having those large broadcast domains. And it would be easier to start adding new switches to the access layer, because all I would have to do to add a new switch is just make sure that it can get to the distribution layer. Would we still use VLANs? Absolutely. VLANs not only created broadcast domains, but they also helped us with a lot of security types of problems. Now, in some cases, in our distribution layer, especially if we had long distances or different buildings in our campus and we might not connect these distribution layers together, we would also have this other layer called the core layer. The core layer would have, of course, a higher-performing multi-layer switch. It could use a router, but I'll give you that example here in just a second. But the idea now is that the core layer was designed to move traffic at a very high speed. Why would I use another multi-layer switch, a more powerful one, rather than a router? It just kind of depends, because outside of the core layer, if I have to leave to go into, let's say, the world of the Internet, then in doing so, I'm going through a service provider. If I'm not leaving through what we call Metro Ethernet and maybe taking some other WAN type of technology, a router does well at translating from Ethernet to that other Layer 2 encapsulation to get you out to the worldwide web. And so that's where I might generally see a router, because we're actually translating from Ethernet to some other type of interface or communications. So those are the three layers of the hierarchical design, and as I said, I'll talk about each one in a little more detail as we go into all of those.
But I hope what you're seeing here is the ability for your network to grow and to be able to do what we call scaling out, without really flooding the whole world with that BUM traffic. We want to be able to control it, give us better service, and you know, there's just so many other really cool things we can do here; it's very important for us. But that is what they call a hierarchical design. All right, so let's talk about each of those in a little bit more detail. So let's look at that access layer. In that access layer, as I said, we're generally talking about switches. But a switch is not the only way into the access layer. You might also have a wireless access point. We're talking about wireless, by the way. Our antenna is on the side. And that access point generally is going to a switch in the access layer. All right, so let's talk about that access layer. As I said, it's the entry point of any endpoint device. By endpoint, what I mean is that the traffic going to that device is not going to be relayed. I mean, a switch, that's a transit type of device. Traffic coming in, we're expecting it to be forwarded to another endpoint. So that's what I mean by the endpoints. So we could, again, like I said, have computers hooked up, we could have printers hooked up. You know, in today's day and age, we might have telephones, right? The voice over IP phones hooked into our access layer. Let's put a wireless person over here, right? Making that connection to the access point. So what we see at this access layer, and remember that's going off eventually into the distribution layer, is that we might have a convergence of different types of traffic. As I just got through saying, I could have voice over IP, voice traffic, regular data traffic, maybe some sort of video, if that hopefully looks like a camera on a tripod, could be a video voice over IP phone, but it's a variety of different types of traffic.
So that's where we start seeing the convergence. Now, from the time that Cisco first started talking about this hierarchical model, I didn't mention this as another option, which is introducing security at this layer. It used to be that it was just the distribution layer where we talked about security. But as we know, in today's world, we need to have security at every layer we can. We talk about when hackers are trying to break into the network. And remember, I'm talking about the OSI model when I talk about layers. So Layer 2, that was the data link layer. And that is a type of encapsulation, a way of encoding your data into the way it's going to be transmitted as a bunch of ones and zeros. And then above that was IP at Layer 3, called the network layer. And yes, I know if you're in this switching course, you're more than familiar with all of these layers. But the reason I'm taking the time to talk about it here is that in the earlier days, we didn't really see security introduced at this layer. And the idea was that if a hacker could break in and take your network over at Layer 2, that means they generally owned all of the layers that were above it. And so, you know, when it comes to security, this becomes a new place to introduce that security. So I've got to be careful I don't turn this into a security class. Anyway, one of the very common types of security that we're seeing now is this port-based authentication, 802.1X. Remember, this is an IEEE specification. And everything that starts with 802.1 is really the category for switching. I don't want you to confuse this with 802.11, which is all about this wireless access point here. But we can use 802.1X there as well. Anyway, port-based security just meant that if somebody walked into your office and decided to plug their laptop into your network, hoping that your DHCP server would give them the IP address and gateway information, they could start moving through your network.
And 802.1X basically says, no, you have to authenticate. You have to be able to provide me with a username and password combination. You or the machine that you plugged in, either one of them, has to be able to authenticate and prove that you have the access privileges to get there. And in some cases, we can even now create security lists with what we call the VLAN access control list. And that's pretty cool, because we can control traffic per VLAN if we wanted to. And later on, you're going to hear us talk about private VLANs, which can add another layer of security. But so that's kind of, like I said, new within... Well, I say new because I've been working with Cisco pretty much since the company was founded, in some way or another, and that was never a discussion that we would have before. And also at the access layer, obviously we support multicast. I mean, if you think about it, if I'm going to send out a video stream, that video stream is starting at the access layer. And with multicast, it's very important that we don't treat it like a broadcast. You know, if there are only a few computers in the access layer that want the multicast stream, it'd be nice if our switches can also help to make sure that that's the case. So that's what multicast is all about. So coming from the access layer that I just described is all of this traffic from multiple switches. And as I said, we probably would be using what we call a multi-layer switch. Okay, so a multi-layer switch by its design is actually much faster than a lot of your routers. Remember I said the purpose I might choose routers for is to do some Layer 2 translation, going from Ethernet to whatever else you might be using, in the old days technology like HDLC, PPP. Oh, hopefully never Frame Relay again. But anyway, it acts as a traffic aggregation point. We do kind of hope that at the access layer we can keep as much traffic local as we can.
But you see, in the old days we had what they called the 80-20 rule at the access layer: that 80% of the traffic stayed local and 20% had to be routed or forwarded to some other location. But with today's cloud services, private or public cloud, with the advent of server farms, with going to the internet, that's changed. Now most everything is the 20-80 rule, which is 20% of your traffic stays local, 80% is going out, maybe even more. So that's why we say the first thing that they have there is traffic aggregation, because what we have is a lot of streams of data coming in to a central point. You know, maybe we have other distribution components, which would be great so they can connect to other access layers, and that's where we'll eventually get to the core layer. And so our decisions here are usually what we called routing. The reason I call it forwarding is that when we get into the model that's all put together, you get a better picture of why I like the idea of Layer 3 forwarding. Routing has simply meant looking at the IP address, assuming that you're using an IP network, and then making a routing decision about the outbound interface. But all this traffic is coming in, being aggregated from all these other parts of your access layer. So here in the distribution layer, I'm just going to type DIST so I don't have to spell the whole word, we aggregate it, we make the routing decisions, and the idea is that our traffic can come in one interface from one part of the access layer. After we look at the IP address, then it can go out to whatever the destination of that traffic is, what's local to that part of the access layer. Another part of our design is redundancy. Because if I did connect it the way you see here, we could have a problem with one of those multi-layer switches going down. From now on I'm going to try to call it a distribution switch instead of a multi-layer switch.
So what we might see then in our design at the access layer is having perhaps redundant connections, as you see here. So I always have a different method or way to get out. Or, as we move on to some other topics later in our course, we'll talk about some of these things called first hop redundancy protocols, which are another set of protocols that try to get rid of that single point of failure. In any event, what we're trying to do here is have the redundancy in the design so that, as I said, we don't lose big chunks of our network. But whereas I told you what was new with the access layer, where we started adding in this idea of security, this is where we used to tell people security was first introduced. In fact, it was about the only place that we tried to introduce security. So in Layer 3 we could create an access control list and utilize that access control list as a packet filter firewall. For that matter, we might have even had firewalls in there that were stateful and did a little bit more for us. But it was still a way of controlling the traffic to make sure, maybe, that the traffic from our end users might not have access to the part of, say, the human resources network, and so we could control that through the distribution layer. Of course, I also told you we're adding phones, and by the way, if you don't recognize this symbol, there was a day that phones had this little handset you picked up and a little dial so you could dial the numbers, and that's about the best phone I know how to draw, so that's what those little things are; the little curve is the handset.
But one of the things we have a problem with is, as I said, hey, we do traffic aggregation. That means there might be competition for the services of the distribution layer to forward packets, because it's dealing with a lot of packets. And so we also introduced QoS, quality of service, so we could give preference to traffic that could really be damaged by latency, latency meaning it takes a while for the packets to move. In a phone call, we just hate having things sound like they're breaking up. We don't like to miss packets or drop packets; we don't want to make it sound like they're talking through a blender. So we also introduced QoS in there as well. And of course we could also filter other types of services from a lot of the needs of somebody else trying to do a service that probably isn't part of what we asked for, and that filtering I'd probably put more with the firewalls there at the distribution layer. But that's what we're looking at. Then, of course, depending on your design, as I said, if what I just drew, let's say, was building A on your campus and I need to get to building B, then I would probably go through, as I said, the core layer. And the core layer, as you're about to see, has got a different designation, a different type of thing it's trying to accomplish for us. So at the core layer, and I know you're probably getting tired of seeing me write "access", hopefully I spell it right, and "distribution", and as I just got through saying, I might need to get from building A over here to building B. I mean, this is one example; this could all be in the same building. It's just that I'm trying to conceptually give you an idea of what's happening here. And so what happens is we'll send our traffic from one part of our network or campus building into the core, and we're still going to be using a multi-layer switch, and here all we're really worried about is high speed. When I say high speed, that generally means that we're not involved in enforcing security policies at the core layer. If you think about it, when you start adding your devices to inspect every packet to make sure it's approved, you're going to be slowing down that throughput of traffic. Security services do that, and they should do that, but it's more complex; it's not just looking at a routing table and saying, oh, that's where it goes. There's more to it; it takes a little more processing power. So we want the core to be high speed. And if you think about it, you had to pass a security check at the distribution layer to even be able to get your traffic up to the core layer. And so it's built for high speed, but again, it could be an aggregation point for distribution layers, and we also should have redundancy, just like we did at the distribution layer, to avoid a single point of failure. Now, there's a lot of different things we can do to do what's called fast convergence. Fast convergence simply means that if one of my connections goes down and I still want to be able to forward my traffic, I have to find the next best route to get there. And depending on some of the things we'll talk about when we get into the routing protocols, we can do what we can to get that fast convergence. That means I don't want to wait 40 seconds, which might happen with some routing protocols, for you to find the next best route, because 40 seconds is going to end a phone call; it's going to break sessions. This is not good. If I could, I'd love to get my convergence to less than one second, if that's at all possible, so at worst I might miss a packet or two. If I'm doing a core layer, I can move on to maybe a building C and have even that future growth availability. So the core layer is all about speed, and that's kind of our goal in this hierarchical model.