
Network Protocols for Security Professionals

By: Yoram Orzach, Deepanshu Khanna

Overview of this book

With the increased demand for computer systems and the ever-evolving internet, network security now plays an even bigger role in securing IT infrastructures against attacks. Equipped with the knowledge of how to find vulnerabilities and infiltrate organizations through their networks, you’ll be able to think like a hacker and safeguard your organization’s network and networking devices. Network Protocols for Security Professionals will show you how. This comprehensive guide gradually increases in complexity, taking you from the basics to advanced concepts. Starting with the structure of data network protocols, devices, and breaches, you’ll become familiar with attacking tools and scripts that take advantage of these breaches. Once you’ve covered the basics, you’ll learn about attacks that target networks and network devices. Your learning journey will get more exciting as you perform eavesdropping, learn data analysis, and use behavior analysis for network forensics. As you progress, you’ll develop a thorough understanding of network protocols and how to use methods and tools you learned in the previous parts to attack and protect these protocols. By the end of this network security book, you’ll be well versed in network protocol security and security countermeasures to protect network protocols.
Table of Contents (23 chapters)

  • 1 – Part 1: Protecting the Network – Technologies, Protocols, Vulnerabilities, and Tools
  • 7 – Part 2: Network, Network Devices, and Traffic Analysis-Based Attacks
  • 12 – Part 3: Network Protocols – How to Attack and How to Protect

Switching (L2) and routing (L3) topologies

In this section, we will talk about the structure of a campus network.

Switching (L2) and routing (L3)

Layer 2 switches are devices that switch frames between ports based on the destination MAC address, while Layer 3 switches or routers look at the Layer 3 header of the packet and make routing decisions based on the destination IP address. This can be seen in the following diagram.

At the top left, we can see a single LAN switch. We can see that a frame arrives at the switch. Then, the switch looks at the destination MAC address, makes a forwarding decision, and forwards the frame to the destination port; that is, port 3.

At the bottom left, we can see how a frame crosses a network of switches. The frame enters the left switch, which makes a forwarding decision and forwards it out of port 3. Port 3 is connected to port 1 on the right switch, which looks up the destination MAC address and forwards the frame out of its own port 4. The forwarding decision is made locally; that is, each switch decides on its own, without any coordination with the other switches.

In routing, as shown to the right of the following diagram, the decision is made at Layer 3. When a packet enters the router, the router looks at the Layer 3 destination address, looks it up in its routing table, and, if a matching route exists, forwards the packet to the next hop:

Figure 1.3 – The data center, core, and user network

Important Note

In the packets shown in the preceding diagram, D stands for destination address and S stands for source address. Although in Ethernet the destination address comes before the source, for convenience, it is presented in the same order – D and S for both L2 and L3.
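The two decisions in Figure 1.3 can be made concrete in a few lines. The following is an added example, not code from the book: a toy Layer 2 switch that learns source MAC addresses and forwards by destination MAC (flooding anything it does not know), next to a toy Layer 3 router that picks the next hop by longest-prefix match on the destination IP. All MAC addresses, port numbers and prefixes in it are constructed for the demonstration.

```python
"""Toy model of the two forwarding decisions shown in Figure 1.3.

Added example, not code from the book: a Layer 2 switch that learns
source MACs and forwards by destination MAC (flooding unknowns), next to
a Layer 3 router that picks the next hop by longest-prefix match on the
destination IP. All MACs, ports and prefixes below are constructed.
"""
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"


class L2Switch:
    """Forwards frames by destination MAC; learns source MACs per port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for one frame."""
        # Learning: the source lives behind the ingress port.
        self.mac_table[src_mac] = in_port
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcast or unknown unicast: flood every port except ingress.
            # Every host on those ports can observe the frame, which is why
            # unknown-unicast flooding matters when thinking about eavesdropping.
            return [p for p in self.ports if p != in_port]
        # Known destination on the ingress port itself: nothing to forward.
        return [] if out_port == in_port else [out_port]


class L3Router:
    """Routes packets by longest-prefix match on the destination IP."""

    def __init__(self):
        self.routes = []  # (network, next_hop); next_hop None = connected

    def add_route(self, prefix, next_hop=None):
        self.routes.append((ip_network(prefix), next_hop))

    def lookup(self, dst_ip):
        """Return (matched prefix, next hop) or None when no route exists."""
        dst = ip_address(dst_ip)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None  # no route, not even a default: the packet is dropped
        net, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        return str(net), next_hop


def demo():
    """Walk the frames of Figure 1.3 and a few route lookups."""
    sw = L2Switch(ports=[1, 2, 3, 4])
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed MACs
    l2 = {
        "a_to_unknown_b": sw.forward(1, a, b),  # flooded to ports 2, 3, 4
        "b_replies": sw.forward(3, b, a),       # a is known: port 1 only
        "a_to_known_b": sw.forward(1, a, b),    # now unicast to port 3
    }
    rt = L3Router()
    rt.add_route("10.20.0.0/16", "10.0.1.2")   # constructed next hops
    rt.add_route("10.20.1.0/24", "10.0.1.6")
    rt.add_route("0.0.0.0/0", "10.0.0.254")
    l3 = {
        "server": rt.lookup("10.20.1.100"),  # the /24 wins over the /16
        "other_dc_host": rt.lookup("10.20.7.7"),
        "internet": rt.lookup("198.51.100.1"),
    }
    return l2, l3


if __name__ == "__main__":
    l2, l3 = demo()
    for name, value in {**l2, **l3}.items():
        print(f"{name}: {value}")
```

The first frame from A is flooded because the switch has not yet seen B; once B has replied, both directions are unicast. The router never looks at MAC addresses at all: the most specific matching prefix decides the next hop, and a packet with no matching route is dropped.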

While the basic building blocks of data networks are Layer 2 switches that the users connect to, we can also use Layer 3 switches in the higher levels – that is, the distribution, core, or data center level – to divide the network into different IP networks. Before we move on, let's see what Layer 3 switches are.

The following diagram shows a traditional router to the left and a Layer 3 switch to the right. In a traditional router, we assign an IP address to every physical port – that is, Int1, Int2, Int3, and Int4 – and connect a Layer 2 switch to each port; the end devices, such as the PCs in this example, are connected to that external switch.

In a Layer 3 switch, it is all in the same box. The Layer 3 interfaces (called Interface VLAN in Cisco) are software interfaces configured on the switch. VLANs are configured and an L3 interface is assigned to each. Then, the external devices are connected to the physical ports on the switch:

Figure 1.4 – The data center, core, and users network

Dividing the network into different IP subnets provides many advantages: it gives us more flexibility in the design, since every department can get an IP subnet with access rights to specific servers; routing protocols can be implemented; broadcasts do not cross routers, so a fault can harm only a small part of the network; and many more.

L2 and L3 architectures

L3 can be implemented everywhere in the network. When we implement Layer 3 in the core switches, their IP addresses will be the default gateways of the users; when we implement Layer 3 in the data center switches, their addresses will be the default gateways of the servers.

The design considerations for a data network are not in the scope of this book. However, it is important to understand the structure of the network to understand where attacks can come from and the measures to take to achieve a high level of security.

The following diagram shows two common network topologies – L3 on the core and DC switches on the left, and L3 on the DC only on the right:

Figure 1.5 – L2/L3 network topologies

On the left, we have the following configuration:

  • Virtual LANs (VLANs) configured on the core switches: VLAN50 and VLAN60 are the user VLANs. Each user VLAN holds several physical ports and one logical L3 Interface – the Interface VLAN in Cisco terminology. In this example, Interface VLAN50's IP address is 10.50.1.1/16, while Interface VLAN60's IP address is 10.60.1.1/16.
  • VLANs configured on the DC switches: VLAN 10 and VLAN 20 are the server VLANs. Each server VLAN holds several physical ports and one logical L3 Interface – Interface VLAN. For example, Interface VLAN 10's IP address is 10.10.1.1/16, while Interface VLAN 20's IP address is 10.20.1.1/16.
  • The default gateways of the users in the 10.50.0.0/16 and 10.60.0.0/16 networks are 10.50.1.1 and 10.60.1.1, respectively.

On the right, we can see a different topology, which is where all the Interface VLANs are on the DC switches:

  • All the VLANs are configured on the DC switches.
  • The core switches are only used as Layer 2 devices.
  • The default gateways of both the user's devices and servers are on the DC switches.

L2 and L3 architecture data flow

For the data flow, let's look at the following diagram:

Figure 1.6 – L2/L3 network topologies

In the left topology, we can see the following:

  • When sending packets from the users to the servers, users on VLAN 50 or VLAN 60 send packets to the default gateway; that is, the L3 Interface on the left core switch. From there, packets are routed to the L3 Interface on the left DC switch and the server.
  • When sending the packets back, the servers on VLAN 10 or VLAN 20 send packets to the default gateway of 10.10.1.1, which is on the left DC switch. The packets are routed to the L3 Interface on the left core switch and the user.

In the right topology, we can see the following:

  • The DC switches are the default gateways for the users and the servers, so packets from both are sent to the DC switches and routed internally in them.

L2 and L3 architecture data flow with redundancy

Now, let's see how packets flow through the network. This example is for the case when the user's L3 Interfaces are on the core switches.

In the following diagram, a PC with an address of 10.60.10.10/16 is sending information to the server on 10.20.1.100/16. Let's look at the main and redundant flows:

Figure 1.7 – Data flowing through the network

In a network under regular conditions – that is, when all the network components are functioning – the data flow will be as follows:

  • When PC2 sends packets to a server, they go to its default gateway (1); that is, 10.60.1.1 on the lower left core switch.
  • From 10.60.1.1, the packets are forwarded to 10.20.1.1 on the top left DC switch (2).
  • From 10.20.1.1, the packets are forwarded to the upper server; that is, 10.20.1.100/16 (3).

When a failure occurs, as in the example in Figure 1.4, when the left DC switch (DC-SW-1) fails, the following happens:

  • The MAC address of the S1 server is now learned on the DC switch on the right (DC-SW-2), and from there it will be learned on the core switch on the right (CORE-SW-2).
  • Packets that are sent from PC2 to the server will be forwarded to the core switch on the right (a).
  • The core switch on the right forwards the packets to the next hop (b), which is the DC switch on the right (DC-SW-2).
  • The DC switch on the right forwards the packets to the server (c).
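The main and redundant flows just described, plus the return path from the server, can be walked hop by hop with a small model of the left topology. This is an added example, not code from the book. The user and server VLAN gateways (10.60.1.1 and 10.20.1.1), the PC and server addresses, and the switch names DC-SW-1/2 and CORE-SW-1/2 come from the chapter; the point-to-point link addresses (10.0.x.y/30), the secondary server gateway 10.20.1.2 on DC-SW-2 and the order of preference of the routes are assumptions made so the walk can be computed offline.

```python
"""Hop-by-hop walk of the left topology in Figures 1.5 to 1.7, with and
without a failed DC switch.

Added example, not code from the book. The VLAN gateways and host
addresses come from the chapter; the /30 link addresses, the secondary
gateway 10.20.1.2 on DC-SW-2 and the route preferences are assumptions.
"""
from ipaddress import ip_address, ip_interface, ip_network

MAX_HOPS = 8  # hop limit so a misconfigured loop still terminates


def build_topology():
    """Each device: an up flag, its L3 interfaces, and routes given as
    (prefix, [next hops in order of preference])."""
    return {
        "CORE-SW-1": {
            "up": True,
            "ifaces": ["10.50.1.1/16", "10.60.1.1/16", "10.0.1.1/30", "10.0.3.1/30"],
            "routes": [("10.20.0.0/16", ["10.0.1.2", "10.0.3.2"]),
                       ("10.10.0.0/16", ["10.0.1.2", "10.0.3.2"])],
        },
        "CORE-SW-2": {
            "up": True,
            "ifaces": ["10.0.3.2/30", "10.0.4.1/30"],
            "routes": [("10.20.0.0/16", ["10.0.4.2"]),
                       ("10.10.0.0/16", ["10.0.4.2"])],
        },
        "DC-SW-1": {
            "up": True,
            "ifaces": ["10.10.1.1/16", "10.20.1.1/16", "10.0.1.2/30"],
            "routes": [("10.60.0.0/16", ["10.0.1.1"]),
                       ("10.50.0.0/16", ["10.0.1.1"])],
        },
        "DC-SW-2": {
            "up": True,
            "ifaces": ["10.10.1.2/16", "10.20.1.2/16", "10.0.4.2/30"],
            "routes": [("10.60.0.0/16", ["10.0.4.1"]),
                       ("10.50.0.0/16", ["10.0.4.1"])],
        },
    }


def owner_of(topo, ip):
    """Name of the device that holds this IP on one of its interfaces."""
    addr = ip_address(ip)
    for name, dev in topo.items():
        if any(ip_interface(i).ip == addr for i in dev["ifaces"]):
            return name
    return None


def walk(topo, gateway_ip, dst_ip):
    """Return the devices a packet crosses from the sending host's default
    gateway towards dst_ip; the list ends in dst_ip or 'DROP'."""
    dst = ip_address(dst_ip)
    hops = []
    dev = owner_of(topo, gateway_ip)
    for _ in range(MAX_HOPS):
        if dev is None or not topo[dev]["up"]:
            return hops + ["DROP"]  # gateway or next hop is unreachable
        hops.append(dev)
        # Directly connected subnet: delivered on the L2 side of this switch.
        if any(dst in ip_interface(i).network for i in topo[dev]["ifaces"]):
            return hops + [dst_ip]
        # Longest-prefix match, then the first next hop whose owner is up.
        matches = [(ip_network(p), nhs) for p, nhs in topo[dev]["routes"]
                   if dst in ip_network(p)]
        if not matches:
            return hops + ["DROP"]  # no route to the destination
        _, next_hops = max(matches, key=lambda m: m[0].prefixlen)
        live = [owner_of(topo, nh) for nh in next_hops
                if owner_of(topo, nh) and topo[owner_of(topo, nh)]["up"]]
        dev = live[0] if live else None
    return hops + ["DROP"]  # hop limit reached: a routing loop


if __name__ == "__main__":
    topo = build_topology()
    print("PC2 -> S1        :", walk(topo, "10.60.1.1", "10.20.1.100"))
    print("S1  -> PC2       :", walk(topo, "10.20.1.1", "10.60.10.10"))
    topo["DC-SW-1"]["up"] = False  # the failure case of Figure 1.7
    print("PC2 -> S1 (fail) :", walk(topo, "10.60.1.1", "10.20.1.100"))
    print("S1  -> PC2 (fail):", walk(topo, "10.20.1.1", "10.60.10.10"))
```

With DC-SW-1 up, the walk is CORE-SW-1 to DC-SW-1 to the server; with it down, CORE-SW-1 skips the dead next hop and the packet goes through CORE-SW-2 and DC-SW-2. The return path, however, drops in the failure case: the server's only gateway, 10.20.1.1, lived on the failed switch, and this model has no gateway redundancy. That is the practical caveat to take from the walk: rerouting the forward path is not enough unless the default gateway itself survives the failure.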

L2 and L3 topologies with firewalls

A common practice in network design is to add firewalls to two locations of the enterprise network – data center firewalls and core firewalls. Data center firewalls are more common and are used to protect the data center, while the core firewalls protect different users and areas in the network.

A typical network is illustrated in the following diagram:

Figure 1.8 – The data center, core, and users network (with firewalls)

In this case, we have firewalls with the following functionality:

  • Data center firewalls: These are firewalls that protect the data center. On these firewalls, we will usually have packet filtering, stateful inspection, intrusion detection, and application filtering.

    Important Note

    Packet filtering is a term that refers to filtering packets according to Layer 3 (IP) and Layer 4 (TCP/UDP) information. Stateful inspection is a mechanism that tracks the direction in which each session crossing the firewall was started and allows traffic to be forwarded only as part of a session that started in a permitted direction. Intrusion prevention is a mechanism that protects against intrusion attempts on the network. Application filtering is a mechanism that works on Layer 7 and filters sessions based on the application and its content. Further discussions on these mechanisms and others, as well as how to use them and harden them, will be provided later in this book.

  • Core firewalls: These are used to protect different areas of the network, such as different departments, different companies on the same campus, and so on.
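The difference between packet filtering and stateful inspection in the Important Note above is easiest to see by running the same three packets through both. The following is an added example, not code from the book: a stateless filter that judges every packet on its L3/L4 header alone, and a stateful firewall that adds a session table so replies are permitted only for sessions that started in an allowed direction. The rule sets and the three sample packets are constructed; the user and server networks are those of Figure 1.5.

```python
"""Packet filtering next to stateful inspection.

Added example, not code from the book. Rules, sample packets and the
user/server networks (10.60.0.0/16 and 10.20.0.0/16) are constructed
for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN without ACK: the first packet of a session


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.proto == self.proto
                and self.dport in (None, pkt.dport))


class PacketFilter:
    """Stateless filter: each packet is judged on its L3/L4 header alone."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"  # implicit deny at the end of the rule set


class StatefulFirewall(PacketFilter):
    """Stateless rules plus a session table: replies are permitted only for
    sessions that started in a direction the rules allow."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()  # (proto, src, sport, dst, dport) of open sessions

    def decide(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "permit"  # belongs to an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"    # mid-stream TCP with no session: not a valid start
        action = super().decide(pkt)
        if action == "permit":
            self.sessions.add(forward)  # remember the direction it started in
        return action


USERS, SERVERS = "10.60.0.0/16", "10.20.0.0/16"


def run_scenario():
    """Return (stateless verdict, stateful verdict) for three packets."""
    # A stateless filter needs a broad reverse rule just to let replies back.
    stateless = PacketFilter([
        Rule(USERS, SERVERS, "tcp", 443, "permit"),
        Rule(SERVERS, USERS, "tcp", None, "permit"),
    ])
    stateful = StatefulFirewall([Rule(USERS, SERVERS, "tcp", 443, "permit")])
    request = Packet("10.60.10.10", "10.20.1.100", "tcp", 51000, 443, syn=True)
    reply = Packet("10.20.1.100", "10.60.10.10", "tcp", 443, 51000)
    # Unsolicited connection from the server side towards a user's port 22.
    unsolicited = Packet("10.20.1.100", "10.60.10.10", "tcp", 443, 22, syn=True)
    verdicts = {}
    for name, pkt in (("request", request), ("reply", reply),
                      ("unsolicited", unsolicited)):
        verdicts[name] = (stateless.decide(pkt), stateful.decide(pkt))
    return verdicts


if __name__ == "__main__":
    for name, (stateless_v, stateful_v) in run_scenario().items():
        print(f"{name:12s} stateless={stateless_v:7s} stateful={stateful_v}")
```

Both firewalls let the HTTPS request and its reply through. The difference is the third packet: the stateless filter can only admit replies by carrying a broad server-to-user rule, and that same rule admits a connection the server side starts towards a user; the stateful firewall needs no reverse rule, finds no session for the unsolicited packet, and denies it.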

The data flow in a firewall-protected network is as follows:

Figure 1.9 – Data flowing through the network (with firewalls)

Data can flow in several directions, with several levels of protection:

  • In the first example, PC2, which has an address of 10.60.10.10, sends data to its default gateway; that is, the IP interface on its VLAN (1). From there, packets are routed to the DC firewall (FW1) at the top-left (2) and the required server (3).
  • A second option is when PC4, which is on the right, sends packets to the server. In this case, the packets first pass through a first level of security, core firewall FW4. Packets from the PC are sent to the default gateway; that is, the IP interface of the VLAN (a). From there, they are routed to the core firewall (FW4) (b), the DC firewall (FW2) (c), and the required server (d).
  • There are many other options here, including routing packets from the users through the core firewall to external networks, routing packets between users through the core firewalls, and so on.

L2 and L3 topologies with overlays

When building a traditional enterprise network, the network structure ensures one thing: that packets are forwarded from the source to the destination as fast as possible.

Important Note

As fast as possible, in terms of a data network, is described by four parameters: bandwidth, delay, jitter, and packet loss. Bandwidth is defined as the number of bits per second that the network can provide. Delay is the Round-Trip Time (RTT) in seconds: the time it takes a packet to reach the destination and the response to arrive back at the sender. Jitter is defined as the variation in delay and is measured in percent. Packet loss is the percentage of packets that were lost in transmission. Different applications require different parameters – some require high bandwidth, others are sensitive to delay and jitter, while some are sensitive to packet loss. A network attack on a communications line can cause degradation in one or all of these parameters.

Overlay technologies add functionality to the network by establishing one or more virtual networks over the physical one. In this case, the physical network is referred to as the underlay network, while the virtual network is referred to as the overlay network, as illustrated in the following diagram:

Figure 1.10 – Underlay/overlay network architecture

Here, we can see a standard network that is made up of routers with connectivity between them. The overlay network is made up of end-to-end tunnels that create a virtual network over the real one.

There are various overlay technologies, such as VXLAN, EVPN, and others. The principle is that packets from the external network that are forwarded through the overlay tunnels are encapsulated in underlay packets, forwarded to the destination, and decapsulated when exiting towards the destination.
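The encapsulate-forward-decapsulate principle is short enough to show in full for VXLAN. The following is an added example, not code from the book: it wraps an Ethernet frame in the 8-byte VXLAN header and unwraps it again. The header layout (the I flag, the 24-bit VNI and UDP port 4789) follows RFC 7348; the inner frame, its MAC addresses and the VNI value are constructed for the demonstration.

```python
"""VXLAN encapsulation and decapsulation: the overlay/underlay split.

Added example, not code from the book. The header layout follows RFC 7348;
the inner Ethernet frame, MAC addresses and VNI are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08    # "VNI present" flag; the only flag bit RFC 7348 defines
ETH_HEADER_LEN = 14


def vxlan_encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the VXLAN header. The result is the UDP payload that the
    underlay carries to the destination VTEP on port 4789."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if len(inner_frame) < ETH_HEADER_LEN:
        raise ValueError("inner frame shorter than an Ethernet header")
    # Word 0: flags (8 bits) | reserved (24); word 1: VNI (24) | reserved (8).
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(udp_payload: bytes) -> tuple:
    """Strip the VXLAN header and return (vni, inner_frame). Reserved bits
    are ignored on receive, as RFC 7348 requires; a clear I flag means the
    packet is not valid VXLAN and is dropped."""
    if len(udp_payload) < 8 + ETH_HEADER_LEN:
        raise ValueError("payload too short for VXLAN header plus Ethernet frame")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag not set: not a valid VXLAN packet")
    return word1 >> 8, udp_payload[8:]


def describe_frame(frame: bytes) -> dict:
    """Parse the inner Ethernet header, which the underlay never looks at."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])

    def mac(raw):
        return ":".join(f"{b:02x}" for b in raw)

    return {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": hex(ethertype)}


def build_sample_frame() -> bytes:
    """A constructed inner frame: user PC to server, EtherType IPv4."""
    dst = bytes.fromhex("020000000020")  # constructed server MAC
    src = bytes.fromhex("020000000060")  # constructed PC MAC
    return struct.pack("!6s6sH", dst, src, 0x0800) + b"inner IPv4 packet bytes"


def roundtrip(vni: int = 5060) -> dict:
    """Encapsulate a frame, decapsulate it, and report what each layer sees."""
    inner = build_sample_frame()
    outer_payload = vxlan_encapsulate(inner, vni)
    got_vni, got_frame = vxlan_decapsulate(outer_payload)
    return {
        "underlay_sees": {"udp_dport": VXLAN_UDP_PORT, "bytes": len(outer_payload)},
        "vni": got_vni,
        "intact": got_frame == inner,
        "inner": describe_frame(got_frame),
    }


if __name__ == "__main__":
    print(roundtrip())
```

The underlay only ever sees a UDP datagram to port 4789 between two tunnel endpoints; the inner MAC addresses, EtherType and everything behind them are opaque to it. That is the defensive consequence of the diagram: filtering and monitoring applied on the underlay cannot distinguish overlay tenants or inner hosts, so policy on the overlay traffic has to be enforced where the tunnel is terminated, and a receiving endpoint should validate the header (here, the I flag and minimum length) before trusting the VNI it carries.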

Since bits are eventually forwarded through the wires, attacks on both the underlay network and the overlay connectivity can influence and cause downtime on the network.

Now that we've talked about the organization network, let's talk about connectivity to the world; that is, the perimeter.