Network designs for dynamic route pacing

The new generation of network devices means network designs based on dynamic routing. But there are pitfalls to keep in mind.

Network devices have become so powerful that worries over hardware resource overutilization have all but disappeared.

The most modern routers, switches and firewalls can handle much more than their predecessors and network designs are changing as a result.

Network designs are shifting from the classic three-tiered model of a switched access layer and routed distribution and core layers to a completely routed model using dynamic routing protocols such as Open Shortest Path First and Enhanced Interior Gateway Routing Protocol placed right in the access layer itself.

The access layer is the point of entry into a network for most end hosts, and traditionally no routing takes place there. Instead, access switches send all traffic destined outside a local subnet over Layer 2 trunk links to large upstream switches that handle routing and the application of security policies.

In networking, Layer 2 refers to the use of media access control addresses in communication among devices within the same subnet, while Layer 3 refers to the use of IP addresses to allow traffic to move among divergent subnets. This is an important distinction because they are very different methods of network communication.

Because even the low-end, enterprise-grade access switches of today have enough processing power and memory to route traffic and apply security policies, engineers are moving away from traditional Layer 2 switched access layer network designs in favor of a fully routed topology. This newer design provides several significant advantages over the three-tiered model and solves several problems of the traditional Layer 2 access layer, but there are also some drawbacks to consider.

VLANs getting bigger, causing problems

In classic network designs, virtual local area networks, or VLANs, are used to segment certain traffic from other traffic for security, management or traffic engineering purposes. Because of the increase in the number of IP-enabled devices connecting to a network, the number of VLANs at a typical organization has increased, but more importantly VLANs themselves have increased in size.

This is a concern because of the potential for broadcast storms and other types of Layer 2 flooding problems. A very large VLAN has so many devices in it that a problem at Layer 2 would adversely affect a large part of the production environment. This "failure domain" can grow so large that a single Layer 2 problem could take down an entire production network. Though there are methods to mitigate this risk, many IT departments continue to simply plug in a new switch when needed. This approach, however, continually stretches VLANs -- and, therefore, the failure domain -- further across the organization.

Additionally, the Spanning Tree Protocol (STP) is used at Layer 2 to block redundant physical links among switches in order to prevent loops. This method can be tricky to configure in multivendor networks, and though it is the standard, it does nothing to exploit all available links. Unfortunately, this means that, by design, a significant portion of the network will remain completely idle until there is a failure. Though STP can somewhat manage path selection by choosing to block one port instead of another, it is by no means highly tunable or self-healing.

By contrast, routing to the access layer dramatically reduces the size of the failure domain, makes use of all links and provides a tunable, dynamic network environment.

All links active in properly configured network designs

In a properly configured and fully routed network, all links are active, though only one path is used at a time. An engineer can configure load balancing across many links, proactively manipulate path selection, and design exactly how a network should behave in various failure scenarios. Also, routing protocols can be configured to reconverge very quickly when a link becomes unavailable, which means traffic is rerouted quickly and dynamically.

There are some relatively minor drawbacks to consider with a fully routed network, however. Some applications require Layer 2 adjacencies to function properly, and often there is no workaround. The solution would be to use the classic design or implement a hybrid Layer 2 and Layer 3 access layer. This adds an element of complexity to the design and maintenance of a network.

Some network devices also require Layer 2 adjacencies -- such as the Apple TV, which is very popular in schools. In a routed access layer, this can be resolved by using a Bonjour gateway, but as with the hybrid design, additional planning and complexity are needed to make it work properly.

Security policies take extra work

A more significant drawback to consider is how security would be implemented in fully routed network designs. In the classic design, a VLAN could be a specific department, device type or geographic location. It's relatively simple to apply security policy to a VLAN, and because the VLAN can be trunked anywhere, the security policies are very mobile.

When routing down to the access layer, security policies are still easy to apply, but they are no longer mobile. For example, an end user with a very specific access control list applied to his or her subnet would not have the same access list applied when moving to a different subnet. There are a variety of options to solve this, such as implementing multiple virtual routing and forwarding (VRF) instances, deploying client-based virtual private networks or experimenting with the latest network access control software, but all of these add extra complexity and, likely, additional cost to the network.
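As an added example (not from the article), a Cisco IOS-style configuration for one routed access switch, showing what the design described above looks like in practice: routed point-to-point uplinks instead of STP-blocked trunks, OSPF timers tuned for fast reconvergence, and an access list bound to the subnet's SVI, which is why the policy stays behind when a user moves to another subnet. All hostnames, addresses, interface names and the ACL contents are constructed.

```cisco
! Constructed example: Layer 3 access switch, no Layer 2 trunks upstream
hostname ACCESS-SW-01
!
! The user subnet exists only on this switch; the SVI is its default gateway
interface Vlan10
 description Finance users (constructed subnet)
 ip address 10.10.10.1 255.255.255.0
 ip access-group FINANCE-IN in
 no shutdown
!
! Uplinks are routed point-to-point links, so both carry traffic
! and OSPF reconverges when one fails; nothing is left idle by STP
interface GigabitEthernet1/0/49
 description Uplink to DIST-A
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
interface GigabitEthernet1/0/50
 description Uplink to DIST-B
 no switchport
 ip address 10.255.0.5 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf 1
 router-id 10.10.10.1
 passive-interface default
 no passive-interface GigabitEthernet1/0/49
 no passive-interface GigabitEthernet1/0/50
 network 10.10.10.0 0.0.0.255 area 10
 network 10.255.0.0 0.0.0.255 area 10
 timers throttle spf 50 200 5000
!
! The policy is keyed to 10.10.10.0/24: a finance user who plugs into
! a subnet on another access switch is no longer covered by it
ip access-list extended FINANCE-IN
 permit ip 10.10.10.0 0.0.0.255 10.50.0.0 0.0.255.255
 permit udp 10.10.10.0 0.0.0.255 host 10.1.1.53 eq domain
 deny   ip any any log
```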

Lastly, access switches that support all the Layer 3 routing features needed in the fully routed network design model tend to be more expensive. Cost may not be an issue for some organizations, but when it is, the benefits of changing the network design may not justify the cost of purchasing all new hardware and licensing.

Especially in a network built from scratch, there are significant advantages to designing a topology with dynamic routing all the way to the access layer. A decreased failure domain, faster convergence and greater control over network traffic are not trivial benefits. If the organization feels the cost and effort is justified, implementing a fully routed LAN topology at the access layer means networks are more dynamic and resilient.

This was last published in May 2016