
L2 VPN, OR DISTRIBUTED ETHERNET

The L2 VPN category includes a wide range of services: from emulation of dedicated point-to-point channels (E-Line) to multipoint connections and emulation of Ethernet switch functions (E-LAN, VPLS). L2 VPN technologies are "transparent" to higher-layer protocols, so they carry, for example, IPv4 or IPv6 traffic regardless of which IP version the operator itself uses. Their "low-level" nature is also an advantage where SNA, NetBIOS or SPX/IPX traffic has to be carried. However, in today's period of general "IP-ization" these features are needed less and less. Some time will pass, and the next generation of network specialists will probably not know at all that there were times when NetWare and the SPX/IPX protocols "dominated" networks.

L2 VPN services are usually used to build corporate networks within one city (or a city and its immediate surroundings), so the concept is often perceived almost as a synonym for the term Metro Ethernet. Such services are characterized by high channel speeds at a lower connection cost (compared to L3 VPN). Further advantages of L2 VPN are support for jumbo frames and the relative simplicity and low cost of the client equipment installed at the edge with the provider (L2).

The growing popularity of L2 VPN services is largely due to the needs of fault-tolerant, geographically distributed data centers: for virtual machines to "travel", a direct connection between nodes at the L2 layer is required. Such services, in effect, allow the L2 domain to be stretched. These are well-established solutions, but they often require complex tuning. In particular, when a data center is connected to the service provider's network at several points (which is highly desirable for fault tolerance), additional mechanisms are needed to load the connections optimally and to prevent "switching loops".

There are also solutions designed specifically for interconnecting data center networks at the L2 level, such as the Overlay Transport Virtualization (OTV) technology implemented in Cisco Nexus switches. It operates over IP networks and uses all the advantages of L3 routing: good scalability, high fault tolerance, connection at several points, traffic transmission over multiple paths, etc. solutions/LAN" for 2010).

L2 OR L3 VPN

If an enterprise buys L2 VPN services, it has to take care of routing traffic between its sites itself; in L3 VPN systems this task is handled by the service provider. The main purpose of L3 VPN is to connect sites located in different cities, far away from each other. These services tend to have higher connection costs (because they use a router rather than a switch), high rents and low bandwidth (typically up to 2 Mbps). The price can increase significantly depending on the distance between connection points.

An important advantage of L3 VPN is support for QoS functions and traffic engineering, which allows the required quality level to be guaranteed for IP telephony and video conferencing services. L3 VPNs are not transparent to Ethernet services, do not support oversized Ethernet frames, and are more expensive than Metro Ethernet services.

Note that MPLS technology can be used to build both L2 and L3 VPNs. The service level of a VPN is determined not by the layer of the technology used for it (MPLS is generally hard to attribute to any particular OSI layer; rather, it is an L2.5 technology) but by its "consumer properties": if the operator's network routes client traffic, it is L3; if it emulates link-layer connections (or Ethernet switch functions), it is L2. At the same time, other technologies can be used to form an L2 VPN, for example 802.1ad Provider Bridging or 802.1ah Provider Backbone Bridges.

802.1ad Provider Bridging, also known by many other names (vMAN, Q-in-Q, Tag Stacking, VLAN Stacking), allows a second 802.1Q VLAN tag to be added to an Ethernet frame. The service provider can ignore the inner VLAN tags set by the client equipment; the outer tags are sufficient to forward traffic. This technology removes the 4096 VLAN ID limit of classic Ethernet, which greatly improves service scalability. 802.1ah Provider Backbone Bridges (PBB) solutions add a second pair of MAC addresses to the frame, so that the MAC addresses of the end equipment are hidden from the backbone switches. PBB provides up to 16M Service IDs.


L3VPN, which we covered in the last issue, covers a huge number of scenarios that most customers need. Huge, but not all. It provides connectivity only at the network layer and only for one protocol: IP. What about telemetry data, for example, or traffic from base stations that work over an E1 interface? There are also services that use Ethernet but nevertheless need link-layer connectivity. And data centers, again, like to talk to each other in the language of L2.
So let's hand L2 to our customers as well.

Traditionally everything was simple: L2TP, PPTP, and that was about it. Well, you could also hide Ethernet inside GRE. For everything else, separate networks were built and dedicated lines were run at the price of a tank (per month). In this age of converged networks, distributed data centers and international companies, however, that is not an option, and a whole range of scalable link-layer emulation technologies has poured onto the market.
This time we will focus on MPLS L2VPN.

L2VPN technologies

Before diving into warm MPLS, let's take a look at what kinds of L2VPNs exist.

  • VLAN/QinQ - these can be counted here, since the basic requirements of a VPN are met: a virtual L2 network is organized between several points, and the data in it is isolated from everyone else. In essence, a VLAN per user organizes a Hub-and-Spoke VPN.
  • L2TPv2/PPTP - outdated and boring stuff.
  • L2TPv3 and GRE have scaling problems.
  • VXLAN, EVPN - options for data centers. Very interesting, but DCI is not in the plans for this issue. There was a separate podcast about them, though (listen to the recording of November 25th).
  • MPLS L2VPN is a set of different technologies whose transport is an MPLS LSP. It is the one that has gained the widest distribution in provider networks today.

Why did it win? The main reason, of course, is the ability of routers forwarding MPLS packets to abstract from their contents while still distinguishing the traffic of different services.
For example, an E1 frame arrives at the PE, is immediately encapsulated in MPLS, and nobody along the way will even suspect what is inside: all that matters is swapping the label in time.
An Ethernet frame arrives on another port and can cross the network over the same LSP, only with a different VPN label.
Besides, MPLS TE allows channels to be built with the traffic's requirements on network parameters taken into account.
Together with LDP and BGP, configuring a VPN and discovering neighbors automatically becomes easier.
The ability to encapsulate traffic of any link-layer protocol in MPLS is called AToM - Any Transport over MPLS.
Here is the list of protocols supported by AToM:

  • ATM Adaptation Layer Type-5 (AAL5) over MPLS
  • ATM Cell Relay over MPLS
  • Ethernet over MPLS
  • Frame Relay over MPLS
  • PPP over MPLS
  • High-Level Data Link Control (HDLC) over MPLS

Two worlds of L2VPN

There are two conceptually different approaches to building any L2VPN.

Terminology

Traditionally, terms will be introduced as needed. But about some at once.
PE - Provider Edge - edge routers of the provider's MPLS network, to which client devices (CEs) connect.
CE - Customer Edge - client equipment that connects directly to the provider's routers (PEs).
AC - Attached Circuit - the interface on a PE for the client connection.
VC - Virtual Circuit - a virtual unidirectional connection through the common network that simulates the original medium for the client. It connects the AC interfaces of different PEs. Together they make up a single channel: AC → VC → AC.
PW - PseudoWire - a virtual bidirectional data link between two PEs, consisting of a pair of unidirectional VCs. This is the difference between a PW and a VC.

VPWS. Point-to-point

VPWS - Virtual Private Wire Service.
At the heart of any MPLS L2VPN solution lies the idea of a PW - PseudoWire - a virtual cable thrown from one end of the network to the other. For VPWS, this PW is itself the service.
A kind of L2 tunnel through which you can carelessly push anything you like.
For example, a client has a 2G base station in Kotelniki and its controller in Mitino, and this BS can only connect via E1. In ancient times, that E1 would have had to be stretched across with cable, radio relays and all sorts of converters.
Today, one common MPLS network can be used for this E1 as well as for L3VPN, the Internet, telephony, television and so on.
(Someone will say that L2TPv3 can be used for a PW instead of MPLS, but who needs it with its scalability and lack of Traffic Engineering, eh?)

VPWS is relatively simple, both in terms of traffic transmission and the operation of service protocols.

VPWS Data Plane or user traffic transfer

A tunnel label is the same thing as a transport label; the longer word "transport" simply did not fit in the diagram title.

0. A transport LSP has already been built between R1 and R6 using LDP or RSVP-TE. That is, R1 knows the transport label and the output interface towards R6.
1. R1 receives some L2 frame from client CE1 on the AC interface (it may be Ethernet, TDM, ATM, etc.; it does not matter).
2. This interface is bound to a specific client identifier, the VC ID, which in a sense is the analogue of a VRF in L3VPN. R1 gives the frame a service label that will remain unchanged until the end of the path. The VPN label is the inner label of the stack.
3. R1 knows the destination, the IP address of the remote PE router R6, looks up the transport label and pushes it onto the MPLS label stack. This will be the outer, transport label.
4. The MPLS packet travels through the operator's network via P routers. The transport label is swapped for a new one on each node; the service label remains unchanged.
5. On the penultimate router the transport label is removed: PHP happens. The packet arrives at R6 with only the service (VPN) label.
6. PE2, having received the packet, analyzes the service label and determines the interface to which the decapsulated frame should be sent.

Note: each CSR1000V node requires 2.5 GB of RAM. Otherwise the image either will not start, or there will be various problems such as ports not coming up or packet loss.

VPWS practice

Let's simplify the topology to four backbone nodes. Clicking on the diagram opens it in a new tab, so you can switch to it with Alt+Tab instead of scrolling the page up and down.

Our task is to carry Ethernet from Linkmeup_R1 (port Gi3) to Linkmeup_R4 (port Gi3).

As step 0, IP addressing, IGP routing and basic MPLS are already configured (see how).

Let's see what happened behind the scenes of the protocols (the dump was taken from the GE1 Linkmeup_R1 interface). The main milestones can be identified:

0) The IGP converged, LDP discovered its neighbors, brought up the session and handed out transport labels.
As you can see, Linkmeup_R4 allocated transport label 19 for FEC 4.4.4.4.

1) Then tLDP got to work.

--A. We configured it on Linkmeup_R1 first, and tLDP started periodically sending its Hello to 4.4.4.4.

As you can see, this is a unicast IP packet sent from the address of the Loopback interface, 1.1.1.1, to the address of the same Loopback on the remote PE, 4.4.4.4.
It is packed in UDP and transmitted with one MPLS label, the transport label 19. Note the priority: the EXP field is 6, one of the highest values, since this is a service protocol packet. We'll talk more about this in the QoS issue.

The PW state is still DOWN, because there is nothing on the reverse side.

--B. As soon as we configured xconnect on the Linkmeup_R4 side, a Hello followed immediately and a TCP connection was established.

At this point, an LDP neighbor is established.

--C. Labels exchanged:

At the very bottom you can see that the FEC in the case of VPWS is the VC ID that we specified in the xconnect command; this is the identifier of our VPN: 127.
Just below it is the label that Linkmeup_R4 allocated for it: 0x16, or 22 in decimal.
That is, with this message Linkmeup_R4 told Linkmeup_R1: if you want to send a frame into the VPN with VC ID 127, use service label 22.

Here you can also see a bunch of other Label Mapping messages; this is LDP sharing everything it has learned, information about all FECs. This is of little interest to us, and of even less to Linkmeup_R1.

Linkmeup_R1 does the same - tells Linkmeup_R4 its label:

After that the VCs come up and we can see the labels and current statuses:

The commands show mpls l2transport vc detail and show l2vpn atom vc detail produce essentially identical output for our examples.

3) Now everything is ready to transfer user data. At this point, we run ping. Everything is predictably simple: two labels that we have already seen above.

For some reason Wireshark didn't parse the MPLS payload, but I'll show you how to read it by hand:

The two blocks highlighted in red are the MAC addresses: DMAC and SMAC respectively. The yellow block 0800 is the Ethertype field of the Ethernet header, meaning that IP is inside.
Next, the black block 01 is the Protocol field of the IP header: the ICMP protocol number. And the two green blocks are SIP and DIP respectively.
Now you can read it even when Wireshark can't!

Accordingly, the ICMP-Reply is returned only with the VPN label, because PHP took place on Linkmeup_R2 and the transport label was removed.

If VPWS is just a wire, it should happily carry a frame with a VLAN tag, shouldn't it?
Yes, and we do not have to reconfigure anything for this.
Here is an example of a frame with a VLAN tag:

Here you see Ethertype 8100 (802.1Q) and VLAN tag 0x3F, or 63 in decimal.

If we transfer the xconnect configuration to the subinterface with the VLAN specified, then it will terminate this VLAN and send a frame without the 802.1q header to the PW.
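As an added example that is not from the original article, the toy model below walks a customer frame through steps 0 to 6 of the VPWS data plane and then parses the EoMPLS payload by hand the way the dump above was read, including a single 802.1Q tag and the stacked 802.1ad/802.1Q tags of the Q-in-Q scheme described in the first section. The transport LSP, label 17, the AC name and the frame bytes are constructed; only VC label 22, transport label 19 and VLAN 63 are borrowed from the captures.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q C-tag
ETH_P_8021AD = 0x88A8  # 802.1ad S-tag (Provider Bridging / Q-in-Q outer tag)
ETH_P_IP = 0x0800

def encode_label(label, exp=0, bottom=False, ttl=255):
    """Pack one MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20 or not 0 <= exp < 8:
        raise ValueError("label or EXP out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def decode_label(entry):
    """Unpack a 4-byte label stack entry into its fields."""
    (word,) = struct.unpack("!I", entry[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 7,
            "s": bool(word & 0x100), "ttl": word & 0xFF}

def parse_stack(packet):
    """Split an MPLS packet into its label stack (top first) and the payload."""
    labels, off = [], 0
    while True:
        ent = decode_label(packet[off:off + 4])
        labels.append(ent)
        off += 4
        if ent["s"]:
            return labels, packet[off:]

# Constructed transport LSP R1 -> R2 -> R3 -> R4 (FEC 4.4.4.4). Label 17 is
# invented; 19 is the label R4 allocated in the article. R3 pops (PHP, step 5).
TRANSPORT_LFIB = {
    "R1": ("push", 17, "R2"),
    "R2": {17: ("swap", 19, "R3")},
    "R3": {19: ("pop", None, "R4")},
}
# VC label 22 was advertised by R4 for VC ID 127 in the tLDP capture; AC name is constructed.
R4_VC_TABLE = {22: "Gi3 (VC ID 127)"}

def forward_vpws(frame, vc_label=22):
    """Simulate steps 1-6: R1 pushes VC + transport labels, P routers act on the
    top label only, the egress PE maps the remaining VC label to an AC.
    Returns (per-hop trace of label stacks, egress AC, original frame)."""
    _, tlabel, node = TRANSPORT_LFIB["R1"]
    pkt = encode_label(tlabel) + encode_label(vc_label, bottom=True) + frame
    trace = [("R1", [e["label"] for e in parse_stack(pkt)[0]])]
    while node in TRANSPORT_LFIB:            # steps 4-5: P routers
        top = decode_label(pkt)
        op, new, nxt = TRANSPORT_LFIB[node][top["label"]]
        if op == "swap":
            pkt = encode_label(new, top["exp"], False, top["ttl"] - 1) + pkt[4:]
        else:                                # "pop": penultimate hop popping
            pkt = pkt[4:]
        trace.append((node, [e["label"] for e in parse_stack(pkt)[0]]))
        node = nxt
    stack, payload = parse_stack(pkt)        # step 6: only the VC label is left
    if len(stack) != 1 or not stack[0]["s"]:
        raise ValueError("egress PE expected a single bottom-of-stack VC label")
    return trace, R4_VC_TABLE[stack[0]["label"]], payload

def parse_eth_payload(frame):
    """Read the EoMPLS payload by hand, as the article does: DMAC, SMAC,
    Ethertype, any stacked 802.1ad/802.1Q tags, then the IP protocol field."""
    dmac, smac = frame[0:6].hex(":"), frame[6:12].hex(":")
    off, vlans = 12, []
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    while etype in (ETH_P_8021Q, ETH_P_8021AD):      # peel tags, outer to inner
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)                   # low 12 bits = VLAN ID
        off += 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    info = {"dmac": dmac, "smac": smac, "ethertype": etype, "vlans": vlans}
    if etype == ETH_P_IP:
        ip = frame[off + 2:]
        info["ip_proto"] = ip[9]                     # 0x01 = ICMP
        info["sip"] = ".".join(map(str, ip[12:16]))
        info["dip"] = ".".join(map(str, ip[16:20]))
    return info

def build_icmp_frame(vlans=()):
    """Constructed customer frame: Ethernet, optional tags (two tags = Q-in-Q
    with an 802.1ad outer S-tag), then a minimal IPv4/ICMP echo request."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for i, vid in enumerate(vlans):
        tpid = ETH_P_8021AD if len(vlans) == 2 and i == 0 else ETH_P_8021Q
        eth += struct.pack("!HH", tpid, vid)
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0])   # TTL 64, proto 1
    ip += bytes([10, 0, 0, 1, 10, 0, 0, 2])                 # SIP, DIP
    ip += bytes([8, 0, 0, 0, 0, 0, 0, 0])                   # ICMP echo header
    return eth + struct.pack("!H", ETH_P_IP) + ip

if __name__ == "__main__":
    trace, ac, payload = forward_vpws(build_icmp_frame(vlans=(63,)))
    print(trace, ac, parse_eth_payload(payload))
```

The trace shows the service label staying at 22 on every hop while the transport label is swapped and then popped, which is exactly why the P routers never need to look at the Ethernet frame.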

Types of VPWS

The example we looked at is EoMPLS (Ethernet over MPLS). It is part of the PWE3 technology, which is the evolution of VLL Martini Mode. And all of this together is VPWS. The main thing here is not to get tangled in the definitions. Let me be your guide.
So, VPWS is the general name for point-to-point L2VPN solutions.
PW is a virtual L2 channel that underlies any L2VPN technology and serves as a tunnel for data transmission.
VLL (Virtual Leased Line) is already a technology that allows frames of various link-layer protocols to be encapsulated in MPLS and transmitted across the provider's network.

There are the following types of VLL:
VLL CCC - Circuit Cross Connect. In this case there is no VPN label, and transport labels are assigned manually (static LSP) on each node, including the swap rules. That is, there will always be only one label in the stack, and each such LSP can carry the traffic of only one VC. I have never come across it in practice. Its main advantage is that it can provide connectivity between two nodes connected to the same PE.

VLL TCC - Translational Cross Connect. Same as CCC, but allows different link layer protocols to be used from different ends.
This only works with IPv4. The PE removes the link-layer header upon receipt, and inserts a new one upon transmission to the AC interface.
Interesting? Start from here.

VLL SVC - Static Virtual Circuit. The transport LSP is built by conventional mechanisms (LDP or RSVP-TE) and the VPN Service Tag is assigned manually. tLDP is not needed in this case. Cannot provide local connectivity (if two nodes are connected to the same PE).

Martini VLL - this is roughly what we dealt with above. The transport LSP is built in the usual way, VPN labels are distributed by tLDP. Beauty! Does not support local connectivity.

Kompella VLL - the transport LSP is built in the usual way, and VPN labels are distributed by BGP (with RD/RT, as you would expect). Wow! Supports local connectivity. Well, okay.

PWE3 - Pseudo Wire Emulation Edge to Edge. Strictly speaking, the scope of this technology is wider than just MPLS. However, in the modern world, in 100% of cases they work in conjunction. Therefore, PWE3 can be considered as an analogue of Martini VLL with extended functionality - LDP + tLDP are also involved in signaling.
Briefly, its differences from the Martini VLL can be represented as follows:

  • Reports the status of the PW using an LDP Notification message.
  • Supports Multi-Segment PW when the end-to-end channel consists of several smaller pieces. In this case, the same PW can become segments for multiple channels.
  • Supports TDM interfaces.
  • Provides a fragmentation negotiation mechanism.
  • Other...

Today PWE3 is the de facto standard, and it is what was used in the example above.

I talk about Ethernet everywhere in order to give the most illustrative example. Everything concerning other link-layer protocols is left for independent study.

This is the first article in the "Networks for the Little Ones" series. Maxim aka Gluck and I thought for a long time about where to start: routing, VLANs, equipment configuration. In the end we decided to start with the fundamental and, one might say, most important thing: planning. Since the series is designed for complete beginners, we will go all the way from start to finish.

It is assumed that you have at least read about the OSI reference model and the TCP/IP protocol stack, and that you know about the existing types of VLANs, about the most popular of them today, port-based VLANs, and about IP addresses. We understand that "OSI" and "TCP/IP" are scary words for beginners. But don't worry, we are not using them to scare you. This is what you will deal with every day, so over this series we will try to reveal their meaning and relation to reality.

Let's start by setting the task. There is a certain company engaged, say, in the production of elevators that only go up, and therefore called Lift Me Up LLC. It is located in an old building on the Arbat, and the rotten cables plugged into scorched 10Base-T switches from another era are not expecting new servers to be connected over gigabit cards. So the company has a catastrophic need for network infrastructure, and money is no object, which gives you unlimited choice. This is the cherished dream of any engineer. And yesterday you passed the interview and, after a hard fight, rightfully received the position of network administrator. And now you are the first and only one of your kind there. Congratulations! What's next?

It is necessary to specify the situation a little:

  1. At the moment the company has two offices: 200 square meters on the Arbat for workplaces and a server room, with several providers available there, and another office on Rublyovka.
  2. There are four user groups: accounting (B), the financial and economic department (FEO), the production and technical department (PTO), and other users (D). There are also servers (C), which are placed in a separate group. All groups are separated and have no direct access to each other.
  3. Users of groups C, B and FEO will be only in the Arbat office; PTO and D will be in both offices.

Having estimated the number of users, required interfaces, communication channels, you prepare a network diagram and an IP plan.

When designing a network, you should try to adhere to a hierarchical network model, which has many advantages compared to a “flat network”:

  • easier understanding of network organization
  • the model implies modularity, which means that it is easy to expand capacity exactly where it is needed
  • easier to find and isolate the problem
  • increased fault tolerance due to duplication of devices and / or connections
  • distribution of functions to ensure network performance across various devices.

According to this model, the network is divided into three logical levels: the network core (Core layer: high-performance devices whose main purpose is fast transport), the distribution level (Distribution layer: enforces security policy, QoS, VLAN aggregation and routing, defines broadcast domains), and the access level (Access layer: usually L2 switches; purpose: connecting end devices, marking traffic for QoS, protection against network loops (STP) and broadcast storms, providing power to PoE devices).

On a scale like ours, the role of each device is blurred, but it is possible to logically separate the network.

Let's make an approximate diagram:


In the presented diagram, the core (Core) will be the router 2811, the switch 2960 will be assigned to the distribution level (Distribution), since all VLANs are aggregated into a common trunk on it. The 2950 switches will be Access devices. End users, office equipment, servers will be connected to them.

We will name the devices as follows: abbreviated city name (msk) - geographical location, street or building (arbat) - the device's role in the network + serial number.

According to their roles and location, we choose the hostnames:

  • router 2811: msk-arbat-gw1 (gw = GateWay);
  • switch 2960: msk-arbat-dsw1 (dsw = Distribution switch);
  • 2950 switches: msk-arbat-aswN, msk-rubl-asw1 (asw = Access switch).

Network Documentation

The entire network must be strictly documented: from the circuit diagram to the name of the interface.

Before proceeding with the setup, I would like to list the necessary documents and actions:

  • network diagrams L1, L2, L3 in accordance with the layers of the OSI model (physical, data link, network);
  • IP address plan = IP plan;
  • VLAN list;
  • interface labels (description);
  • list of devices (for each: the hardware model, installed IOS version, amount of RAM/NVRAM, list of interfaces);
  • labels on cables (where from and where to), including on power and ground cables and devices;
  • a single regulation that defines all the above parameters and others.

Bold is what we will monitor as part of the simulator program. Of course, all changes to the network must be made to the documentation and configuration to keep them up to date.

When we talk about labels / stickers on cables, we mean this:

This photo shows clearly that every cable is labelled, as is each breaker on the panel in the rack and each device.

Let's prepare the documents we need:

VLAN List

Each group will be allocated to a separate vlan. This way we will limit broadcast domains. We will also introduce a special VLAN for device management. VLAN numbers 4 to 100 are reserved for future use.

IP plan

The allocation of subnets is generally arbitrary, corresponding only to the number of nodes in the given local network, taking possible growth into account. In this example all subnets have a standard /24 mask (/24 = 255.255.255.0); these are often used in local networks, but not always. We advise you to read about network classes. Later we will turn to classless addressing (cisco). We understand that linking to technical articles on Wikipedia is bad manners, but they give a good definition, and we in turn will try to transfer it to the picture of the real world.

By a Point-to-Point network we mean the connection of one router to another in point-to-point mode. Usually addresses with a /30 mask are taken (returning to the topic of classless networks), that is, a subnet containing two host addresses. It will become clear later what this is about.

IP plan

IP address                     Note                      VLAN
172.16.0.0/16
172.16.0.0/24                  Server farm               3
172.16.0.1                     Gateway
172.16.0.2                     web
172.16.0.3                     file
172.16.0.4                     Mail
172.16.0.5 — 172.16.0.254      reserved
172.16.1.0/24                  Control                   2
172.16.1.1                     Gateway
172.16.1.2                     msk-arbat-dsw1
172.16.1.3                     msk-arbat-asw1
172.16.1.4                     msk-arbat-asw2
172.16.1.5                     msk-arbat-asw3
172.16.1.6                     msk-rubl-asw1
172.16.1.6 — 172.16.1.254      reserved
172.16.2.0/24                  Point-to-point network
172.16.2.1                     Gateway
172.16.2.2 — 172.16.2.254      reserved
172.16.3.0/24                  PTO                       101
172.16.3.1                     Gateway
172.16.3.2 — 172.16.3.254      Pool for users
172.16.4.0/24                  FEO                       102
172.16.4.1                     Gateway
172.16.4.2 — 172.16.4.254      Pool for users
172.16.5.0/24                  Accounting                103
172.16.5.1                     Gateway
172.16.5.2 — 172.16.5.254      Pool for users
172.16.6.0/24                  Other users               104
172.16.6.1                     Gateway
172.16.6.2 — 172.16.6.254      Pool for users

Equipment connection plan by ports

Of course, now there are switches with a bunch of 1Gb Ethernet ports, there are switches with 10G, there are 40Gb on advanced operator hardware that costs a lot of thousands of dollars, 100Gb is in development (and according to rumors, there are even such boards that have gone into industrial production). Accordingly, in the real world, you can choose switches and routers according to your needs, without forgetting your budget. In particular, a gigabit switch can now be bought inexpensively (20-30 thousand) and this is with a margin for the future (if you are not a provider, of course). A router with gigabit ports is already significantly more expensive than one with 100Mbps ports, but it's worth it because FE models (100Mbps FastEthernet) are outdated and their throughput is very low.

But in the emulator / simulator programs that we will use, unfortunately, there are only simple equipment models, so when modeling the network, we will start from what we have: cisco2811 router, cisco2960 and 2950 switches.

Device name       Port            Name              VLAN (Access)   VLAN (Trunk)
msk-arbat-gw1     FE0/1           uplink
                  FE0/0           msk-arbat-dsw1                    2,3,101,102,103,104
msk-arbat-dsw1    FE0/24          msk-arbat-gw1                     2,3,101,102,103,104
                  GE1/1           msk-arbat-asw1                    2,3
                  GE1/2           msk-arbat-asw3                    2,101,102,103,104
                  FE0/1           msk-rubl-asw1                     2,101,104
msk-arbat-asw1    GE1/1           msk-arbat-dsw1                    2,3
                  GE1/2           msk-arbat-asw2                    2,3
                  FE0/1           webserver         3
                  FE0/2           Fileserver        3
msk-arbat-asw2    GE1/1           msk-arbat-asw1                    2,3
                  FE0/1           mailserver        3
msk-arbat-asw3    GE1/1           msk-arbat-dsw1                    2,101,102,103,104
                  FE0/1-FE0/5     PTO               101
                  FE0/6-FE0/10    FEO               102
                  FE0/11-FE0/15   Accounting        103
                  FE0/16-FE0/24   Other             104
msk-rubl-asw1     FE0/24          msk-arbat-dsw1                    2,101,104
                  FE0/1-FE0/15    PTO               101
                  FE0/20          administrator     104

Why VLANs are distributed in this way, we will explain in the following parts.
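As an added example (not part of the original article), the following script loads the IP plan and the port plan above as data and checks them for the inconsistencies that creep into hand-maintained documentation: subnets outside the aggregate or overlapping each other, gateways that are not the first address of their subnet, named hosts that also fall inside a "reserved" range, trunks carrying VLANs absent from the VLAN list or missing the management VLAN, and trunk ends that disagree. The checks and the rule that a named host must not sit inside a reserved range are assumptions of this example; run as written, it flags the 172.16.1.6 entry that appears both as msk-rubl-asw1 and as the start of the reserved range.

```python
import ipaddress

AGGREGATE = ipaddress.ip_network("172.16.0.0/16")
MGMT_VLAN = 2   # the management VLAN that every trunk must carry

# Subnet -> (purpose, VLAN), transcribed from the IP plan above.
SUBNETS = {
    "172.16.0.0/24": ("Server farm", 3), "172.16.1.0/24": ("Control", 2),
    "172.16.2.0/24": ("Point-to-point network", None), "172.16.3.0/24": ("PTO", 101),
    "172.16.4.0/24": ("FEO", 102), "172.16.5.0/24": ("Accounting", 103),
    "172.16.6.0/24": ("Other users", 104),
}
# Individually assigned addresses, transcribed from the IP plan.
HOSTS = {
    "172.16.0.1": "Gateway", "172.16.0.2": "web", "172.16.0.3": "file",
    "172.16.0.4": "Mail", "172.16.1.1": "Gateway", "172.16.1.2": "msk-arbat-dsw1",
    "172.16.1.3": "msk-arbat-asw1", "172.16.1.4": "msk-arbat-asw2",
    "172.16.1.5": "msk-arbat-asw3", "172.16.1.6": "msk-rubl-asw1",
    "172.16.2.1": "Gateway", "172.16.3.1": "Gateway", "172.16.4.1": "Gateway",
    "172.16.5.1": "Gateway", "172.16.6.1": "Gateway",
}
# Reserved and user-pool ranges (first, last), transcribed from the IP plan.
RANGES = [
    ("172.16.0.5", "172.16.0.254"), ("172.16.1.6", "172.16.1.254"),
    ("172.16.2.2", "172.16.2.254"), ("172.16.3.2", "172.16.3.254"),
    ("172.16.4.2", "172.16.4.254"), ("172.16.5.2", "172.16.5.254"),
    ("172.16.6.2", "172.16.6.254"),
]
# Port plan rows: (device, port, peer/name, access VLAN, trunk VLAN set).
T_ALL, T_SRV, T_USR, T_RUBL = {2, 3, 101, 102, 103, 104}, {2, 3}, {2, 101, 102, 103, 104}, {2, 101, 104}
PORTS = [
    ("msk-arbat-gw1", "FE0/1", "uplink", None, None),
    ("msk-arbat-gw1", "FE0/0", "msk-arbat-dsw1", None, T_ALL),
    ("msk-arbat-dsw1", "FE0/24", "msk-arbat-gw1", None, T_ALL),
    ("msk-arbat-dsw1", "GE1/1", "msk-arbat-asw1", None, T_SRV),
    ("msk-arbat-dsw1", "GE1/2", "msk-arbat-asw3", None, T_USR),
    ("msk-arbat-dsw1", "FE0/1", "msk-rubl-asw1", None, T_RUBL),
    ("msk-arbat-asw1", "GE1/1", "msk-arbat-dsw1", None, T_SRV),
    ("msk-arbat-asw1", "GE1/2", "msk-arbat-asw2", None, T_SRV),
    ("msk-arbat-asw1", "FE0/1", "webserver", 3, None),
    ("msk-arbat-asw1", "FE0/2", "Fileserver", 3, None),
    ("msk-arbat-asw2", "GE1/1", "msk-arbat-asw1", None, T_SRV),
    ("msk-arbat-asw2", "FE0/1", "mailserver", 3, None),
    ("msk-arbat-asw3", "GE1/1", "msk-arbat-dsw1", None, T_USR),
    ("msk-arbat-asw3", "FE0/1-FE0/5", "PTO", 101, None),
    ("msk-arbat-asw3", "FE0/6-FE0/10", "FEO", 102, None),
    ("msk-arbat-asw3", "FE0/11-FE0/15", "Accounting", 103, None),
    ("msk-arbat-asw3", "FE0/16-FE0/24", "Other", 104, None),
    ("msk-rubl-asw1", "FE0/24", "msk-arbat-dsw1", None, T_RUBL),
    ("msk-rubl-asw1", "FE0/1-FE0/15", "PTO", 101, None),
    ("msk-rubl-asw1", "FE0/20", "administrator", 104, None),
]

def check_ip_plan():
    """Return a list of findings about the IP plan; empty means consistent."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in SUBNETS]
    for net in nets:
        if not net.subnet_of(AGGREGATE):
            findings.append(f"{net} lies outside the {AGGREGATE} aggregate")
        if any(net != o and net.overlaps(o) for o in nets):
            findings.append(f"{net} overlaps another planned subnet")
    for addr, name in HOSTS.items():
        ip = ipaddress.ip_address(addr)
        home = [n for n in nets if ip in n]
        if len(home) != 1:
            findings.append(f"{addr} ({name}) is not in exactly one planned subnet")
        elif name == "Gateway" and ip != home[0].network_address + 1:
            findings.append(f"gateway {addr} is not the first address of {home[0]}")
        for first, last in RANGES:   # a named host must not also be "reserved"
            if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
                findings.append(f"{addr} ({name}) also lies in range {first}-{last}")
    return findings

def check_port_plan():
    """Cross-check the port plan against the VLAN list and between trunk ends."""
    findings, trunks = [], {}
    known = {v for _, v in SUBNETS.values() if v is not None}
    for dev, port, peer, access, trunk in PORTS:
        if access is not None and access not in known:
            findings.append(f"{dev} {port}: access VLAN {access} not in VLAN list")
        if trunk is not None:
            if not trunk <= known:
                findings.append(f"{dev} {port}: undefined VLANs {sorted(trunk - known)}")
            if MGMT_VLAN not in trunk:
                findings.append(f"{dev} {port}: management VLAN {MGMT_VLAN} missing")
            trunks[(dev, peer)] = trunk
    for (dev, peer), vlans in trunks.items():   # both ends must agree
        other = trunks.get((peer, dev))
        if other is not None and other != vlans:
            findings.append(f"trunk {dev}<->{peer}: {sorted(vlans)} vs {sorted(other)}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_ip_plan() + check_port_plan() or ["plan is consistent"]))
```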

Network diagrams

Based on these data, all three network diagrams can be drawn at this stage. For this you can use Microsoft Visio, any free application (though you will be tied to its format), or graphics editors (you can even draw by hand, but it will be hard to keep up to date :)).

This is not open source propaganda, but for variety's sake let's use Dia. I consider it one of the best applications for working with diagrams under Linux. There is a version for Windows, but unfortunately it is not compatible with Visio.

L1

That is, in the L1 diagram, we reflect the physical devices of the network with port numbers: what is connected where.


L2

In the L2 diagram, we indicate our VLANs.


L3

In our example, the third-layer scheme turned out to be rather useless and not very visual, due to the presence of only one routing device. But over time, it will acquire details.


As you can see, the information in the documents is redundant. For example, VLAN numbers are repeated both in the diagram and in the port plan. It's like someone is on to something. As you feel more comfortable, do it. This redundancy makes it difficult to update in case of a configuration change, because you need to fix it in several places at once, but on the other hand, it makes it easier to understand.

We will return to this first article more than once, just as you will always have to return to what you originally planned. The actual task for those who are just starting to learn and are ready to put in the effort: read a lot about VLANs and IP addressing, and find the Packet Tracer and GNS3 programs. For fundamental theoretical knowledge we advise starting with Cisco Press books. This is something you absolutely need to know. In the next part everything will be done properly, with a video: we will learn how to connect to equipment, get acquainted with the interface, and explain what to do when a careless admin has forgotten the password.

With a kind smile, I now remember how anxiously humanity awaited the end of the world in 2000. That did not happen, but a completely different, and also very significant, event did.

Historically, at that time the world entered a real computer revolution v. 3.0: the start of cloud technologies for distributed data storage and processing. If the previous, "second" revolution was the mass transition to client-server technologies in the 1980s, the first can be considered the beginning of simultaneous work by users at separate terminals connected to so-called mainframes (in the 1960s). These revolutionary changes took place peacefully and imperceptibly for users, but affected the entire world of business along with information technology.

When moving IT infrastructure to the cloud and to remote data centers, organizing reliable communication channels from the client immediately becomes a key issue. On the Web one often sees offers from providers: "physical leased line, optical fiber", "L2 channel", "VPN" and so on. Let's try to figure out what is behind this in practice.

Communication channels - physical and virtual

1. Organizing a "physical line" or "second-layer channel, L2" is what the service of providing a dedicated cable (copper or fiber optic) or radio channel between offices and the sites where the data center equipment is deployed is commonly called. When ordering this service, in practice you will most likely receive a dedicated fiber optic channel for rent. This solution is attractive because the provider is responsible for reliable communication (and in case of cable damage restores the channel on its own). However, in real life the cable is not a single piece along its entire length: it consists of many interconnected (spliced) fragments, which somewhat reduces its reliability. Along the route of a fiber optic cable the provider has to use amplifiers and splitters, and modems at the end points.

Marketing materials place this solution, somewhat loosely, at the L2 (Data Link) layer of the OSI or TCP/IP network model: it lets you work, as it were, at the level of Ethernet frame switching in the LAN, without worrying about the many packet-routing problems of the next layer, the IP network layer. For example, you can continue to use so-called "private" IP addresses in the client's virtual networks instead of registered unique public addresses. Since private IP addresses are very convenient in local networks, special ranges have been allocated to users from the main address classes:

  • 10.0.0.0 - 10.255.255.255 in class A (with mask 255.0.0.0, or /8 in the alternative mask notation);
  • 100.64.0.0 - 100.127.255.255 in class A (with mask 255.192.0.0 or /10);
  • 172.16.0.0 - 172.31.255.255 in class B (with mask 255.240.0.0 or /12);
  • 192.168.0.0 - 192.168.255.255 in class C (with mask 255.255.0.0 or /16).

Such addresses are chosen by users themselves for "internal use" and may be repeated simultaneously in thousands of client networks, which is why packets with private addresses in the header are not routed on the Internet, to avoid confusion. To access the Internet, NAT (or another solution) has to be used on the client side.

Note: NAT - Network Address Translation (a mechanism for replacing the network addresses of transit packets in TCP/IP networks; it is used to route packets from the client's local network to other networks or the Internet, and in the opposite direction, inside the client's LAN, to the destination host).
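To make the two paragraphs above concrete, here is an added example (not code from the article) that classifies an address against the ranges listed and simulates the translation table a NAT gateway keeps: a LAN host's private source address and port are rewritten to the gateway's single public address and a fresh port on the way out, the reply is mapped back on the way in, and a packet from the Internet with no matching entry is dropped. The gateway class, addresses and ports are constructed for the illustration; the 100.64.0.0/10 range is labelled as the shared address space of RFC 6598 because, although it is listed alongside the RFC 1918 ranges, that is its formal status, and like them it is never routed on the public Internet.

```python
"""Private address ranges and a minimal NAT (NAPT) translation table.

Added example, not from the original article. Addresses and ports are
constructed sample values."""
import ipaddress

# Ranges from the article. 100.64.0.0/10 is formally the "shared address space"
# for carrier-grade NAT (RFC 6598) rather than RFC 1918 private space, but it is
# likewise never routed on the public Internet.
NON_PUBLIC = {
    "10.0.0.0/8": "private (RFC 1918)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.168.0.0/16": "private (RFC 1918)",
    "100.64.0.0/10": "shared address space (RFC 6598)",
}


def classify(addr):
    """Return the label of the non-public range containing addr, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for net, label in NON_PUBLIC.items():
        if ip in ipaddress.ip_network(net):
            return label
    return "public"


class NatGateway:
    """Source NAT with port translation (NAPT): all LAN hosts share one public IP.
    Packets are plain dicts with src, sport, dst, dport (constructed format)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (lan_ip, lan_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # (public port, dst_ip, dst_port) -> (lan_ip, lan_port)

    def lan_to_wan(self, pkt):
        """Rewrite a packet leaving the LAN. Returns None when the destination
        is itself non-public: such traffic stays inside and is not translated."""
        if classify(pkt["dst"]) != "public":
            return None
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound:
            # First packet of a flow: allocate a public port and remember both directions.
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.outbound[key]}

    def wan_to_lan(self, pkt):
        """Rewrite a reply arriving from the Internet. An unsolicited packet has
        no table entry, so it cannot be delivered and is dropped (None)."""
        lan = self.inbound.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if lan is None:
            return None
        return {**pkt, "dst": lan[0], "dport": lan[1]}


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5")
    out = gw.lan_to_wan({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.7", "dport": 443})
    print("outbound:", out)
    print("reply:", gw.wan_to_lan({"src": "198.51.100.7", "sport": 443,
                                   "dst": "203.0.113.5", "dport": out["sport"]}))
```

The drop of unsolicited inbound packets is the side effect that makes NAT look like a firewall; it is a consequence of the table, not a security policy, which is why the article below is right not to treat an L2 channel or NAT alone as a guarantee of protection.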

This approach (we are talking about a dedicated channel) has an obvious drawback: if the client's office moves, connecting at the new location may be seriously difficult and a change of provider may be needed.

The assertion that such a channel is much safer, better protected from attacks by intruders and from the mistakes of low-skilled technical staff, turns out on closer examination to be a myth. In practice, security problems often arise (or are deliberately created by an attacker) right on the client side, with the human factor involved.

2. Virtual circuits and VPNs (Virtual Private Networks) built on them are widely distributed and allow solving most of the client's tasks.

When a provider offers an "L2 VPN", this involves a choice among several possible "second layer" (L2) services:

VLAN - the client receives a virtual network between its offices and branches (in fact, the client's traffic passes through the provider's active equipment, which limits the speed);

Point-to-point connection PWE3 (pseudowire emulation in packet-switched networks) allows Ethernet frames to be passed between two nodes as if they were directly connected by a cable. For the client, what matters in this technology is that all transmitted frames are delivered to the remote point unchanged; the same happens in the opposite direction. This is possible because the client frame arriving at the provider's router is encapsulated in a higher-level data unit (an MPLS packet) and extracted at the endpoint;


Note: PWE3 - Pseudo-Wire Emulation Edge to Edge (a mechanism by which, from the user's point of view, they receive a dedicated connection).

MPLS - MultiProtocol Label Switching (a data transfer technology in which packets are assigned transport/service labels, and the path of data packets through the network is determined only by the label values, regardless of the transmission medium and of the protocol carried. Along the way new labels can be added when necessary or removed when their function has ended; the contents of the packets are neither parsed nor modified).

VPLS is a technology for emulating a LAN with multipoint connections. In this case the provider's network looks, from the client side, like a single switch that maintains a table of the MAC addresses of network devices. This virtual "switch" forwards an Ethernet frame arriving from the client's network according to its destination; for this the frame is encapsulated in an MPLS packet and then extracted.


Note: VPLS - Virtual Private LAN Service (a mechanism by which, from the user's point of view, their geographically dispersed networks are connected by virtual L2 links).

MAC - Media Access Control (the medium access control method; a MAC address is the unique 6-byte identifier of a network device, or of one of its interfaces, in Ethernet networks).
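The PWE3 and VPLS descriptions above both rest on the same mechanism: the customer's Ethernet frame is pushed under an MPLS label stack at the ingress provider edge (PE) and popped, unchanged, at the egress PE; VPLS adds MAC learning on top so that the provider network behaves like one switch. The following added example (not code from the article) models exactly that in pure Python: the 32-bit MPLS label entry as defined in RFC 3032 (20-bit label, 3-bit TC, bottom-of-stack bit, TTL), a two-label stack with the transport label on top and the pseudowire label at the bottom, and a VPLS instance that floods unknown destinations to all pseudowires and unicasts once the far-end MAC has been learned. PE names, label values and MAC addresses are constructed; there is no real MPLS control plane here, the label assignments are simply given.

```python
"""Ethernet frames over MPLS pseudowires (PWE3) and a VPLS-style virtual switch.

Added example, not from the original article. Labels, PE names and MAC
addresses are constructed for the illustration."""
import struct

# Constructed: the transport (LSP) label used to reach each remote PE.
TRANSPORT_LABEL = {"PE-B": 1001, "PE-C": 1002}


def mpls_label(label, tc=0, bottom=False, ttl=64):
    """Encode one MPLS label stack entry (RFC 3032): label(20) | TC(3) | S(1) | TTL(8)."""
    assert 0 <= label < (1 << 20) and 0 <= tc < 8
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def push_labels(frame, labels):
    """Ingress PE: prepend the stack, outermost label first, S bit set on the last one."""
    stack = b"".join(mpls_label(l, bottom=(i == len(labels) - 1))
                     for i, l in enumerate(labels))
    return stack + frame


def pop_labels(packet):
    """Egress PE: strip entries until the bottom-of-stack bit; return (labels, frame)."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", packet, off)
        off += 4
        labels.append(entry >> 12)
        if (entry >> 8) & 1:
            break
    return labels, packet[off:]


def eth_frame(dst, src, ethertype, payload):
    """Build a minimal Ethernet II frame from colon-separated MAC strings."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


class VplsInstance:
    """One customer's VPLS on a PE: a bridge whose 'ports' are the local
    attachment circuit plus one pseudowire to every other PE (full mesh)."""

    def __init__(self, local_pe, pw_labels):
        self.local_pe = local_pe
        self.pw_labels = pw_labels   # remote PE -> pseudowire (VC) label it expects from us
        self.mac_table = {}          # MAC -> "local" or the remote PE it lives behind

    def from_customer(self, frame):
        """Frame from the local site: learn the source MAC, then send it to the
        one PE that knows the destination, or flood to all PEs if unknown."""
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = "local"
        target = self.mac_table.get(dst)
        if target == "local":
            return {}                     # both hosts are on this site; nothing to tunnel
        targets = list(self.pw_labels) if target is None else [target]
        return {pe: push_labels(frame, [TRANSPORT_LABEL[pe], self.pw_labels[pe]])
                for pe in targets}

    def from_pseudowire(self, remote_pe, packet):
        """Packet arriving over a pseudowire: pop the labels, learn that the
        source MAC lives behind remote_pe, and hand the untouched frame to the
        local site. It is never forwarded onto other pseudowires (split horizon)."""
        _labels, frame = pop_labels(packet)
        self.mac_table[frame[6:12]] = remote_pe
        return frame


if __name__ == "__main__":
    pe_a = VplsInstance("PE-A", {"PE-B": 100, "PE-C": 101})
    f = eth_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", 0x0800, b"\x45" + b"\x00" * 19)
    for pe, pkt in pe_a.from_customer(f).items():
        print(pe, pop_labels(pkt)[0], pop_labels(pkt)[1] == f)
```

Two things the model makes visible: the customer frame comes out of pop_labels byte-for-byte identical to what went in (the PWE3 promise), and nothing in the label stack protects or authenticates that frame; isolation between customers rests entirely on the provider's label assignments.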


3. In the case of an "L3 VPN", the provider's network looks to the client like a single router with several interfaces. The client's local network therefore joins the provider's network at layer L3 of the OSI or TCP/IP network model.

Public IP addresses for the network junction points are determined in agreement with the provider (they may belong to the client or be obtained from the provider). IP addresses are configured by the client on their routers on both sides (private on the side of their local network, public on the provider side); further routing of data packets is provided by the provider. Technically, MPLS (see above) is used to implement such a solution, as well as GRE and IPsec.


Note: GRE - Generic Routing Encapsulation (a tunneling protocol that packages network packets and lets you establish a logical connection between two endpoints using protocol encapsulation at the L3 network layer; GRE itself does not encrypt or authenticate the packets, which is why it is combined with IPsec).

IPsec - IP Security (a set of protocols protecting data transmitted over IP; authentication, encryption and packet integrity checking are used).
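The division of labour between GRE and IPsec described in these notes is easiest to see on the wire. The following added example (not code from the article) builds an RFC 2784 GRE tunnel packet by hand: an inner IPv4 packet with private addresses is wrapped in a 4-byte GRE header and an outer IPv4 header (protocol 47) whose addresses are the public tunnel endpoints, then decapsulated with the outer header checksum verified. The inner_addresses function shows what anyone on the provider's path can read out of a bare GRE packet, which is the gap IPsec closes. All addresses are constructed documentation values; no IPsec is implemented here.

```python
"""GRE (RFC 2784) encapsulation of an IPv4 packet, built and parsed by hand.

Added example, not from the original article. Addresses are constructed."""
import ipaddress
import struct

GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header):
    """Standard ones'-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Outer IPv4 (proto 47) + 4-byte GRE header (no flags, version 0,
    protocol type 0x0800) + the inner packet, carried as-is."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet):
    """Check the outer header and return (tunnel_src, tunnel_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if outer[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:          # version field must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected payload protocol type")
    off = ihl + 4
    if flags_ver & 0x8000:          # C bit: 2-byte checksum + 2 reserved bytes follow
        off += 4
    src = str(ipaddress.IPv4Address(outer[12:16]))
    dst = str(ipaddress.IPv4Address(outer[16:20]))
    return src, dst, packet[off:]


def inner_addresses(packet):
    """What an observer on the provider network sees: GRE adds no encryption,
    so the inner (private) addresses and payload are readable in the clear."""
    _s, _d, inner = gre_decapsulate(packet)
    return (str(ipaddress.IPv4Address(inner[12:16])),
            str(ipaddress.IPv4Address(inner[16:20])))


if __name__ == "__main__":
    inner = ipv4_header("192.168.10.5", "192.168.20.7", 17, 8) + b"\x00" * 8
    tunnelled = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")
    print("outer:", gre_decapsulate(tunnelled)[:2], "inner:", inner_addresses(tunnelled))
```

In an L3 VPN built on GRE over IPsec the packet produced here would itself become the payload of an ESP packet, so that only the IPsec peers' addresses remain visible; that is the "for security" in the summary below.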

It is important to understand that modern network infrastructure is built so that the client sees only the part of it defined by the contract. Dedicated resources (virtual servers, routers, live and backup data storage), as well as running programs and the contents of memory, are completely isolated from other users. Several physical servers can work in concert and simultaneously for one client, to whom they look like one powerful server pool. Conversely, many virtual machines can be created on one physical server at the same time (each looks to the user like a separate computer with its own operating system). In addition to standard offerings, custom solutions are available which also meet the accepted requirements for the security of processing and storing customer data.

At the same time, the configuration of an "L3" network deployed in the cloud allows scaling to almost unlimited size (the Internet and large data centers are built on this principle). Dynamic routing protocols such as OSPF and others in L3 cloud networks make it possible to choose the shortest paths for routing data packets and to send packets over several paths simultaneously for load balancing and greater channel bandwidth.

At the same time, it is possible to deploy a virtual network at the "L2 level", which is typical for small data centers and for outdated (or highly specific) client applications. In some such cases even "L2 over L3" technology is used to ensure network compatibility and keep the applications working.

Summing up

To date, the tasks of the user or client can in most cases be solved effectively by organizing virtual private networks (VPNs), using GRE and IPsec technologies for security.

It doesn't make much sense to contrast L2 and L3, just as it doesn't make sense to consider an L2 channel offer the best solution for building reliable communication in your network, a panacea. Modern communication channels and provider equipment can pass a huge amount of information, and many dedicated channels leased by users are in fact underloaded. It is reasonable to use L2 only in special cases when the specifics of the task require it, taking into account the limits on future expansion of such a network and consulting a specialist. L3 VPNs, on the other hand, other things being equal, are more versatile and easier to operate.

This overview briefly lists modern standard solutions that are used when migrating local IT infrastructure to remote data centers. Each of them has its own consumer, advantages and disadvantages, the correct choice of solution depends on the specific task.

In real life, both layers of the network model, L2 and L3, work together, each responsible for its own task, and providers who set them against each other in advertising are frankly being disingenuous.
