My top ten networking rules.
10. Always segment traffic. Storage traffic should be on a storage VLAN, backup traffic on a backup VLAN, and database traffic, guess where, on the database VLAN. I even promote further segregation: prod, stage, test, and dev VLANs.
9. Scan your network. If you properly segment traffic, you should never see SSH on your database VLAN. If you do, it should throw a big red flag and be investigated.
8. Always allow all VLANs at the core; filter which VLANs are allowed at the aggregation / distro layer. The core should be static. The core is the backbone upon which your network is built. It should be redundant and bulletproof. Admins should almost never log in. The core should be transparent.
7. Create ACLs. Some protocols should not transit the network (telnet, NetBIOS). Server administrators should filter out 90% of unnecessary traffic. Network admins should put in rules in case the server administrators are lazy, and to catch the other 10%.
6. There shalt not be more than 5 network devices between the user and the internet (or the VoIP phone and the router), not including firewalls. So in the worst case, a user PC connects to an access layer switch, to the aggregation layer switch, to the distro switch, to the core switch, to the core router.
5. There shalt not be more than 4 layers of switches between the top and the bottom of any network. (Thanks for your rebuttal, Kevin; I still don't agree. This rule is a sign of good design. I think you should re-evaluate; 6 layers is more than excessive. I know I break the Cisco mold. The data center stack should be directly connected to the core, but on the client side and the access layer you should not have more than four layers: core, distro, aggregation, access. How would you name 6 layers?)
4. There shalt never be more than 3 devices between server and server; this includes servers in other data centers. In the worst case, a server connects to the data center edge switch, to the core, to a different data center edge switch.
3. Avoid oversubscription. In the data center the rule is 1.2:1 for 1G, 8.4:1 for 10G.
2. The core router should be used for network ingress and egress traffic only.
1. Always route at the access layer if possible. Layer 3 switches provide greater throughput and routing speeds for trivial routing. VoIP behaves better if you route as close to the user as possible.
Last but not least: keep it simple. Always err towards simplicity; complexity kills.
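Rules 9 and 7 can be checked mechanically from scan output. The following is an added example, not part of the original post: it reads nmap grepable (-oG) lines and flags any open port that a VLAN's policy does not expect, plus telnet/NetBIOS anywhere. The subnets, allowed ports and scan lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed policy (hypothetical subnets and ports, not from the original post):
# each VLAN's subnet and the ports expected to be open on it.
VLAN_POLICY = {
    "database": (ipaddress.ip_network("10.0.30.0/24"), {5432}),
    "storage": (ipaddress.ip_network("10.0.40.0/24"), {2049, 3260}),
    "backup": (ipaddress.ip_network("10.0.50.0/24"), {10000}),
}
# Rule 7: protocols that should not be on the network at all (telnet, NetBIOS).
BANNED_EVERYWHERE = {23, 137, 138, 139}

# Constructed sample in nmap grepable (-oG) format; not real scan data.
SAMPLE_SCAN = (
    "Host: 10.0.30.11 ()\tPorts: 5432/open/tcp//postgresql///\n"
    "Host: 10.0.30.12 ()\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\n"
    "Host: 10.0.40.7 ()\tPorts: 2049/open/tcp//nfs///, 23/open/tcp//telnet///\n"
    "Host: 10.0.50.3 ()\tPorts: 10000/closed/tcp//ndmp///, 139/filtered/tcp//netbios-ssn///\n"
    "Host: 192.168.9.9 ()\tPorts: 80/open/tcp//http///\n"
)
HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)")

def open_ports(scan_text):
    """Yield (ip, port, service) for every port reported open in -oG output."""
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 5 and fields[1] == "open":
                yield ip, int(fields[0]), fields[4]

def vlan_of(ip):
    """Return the policy VLAN name containing ip, or None."""
    for name, (net, _) in VLAN_POLICY.items():
        if ip in net:
            return name
    return None

def find_violations(scan_text):
    """Return sorted (vlan, ip, port, service, reason) tuples to investigate."""
    out = []
    for ip, port, svc in open_ports(scan_text):
        vlan = vlan_of(ip)
        if port in BANNED_EVERYWHERE:
            out.append((vlan or "unassigned", str(ip), port, svc, "banned protocol"))
        elif vlan is None:
            out.append(("unassigned", str(ip), port, svc, "host outside known VLANs"))
        elif port not in VLAN_POLICY[vlan][1]:
            out.append((vlan, str(ip), port, svc, "unexpected service on VLAN"))
    return sorted(out)
```

Closed and filtered ports are ignored on purpose: they show an ACL or host firewall doing its job, while an open, unexpected port is the red flag rule 9 describes.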
2 Comments:
I have worked in networking for 25 years. I started in the tops and BITNET networks. Rule #5 is just wrong. How do you connect 25k users with only 4 layers? Simple answer: you can't. On my network we have 6 layers. We have 3 in the data centers as Cisco recommends and we have 6 for the client access layers. You do the math: we have 48 ports per switch at the access layer. Each switch is uplinked with 4 10GbE connections to concentrators. The 48-port concentrators are uplinked with 8 10GbE to the floor switches.
The floor switches connect with 12 10GbE connections to the intra-floor aggregation switches. The aggregation switches connect with 16 10GbE to the distros and then to the core. Each distro is uplinked to the core with 32 10GbE connections. We are maxing out our Cisco 7018 chassis' (plural) with our connections. If we could get more connections we would use them. Cisco told us we are a unique customer. I doubt that; I just think other businesses have taken shortcuts and have more oversubscription. We have a very efficient network; I can get from any desktop to the border router in ~.6ms. I have seen much worse in corporate environments. You try it and tell me how fast your network is.
OK, I finally did the math. I still think you're wrong. 523 access switches at least, so I will use 600 for my estimates. So 2400 uplinks with 2 going to each switch. If you use Fecs you are limited to a 12 to 1 uplink ratio, so 60 5548's with 8 uplinks apiece, 4 going to each distro switch. Two distros uplinked to the core with 16 connections, 8 going to each. Two core switches. You would have to invest in more single mode probably, but it's definitely doable and scalable at 4 layers, which is rule #5. So doing the math, I wanted to figure out how many client connections would be required to scale past 4 layers. Here you go. Two Nexus 7010 cores, 320 10GbE ports per, so 80 possible distros. A max possibility of 3200 aggregation switches. A max of 256k access switches. Oh well, this is pointless; with 4 layers you could support 12M access layer ports. So, I will again state Rule #5 stands.