Note 1: The switch image used is "Vios_l2-ADVENTERPRISEK9-M - 15.2(20200924:215240)". It does not support stacking, which adds complexity to the design.
Overview
> Building B
The building houses end users assigned to 16 networks, each with its own VLAN. VTP propagates the VLANs, with B-00-SW01 acting as the VTP server for the domain. I assumed VLAN adjacency among access switches, meaning every access switch carries the same set of VLANs.
As mentioned in Note 1, the two distribution-layer switches, B-00-SW01 and B-00-SW02, operate independently. For this reason, VRRP is needed so that the first-hop gateway of each VLAN stays reachable even when one switch fails. RSTP is also required because the design has multiple paths at Layer 2 (data link layer).
The first eight of the 16 user VLANs are 100 to 107; their root bridge and VRRP master are on B-00-SW01. The other eight VLANs, 108 to 116, have their root bridge and VRRP master on B-00-SW02. Finally, an L2 EtherChannel between the distribution switches closes the STP loop and provides a lower-cost path if an access-layer link fails.
Note: EtherChannel load balancing by source and destination IP can be inefficient. In a data stream where the source and destination never change, the same physical link is always used. Balancing by source and destination port (L4) would spread such flows better. Due to software limitations on the switches, load balancing is configured at L3 only.
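The distribution-switch configuration the three paragraphs above describe, as an added example that is not part of the original project's configuration files: rapid PVST with the root split across the two VLAN groups, the L2 EtherChannel to B-00-SW02 with the only hashing mode the image offers, and VRRP with a higher priority on the VLANs this switch owns. The VTP domain name, IP subnets (10.<VLAN>.0.0/24), VRRP group numbers and interface names are constructed for the example; only the hostnames and VLAN ranges come from the text.

```cisco
! B-00-SW01 (distribution). Subnets, VRRP groups, VTP domain and port
! names are constructed for this example; the page does not give them.
vtp domain BUILDING-B
vtp mode server
!
spanning-tree mode rapid-pvst
! Root for the first eight user VLANs here, backup root for the others;
! B-00-SW02 mirrors this with the VLAN ranges swapped.
spanning-tree vlan 100-107 root primary
spanning-tree vlan 108-116 root secondary
!
! L2 EtherChannel towards B-00-SW02: closes the STP loop and gives a
! low-cost path if an access-layer uplink fails. src-dst-ip hashing is
! the L3 mode the note above refers to.
port-channel load-balance src-dst-ip
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface range GigabitEthernet0/0 - 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
! VRRP: master for VLAN 100 here (priority 110), backup for VLAN 108
! (priority 100, the default). The remaining VLANs follow the same pattern,
! and B-00-SW02 uses the opposite priorities.
interface Vlan100
 ip address 10.100.0.2 255.255.255.0
 vrrp 100 ip 10.100.0.1
 vrrp 100 priority 110
 vrrp 100 preempt
interface Vlan108
 ip address 10.108.0.2 255.255.255.0
 vrrp 108 ip 10.108.0.1
 vrrp 108 priority 100
 vrrp 108 preempt
```

Keeping the STP root and the VRRP master on the same switch for a given VLAN matters: if they diverge, frames from an access switch travel to the root and then cross the inter-switch EtherChannel to reach the gateway, which is exactly the extra hop the split design is meant to avoid. `show spanning-tree vlan 100` and `show vrrp brief` on both switches confirm the pairing.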
> Data Center
To stay within the study program, I used the service package installed on the routers. A dedicated server has more advantages than a router, but its setup is beyond the scope of the project.
Each service is bound to a virtual loopback interface to ensure availability. This provides fault tolerance, since only one physical interface needs to be up: if just one of four physical interfaces works, the device stays reachable. Every connection is Layer 3 (network layer), which limits broadcast domains and removes the need for STP on redundant paths. OSPF only needs to form adjacencies between devices and then picks the best route for each destination. If a route fails, OSPF finds an alternative and traffic continues uninterrupted. In addition, the data center runs OSPF in area 1, isolating it from the other area so that a problem in one does not affect the other. Finally, a key component is the L3 EtherChannel connecting switches A-03-SV01 and A-03-SV02, which prevents a blackhole scenario: upstream devices still hold a route to the service, while the switches in charge of forwarding traffic on to that service have lost theirs.
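An added example of the data-center pattern just described (not the project's own configuration): a service router that holds its service address on Loopback0 and advertises it over two routed point-to-point links, and A-03-SV01 with every port routed, OSPF in area 1, and the L3 EtherChannel to A-03-SV02. The hostname SVC-RT01, all addresses and interface names are constructed; the page names only A-03-SV01 and A-03-SV02 and area 1.

```cisco
! Service router (constructed hostname SVC-RT01). The service listens on
! Loopback0, so it stays reachable while any one physical link is up.
hostname SVC-RT01
interface Loopback0
 ip address 10.3.255.1 255.255.255.255
 ip ospf 1 area 1
interface GigabitEthernet0/0
 description to A-03-SV01
 ip address 10.3.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 1
interface GigabitEthernet0/1
 description to A-03-SV02
 ip address 10.3.1.6 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 1
router ospf 1
 router-id 10.3.255.1
 passive-interface Loopback0
!
! A-03-SV01: every link is routed (no VLANs, no STP). The L3 EtherChannel
! to A-03-SV02 keeps a path to the service if this switch loses its own
! link to SVC-RT01, so upstream traffic is not blackholed here.
hostname A-03-SV01
interface Port-channel1
 no switchport
 ip address 10.3.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 1
interface range GigabitEthernet1/0 - 1
 no switchport
 channel-group 1 mode active
interface GigabitEthernet0/0
 description to SVC-RT01
 no switchport
 ip address 10.3.1.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 1
router ospf 1
 router-id 10.3.0.11
```

With `ip ospf network point-to-point` on the /30 links there is no DR/BDR election and adjacency comes up faster after a link event. To verify the blackhole protection, shut A-03-SV01's link to SVC-RT01 and check that `show ip route 10.3.255.1` on A-03-SV01 now points across Port-channel1 rather than disappearing.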
> Building C
Building C is a branch in another area. It has its own independent network and internet connection. Router C-00-RT01 uses PAT (NAT overload) for its external connections but not for connections to resources in the main office. Instead, ACLs classify that traffic and send it through an IPsec tunnel with IKEv2 to router A-00-VPN01. Finally, the core distributes the traffic to the destination resource, which could be a service in the data center. The image below shows the data flow to the internet in blue and the flow to a service in the data center in light blue.
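The branch-router split the paragraph describes, as an added example rather than the project's configuration: one ACL selects main-office traffic for the tunnel, the PAT ACL denies that same traffic before permitting the rest to the internet, and an IKEv2 profile plus crypto map carries it to A-00-VPN01. The branch LAN 172.16.30.0/24, the main-office aggregate 10.0.0.0/8, the outside addresses 198.51.100.0/30, the object names and the pre-shared-key placeholders are all constructed; only the hostnames and the IKEv2/IPsec choice come from the text.

```cisco
! C-00-RT01. Address ranges, ACL/profile names and the PSK placeholders are
! constructed; the page only names the peer A-00-VPN01.
! Branch LAN 172.16.30.0/24, main office 10.0.0.0/8,
! outside 198.51.100.2, peer A-00-VPN01 at 198.51.100.1.
!
! Tunnel selector, and the PAT list that exempts it (deny before permit).
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.30.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended NAT-TRAFFIC
 deny   ip 172.16.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 172.16.30.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
!
! IKEv2: proposal and policy, a keyring for the peer, and a profile that
! binds identity, authentication method and keyring together.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring IKEV2-KR
 peer A-00-VPN01
  address 198.51.100.1
  pre-shared-key local  REPLACE-WITH-LOCAL-PSK
  pre-shared-key remote REPLACE-WITH-REMOTE-PSK
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
!
! IPsec: transform set and a crypto map applied on the outside interface.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN-MAP
interface GigabitEthernet0/1
 description Branch LAN
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
```

The order of the two ACLs is the point to check: NAT runs before the crypto map on the outbound path, so if NAT-TRAFFIC did not deny the main-office prefix, packets would be translated to 198.51.100.2 and no longer match VPN-TRAFFIC, and the tunnel would never see them. `show crypto ikev2 sa` and `show crypto ipsec sa` should show the SA with encapsulation counters rising while `show ip nat translations` shows only internet-bound flows.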
> Building A
For internal communications, OSPF in area 0 employs the Dijkstra algorithm to find the best route within the core network. Additionally, BFD quickly detects faults on the links connecting two devices. Together, OSPF and BFD minimize the time needed to detect a failure and find a new path to the destination. For internet communications, BGP runs on routers A-00-RT01 and A-00-RT02. These routers operate in dual multi-homed mode and connect to two service providers, ISP10 and ISP20.
As explained in Note 1, the core switches, A-00-SW01 and A-00-SW02, operate independently. Therefore, to add backup links for higher availability between the core and a new block, we must create two networks for each device added to the layer, one connecting to switch SW01 and another to SW02. To avoid adding more complexity to the network, I decided not to add new blocks and connected the devices directly to the core.
Note 2: The same switch image described in Note 1 has an issue with NAT. I entered the configuration by command, but it does not perform the translation: no ACL counter increases, and debug produces no visible logs.
I applied routing policies at the core switches to ensure uniform traffic distribution. These policies guarantee that traffic from NAT router A-00-NAT01 always ends up at internet router A-00-RT01, and vice versa, regardless of which core switch it passes through, A-00-SW01 or A-00-SW02. Lastly, both internet routers have a BGP weight configuration that prioritizes ISP10 on A-00-RT01 and ISP20 on A-00-RT02. Additionally, both use BGP AS-path prepending to ensure that traffic leaving through one internet provider returns through the same provider.
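An added example covering the Building A core and edge described in the two paragraphs above (not taken from the project's files): OSPF area 0 with BFD on a core link, a policy route-map on A-00-SW01 that pins traffic arriving from A-00-NAT01 to A-00-RT01, and on A-00-RT01 a BGP weight favouring ISP10 with AS-path prepending toward ISP20. Interface names, all addresses, the local AS 65000, the provider ASNs 65010/65020 and the NAT01 public range 203.0.113.0/26 are constructed; PBR support on the switch image is assumed.

```cisco
! A-00-SW01 (core). Interface names, addresses and ASNs are constructed;
! the page names only the devices and the providers ISP10/ISP20.
interface GigabitEthernet0/0
 description to A-00-RT01
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 bfd interval 300 min_rx 300 multiplier 3
router ospf 1
 router-id 10.0.255.1
 bfd all-interfaces
!
! Policy routing (assumed supported on this image): traffic sourced from
! A-00-NAT01's public range is handed to A-00-RT01 regardless of the IGP's
! equal-cost choice, so the NAT01/RT01 pairing stays consistent.
ip access-list extended FROM-NAT01
 permit ip 203.0.113.0 0.0.0.63 any
route-map NAT01-TO-RT01 permit 10
 match ip address FROM-NAT01
 set ip next-hop 10.0.0.2
interface GigabitEthernet0/2
 description to A-00-NAT01
 no switchport
 ip address 10.0.0.9 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 ip policy route-map NAT01-TO-RT01
!
! A-00-RT01 (internet edge). Outbound: weight prefers ISP10 (AS 65010).
! Inbound: prepend our AS toward ISP20 (AS 65020) so return traffic for
! flows that left via ISP10 also comes back via ISP10. A-00-RT02 mirrors
! this with the providers swapped.
router bgp 65000
 bgp router-id 10.0.255.11
 neighbor 192.0.2.1 remote-as 65010
 neighbor 192.0.2.1 description ISP10
 neighbor 192.0.2.1 weight 200
 neighbor 192.0.2.5 remote-as 65020
 neighbor 192.0.2.5 description ISP20
 neighbor 192.0.2.5 weight 100
 neighbor 192.0.2.5 route-map PREPEND-OUT out
 network 203.0.113.0 mask 255.255.255.0
route-map PREPEND-OUT permit 10
 set as-path prepend 65000 65000 65000
```

Weight is local to the router, which is why it alone cannot make the return path symmetric; the prepend toward the non-preferred provider is what nudges inbound traffic onto the same ISP. Verify with `show bfd neighbors` (state Up on the core link), `show ip bgp` (the ISP10 path carrying the higher weight), and `show ip policy` plus `show route-map NAT01-TO-RT01` to see the PBR match counters increase.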
To address the issue described in Note 2, I added two routers to perform the PAT functions that the switches in Building B could not handle. I split an IP address block simulating public addresses into three parts: one for servers and two for NAT. The NAT parts were assigned to routers A-00-NAT01 and A-00-NAT02.
Traffic from the first eight user VLANs is sent to switch B-00-SW01 as its default gateway. From there, it travels through a GRE tunnel to router A-00-NAT01, which translates the private source address to a public IP address. Finally, the traffic reaches router A-00-RT01 and exits to the internet via ISP10.
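The GRE leg of that path, as an added example that is not the project's configuration: B-00-SW01 sends its default route into a tunnel whose endpoints are loopbacks, and A-00-NAT01 terminates the tunnel as a NAT-inside interface and translates onto its share of the simulated public block with a pool. The loopback and tunnel addresses, the user subnets 10.100.0.0/24 to 10.107.0.0/24, and the pool 203.0.113.1-62 are constructed; reachability of the tunnel destinations via OSPF is assumed.

```cisco
! B-00-SW01: user VLANs 100-107 leave via a GRE tunnel to A-00-NAT01.
! Tunnel and loopback addresses are constructed; the tunnel destination is
! assumed to be learned through OSPF.
interface Loopback0
 ip address 10.1.255.1 255.255.255.255
interface Tunnel1
 description GRE to A-00-NAT01
 ip address 10.254.1.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.255.21
 ip mtu 1400
 ip tcp adjust-mss 1360
! Internal destinations are reached via OSPF; everything else (internet)
! follows this default into the tunnel.
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
! A-00-NAT01: terminates the tunnel and PATs user traffic onto its part of
! the simulated public block (203.0.113.0/26, constructed) before handing
! it to the core towards A-00-RT01.
interface Loopback0
 ip address 10.0.255.21 255.255.255.255
interface Tunnel1
 description GRE from B-00-SW01
 ip address 10.254.1.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.1.255.1
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat inside
interface GigabitEthernet0/0
 description to core (A-00-SW01)
 ip address 10.0.0.10 255.255.255.252
 ip nat outside
! VLANs 100-103 and 104-107 each fit one wildcard block.
ip access-list extended INSIDE-USERS
 permit ip 10.100.0.0 0.3.255.255 any
 permit ip 10.104.0.0 0.3.255.255 any
ip nat pool NAT01-POOL 203.0.113.1 203.0.113.62 netmask 255.255.255.192
ip nat inside source list INSIDE-USERS pool NAT01-POOL overload
```

Sourcing the tunnel from loopbacks means it survives the loss of any single physical link between the buildings, as long as OSPF still has a route to the far loopback. The reduced `ip mtu` and `adjust-mss` avoid fragmentation after the 24-byte GRE header is added. `show interfaces Tunnel1` on both ends should show line protocol up, and `show ip nat statistics` on A-00-NAT01 should count hits against INSIDE-USERS.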
Note 3: Inconsistent path selection could deliver packets out of order at the receiver, affecting order-sensitive communications such as phone calls. However, overly restrictive rules could underutilize the available multiple paths.
If you want to download the configuration files, click here!