Topic: tech juniper jndf prev
tech juniper jndf > 06: Creating the Design - Campus
Campus networks come in all shapes and size. The data centre may or may not be part of the campus.
The traditional 3-Tier design is complex, inefficient, costly, oversubscribed.
Begin to move away from the traditional approach. Centralise security into large or virtualised appliances.
Collapse the distribution and access layers. For instance, use the EX series’ virtual stacking technology to group access switches, reducing management complexity and reducing the number of uplinks.
One access point per 10-15 users, or per 400 square feet (37.2 square metres). As a rule of thumb, reserve 10% of wired ports for wireless access points. AP’s require 1Gbit/s PoE ports.
Good user experience is essential.
One key concern when implementing BYOD is to ensure that the company’s users and assets are protected. Unless a device is properly authenticated, it should be granted no access to the network, or generalised access to the Internet only.
Other considerations include the placement of access points throughout the building. Because the number of users on the network is changing and unknown, the IP subnet scopes for internal and external users must be considered carefully.
A common approach to user isolation is to use an isolated ‘guest’ VLAN for guest users, and ideally a unique routing instance (VRF). The isolated routing instance is usually applied at the first Layer 3 device in the network, and traffic remains in this routing instance until it exits the network at the Internet edge.
For example, use /22 subnets for VLAN’s with many connected devices, such as wired and wireless access networks. Use /24 subnets for VLAN’s with fewer devices, such as the CCTV and server VLAN’s.
Decide where routing between these subnets will occur. In Layer 3 access designs, routing occurs between access layer switches, so the subnets must be unique to each access layer switch. In Layer 2 access designs, the subnets can be stretched across access layer switches, because routing is done in the core.
User 802.1X authentication to assign a device to a VLAN based on user credentials, checked against LDAP.
For devices that do not support 802.1X, such as some legacy IP phones and printers, use MAC address authentication to ensure that only the allowed MAC address can communicate on a port.
LLDP-MED (Media Endpoint Discovery) can assign, for instance, IP phones to a voice VLAN.
EX Series switches support 802.1X authentication in three modes:
CoS is generally needed in the campus network due to the convergence of data and voice networks. Decisions should consider reported packet drops on interfaces, and end user quality of experience (QoE).
Using high bandwidth links between the various layers will meet most of the Unified Communications and Collaboration (UCC) requirements, it is recommended to still define and implement an end-to-end quality of service (QoS) plan for USS traffic, to ensure that the users’ QoE does not degrade when traffic levels spike.
A switch can be categorised as non-blocking, if its internal resources can accommodate ingress and egress traffic flows on all interfaces at their maximum rate. Switches which cannot accommodate such traffic flows are categorised as blocking. In reality, it is unlikely that this matters, as it is unlikely that all interfaces will be maxed out at the same time.
Network oversubscription between layers occurs when the bandwidth demand on the downstream interfaces is higher than the bandwidth available on the upstream interfaces on the same device. The subscription ratio depends on the customer’s requirements. A starting point of 20:1 is often used.
The Layer 2 access with looped topology design can be improved by using a virtual chassis at the aggregation layer. This topology removes loops and puts links into LAG’s, leading to all links forwarding traffic. Convergence is faster, because STP is no longer used. A FHRP is no longer required.
The Layer 2 access with looped topology and virtual chassis at the aggregation layer can be improved by using virtural chassis at the access layer. This reduces the configuration complexity at the access layer.
The design can be improved again by implementing Layer 3 routing at the access layer. There are fewer IP subnets and fewer unique configurations. Juniper switches do not have additional licencing costs for Layer 3 features.
Spanning tree is still required to work with legacy core devices that do not support LAG. The default spanning tree mode for EX Series switches is RSTP. The roto bridge should be placed so as to maintain the MAC addresses for the Layer 2 environment. In practice, this means the root bridge being in the aggregation layer. Spanning tree should be protected with BPDU protection, root protection, and loop protection.