Network security has been the primary concern of most enterprises and commercial organizations. It used to be seen as merely erecting a firewall between the network and the internet. Nowadays, managers are looking for ways to integrate security end to end across the organization, so that policies and capabilities reach every place and device in the network.
Routing and switching are the core technologies behind any network infrastructure. Major undertakings such as new network implementations, legacy network upgrades and optimization all depend on the routing and switching infrastructure to function effectively.
Wally World is a large enterprise comprising retail chains in the Midwest States. The company has a single corporate campus and 25 distribution centers that support 3000 locations. The enterprise network comprises a core backbone, corporate campus, two data centers, regional distribution centers, internet edge, and DMZ. The corporate campus supports the finance, operations, human resources, sales, marketing, technology and corporate executive departments.
This paper describes a sample troubleshooting and maintenance plan to aid network engineers and other system administrators in the course of network management. The plan considers a network redesign methodology and structure that focuses on VLAN segmentation, port security, VLAN attacks, spoofing attacks and secure network switches.
Routing and Switching Infrastructure
Wally World will implement virtual LANs (VLANs), and the best strategy is a deployment of switches and routers. With VLANs, the network is segmented so that Wally World employees can communicate with each other while security is enhanced at the same time. A VLAN separates a LAN into segments without using routers, and a single VLAN can be distributed across multiple switches.
Employees at their respective workstations will communicate without routers and hence will not receive any broadcast message from outside their VLAN. Workstations on a single VLAN form a single broadcast domain. Beyond security, segregating the network leads to efficiency, as network resources are controlled more effectively and congestion is eliminated. VLANs work by tagging frames with a VLAN identifier header. Tagging permits finer control over, and restriction of, the ports that tagged frames can traverse on the VLAN.
VLANs are favorable since they allow employees to share network resources with optimum performance. For instance, if a group of employees is working on a single project, they can be aggregated onto a single VLAN simply by changing the VLAN assignment of their switch ports.
In terms of security, VLANs allow switches and routers to be configured to drop packets that claim to originate from inside the network when in reality they originate from outside it. This configuration will also eliminate spoofing attacks and provide a mechanism for the router to establish encrypted, secure communication between local and trusted hosts only.
Routing infrastructure
Connecting two VLANs to the same Catalyst switch does not by itself deliver packets from one VLAN to the other. Routing between VLANs therefore requires a switch with Layer 3 routing capabilities or a router. The mechanism for this communication is inter-VLAN routing. Inter-VLAN routing can be established with a router that supports trunk links; a router with a single trunked Ethernet interface is used to route packets between the VLANs.
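The tagging, ingress filtering and trunk-based inter-VLAN routing described in the preceding sections, modelled as an added Python example that is not part of this paper: it assumes IEEE 802.1Q tagging, and the VLAN IDs, subnets and MAC addresses are constructed. The router accepts tagged frames on one trunk interface, drops frames from VLANs not permitted on the trunk or whose source address does not belong to the ingress VLAN, and returns the VLAN the frame is re-tagged with on egress.

```python
"""Model of inter-VLAN routing over one trunk (router-on-a-stick), constructed
example: tags follow IEEE 802.1Q; MACs, VLAN IDs and subnets are made up."""
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
# Hypothetical router subinterfaces: VLAN ID -> subnet routed for that VLAN.
SUBINTERFACES = {10: ipaddress.ip_network("192.168.10.0/24"),
                 20: ipaddress.ip_network("192.168.20.0/24")}
TRUNK_ALLOWED_VLANS = {10, 20}   # VLANs permitted to traverse the trunk port

def parse_tagged_frame(frame):
    """Return (vlan_id, inner_ethertype, payload) of an 802.1Q-tagged frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci, inner_type = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame received on trunk")
    return tci & 0x0FFF, inner_type, frame[18:]   # VID is the low 12 bits

def build_tagged_frame(dst_mac, src_mac, vlan_id, ethertype, payload):
    """Insert an 802.1Q tag (priority 0) between the MAC header and payload."""
    tag = struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, ethertype)
    return dst_mac + src_mac + tag + payload

def ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header for test traffic (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def route_frame(frame):
    """Return the egress VLAN ID for a tagged IPv4 frame, or None to drop it."""
    vlan_id, ethertype, payload = parse_tagged_frame(frame)
    if vlan_id not in TRUNK_ALLOWED_VLANS or vlan_id not in SUBINTERFACES:
        return None                     # VLAN not permitted on this trunk
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None                     # only IPv4 is routed in this model
    src_ip = ipaddress.ip_address(payload[12:16])
    dst_ip = ipaddress.ip_address(payload[16:20])
    # Anti-spoofing: the source must belong to the VLAN the frame arrived on.
    if src_ip not in SUBINTERFACES[vlan_id]:
        return None
    for egress_vlan, subnet in SUBINTERFACES.items():
        if dst_ip in subnet and egress_vlan != vlan_id:
            return egress_vlan          # router re-tags the frame with this VID
    return None                         # destination local to ingress VLAN or unknown
```

A frame from 192.168.10.5 tagged VLAN 10 and addressed to 192.168.20.7 is routed to VLAN 20, while the same frame tagged VLAN 10 but carrying a 192.168.20.x source is dropped as spoofed.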
Troubleshooting and Maintenance plan
Slow intra-VLAN and inter-VLAN connectivity is sometimes observed in a VLAN. Slow connectivity has multiple possible causes, which fall into three categories: slow collision-domain connectivity, slow broadcast-domain connectivity (a slow VLAN), and slow inter-VLAN connectivity.
Network slowness
A network is termed slow when higher-layer protocols take an extended amount of time to complete an operation that usually completes faster. The slowness is attributed to packet loss on the network, which causes higher-level protocols such as TCP to time out and retransmit.
Another type of slowness is caused by network equipment in which layer 2 or layer 3 forwarding is delayed because the device deviates from normal operation and falls back to slow-path forwarding. For instance, a misconfigured multilayer switch may try to forward L3 packets between VLANs in hardware but fail, so that forwarding is instead done by the router in software. This significantly impacts inter-VLAN forwarding.
Troubleshooting
In the case of a slow VLAN, the first troubleshooting step is to isolate collision-domain problems. Determine whether only users on the same collision domain are affected or the problem spans multiple domains. This is done by comparing data transfer rates between computers on the same collision domain with those of other domains, or with expected rates.
Once it has been established that the problem is confined to a single collision domain and the performance of other collision domains is normal, analysis of the port counters on the switch determines the cause of the trouble. Common problems include a duplex mismatch or an overloaded segment. These problems are also applicable when different collision domains exhibit the same performance issues. (A typical duplex mismatch arises when a switch is manually configured for full duplex on all ports in the VLAN while the hosts connected to those ports are auto-negotiating.)
Another problem is caused by a faulty NIC connected to a shared segment, which makes the whole shared segment appear slow. The troubleshooting procedure for this problem is to perform a data transfer between two hosts on the same segment as the suspected NIC, and then compare it with a transfer in which the suspected host is on a separate segment. It is important to distinguish between troubleshooting collision-domain slowness and VLAN slowness, because the two cases involve different scenarios. With collision-domain slowness, the problem lies outside the switch, in external factors; it may involve problems such as an oversubscribed segment, excess segment length, or hub/repeater issues.
Management plan
Establish whether the segment is overloaded or oversubscribed
Establish whether the segment is healthy and whether the recommended cable length, attenuation limits, absence of physical damage and other parameters are adhered to
Determine whether the NICs and network ports connected to the segment have compatible settings
Determine the performance and health of the NICs, including their drivers
Establish whether the network port continues to show increasing errors and whether the segment is overloaded
Troubleshooting slow intra-VLAN connectivity (broadcast domain)
After confirming that there is no duplex mismatch or collision problem as described above, intra-VLAN connectivity is worth troubleshooting. This is done by isolating the origin of the slowness: perform data transfers between hosts on the same VLAN but on different ports or collision domains. Comparing the performance with similar tests in other VLANs pinpoints the source of the problem. Possible causes include a traffic loop, an overloaded VLAN, congestion on the switch in-band path, switch management, ingress errors, or a cut-through switch.
A traffic loop is the most common cause of a slow VLAN; a typical trigger is a channel (link aggregation) configuration on Switch 1 that has no corresponding configuration on Switch 2. MAC addresses are then learned on incorrect ports as traffic is switched incorrectly, causing packet loss.
An indication that a VLAN is overloaded is that the Rx or Tx buffers on a port are oversubscribed; output discards or input discards on some ports indicate an overloaded port. The overloaded/oversubscribed VLAN scenario and the traffic loop usually go together, although they can occur separately. Overload can also occur on backbone ports when the aggregated bandwidth of the traffic was underestimated. Other notable problems to troubleshoot include Cisco Express Forwarding issues, asymmetric routing and bottlenecks.
Congestion on the switch in-band path can also lead to a spanning tree loop or other problems on the network. If the in-band path is overloaded, the switch experiences high CPU conditions.
Ingress errors on a cut-through switch relate to slow collision-domain connectivity: because errored frames are forwarded on to other segments, the problem appears to move between segments.
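The port-counter analysis described in the collision-domain troubleshooting section, the management plan item on increasing errors, and the discard indicators described above, worked through as an added Python example that is not part of this paper. The counter names, thresholds and readings are constructed; two snapshots are compared so that only counters that are still growing are treated as a live fault.

```python
# Triage of switch port counters between two snapshots. Constructed example:
# the counter names are ours (not a vendor's) and all readings are made up.
ERROR_GROWTH, DISCARD_GROWTH = 10, 100   # growth that counts as live (assumed)

def counter_deltas(before, after):
    """Growth of every numeric counter per port; duplex setting carried along."""
    deltas = {}
    for port, now in after.items():
        then = before.get(port, {})
        deltas[port] = {k: v - then.get(k, 0) for k, v in now.items() if k != "duplex"}
        deltas[port]["duplex"] = now["duplex"]
    return deltas

def classify_port(d):
    """Map counter growth on one port to the likely causes named in the text."""
    findings = []
    frame_errors = d["fcs_err"] + d["runts"]
    # Duplex mismatch: the full-duplex side logs FCS errors and runts while
    # the half-duplex side logs late collisions.
    if d["duplex"] == "full" and frame_errors >= ERROR_GROWTH:
        findings.append("duplex mismatch suspected (this is the full-duplex side)")
    elif d["duplex"] == "half" and d["late_col"] >= ERROR_GROWTH:
        findings.append("duplex mismatch suspected (this is the half-duplex side)")
    elif frame_errors >= ERROR_GROWTH:
        findings.append("faulty NIC or cabling suspected")  # errors, no mismatch signs
    # Overloaded / oversubscribed port: buffers drop frames in either direction.
    if d["out_discards"] >= DISCARD_GROWTH:
        findings.append("egress oversubscribed (output discards growing)")
    if d["in_discards"] >= DISCARD_GROWTH:
        findings.append("ingress oversubscribed (input discards growing)")
    return findings or ["healthy"]   # static historical counts are not a live fault

def triage(before, after):
    return {p: classify_port(d) for p, d in counter_deltas(before, after).items()}

def row(duplex, fcs_err, runts, late_col, in_discards, out_discards):
    return dict(duplex=duplex, fcs_err=fcs_err, runts=runts, late_col=late_col,
                in_discards=in_discards, out_discards=out_discards)

# Constructed readings a few minutes apart: Gi1/0/1 forced full duplex against an
# auto-negotiating host, Gi1/0/2 a half-duplex hub segment, Gi1/0/3 a busy uplink,
# Gi1/0/4 with old, non-growing FCS errors from a cable already replaced.
SNAPSHOT_T0 = {"Gi1/0/1": row("full", 40, 12, 0, 0, 0),
               "Gi1/0/2": row("half", 0, 0, 5, 0, 0),
               "Gi1/0/3": row("full", 0, 0, 0, 0, 900),
               "Gi1/0/4": row("full", 300, 0, 0, 0, 0)}
SNAPSHOT_T1 = {"Gi1/0/1": row("full", 95, 30, 0, 0, 0),
               "Gi1/0/2": row("half", 0, 0, 61, 0, 0),
               "Gi1/0/3": row("full", 0, 0, 0, 0, 2400),
               "Gi1/0/4": row("full", 300, 0, 0, 0, 0)}
```

Calling `triage(SNAPSHOT_T0, SNAPSHOT_T1)` flags Gi1/0/1 and Gi1/0/2 as the two sides of a duplex mismatch, Gi1/0/3 as oversubscribed on egress, and Gi1/0/4 as healthy despite its non-zero historical error count.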
Troubleshooting slow inter-VLAN connectivity
Slow inter-VLAN connectivity is a result of user misconfiguration. For instance, incorrectly configured MLS or MMLS results in packets being forwarded by the router CPU, which is the slow path. In order to eliminate misconfigurations and troubleshoot effectively, the network analyst needs to understand the forwarding mechanism used by the L3 forwarding device.
Another issue to check is shortcut-programming failure or the creation of incomplete shortcuts due to software bugs or hardware malfunction. A hardware malfunction leads to incomplete shortcut creation, which in turn causes a slow path or a black hole. Hardware malfunction is commonly the result of memory exhaustion or of equipment that is not designed to perform hardware switching.