Example of the simplest distributed backbone network

Good day to the community and as they say "congratulations on the start" :)

Introduction

For various reasons, I decided to summarize what I have accumulated over the years and share it with this very community.

Format: High Level Network/Security Design (exclusively for professionals)

I am counting on criticism and maybe someone will find it useful.

Well, let's take a deep breath and get started!

Layer 1 Core

Topology


Example of a distributed backbone network with three nodes and one central server.

Comments

  • The core is built on the basis of two pairs of MLAG switches with L3 routing support

  • The network perimeter (as well as zoning) is implemented using two NGFW clusters

  • The backbone network is a physical ring with two IP channels from two independent telecom operators

  • External connectivity is provided by 4 IP channels from two independent telecom operators (two for each data center)

Layer 1 Infrastructure

Topology


Diagram of node interaction in a distributed backbone network.

Comments

  • Infrastructure channels are built on the basis of two independent cloud operators

Layer 2 Core

Topology


Diagram of a distributed network with data routes indicated.

Comments

  • Network core redundancy is achieved through LACP-based aggregation

  • All interfaces operate in 802.1Q trunk mode

  • L2 QoS ensures guaranteed delivery of Control Plane protocols

  • Unused ports are logically disabled and moved to an isolated VLAN

Layer 2 Infrastructure

Topology


Example of a distributed backbone network topology.

Comments

  • Fault tolerance is achieved through LACP-based aggregation

STP Core

Topology


Diagram of data transmission in a distributed network.

Comments

  • To ensure network stability, the topology is represented by two isolated STP domains

  • BPDU filters are enabled on all external ports
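Two of the rules above are easy to lose during day-to-day changes: unused ports must stay shut down and parked in the isolated VLAN (Layer 2 Core), and external ports must keep their BPDU filter (this section). The following audit script is an added example, not configuration from the author's network; it assumes an IOS-like config syntax, a quarantine VLAN id of 999, and interface descriptions that mark a port as "unused" or as "external-…" (all three are assumptions), and it runs over a constructed sample config embedded in the block.

```python
"""Audit a switch running-config for two L2 rules of this design:
unused ports shut down and parked in an isolated VLAN, and BPDU
filtering enabled on external ports."""
import re
from typing import Dict, List, Optional, Tuple

# Assumptions, not taken from the original design: an IOS-like config syntax,
# a dedicated quarantine VLAN id, and interface descriptions that mark a port
# as unused or as facing an external party.
QUARANTINE_VLAN = 999
UNUSED_MARK = "unused"
EXTERNAL_PREFIX = "external-"

# Constructed sample: one compliant and one non-compliant port of each kind.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink-to-core-A
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description external-operator-A
 switchport mode access
 switchport access vlan 20
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 description external-operator-B
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/5
 description unused
 switchport mode access
 switchport access vlan 10
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stripped config lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return stanzas


def description(lines: List[str]) -> str:
    """Return the interface description, or "" when none is configured."""
    for line in lines:
        if line.startswith("description "):
            return line.split(None, 1)[1]
    return ""


def access_vlan(lines: List[str]) -> Optional[int]:
    """Return the configured access VLAN id, or None."""
    for line in lines:
        match = re.fullmatch(r"switchport access vlan (\d+)", line)
        if match:
            return int(match.group(1))
    return None


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (interface, problem) pairs for every violated rule."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        desc = description(lines)
        if desc == UNUSED_MARK:
            if "shutdown" not in lines:
                findings.append((name, "unused port is not shut down"))
            if access_vlan(lines) != QUARANTINE_VLAN:
                findings.append((name, f"unused port is not in quarantine VLAN {QUARANTINE_VLAN}"))
        elif desc.startswith(EXTERNAL_PREFIX):
            if "spanning-tree bpdufilter enable" not in lines:
                findings.append((name, "external port does not filter BPDUs"))
    return findings


if __name__ == "__main__":
    for interface, problem in audit(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```

Run against the sample, the script reports GigabitEthernet1/0/3 (external, no BPDU filter) and GigabitEthernet1/0/5 (unused, still enabled and sitting in a production VLAN); pointing it at a real running-config only requires the same description convention.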


Example of a distributed network with load balancing.

Comments

  • To ensure L2/L3 fault tolerance, core switches are represented by a pair of logical MLAG switches

  • L3 interfaces are built on the basis of VRRP + BFD

  • L3 peer links are based on SVI

Backhaul Underlay

Topology


Diagram of a distributed network with node redundancy.

Comments

  • The backhaul underlay is built on a single OSPF Area 0. MP-BGP is not used here, since dynamic frame switching is not required in this design

  • Flow control is achieved using OSPF priorities

  • Convergence is ensured using BFD

  • Security is provided by authentication and access control lists for IP interfaces

Backhaul VXLAN

Topology


Diagram of a distributed network using the TCP/IP protocol.

Comments

  • This topology is represented by a pair of logical VTEPs that extend the broadcast domain across the two data centers; this is achieved by encapsulating Ethernet frames in IP
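To make the "encapsulation in IP" concrete, here is an added example (not code from the author's setup) that builds the 8-byte VXLAN header from RFC 7348 around an Ethernet frame, parses it back, and shows the forwarding decision a VTEP makes when one broadcast domain spans both data centers: local delivery, a single tunnel to the VTEP that owns the destination MAC, or head-end replication of broadcast and unknown-unicast frames to every remote VTEP. The VTEP addresses (RFC 5737 documentation space), the VNI 10020 and the MAC table are constructed values.

```python
"""VXLAN encapsulation between two VTEPs and the forwarding decision that
stretches one broadcast domain across both data centers (RFC 7348 header)."""
from typing import Dict, List, Tuple

VXLAN_UDP_PORT = 4789      # RFC 7348 destination UDP port
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed values (assumptions, not from the original design): VTEP
# addresses in RFC 5737 documentation space, a VNI for the stretched VLAN,
# and a MAC table learned from earlier traffic.
LOCAL_VTEP = "192.0.2.1"
REMOTE_VTEPS: List[str] = ["192.0.2.2"]
STRETCHED_VNI = 10020
MAC_TABLE: Dict[str, str] = {
    "02:00:00:00:0a:01": "local",      # host in this data center
    "02:00:00:00:0b:01": "192.0.2.2",  # host behind the other VTEP
}


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:0a:01' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst_mac: str, src_mac: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Minimal Ethernet II frame: dst, src, ethertype, payload (no FCS)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + ethertype.to_bytes(2, "big") + payload


def dst_mac_of(frame: bytes) -> str:
    """Destination MAC of an Ethernet frame in colon notation."""
    return ":".join(f"{b:02x}" for b in frame[:6])


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 3 reserved, 3-byte VNI, 1 reserved."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def decapsulate(payload: bytes) -> Tuple[int, bytes]:
    """Validate the header and return (vni, inner Ethernet frame)."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def forward(frame: bytes, vni: int) -> List[Tuple[str, bytes]]:
    """Decide where a frame entering the stretched domain goes.

    Returns (destination, bytes) pairs: "local" carries the raw frame to the
    local switch fabric; a VTEP address carries the VXLAN-encapsulated copy
    that would be sent inside a UDP datagram to port 4789.
    """
    dst = dst_mac_of(frame)
    owner = MAC_TABLE.get(dst)
    if dst == BROADCAST_MAC or owner is None:
        # broadcast / unknown unicast: flood locally and head-end replicate
        # one copy per remote VTEP
        return [("local", frame)] + [(vtep, encapsulate(vni, frame)) for vtep in REMOTE_VTEPS]
    if owner == "local":
        return [("local", frame)]
    return [(owner, encapsulate(vni, frame))]


if __name__ == "__main__":
    sample = build_frame("02:00:00:00:0b:01", "02:00:00:00:0a:01", b"hello")
    for destination, data in forward(sample, STRETCHED_VNI):
        print(destination, data.hex())
```

The head-end replication branch is the reason a stretched L2 domain deserves attention in a design review: every broadcast or unknown-unicast frame becomes one IP packet per remote VTEP, so storm control and the BPDU handling described in the STP section matter on both sides of the tunnel.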

Private VRF BGP

Topology


Example of a distributed network with dynamic routing.

Comments

  • The internal VRF is represented by three BGP ASNs combined into a logical ring

  • One ASN, stretched by means of VXLAN and iBGP, sits between the two NGFW clusters; the other two are isolated iBGP ASNs built on the L3 switches (one per data center). This arrangement minimizes peer links in the core, since no BGP route reflector (RR) is used

  • Flow control is achieved using MED metrics

  • Convergence is ensured using BFD

  • Security is provided by authentication and access control lists for IP interfaces

Public VRF BGP

Topology


Diagram of a distributed network with multiple levels of nodes.

Comments

  • The external VRF is likewise represented by three BGP ASNs combined into a logical ring

  • External connectivity is provided by means of 4 channels from two independent telecom operators

  • Perimeter control is achieved by means of NGFW. Since there is no transit traffic, the external address space is learned via the 0.0.0.0/0 default prefix alone. All other prefixes (except for the local range) are filtered to improve NGFW stability

  • Flow control is achieved by means of the MED metric

  • Convergence is ensured using BFD

  • Security is provided by authentication and access control lists for IP interfaces
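The default-only inbound policy and the MED-based flow control described above can be expressed as two small routing-policy functions. This is an added example, not the author's router configuration: it takes "the local range" to mean the organisation's own public prefix (here the constructed RFC 5737 range 203.0.113.0/24), accepts inbound only the default route and more-specifics of that range, announces outbound only that range, and stamps announcements with a lower MED on the primary channel than on the backup one; the MED values and the channel roles are assumptions.

```python
"""Prefix filtering and MED-based flow control at the public VRF edge."""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional

# Constructed values (assumptions, not from the original design): the
# organisation's own public range in RFC 5737 documentation space, and the
# MED assigned per channel role (a lower MED is preferred by the neighbour).
LOCAL_RANGE: IPv4Network = ip_network("203.0.113.0/24")
DEFAULT_ROUTE: IPv4Network = ip_network("0.0.0.0/0")
MED_BY_ROLE: Dict[str, int] = {"primary": 100, "backup": 200}


def as_ipv4_prefix(prefix: str) -> Optional[IPv4Network]:
    """Parse a prefix string; None for malformed input or non-IPv4 prefixes."""
    try:
        net = ip_network(prefix, strict=True)
    except ValueError:
        return None
    return net if net.version == 4 else None


def inbound_accept(prefix: str) -> bool:
    """Inbound policy from an upstream operator.

    Accept only the default route (the whole external address space) and
    prefixes inside the organisation's own range, which may legitimately come
    back via the other data center's operators; drop everything else so the
    NGFW never has to hold a full table.
    """
    net = as_ipv4_prefix(prefix)
    if net is None:
        return False
    if net == DEFAULT_ROUTE:
        return True
    return net.subnet_of(LOCAL_RANGE)


def outbound_announce(prefix: str, role: str) -> Optional[Dict[str, object]]:
    """Outbound policy towards an upstream operator.

    Only the local range (or a more specific of it) is announced; everything
    else is withheld so the site never becomes transit. The MED expresses the
    preferred return path for the channel's role.
    """
    net = as_ipv4_prefix(prefix)
    if net is None or not net.subnet_of(LOCAL_RANGE):
        return None
    if role not in MED_BY_ROLE:
        raise ValueError(f"unknown channel role: {role}")
    return {"prefix": str(net), "med": MED_BY_ROLE[role]}


def apply_inbound(received: List[str]) -> List[str]:
    """Filter a list of received prefixes down to those the policy accepts."""
    return [p for p in received if inbound_accept(p)]


if __name__ == "__main__":
    # constructed sample of what an operator session might offer
    offered = ["0.0.0.0/0", "10.0.0.0/8", "198.51.100.0/24", "203.0.113.128/25"]
    print("accepted:", apply_inbound(offered))
    for channel in ("primary", "backup"):
        print(channel, outbound_announce("203.0.113.0/24", channel))
```

Note that the order of checks matters: 0.0.0.0/0 is compared for equality before any containment test, because every prefix is a subnet of the default route and a containment check in the other direction would accept nothing.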

Private VRF segmentation

Topology


Diagram of a distributed network using VPN.

Comments

  • The internal network is represented by 5 isolated segments (the minimum required number). Each segment is subject to inspection, identification, IP flow filtering, and user identification.

  • Private EDGE additionally performs the following functions: (G)SLB and TLS termination; WAF

  • Private DMZ: WAF, as well as hosting network and front-end services such as Proxy, DNS, SIEM, Web, RADIUS/ISE

  • Back End: (G)SLB, as well as hosting databases such as LDAP, SQL, etc.

  • Util: hosts support services such as Netflow, Monitoring probes, Syslog, etc.

  • RDS: hosts administration services such as RDS

Public VRF segmentation

Topology


Example of a distributed network with data encryption.

Comments

  • The external network is represented by 2 isolated segments (the minimum required number). Each segment is subject to inspection, identification, IP flow filtering, and user identification.

  • Public EDGE additionally performs the following functions: (G)SLB and TLS termination; WAF and VPN termination

  • Public DMZ: WAF, as well as hosting network and front-end services such as Proxy, DNS, Web

Zero Trust

  • The Zero Trust architecture allows you to manage access at the level of individual servers and switch ports, thereby preventing unauthorized access and potential leaks within the broadcast domain.

In conclusion

Thanks to everyone who read to the end. Waiting in the comments :)
