Third Design Challenge Part 1 with Virgilio Spaziani

In this CCDE challenge scenario there are four sets of requirements, and you should recommend and justify the “best” network design solution for each requirement set. The main goal of this challenge is to demonstrate that there isn’t an absolute, perfect network design solution for all situations; rather, the most appropriate solution is the one that meets all or most of the requirements.

 

The scenario

Rising Sun Corp. is an enterprise company based in the Far East. Their core business is the localization and translation of books, movies, TV series and videogames for the Asian and European markets. In the last 3 years, there was a significant growth in the European market where Rising Sun started to localize products in German, French, Spanish and Italian. At the moment, there are eight European branches based in eight different countries.

 

Rising Sun’s private WAN network is based on a dual stack routing strategy with pure IPv6 on the branches, making it possible to use IPv6 extensively while it is backwards compatible with western customers that continue to use IPv4.

 

In order to keep the network design simple, Rising Sun chose to deploy pure IPv6 on the eight European branches, in spite of the fact that the two European ISPs they use do not actually have an IPv6 Internet, and therefore their private WAN uses two Internet gateways, GW-1 for IPv4 and GW-2 for IPv6.

 

Rising Sun uses their own IPv6-only private cloud for many different applications (desktop roaming, file repository, web and mail services). All services are currently available from the private WAN and 90% of those services are available on the IPv6 Internet branches with IPv6 embedded IPsec security. Although there is a need to make cloud services reachable from the eight European branches, at the moment only the Secure Web Repository (SWR), an HTTP SSL-based file repository with strong encryption and certificate-based authentication, is reachable through the IPv4 Internet. They are facing two problems: the first is that the private cloud is reachable from the IPv4 Internet only through a pure IPv6 link, and the second is that the routing inside the private WAN is becoming increasingly complex, with IPv6 using RIPNG and IPv4 using EIGRP.

 


Current Rising Sun topology

 

Consider each of the four emails with their unique set of requirements individually. You will then choose the “best match” solution for each one.

 

Requirement Set 1

To: network_designer@ routefirst.com.it

From: architect@ routefirst.com.it

Subject: European Branches Integration

 

Hi,

We have specific requirements for the European branches integration and I need you to recommend a solution. Since you are a CCDE candidate, this design will not be an issue.

 

Rising Sun wants to keep the private WAN data plane dual stack and use a single routing algorithm (Bellman-Ford, Dijkstra, Dual) with their preference being distance vector protocols because they are easy to understand, manage and troubleshoot. They want to make the European branches part of the main network using some VPN strategy in the future, but the priority now is to make those branches reach the SWR securely. They are concerned about MTU-related problems because their contract with the ISP doesn’t mention MTU and also jumbo frames do not seem to work properly, so they want to avoid encapsulation techniques unless there’s no other way. Those European branches should continue to access the IPv4 Internet directly.

 

Best regards,

Archie

 

Requirement Set 2

To: network_designer@ routefirst.com.it

From: architect@ routefirst.com.it

Subject: European Branches Integration

 

Hi,

We have specific requirements for the European branches integration and I need you to recommend a solution. Since you are a CCDE candidate this design will not be an issue.

 

Rising Sun wants to keep the private WAN data plane dual stack and use a single routing protocol for both IPv4 and IPv6 with their preference being distance vector protocols because they are easy to understand, manage and troubleshoot. They can compromise if there’s no other way. They need to integrate the European branches with the private WAN. The number of branches could increase through acquisitions from the 8 they currently have up to 50 by next year alone. All applications used between Europe and the private WAN have some form of encryption embedded, so there is no need for IPsec but if you think it will be necessary to protect the control plane you can propose it. To enforce policies on their 2 centralized firewalls they want to keep the IPv6 Internet access centralized via GW-2, even if the performance will be poor and IPv4 Internet access will not be allowed.

 

Best regards,

Archie

 

Requirement Set 3

To: network_designer@ routefirst.com.it

From: architect@ routefirst.com.it

Subject: European Branches Integration

 

Hi,

We have specific requirements for the European branches integration and I need you to recommend a solution. Since you are a CCDE candidate this design will not be an issue.

 

Rising Sun wants to keep the private WAN data plane dual stack and use a single routing algorithm (Bellman-Ford, Dijkstra, Dual). Although they have a preference for distance vector protocols since they are easy to understand, manage and troubleshoot, their network is growing and RIPNG is not scaling well. They need to integrate the European branches with the private WAN. The number of branches could increase through acquisitions from the 8 they currently have up to 50 next year alone and their IP addressing scheme may change often even though it’s not clear whether the LAN campuses will grow. All applications used between Europe and the private WAN have some form of encryption embedded, so there is no need for IPsec but if you think it will be necessary to protect the control plane you can propose it. Those European branches should continue to access the IPv4 Internet directly.

 

Best regards,

Archie

 

Requirement Set 4

To: network_designer@ routefirst.com.it

From: architect@ routefirst.com.it

Subject: European Branches Integration

 

Hi,

We have specific requirements for the European branches integration and I need you to recommend a solution. Since you are a CCDE candidate this design will not be an issue.

 

Rising Sun wants to keep the private WAN data plane dual stack. They have a preference for distance vector protocols since they are easy to understand, manage and troubleshoot. The number of European branches can increase to more than 200 and they don’t want to have to deal with a routing protocol’s adjacencies or neighbor relationships problem. They need to integrate the 8 European branches with the private WAN. All applications used between Europe and the private WAN have some form of encryption embedded, so there is no need for IPsec but if you think it will be necessary to protect the control plane you can propose it. Those European branches should continue to access the IPv4 Internet directly and they will have access to the IPv6 Internet via GW-2.

 

Best regards,

Archie

 

 

The design solutions

 

 


Design solution 1: NAT-PT translation at GW-1 and NAT64 translation at the branches, no dynamic routing protocol on the branches, and RIPNG for IPv4 and IPv6 on the private WAN

 


Design solution 2: IPv6-IPv4 translation at the branches, DMVPN with OSPFv3 between the branches and GW-1, and OSPFv2 and OSPFv3 on the private WAN

 


Design solution 3: IPv6-IPv4 translation at the branches, DMVPN with EIGRP for IPv6 between the branches and GW-1, and EIGRP for IPv4 and for IPv6 on the private WAN

 


Design solution 4: IPv6-IPv4 translation at GW-1 and at the branches, no dynamic routing protocol at the branches, and RIPv2 and RIPNG on the private WAN

 


Design solution 5: Dynamic 6to4 tunnel between GW-1 and the branches, no IPv6 to IPv4 translation on the branches, and OSPFv2 and OSPFv3 on the private WAN

 


Design solution 6: IPv6-IPv4 translation at the branches, DMVPN with RIPNG between GW-1 and the branches, and EIGRP for IPv4 and RIPNG on the private WAN

 


Design solution 7: No IPv6-IPv4 translation at the branches, DMVPN with OSPFv3 between GW-1 and the branches, and OSPFv2 and OSPFv3 on the private WAN

 


Design solution 8: Dynamic 6RD tunnel between GW-1 and the branches, no IPv6 to IPv4 translation on the branches, and OSPFv3 on the private WAN

 

 

There are eight different design solutions shown above. Your task is to choose the “best” design solution for each requirement set. I’ll provide my perspective in the next blog post.

 

About the Author


 

 

Virgilio Spaziani is CCDE #20140003 and triple CCIE #35471 (R&S, SP, and Security). He’s a network designer and a Cisco official instructor based in Switzerland. He loves to solve complex network requirements using easy network designs, and to teach complex technologies using easy examples.

 

 

 

 
