Interconnecting remote LANs at the L2 level has shown its limitations, especially as the amount of equipment grows significantly. In this article we explain why the traditional approach no longer meets current requirements and which problems we were able to solve when combining projects located at different sites. Read on!
Conventional L2 scheme
A local network here is a campus network within a single data center. The access switches sit directly in the server racks and are connected to a single aggregation switch. Here is an example diagram of such a local network:
A connection to the local network can be ordered for any device hosted or rented in the data center. Data center network diagram:
What is L2 connectivity? It means that the hosts are in the same subnet, that is, in the same broadcast domain. Note that the local network is built on dedicated access and aggregation switches, so in practice problems specific to the Internet connection do not affect the local network. The L2 scheme works well for a small data center as long as not all racks are full; as the number of racks, switches and clients grows, operating the L2 domain becomes much more difficult.
Disadvantages of L2
From the start, the L2 segment was used together with VLANs. The VLAN identifier space is small, which limits the number of segments that can be distinguished. The main problems of L2 switching are:
- Incorrect multicast handling.
- Broadcast storms.
- Organizing L2 redundancy.
- The number of MAC addresses to be learned.
The human factor, including moving links and VLANs, must not be ignored either. Another common L2 problem is the configuration of client servers and client hardware: STP cannot be completely filtered on access ports, so if STP misbehaves because of client equipment, the whole segment of the access switch may be affected. Using extended STP variants does not solve the problem, because the number of ports and switches usually exceeds what the STP architecture is designed to scale to.
Broadcast
Local networks are often built from equipment of different vendors, and even slight differences in switch software can make them handle STP differently. If STP is used widely, the reaction to any topology change, including a port going up or down, can exceed every acceptable waiting time. For example, when one client brings up a port, network connectivity may disappear for a while.

Where do broadcast problems come from? Most often from:
- mistakes on the server, such as bridging several ports together;
- incorrect configuration of the server software;
- specific failures of the server's network card.
Multicast
Multicast problems are rather specific. Most often they occur when IP connectivity is broken, or because of incorrect behaviour of the server or switch software. Consider Corosync configured between several servers in multicast mode: although each regular exchange of Hello packets is small, a large number of packets is sent periodically, which requires special switch configuration or mechanisms such as IGMP join.
When working with network equipment, the human factor can never be fully excluded from the list of potential problems. If there is a single network administrator who performs the work competently and responsibly, documents every action and thinks through its possible consequences, the risk of failures is minimal. But when the amount of equipment keeps growing and more staff are involved, the organization of the work process has to be completely revised.
Of course, a number of routine actions are automated precisely because of the risk of error. On the other hand, many processes do not lend themselves to full automation, or the cost of automating them is too high. For example, re-patching cables (patch cords), connecting new links and replacing existing ones are done manually: an automated patch panel is very expensive and its functionality is rather limited.
The most common mistakes made by staff are:
- specifying the wrong port number;
- entering the wrong VLAN number;
- typo when entering a numeric value.
Unknown-unicast
Problems caused by unknown-unicast traffic deserve separate mention. The term refers to unicast frames whose destination MAC address the switch has not learned, so they are flooded at L2 to all ports of the VLAN. Why does this happen?
- A DDoS attack arriving at an unused IP address.
- A typo in the server configuration: a non-existent backup address is specified, but the server has a static ARP entry for it.
Here is an illustrative example: the port behind which the host with the address sits frequently goes down. Transit switches limit such traffic. Unlike broadcast or multicast, unknown-unicast traffic is, broadly speaking, never initiated from the Internet, but only from the client's network; the greatest risk arises when the border router's filtering rules allow IP addresses to be spoofed from outside.
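The three kinds of flooded traffic described above (broadcast, multicast and unknown-unicast) can be told apart from a switch's MAC table alone. The following detector is an added example, not code from the original article; the MAC table and frame records in it are constructed sample data, and the five repeated frames model the static-ARP case from the list above.

```python
"""Detect L2 flooding per VLAN: broadcast, multicast and unknown-unicast.
Added example, not from the original article; a switch floods a unicast frame
to every port of the VLAN when the destination MAC is not in its MAC table.
The MAC table and frame records below are constructed sample data."""
from collections import Counter

# Constructed MAC table of one access switch: (vlan, mac) -> learned port.
MAC_TABLE = {
    (100, "00:11:22:33:44:01"): "Gi1/0/1",
    (100, "00:11:22:33:44:02"): "Gi1/0/2",
}

# Constructed frames: (vlan, dst_mac, src_mac). The last five model a server
# with a static ARP entry for a non-existent backup address: it keeps sending
# to a MAC no switch ever learns, so every such frame is flooded.
FRAMES = [
    (100, "00:11:22:33:44:02", "00:11:22:33:44:01"),  # known unicast
    (100, "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01"),  # broadcast (e.g. ARP)
    (100, "01:00:5e:00:00:fb", "00:11:22:33:44:02"),  # IPv4 multicast
] + [(100, "00:11:22:33:44:99", "00:11:22:33:44:01")] * 5

def classify(vlan, dst_mac, mac_table):
    """Return broadcast / multicast / unicast / unknown-unicast for a frame."""
    dst = dst_mac.lower()
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst.split(":")[0], 16) & 0x01:  # I/G bit set: group address
        return "multicast"
    if (vlan, dst) in mac_table:
        return "unicast"
    return "unknown-unicast"  # destination not learned: flooded in the VLAN

def flood_report(frames, mac_table, threshold):
    """Count frame kinds per VLAN and flag VLANs whose flooded frames
    (broadcast + multicast + unknown-unicast) reach the threshold."""
    counts = {}
    for vlan, dst, _src in frames:
        counts.setdefault(vlan, Counter())[classify(vlan, dst, mac_table)] += 1
    flooded = ("broadcast", "multicast", "unknown-unicast")
    alerts = {vlan: dict(c) for vlan, c in counts.items()
              if sum(c[k] for k in flooded) >= threshold}
    return counts, alerts

if __name__ == "__main__":
    counts, alerts = flood_report(FRAMES, MAC_TABLE, threshold=5)
    for vlan, kinds in counts.items():
        print(vlan, dict(kinds), "ALERT" if vlan in alerts else "ok")
```

In practice the frame records would come from a port mirror or sampled flow export and the MAC table from the switch itself; the threshold has to be tuned per VLAN size.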
Typical L2 use cases
Below we look at typical L2 use cases in more detail: first the connection between front-end and back-end services and backups, then resource redundancy.
Front-end and back-end communication, backups
The use of a local network is closely tied to separating the front-end and back-end services. To increase performance, the DBMS also has to be moved to a separate server.
At L2, the servers are placed in one VLAN spanning several switches. As the amount of equipment grows, more and more servers are connected to the switches in the data center racks, and the L2 domain grows wider. As long as the project lives in one data center there are no scaling problems, and developers do not have to write separate routing rules. But when part of the project moves to virtual machines in the cloud, or two networks are connected over the Internet, things get more complicated. How exactly? Let's look in detail.

Resource redundancy
First, the L2 domain grows wider: potential problems in the DC1 local network can now also show up in DC2. It therefore becomes important to make the VLAN redundant by duplicating each point of failure (the aggregation switch and the uplink cable in each data center).
As the figure shows, the scheme becomes significantly more complicated because of the larger number of components: nearly every element in the system has to be duplicated. Yet using STP for redundancy in such a large network is practically impossible. So when two local networks are interconnected over the Internet, it is very important to reduce the impact of L2 problems on the existing network while keeping all the options for resource redundancy.
Moving to L3
If each link is a separate network segment and each route is handled by a separate router, redundancy at L2 is not required: it is provided by the routing protocols instead. Servers in other data centers are then reached via L3. Several routers are installed between the data centers for redundancy, which makes it possible to separate the L2 domains and give each data center its own VLAN space.
Each client uses its own IP address ranges, and these may duplicate those of other clients: the clients' L2 and L3 networks are completely isolated from each other, so one client cannot get into another's network (unless both agree to such a connection). A dedicated route is configured on all data center devices, which lets the servers "see" each other through routing.
This also simplifies scaling when a third data center appears: its servers are simply assigned addresses from the next range. The scheme has an undeniable advantage: no additional redundancy is required to survive the failure of a data center or of an external communication channel.
L3 segments within projects
An L3 scheme is also often used for individual servers within a project, since projects are frequently built from different technologies. Above all this concerns hardware servers in a data center that would otherwise sit on the same IP subnet. Splitting them into segments prevents an accidental error in one of the segments, including in L2/L3 routing, from causing the failure of all servers.

Router redundancy
To sum up: when two networks are interconnected through a router, that router becomes a single point of failure. It would be a mistake, however, to assume there is one router per project. In fact, two routers are allocated per data center, and together they form the virtual IP .254 using VRRP.
Why is VRRP justified between devices that stand next to each other and are connected at L2? Each client connected to the local network under this scheme is placed in a separate L3VPN.
An approximate view of the diagram:
Note that the gateway address .254 of every segment is a virtual IP held redundantly by the two routers.
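The L3 scheme from the "Moving to L3" section and the .254 VRRP gateway described here can be expressed as a small planning model. The following is an added example, not the article's or the provider's own tooling: all addresses are constructed placeholders, and it assumes that the next hop toward another data center is that data center's router address on the inter-DC link.

```python
"""Model the L3 scheme from the article: one IP segment per data center, a
VRRP virtual gateway at .254 held by two routers in each DC, and a route on
each DC's routers to every other DC's segment. Added example, not from the
article; all addresses are constructed, and the next hop to another DC is
assumed to be that DC's router address on the inter-DC link."""
import ipaddress

VRRP_HOST = 254  # the article's virtual gateway: .254 in every segment

# Constructed sample: one client's segments per DC and router addresses on
# the inter-DC link (documentation prefixes used as placeholders).
SEGMENTS = {"DC1": "10.10.1.0/24", "DC2": "10.10.2.0/24"}
INTERCONNECT = {"DC1": "192.0.2.1", "DC2": "192.0.2.2"}

def check_isolated(segments):
    """Every DC needs its own segment: overlapping segments would mean a
    stretched L2 domain or duplicated addressing inside one client."""
    nets = {dc: ipaddress.ip_network(cidr) for dc, cidr in segments.items()}
    items = sorted(nets.items())
    for i, (a, na) in enumerate(items):
        for b, nb in items[i + 1:]:
            if na.overlaps(nb):
                raise ValueError(f"{a} {na} overlaps {b} {nb}")
    return nets

def next_segment(segments):
    """The 'following range' for a new DC: the block right after the highest."""
    nets = check_isolated(segments)
    last = max(nets.values(), key=lambda n: int(n.network_address))
    return str(ipaddress.ip_network(f"{last.broadcast_address + 1}/{last.prefixlen}"))

def plan_l3(segments, interconnect):
    """Per DC: segment, VRRP gateway and the static routes its routers need.
    Adding a DC only adds one route per existing DC; nothing else changes.
    The plan is per client: other clients may reuse the same ranges because
    each client sits in its own L3VPN."""
    nets = check_isolated(segments)
    plan = {}
    for dc, net in nets.items():
        routes = [{"dst": str(nets[o]), "via": interconnect[o]}
                  for o in nets if o != dc]
        plan[dc] = {"segment": str(net),
                    "vrrp_gateway": str(net.network_address + VRRP_HOST),
                    "routes": routes}
    return plan

if __name__ == "__main__":
    segs = dict(SEGMENTS, DC3=next_segment(SEGMENTS))  # a third DC appears
    link = dict(INTERCONNECT, DC3="192.0.2.3")
    for dc, entry in plan_l3(segs, link).items():
        print(dc, entry)
```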
Conclusion
We hope the article was useful and interesting and that the differences between L2 and L3 now seem obvious. It was precisely the move from L2 to L3 when joining two local networks over the Internet that preserved scalability, raised fault tolerance and reliability, and made additional redundancy possible.
Given the rapid growth of data centers and projects, the typical solutions are reaching their scalability limit and no longer solve the problems effectively: the requirements for system stability and reliability keep rising, which directly affects planning. In the future, the goal is a system whose scalability is not limited.
And if you want to rent a dedicated server abroad, consider our company's offer. Order a dedicated server from Unihost.com:
- Free administration and storage for backups.
- Servers all over the world. By the way, you can rent a dedicated server in data centers in France.
- Up to 256 IP addresses per server.
- Web interface for server management.
- A hardware firewall that provides robust protection against intruders.
- 24/7 support.
We also offer dedicated servers in data centers in the Netherlands at favorable rates and with big discounts! To use the services of Unihost.com, contact us by phone at the listed numbers or via the contact form. We invite you to a partnership that will become the basis for the prosperity of your business, starting right now!