Engineering Deathmatch

The Network Design Episode (S3E3)

Brad Edgeworth and Jody Lemoine battle in this first-ever network design challenge. Watch as they use a Cisco Spark Board to diagram the network of ABC Company! See below for Jody’s full run as well as the challenge details:

Scenario Details

Fictitious company ABC is looking to improve the resilience of their corporate WAN by integrating an Internet-based solution. The primary reason for this new upgrade is to improve the quality of the CEO town hall meetings. In the past, brownouts and slow engineering response times from the private MPLS WAN carrier have necessitated the installation of a backup path. To save money, a business class Internet connection has been installed at the main headquarters site, which is also a data center. Most remote sites have also received their Internet upgrades, though the schedule for rolling it out to the remaining sites is spread over the next 6 months. The remaining remote sites are singly connected to the private WAN. There are 200 total sites and about 140 are dual connected to MPLS and the Internet. Each site has a 100 Mbps Internet connection while the main site has a 300 Mbps Internet connection.


Despite the brownouts recently, the MPLS provider has historically maintained four nines of availability. It has also complied with all of its SLA commitments to include jitter and latency. When the carrier was notified that an alternative WAN solution was being proposed to augment ABC’s network, the brownouts became very uncommon. They’ve also offered free add-ons for IPv6 and MVPN as reparation for their transgressions, which the company has accepted and deployed. The MPLS carrier offers 50 Mbps between any two branch sites, and all sites are connected with at least one 100 Mbps Ethernet last-mile connection. The main site has a full 1 Gbps line rate connection over MPLS.


These CEO town hall meetings are streamed from a pair of servers that have an application-level active/standby protocol running between them. The servers exist in the DC and are not capable of any data rate or quality adjustments during transmission. The servers get their IP addresses via DHCP and sometimes their addresses change. The application has a client program that runs on users’ desktops/laptops which does not buffer traffic. This reduces memory consumption on devices and is also suitable for small mobile devices like smartphones and tablets. The application is quite old and only supports IGMPv2. To save bandwidth, the flow sent from the active video server in the DC is about 2 Mbps.


At present, the video servers support multicast transport. The traffic itself isn’t company confidential as, about 2 weeks after the town hall, the video is posted to the company’s public website so that customers can see it too. The company prides itself on maximal transparency. During that 2 week period, the only edits made to the video are beautification related, such as widescreen formatting, lighting, and sound effects. The CEO’s main concern is that middle-man attackers are not able to disrupt or replay his message by manipulating his words, body language, or any other facet of the video experience. The network team also wants to ensure that attackers cannot “step on” this video content by flooding the network with bogus video flows, effectively hijacking the town hall session.


The company is still unsure as to which WAN transport (Internet or MPLS) to use for this video service as the primary transport method. In either case, the failure of one transport should provide a way to automatically switch to the alternate path for all north/south traffic. Packet loss, latency changes, and packet duplication should be absolutely minimized. This failover between WAN transports should be both rapid and automatic.


R1 only advertises locally originated DC routes to the PE to prevent any transit network formation. R2 learns an eBGP default route from the ISP router so that it can reach the remote sites as well as any Internet destination. In the event that either the MPLS or Internet based WAN fails, downstream load sharing for downloads must be immediately restored without network administrator interaction. This is achieved by using a pair of HSRP groups on each DC VLAN. 75% of the servers use R1 as their gateway to take advantage of the superior performance of the private WAN. The remaining DC servers will prefer R2 as their gateway once the Internet WAN comes up. The company has a number of traditional enterprise services available to its campus and branch users, including directory services, DNS, VOIP telephony, IM/presence, and video/audio teleconferencing. Nearly all of the collaborative services are used for branch offices to call the main site to troubleshoot the endless onslaught of IT issues that plague their day jobs.


In addition to the CEO town hall, which is the primary and most important application in the business, there are many other VMs across two DCs connected with an L2DCI from a metro Ethernet carrier. A basic EV-LINE service is provisioned between the two, which maps a number of pre-defined customer VLANs into L2 connections across the metro carrier. No routing protocols are enabled across this link yet. The company has struggled with MTU issues and fragmentation over the DCI in the past.


The company runs eBGP between R1 and the MPLS PE at present. R2 has an eBGP connection to an ISP for Internet access which the campus consumes, but is not aggregating any Internet WAN connections yet.


During initial talks with the customer, they’ve suggested that they never want to send multicast over the Internet for fear of poor performance. They also want to use small layer 3 firewall devices as the Internet-facing CE device. Finally, they’d like a WAN that provides confidentiality for traffic accessing DC resources such as personal records but only when being accessed over the Internet. Which option is most suitable given these constraints?

  • IPsec ESP direct encapsulation
  • IPsec AH direct encapsulation
  • MPPE


The customer decided to go with a DMVPN + IPsec ESP approach on small CE routers after some internal meetings.

Which phase of DMVPN is most appropriate for this company?

  • Phase 1
  • Phase 2
  • Phase 3


If phase 1, then why?

  • No requirement for spoke-to-spoke traffic
  • It’s the newest version
  • It’s recommended in the CVD


If phase 2, then why?

  • No requirement for spoke-to-spoke traffic
  • It’s the newest version
  • It’s recommended in the CVD


If phase 3, then why?

  • No requirement for spoke-to-spoke traffic
  • It’s the newest version
  • It’s recommended in the CVD

Over which transport mechanism should the CEO town hall traffic be sent, primarily? Ignore any challenges in multicast routing/RPF adjustment for now.

  • MPLS private WAN
  • Internet based WAN


If MPLS, then why? Choose two.

  • The Internet WAN doesn’t have enough bandwidth right now
  • The Internet WAN is not secure
  • The Internet WAN would become congested as new branches come online
  • MPLS packets are faster than IP packets thanks to label switching technology
  • All remote sites are connected to MPLS, so everyone sees the broadcast


If Internet, then why?

  • The MPLS network is subject to brownouts for the CEO town hall application
  • The MPLS network is not capable of transporting multicast
  • More sites are connected to the Internet than to the MPLS carrier
  • Adding another overlay to protect CEO town hall traffic across MPLS is unnecessarily complex
  • The company is migrating off MPLS, so Internet should be used for critical applications to reduce downtime


The company has chosen to use the MPLS network for video transport.

How would you classify the CEO town hall meeting application?

  • High throughput data
  • Broadcast video
  • Multimedia streaming video
  • Low latency data

What congestion management tool is most appropriate for this deployment?

  • Expedited forwarding
  • Assured forwarding
  • AQM (WRED)
  • Shaping

The MPLS PE-CE link between R1 and the PE has failed (Diagram below). What is the most significant problem that might arise from this failure?

  • Increased latency
  • Bandwidth contention
  • Packet loss
  • Increased jitter


What is the most rapidly deployable solution to restore network operation, keeping in mind the business/technical requirements and constraints?

  • Statically switch the HSRP active router to R2 for all DC VLANs temporarily
  • Enable IP redirects for ICMP and HSRP on R1, enable OSPF on the DC VLANs, and originate a default route on R2 into OSPF
  • Add a new P2P circuit between R1 and R2, enable OSPF routing on it, and originate a default route on R2 into OSPF
  • Configure a new VLAN on the carrier Ethernet provider along the DCI to create a P2P virtual circuit between R1 and R2 (reuse the EV-LINE service). Enable OSPF routing on it, and originate a default route on R2 into OSPF
  • Use 802.1q-tunneling to re-use an existing VLAN by carrying an inner tag to create a new P2P virtual circuit between R1 and R2. Apply the same routing technique as described in option D


What is the most appropriate multicast delivery option for this customer?

  • ASM
  • DM
  • SSM


If ASM, why?

  • The sources have variable IPs; hard to know in advance
  • ASM works natively with IGMPv2 while SSM does not
  • ASM is more secure than SSM
  • ASM will provide superior performance (less jitter, less packet duplication, etc) than SSM


If SSM, why? Choose all that apply.

  • Customer can leverage DNS to easily map groups to sources at the LHR
  • Only SSM can be used for video transport
  • SSM is more secure than ASM
  • SSM will provide superior performance (less jitter, less packet duplication, etc) than ASM
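The IGMPv2 and SSM interaction behind the two multicast questions above, as an added example that is not from the page: an IGMPv2 report carries a group address but no source, so a last-hop router needs SSM mapping (static or DNS-based) to build the (S,G) join on the client's behalf. The packet builder, the reversed-octet DNS name form and the `ssm_map_name` / `ssm_map_join` helpers are assumptions; the record dict is a constructed stand-in for DNS.

```python
import ipaddress
import struct

IGMPV2_MEMBERSHIP_REPORT = 0x16                  # RFC 2236 message type
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")  # default SSM group range

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_igmpv2_report(group: str) -> bytes:
    """Constructed sample: the 8-byte IGMPv2 membership report a client sends.
    There is no field for a source address, only the group."""
    body = struct.pack("!BBH4s", IGMPV2_MEMBERSHIP_REPORT, 0, 0,
                       ipaddress.ip_address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_igmpv2_report(pkt: bytes) -> str:
    """Validate an IGMPv2 report and return its group address as a string."""
    if len(pkt) != 8:
        raise ValueError("IGMPv2 messages are exactly 8 bytes")
    msg_type, _max_resp, _csum, group = struct.unpack("!BBH4s", pkt)
    if msg_type != IGMPV2_MEMBERSHIP_REPORT:
        raise ValueError(f"not a membership report: type {msg_type:#x}")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad IGMP checksum")
    return str(ipaddress.ip_address(group))

def ssm_map_name(group: str, domain: str = "ssm-map.example.com") -> str:
    """DNS-based SSM mapping queries the group with its octets reversed under a
    configured domain (assumed name form, e.g. 1.1.1.232.ssm-map.example.com)."""
    return ".".join(reversed(group.split("."))) + "." + domain

def ssm_map_join(pkt: bytes, dns_records: dict) -> list:
    """What the last-hop router does with a (*,G) IGMPv2 report: for SSM groups,
    look up the sources (a constructed dict stands in for DNS here) and return
    the (S,G) joins to send upstream; other groups fall back to ASM (*,G)."""
    group = parse_igmpv2_report(pkt)
    if ipaddress.ip_address(group) not in SSM_RANGE:
        return []
    return [(src, group) for src in dns_records.get(ssm_map_name(group), [])]
```

Because the mapping is resolved at join time, a DNS record can follow the DHCP-assigned server address, which a static mapping cannot.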

What is the most appropriate combination of tools to secure the CEO town hall over the MPLS private WAN given the security requirements? Choose two answers to construct your solution.

  • IPsec ESP transform
  • IPsec AH transform
  • IPSec ESP + AH transform
  • No IPsec
  • FlexVPN
  • SVTI

The customer has chosen a DMVPN + IPsec ESP overlay atop MPLS after reading some blogs online about it being the most popular choice. What comment would you offer after being told about this decision?

  • This is the best choice for the company’s specific business requirements
  • DMVPN was a good choice, but IPsec was unnecessary since it does not address any requirement
  • Providing encryption is unnecessary as it does not address any requirement
  • Providing encryption provides a constant/fixed encapsulation overhead, simplifying MTU calculations
  • There is not enough bandwidth over MPLS to support this design
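The encapsulation overhead behind the MTU option above, as an added example that is not from the page: it computes the on-wire size of a GRE packet protected by ESP in transport mode, as a DMVPN overlay on MPLS would carry it, for an assumed AES-CBC with HMAC-SHA1-96 transform. The cipher padding makes the per-packet overhead vary, so tunnel MTU and TCP MSS have to be set from the worst case; the GRE key size and transform sizes are assumptions stated in the code.

```python
# Sizes in bytes for one DMVPN-style packet: IPv4 delivery header carrying GRE,
# protected by IPsec ESP in transport mode (assumed transform: AES-CBC, HMAC-SHA1-96).
IPV4_HDR = 20
GRE_HDR = 4            # 8 when the tunnel carries a GRE key, as DMVPN usually does
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
ICV_SHA1_96 = 12       # truncated HMAC appended after the trailer

def esp_padding(plain_len: int, block: int) -> int:
    """Pad bytes needed so (plaintext + trailer) is a multiple of the cipher block."""
    return (-(plain_len + ESP_TRAILER)) % block

def dmvpn_esp_size(inner_len: int, gre_hdr: int = GRE_HDR, block: int = 16,
                   iv: int = 16, icv: int = ICV_SHA1_96) -> int:
    """Wire size of an inner IP packet of `inner_len` bytes after GRE + ESP transport."""
    plain = gre_hdr + inner_len                     # what ESP encrypts
    return (IPV4_HDR + ESP_HDR + iv + plain
            + esp_padding(plain, block) + ESP_TRAILER + icv)

def overhead_range(gre_hdr: int = GRE_HDR, block: int = 16,
                   iv: int = 16, icv: int = ICV_SHA1_96) -> tuple:
    """Minimum and maximum per-packet overhead; the spread is the cipher padding."""
    sizes = {dmvpn_esp_size(n, gre_hdr, block, iv, icv) - n for n in range(1, block + 1)}
    return min(sizes), max(sizes)

def max_inner_without_fragmentation(phys_mtu: int = 1500, **kw) -> int:
    """Largest inner packet whose encapsulated form still fits the physical MTU."""
    n = phys_mtu
    while dmvpn_esp_size(n, **kw) > phys_mtu:
        n -= 1
    return n
```

With a 1500-byte physical MTU the safe inner size lands well below the 1400-byte tunnel MTU commonly configured for DMVPN, which is why that value leaves headroom.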

