Preparing Campus Networks to Handle 3.2 Million Concurrent Terminal Accesses

The scalability of the campus network is especially important in a rapidly growing manufacturing campus. As new production lines are brought online, the workforce grows and IoT devices are deployed at scale, the campus network must be able to adapt quickly to the increasing number of devices and their bandwidth requirements. Only a network with good scalability can ensure that new devices are connected quickly, that production line operation is not affected, and that overall operational efficiency improves.

Asterfusion produces campus switches that are optimized and designed for this need. With a modular and centrally managed architecture, our products can easily cope with the rapid expansion of campus networks.

Situation of campus network scalability

With switches that provide high port density and support STP and related protocols, the industry can generally scale wired endpoints beyond 30,000 and wireless endpoints beyond 8,000. However, because the software systems and proprietary features of different vendors on the market may prevent their devices from interoperating, network expansion often has to use equipment from the same vendor.

When introducing new equipment to expand a campus network, open hardware and software are worth considering. Compared with proprietary hardware, open hardware offers stronger scalability and compatibility, which supports dynamic expansion of the network and simplifies management, operation and maintenance while lowering the cost of building and running the network. SONiC plus white-box access switches and APs are a good choice: an open hardware and software architecture leaves broad room for network innovation, and users can customize and develop according to their own needs without being tied to a vendor.

3200K Endpoint Access

Asterfusion switches bring Spine-Leaf, a network architecture commonly used in data centers, to the campus network. Both the Leaf and the Spine switches at every level provide ultra-high port density, meeting the access needs of a larger number of end devices.

Topology

Asterfusion's multi-level Spine-Leaf architecture expands smoothly: the maximum number of access ports is 73,728 and the maximum number of terminals that can be accessed is 3200K (wired AC + wireless AP), far more than other vendors in the industry. With a three-layer Super Spine + Spine + Leaf topology and the distributed service gateway placed on the Spine, the data-center-class capability of the Asterfusion enterprise campus switch is used to the full.

Calculation Method

MAX Access Ports:

A single building (a single POD) can use two CX308P-48Y-N switches (48 downstream interfaces each) as Spine switches, which provides basic redundancy. Filling every downstream interface of a Spine switch with a CX206Y (48 downstream interfaces each) acting as a Leaf switch, and using every CX206Y downstream interface as an access port, gives a maximum of 48 * 48 = 2304 access ports in a single building.

Along the same lines, using the CX564P-N (64 downlink interfaces) as a Super Spine, the maximum number of access ports that can be provided for 64 buildings is:

2 * Super Spine (CX564P-N) + 32 * Spine (CX308P-48Y-N) + 48 * Leaf (CX206Y) per Spine: 32 * 48 * 48 = 73728

MAX Number Of Access Terminals:

Limited by chip and CPU capacity, an enterprise wireless AP can generally serve 50 users online at the same time in normal mode. If every access port of the switches in the 64 buildings is connected to an AP, the maximum number of access terminals is 73728 * 50 = 3,686,400 users online at the same time. This is of course an ideal figure; real deployments depend on the users' specific usage scenarios and network applications.

From the perspective of chip table entry space capacity, it can be calculated like this:

Take one terminal as an example (a PC holds 1 MAC address + 1 IPv4 address + 3 IPv6 addresses):

Table entry resources occupied on the Leaf: 1 MAC, 1 IPv4 host and 3 IPv6 hosts (each IPv6 host takes 2 entry slots), 8 entry slots in total.

Table entry resources occupied on the Spine: 1 IPv4 route and 2 IPv6 routes (each IPv6 route takes 2 entry slots), 5 entry slots in total.

Maximum number of terminal accesses supported by the CX308P-48Y-N, for example (the FDB table space matters in the Leaf role, the Router LPM table in the Spine role):

The CX308P-48Y-N has 128K shared MAC/IPv4 host/IPv6 host table entries, so in the Leaf role a single unit can support at most 128K/8 = 16K terminals.

The CX308P-48Y-N has 504K shared IPv4 prefix/IPv6 prefix table entries, so in the Spine role a single unit can support at most 504K/5 = 100K terminals.

At this point some may object that the 100K maximum per unit is only a theoretical value. In a real deployment, can the table entries support the maximum number of ports (2304)?

The CX206Y, as a Leaf, provides 48 PoE interfaces with a total power budget of 1440W; 1440W/48 = 30W, so a single interface can deliver up to 30W, and Wi-Fi 6 APs generally draw 30W (PoE+) or less. 2304 x 30 (the number of accesses recommended for a typical AP) < 100K, which shows that the table entries are sufficient to support the maximum number of ports.

With the CX308P-48Y-N as Spine and the CX564P-N as Super Spine, the maximum number of access terminals = 32 * 100K.
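The port and table-entry arithmetic above generalizes to a small capacity model. The following is an added example written for this page, not Asterfusion code: it takes the figures from the text (48 Spine downlinks, 48 Leaf downlinks, 32 Spines under the Super Spine, 8 host entries and 5 route entries per terminal, 128K host and 504K prefix entries on the CX308P-48Y-N) and reports, for a given number of users per AP, which constraint binds in a pod. Assumptions of the example: 1K is read as 1024 entries, and the 128K host-table figure the text gives for the Leaf role is applied to every Leaf in the pod.

```python
"""Capacity model for the Super Spine / Spine / Leaf fabric described above.

Added example, not Asterfusion code. Figures come from the text; 1K = 1024
and the per-Leaf host table size are assumptions of this example.
"""
from dataclasses import dataclass

K = 1024  # assumption: the page's "K" read as 1024 entries


@dataclass(frozen=True)
class Fabric:
    pods: int                 # buildings under the Super Spine, one Spine pair each
    spine_downlinks: int      # Leaf switches per pod (one per Spine downlink)
    leaf_downlinks: int       # access ports per Leaf
    leaf_host_entries: int    # MAC / IPv4 host / IPv6 host shared table on a Leaf
    spine_route_entries: int  # IPv4 / IPv6 prefix shared table on a Spine


@dataclass(frozen=True)
class TerminalCost:
    leaf_entries: int   # host-table slots one terminal consumes on its Leaf
    spine_entries: int  # route-table slots one terminal consumes on the Spine


def host_entries(mac: int = 1, ipv4: int = 1, ipv6: int = 3, ipv6_cost: int = 2) -> int:
    """Leaf cost of one terminal: each IPv6 host address occupies two slots."""
    return mac + ipv4 + ipv6 * ipv6_cost


def route_entries(ipv4: int = 1, ipv6: int = 2, ipv6_cost: int = 2) -> int:
    """Spine cost of one terminal: each IPv6 route occupies two slots."""
    return ipv4 + ipv6 * ipv6_cost


PC = TerminalCost(leaf_entries=host_entries(), spine_entries=route_entries())  # 8 and 5


def access_ports_per_pod(f: Fabric) -> int:
    """Every Spine downlink carries one Leaf and every Leaf downlink is an access port."""
    return f.spine_downlinks * f.leaf_downlinks


def max_access_ports(f: Fabric) -> int:
    return f.pods * access_ports_per_pod(f)


def pod_limits(f: Fabric, cost: TerminalCost, users_per_port: int) -> dict:
    """Terminal ceiling of one pod under each constraint, and which one binds.

    port:  every access port carries an AP serving users_per_port clients
    leaf:  host-table capacity summed over the pod's Leaf switches
    spine: the Spine route table, which must hold every terminal in the pod
    """
    limits = {
        "port": access_ports_per_pod(f) * users_per_port,
        "leaf": f.spine_downlinks * (f.leaf_host_entries // cost.leaf_entries),
        "spine": f.spine_route_entries // cost.spine_entries,
    }
    binding = min(limits, key=limits.get)
    return {"limits": limits, "binding": binding, "terminals": limits[binding]}


def fabric_terminals(f: Fabric, cost: TerminalCost, users_per_port: int) -> int:
    """Whole-campus ceiling: the binding per-pod limit times the number of pods."""
    return f.pods * pod_limits(f, cost, users_per_port)["terminals"]


# The campus from the text: CX564P-N Super Spine, CX308P-48Y-N Spines, CX206Y Leaves.
CAMPUS = Fabric(pods=32, spine_downlinks=48, leaf_downlinks=48,
                leaf_host_entries=128 * K, spine_route_entries=504 * K)

if __name__ == "__main__":
    print("access ports:", max_access_ports(CAMPUS))
    for users in (30, 50):
        r = pod_limits(CAMPUS, PC, users)
        print(f"{users} users/AP -> pod limits {r['limits']}, bound by {r['binding']}")
    print("campus terminals at 50 users/AP:", fabric_terminals(CAMPUS, PC, 50))
```

Running it shows why the text's check uses 30 users per AP: at 30 the port count binds (2304 x 30 = 69,120 per pod), while at the ideal 50 users per AP the 115,200 terminals exceed the roughly 100K entries of the Spine route table, so the Spine table becomes the binding limit and the campus ceiling tracks 32 x 100K rather than 3,686,400.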

Technical Challenges and Solutions

During campus network expansion, many technical challenges may arise, such as bandwidth, interference and security. Asterfusion switches meet these challenges with the following countermeasures:

Meeting the network topology expansion challenge with a multi-level Clos network

In a cloud-based campus network with an open network architecture, Asterfusion adopts the Clos network model (e.g. the Spine-Leaf architecture). As the campus grows from small to large, the multi-level Clos network expands horizontally from one level to many, so the number of terminals the network can serve ranges from tens to hundreds of thousands. The original network architecture stays completely unchanged during expansion, and each newly added module is identical in architecture to the original ones, minimizing the complexity of operation and maintenance.

To avoid the risk of broadcast storms in large campus networks, many vendors choose STP (Spanning Tree Protocol) together with a variety of related protocols and protection mechanisms, but this makes large-scale Layer 2 Ethernet deployments ever more complex. Another cost of deploying STP is that half of the physical links must be deliberately blocked (i.e. half of the physical bandwidth is wasted) so that no loops appear and the L2 network can work normally; and the STP algorithm limits how large such an L2 network can grow: once the number of switches reaches about 100, the network is only theoretically feasible.

With the Clos structure, the cloud-based campus network is naturally loop-free, so compared with a traditional campus network of the same size there is no need to waste half of the link resources: for the same investment in link bandwidth, the cloud-based campus network can serve twice as many terminals as the traditional campus network (or, for the same number of access terminals, the cloud-based campus network needs half the bandwidth investment of the traditional one).

The technical details of how Asterfusion's new cloud cluster campus network addresses the shortcomings of the traditional stacking architecture and achieves higher reliability and scalability can be found in: Asterfusion Next-Generation Campus Networks: Bye, Stacking! Here is a brief comparison between traditional stacked networks and Asterfusion hyperstacked (cloud cluster) networks:

Stacking vs. Cloud Cluster

Deployment
    Stacking: Interconnect stacked interfaces using dedicated cables
    Cloud Cluster: No horizontal interconnections needed

Configuration tasks
    Stacking: Cluster creation, master/slave election, split detection
    Cloud Cluster: No additional configuration required

Redundancy capacity
    Stacking: Tolerates single-link or single-device failures
    Cloud Cluster: Tolerates single-link or single-device failures

Software upgrade
    Stacking: Requires a reboot of the stacking group; service is interrupted
    Cloud Cluster: Upgrade without service interruption

Stability
    Stacking: Control planes are centralized; faults may spread within the cluster
    Cloud Cluster: Independent control planes for greater stability

Unified BGP Routing Protocol Keeps Networks Running Efficiently

BGP (Border Gateway Protocol), an important routing protocol developed by the Internet Engineering Task Force (IETF), is a highly scalable protocol capable of handling large amounts of routing information.

Asterfusion uses BGP to unify the routing mechanism of the whole network. Across the network it runs simplified EVPN (Ethernet VPN) or extended MP-BGP (Multi-Protocol BGP), which synchronizes the routing information of the different logical networks and delivers the distributed gateway information. EVPN uses BGP to carry Layer 2 or Layer 3 reachability information, separating the forwarding plane from the control plane. This moves MAC address learning and advertisement from the data plane to the control plane, improving the manageability and scalability of the network.

SONiC standard software and open hardware reduce the difficulty of bandwidth expansion

An Asterfusion switch consists of standardized modules: control system, data-center-grade switching chip, monitoring system, power supply, fans and so on. The design no longer pursues the large, complex chassis favored by traditional vendors but a standardized, single-chip, simple structure, which lets you add high-speed Ethernet port modules such as 10GbE, 25GbE and 40GbE as demand requires, for rapid bandwidth upgrades.

All Asterfusion series switches run the AsterNOS operating system, which uses SONiC as its kernel. Relying on a containerized system architecture, it supports an open network ecosystem, flexible delivery modes and rapid integration with third-party applications, as well as more advanced functions such as link aggregation and load balancing, all of which improve bandwidth utilization and scalability.

Establishing a security protection system against network attacks and internal threats

Expanding the network also expands its security exposure, and many network security vulnerabilities are exploited through the Ethernet broadcast mechanism. Asterfusion restricts the L2 domain to the ports between the access terminals and the access Leaf they connect to, compressing the L2 area as far as possible to eliminate the propagation of Ethernet broadcasts across the network and thereby reducing intranet security risks at the root.

Asterfusion series switches support DHCP Snooping, Dynamic ARP Detection, ND Snooping and IPSG v4/v6, which prevent address spoofing, source address forgery and similar attacks in the network. After a terminal obtains a legitimate IP address through DHCP, the switch automatically generates a terminal security information table for the whole network and synchronizes it network-wide in real time, so that every terminal access is checked for legitimacy, guaranteeing terminal access security.
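The mechanism just described, a DHCP snooping binding table that Dynamic ARP Detection and IP Source Guard consult before forwarding, is shown below as an added example written for this page; it is not AsterNOS code and does not reproduce how the switch stores its table. The frames, the port names (Ethernet1, Ethernet2, Ethernet48), the VLAN and the addresses are constructed sample data, and the permit/drop verdict strings are this example's own convention.

```python
"""Added example (not AsterNOS code): a DHCP snooping binding table feeding
Dynamic ARP Detection (DAI) and IP Source Guard (IPSG) checks on one access
Leaf. All frames, ports and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PERMIT, DROP = "permit", "drop"


@dataclass(frozen=True)
class Binding:
    """One entry of the terminal security table: which MAC may use which IP, on which port."""
    vlan: int
    ip: str
    mac: str
    port: str


class AccessLeaf:
    """Per-switch snooping state. Uplinks toward the DHCP server are trusted;
    terminal-facing access ports are untrusted."""

    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted = set(trusted_ports)
        self.pending: Dict[Tuple[int, str], str] = {}      # (vlan, client mac) -> access port
        self.bindings: Dict[Tuple[int, str], Binding] = {}  # (vlan, ip) -> Binding

    def observe_dhcp(self, port: str, vlan: int, msg: str, client_mac: str,
                     yiaddr: Optional[str] = None) -> str:
        """DHCP snooping: server messages are accepted only from trusted ports, and a
        binding is written when an ACK assigns an address to a client that was seen
        requesting on an untrusted access port."""
        from_server = msg in ("OFFER", "ACK")
        if from_server and port not in self.trusted:
            return DROP  # a DHCP server answering on an access port is not legitimate
        if not from_server:
            if port not in self.trusted:
                self.pending[(vlan, client_mac)] = port
            return PERMIT
        if msg == "ACK" and yiaddr is not None:
            client_port = self.pending.pop((vlan, client_mac), None)
            if client_port is not None:
                self.bindings[(vlan, yiaddr)] = Binding(vlan, yiaddr, client_mac, client_port)
        return PERMIT

    def _bound(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def inspect_arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """DAI: an ARP packet from an untrusted port must carry a sender MAC/IP pair
        that the snooping table bound to that very port."""
        if port in self.trusted:
            return PERMIT
        return PERMIT if self._bound(port, vlan, sender_mac, sender_ip) else DROP

    def source_guard(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        """IPSG: IP traffic from an untrusted port is forwarded only from a bound source."""
        if port in self.trusted:
            return PERMIT
        return PERMIT if self._bound(port, vlan, src_mac, src_ip) else DROP


def run_sample() -> Tuple[AccessLeaf, List[str]]:
    """Replay a constructed sequence of frames on a Leaf whose uplink is Ethernet48."""
    leaf = AccessLeaf(trusted_ports={"Ethernet48"})
    pc, other = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    verdicts = [
        leaf.observe_dhcp("Ethernet1", 10, "DISCOVER", pc),
        leaf.observe_dhcp("Ethernet2", 10, "OFFER", pc, "10.1.0.200"),  # server reply on an access port
        leaf.observe_dhcp("Ethernet48", 10, "OFFER", pc, "10.1.0.50"),
        leaf.observe_dhcp("Ethernet1", 10, "REQUEST", pc),
        leaf.observe_dhcp("Ethernet48", 10, "ACK", pc, "10.1.0.50"),     # binding written here
        leaf.inspect_arp("Ethernet1", 10, pc, "10.1.0.50"),             # matches the binding
        leaf.inspect_arp("Ethernet2", 10, other, "10.1.0.50"),          # IP is bound to another port
        leaf.source_guard("Ethernet1", 10, pc, "10.1.0.99"),            # address was never leased
        leaf.source_guard("Ethernet1", 10, pc, "10.1.0.50"),
    ]
    return leaf, verdicts


if __name__ == "__main__":
    _, results = run_sample()
    print(results)
```

The important design point is that every verdict is keyed on the access port as well as the MAC/IP pair: a binding learned on Ethernet1 does not entitle a host on Ethernet2 to use the same address, which is what lets DAI and IPSG stop spoofing without any per-host configuration. Trusted ports are exempt so that traffic arriving from the Spine and the DHCP server is not subject to the checks.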

It supports port isolation and ACL policies in both inbound and outbound directions. The whole system runs in Linux user space, with only a few modules interacting with kernel space, giving higher overall stability; each software module runs independently in its own Docker container, isolated from the others, so a single point of failure does not affect the system as a whole.

Asterfusion supports 802.1X authentication, and MAB authentication for printers, IP phones and other dumb terminals. A strict network access mechanism checks the legitimacy of each access terminal and the user's identity information, and enforces identity-based control of network access privileges, granting different users different levels of access.

The network architecture of Asterfusion's egress security zone has been comprehensively upgraded, with real-time health checking of the network equipment and automatic bypass when a security device fails, so that the service is never cut off from the network.

For more: Campus Network Scalability Leap! 3200k Terminal Accesses Has Been Realized! – Asterfusion Data Technologies (cloudswit.ch)

Last modified: 2024-07-08T13:13:29+02:00 by Asterfusion
