The biggest single problem I’m seeing when working on enterprise networks is the lack of L3 logical network diagrams. Most of the time I’m facing situations where a customer doesn’t have any logical network diagrams to give. L3 diagrams are vital for troubleshooting or for planning changes. Also, logical diagrams are in many cases more valuable than physical ones. Sometimes I see “Logical-Physical-Hybrid” diagrams that are mostly useless. If you don’t know your network logical topology, you are blind. Generally, it seems it is an uncommon skill to be able to visualize networks logically. For this reason, I’m writing about drawing clear logical network diagrams.
What information should be represented in L3 diagram?
To be able to draw a logical network diagram, you should know exactly what information is presented in which diagram. If you don’t, you’ll start to mix information and end up with those useless hybrid diagrams. Good L3 diagrams consist of the following information:
- VLAN IDs
- Network address and subnet mask
- L3 Devices
- At least Routers, Firewalls, VPN devices
- Most important servers (Such as DNS servers etc.)
- Their IP -addresses
- Logical interfaces
- Routing protocol information
What information should NOT be represented in L3 diagram?
Following information should not be presented in L3 diagrams, because it really belongs to another layer, and therefore should be presented in that level documentation:
- Basically all L2 and L1 information
- L2 switches (Only the management interface can be presented)
- Physical connections
Symbols used in L3 diagrams
Generally, logical symbols are used in logical diagrams. Most of them are self-explanatory, but since I’ve seen mistakes, here are a couple of examples.
- A subnet is represented as a pipe or line:
- A VRF or some area not exactly known is represented as a cloud:
What information do you need to be able to draw L3 diagram?
To be able to create a logical network diagram, you first need to have following information:
- L2 (or L1) diagram – presenting physical connections between L3 devices and switches.
- L3 device configurations – text files or access to GUI, etc.
- L2 device configurations – text files or access to GUI, etc.
In this case study, we are using a simple network as an example. There are Cisco switches and Juniper Netscreen firewalls in the network. A L2 network diagram is provided, as well as the configurations from most of the devices. Configuration files from ISP routers aren’t provided, as many times in real life you won’t get them from the ISP. The L2 topology of the network follows:
Here are configuration files from devices. Only details needed here are included.
Gathering information and Visualizing it into drawings
Okay – now that we have all the information needed, let’s start drawing.
Step-by-Step drawing process
- Collection phase:
- First open the configuration file (ASW1 in this case)
- Pick-up every single IP-address definition for the interfaces. In this case, there is only one address (192.168.10.11) and it has a mask of 255.255.255.128. The name of the interface is vlan250 and the name of vlan 250 is In-mgmt.
- Pick-up every static route from the configuration. In this case, there is only one (ip default-gateway) and it is pointing to 192.168.10.1.
- Drawing phase:
- Now, lets visualize all information we have picked up. First, draw a device that has the name ASW1. ASW1 happens to be switch, so we’ll use the switch symbol.
- Draw a subnet (pipe). Give it the name In-mgmt, VLAN-ID 250 and network address 192.168.10.0/25.
- Connect ASW1 and the subnet symbols together.
- Insert a text field on the line between ASW1 and the subnet symbol. Add a logical interface name and IP-address in the text field. In this case, the interface name is vlan250 and the IP-address last octet is .11. (It is common to write only the last octet of an IPv4 address because the network address is already seen in the drawing.)
- There is another device connected to the subnet: In-mgmt. Or at least, there should be. We don’t yet know the name of the device, but it’s IP-address is 192.168.10.1. This is because ASW1 has a default gateway pointed to that address. So, let’s draw that device in the diagram and give it have a name of “??” for now. Let’s also add its address of .1 into diagram. (BTW, I always mark unclear information in red so that you can immediately see what information requires clarification.)
At this point, we have diagram like this:
Repeat this step-by-step process for every network device. Pick-up all IP-related information and visualize it in the same diagram: every IP-address, every interface and every static route. During the process, your diagram will become increasingly accurate. Be sure to draw devices that you don’t yet know, just like we did above with address 192.168.10.1. Once you have done this for every network device you know, you can start to figure out the unclear information. You can verify from MAC and ARP tables if there is a device in place or not. (I wonder if I should write next blog post around that subject?)
Finally, you will have a logical diagram like this:
It’s so simple to draw logical network diagrams, once you know a suitable method. It is a time-consuming, manual process, but there is no magic. Once you have a complete L3 diagram, it is not hard to keep it up to date. The benefits are well worth the effort.
- You are able to plan changes quickly and accurately.
- Troubleshooting is easier than before. Let’s say someone needs to resolve a problem where service is not working from 192.168.0.200 to 192.168.1.200. By looking at the L3 diagram, you can immediately say that it is not caused by a firewall.
- You can keep your firewall rulebases correct. I’ve seen situations where firewalls have rules for traffic that they are never going to route. That clearly shows that network’s logical topology is not known.
- Usually, once an L3 diagram has been completed, you will see immediately which parts are not logically redundant, etc. In other words, the L3 topology (and redundancy) is as important as physical redundancy.