How to create clear logical (L3) network diagrams

The biggest problem I encounter when working with enterprise networks is the lack of clear and understandable logical network diagrams. In most cases, I am faced with situations where the customer cannot provide any logic diagrams or diagrams. Network diagrams (hereinafter referred to as L3 diagrams) are extremely important when solving problems or planning changes in the enterprise network. Logic circuits are in many cases more valuable than physical circuit diagrams. Sometimes I find “logical-physical-hybrid” schemes that are practically useless. If you do not know the logical topology of your network, you are blind . Typically, the ability to portray network logic is not a common skill. It is for this reason that I am writing this article about creating clear and understandable logical network diagrams.

What information should be presented on L3-schemes?

In order to create a network diagram, you need to have an accurate idea of what information should be present and on which particular schemes. Otherwise, you will mix the information and as a result you will get another useless “hybrid” scheme. Good L3 schemes contain the following information:

• subnet
  
  • VLAN ID (all)
  • VLAN names
  • network addresses and masks (prefixes)
  
  
• L3 devices
  
  • routers, firewalls (ITU) and VPN gateways (at a minimum)
  • the most significant servers (for example, DNS, etc.)
  • ip-addresses of these servers
  • logical interfaces
  
  
• routing protocol information

What information should NOT be on L3-schemes?

The information listed below should not be on network circuits, since it refers to other levels [ OSI models, approx. per. ] and, accordingly, should be reflected in other schemes :

• all information L2 and L1 (in general)
• L2 switches (only management interface can be presented)
• physical connections between devices

Used notation

As a rule, logical symbols are used on logic circuits. Most of them require no explanation, but because I have already seen the errors of their application, then I will allow myself to stop and give a few examples:
')

• Subnet represented as a tube or line:
  
  
• A VRF or other not exactly known zone appears as a cloud:
  
  
  

What information is needed to create an L3 scheme?

In order to create a logical network diagram, you need the following information:

• L2 (or L1) diagram - representing the physical connections between L3 devices and switches
• L3 device configurations - text files or GUI access, etc.
• L2 device configurations - text files or GUI access, etc.

Example

In this example, we will use a simple network. There will be Cisco switches and ITU Juniper Netscreen. We are provided with the L2 scheme, as well as the configuration files of most of the devices presented. ISP border routers configuration files are not provided, because ISP does not transmit such information in real life. Below is the L2 network topology:



And here are the device configuration files. Only the necessary information was left:

Collection of information and its visualization

Good. Now that we have all the necessary information, we can proceed to visualization.

Process mapping step by step

1. Collection of information:
   
   1. First, open the configuration file (in this case, ASW1).
   2. Take from there each ip-address from the interface sections. In this case, there is only one address ( 192.168.10.11 ) with a mask of 255.255.255.128 . The interface name is vlan250 , and the name vlan 250 is In-mgmt .
   3. Take all static routes from configuration. In this case, there is only one (ip default-gateway), and it points to 192.168.10.1 .
   
   
2. Display:
   
   1. Now let's display the information we collected. First, draw an ASW1 device. ASW1 is a switch, so we use the switch symbol.
   2. Draw a subnet (tube). Assign the name In-mgmt , VLAN-ID 250 and address 192.168.10.0/25 .
   3. Connect ASW1 and subnet.
   4. Insert the text box between the ASW1 and subnet symbols. Let's display in it the name of the logical interface and the ip-address. In this case, the interface name will be vlan250 , and the last octet of the ip-address is .11 (this is common practice — display only the last octet of the ip-address, since the ip-address of the network is already on the diagram).
   5. There is also another device on the In-mgmt network. Or, at least, should be. We still do not know the name of this device, but its IP address is 192.168.10.1 . We learned this because ASW1 points to this address as the default gateway. So let's display this device in the diagram and give it a temporary name "??". We also add its address to the scheme - .1 (by the way, I always highlight inaccurate / unknown information in red so that looking at the scheme you can immediately understand what needs clarification on it).
   
   

At this stage, we get a scheme like this:



Repeat this process step by step for each network device . Collect all the information related to IP, and display on the same scheme: every ip-address, every interface and every static route. In the process, your circuit will become very accurate. Make sure that devices that are mentioned but not yet known are displayed in the diagram. Just as we did earlier with the address 192.168.10.1 . Once you have completed all of the above for all known network devices, you can begin to ascertain unknown information. You can use MAC and ARP tables for this (I wonder if you should write the next post telling in detail about this stage?).

Ultimately, we will have a scheme like this:

Conclusion

It is very easy to draw a logical network diagram if you have the relevant knowledge. This is a long manual process, but it’s not magic. Once you have an L3 network diagram, it is easy enough to keep it up to date. The benefits are worth the effort:

• you can plan changes quickly and accurately;
  
• problem solving takes much less time than before. Imagine that someone needs to solve the problem of unavailability of service for 192.168.0.200 to 192.168.1.200. After reviewing the L3 scheme, it is safe to say that ITU is not the cause of this problem.
  
• You can easily follow the correctness of the rules of the ITU. I have seen situations where ITU contained rules for traffic that would never pass through this ITU. This example perfectly shows that the logical network topology is unknown.
  
• Usually, as soon as the L3 network diagram is created, you will immediately notice which parts of the network do not have redundancy, etc. In other words, the L3 topology (as well as redundancy) is just as important as redundancy at the physical layer.