20111013_CHT_TL_教育訓練 Day2

Transcript of 20111013_CHT_TL_教育訓練 Day2

Page 1: 20111013_CHT_TL_教育訓練 Day2

8/2/2019 20111013_CHT_TL_ Day2

http://slidepdf.com/reader/full/20111013chttl-day2 1/67

© 2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net

Chunghwa Telecom Laboratories (TL), Network Technology Fundamentals Training Course

Day 2

Layer 2 Switching (VLAN, Trunk, Spanning Tree)

Johnson Liu
johnsonl@juniper.net
Oct. 13, 2011

Page 2

Layer 2 Switching

Page 3

Shared LANs Versus Switched LANs (1 of 2)

Shared LANs:
• Combine all devices as part of a single collision domain, which can increase the chance of collisions
• Flood traffic out all ports to all devices, which can consume network resources and introduce security risks

Diagram: A hub connects User A, User B and User C on one shared medium / collision domain. Traffic sent from User A to User C is seen by all other users on the segment.

Page 4

Shared LANs Versus Switched LANs (2 of 2)

Bridged (or switched) LANs:
• Break a single collision domain into multiple smaller collision domains, minimizing the chance of collisions
• Perform intelligent forwarding decisions based on the contents of the forwarding table (or bridge table)

Diagram: A switch with a bridge table connects User A, User B and User C; each switch port is its own shared medium / collision domain. Traffic sent from User A to User C is forwarded based on the bridge table.

Page 5

How Does Bridging Work?

Bridging builds and maintains the bridge table using the following mechanisms:
• Learning
• Forwarding
• Flooding
• Filtering
• Aging

Diagram: A switch with a bridge table connecting User A, User B and User C.

Page 6

Bridging Mechanisms: Learning

The switch learns the source MAC addresses of all incoming Ethernet frames. MAC addresses are associated with the incoming interface.

Diagram: An Ethernet frame (Pre | DA | SA | Type | Data | FCS) arrives at the switch. User A (MAC 00:26:88:02:74:86) is on ge-0/0/6, User B (MAC 00:26:88:02:74:87) on ge-0/0/7 and User C (MAC 00:26:88:02:74:88) on ge-0/0/8.

Bridge Table
  MAC Address         Interface
  00:26:88:02:74:86   ge-0/0/6
  00:26:88:02:74:87   ge-0/0/7
  00:26:88:02:74:88   ge-0/0/8

Page 7

Bridging Mechanisms: Forwarding (1 of 2)

The switch consults the bridge table to find a forwarding entry for the destination MAC address of the received Ethernet frames.

Diagram: An Ethernet frame (Pre | DA | SA | Type | Data | FCS) arrives at the switch. User A (MAC 00:26:88:02:74:86) is on ge-0/0/6, User B (MAC 00:26:88:02:74:87) on ge-0/0/7 and User C (MAC 00:26:88:02:74:88) on ge-0/0/8.

Bridge Table
  MAC Address         Interface
  00:26:88:02:74:86   ge-0/0/6
  00:26:88:02:74:87   ge-0/0/7
  00:26:88:02:74:88   ge-0/0/8

Page 8

Bridging Mechanisms: Forwarding (2 of 2)

The switch organizes the bridge table by VLAN to ensure that Layer 2 traffic belonging to one broadcast domain is not forwarded to devices on another broadcast domain.

Diagram: VLAN 10 contains User A (MAC 00:26:88:02:74:86, 172.23.10.100/24) on ge-0/0/6 and User B (MAC 00:26:88:02:74:87, 172.23.10.200/24) on ge-0/0/7. VLAN 11 contains User C (MAC 00:26:88:02:74:88, 172.23.11.200/24) on ge-0/0/8 and User D (MAC 00:26:88:02:74:89, 172.23.11.100/24) on ge-0/0/9.

Bridge Table
  VLAN   MAC Address         Interface
  10     00:26:88:02:74:86   ge-0/0/6
  10     00:26:88:02:74:87   ge-0/0/7
  11     00:26:88:02:74:88   ge-0/0/8
  11     00:26:88:02:74:89   ge-0/0/9

Page 9

Bridging Mechanisms: Flooding

The switch floods frames out all other ports belonging to the same VLAN when the destination MAC address is unknown. The switch updates the bridge table when return traffic is received.

Diagram: An Ethernet frame (Pre | DA | SA | Type | Data | FCS) from User A (MAC 00:26:88:02:74:86, ge-0/0/6) with an unknown destination is flooded out ge-0/0/7 (User B, MAC 00:26:88:02:74:87) and ge-0/0/8 (User C, MAC 00:26:88:02:74:88).

Bridge Table
  MAC Address         Interface
  00:26:88:02:74:86   ge-0/0/6
  *                   All

Page 10

Bridging Mechanisms: Filtering

The switch filters (or discards) frames when the destination MAC address is associated with the ingress interface.

Diagram: User A (MAC 00:26:88:02:74:86) on ge-0/0/6 and User D (MAC 00:26:88:02:74:89) on ge-0/0/9 connect directly to the switch; User B (MAC 00:26:88:02:74:87) and User C (MAC 00:26:88:02:74:88) share a hub attached to ge-0/0/7. A frame (Pre | DA | SA | Type | Data | FCS) with DA = 00:26:88:02:74:88 arriving on ge-0/0/7 is discarded, because the bridge table associates that destination with the ingress interface.

Bridge Table
  MAC Address         Interface
  00:26:88:02:74:86   ge-0/0/6
  00:26:88:02:74:87   ge-0/0/7
  00:26:88:02:74:88   ge-0/0/7
  00:26:88:02:74:89   ge-0/0/9

Page 11

Bridging Mechanisms: Aging

To keep bridge table entries current, the switch monitors the activity of MAC addresses and ages out bridge table entries after a specific amount of time of inactivity.

Bridge Table
  VLAN   MAC Address         Interface
  10     00:26:88:02:74:86   ge-0/0/6
  10     00:26:88:02:74:87   ge-0/0/7
  11     00:26:88:02:74:88   ge-0/0/8
  11     00:26:88:02:74:89   ge-0/0/9

Page 12

Think About It

Given the topology and bridge table below, what devices will receive the packet sent by User B?

Diagram: User A (MAC 00:26:88:02:74:86) on ge-0/0/6 and User D (MAC 00:26:88:02:74:89) on ge-0/0/9 connect directly to the switch; User B (MAC 00:26:88:02:74:87) and User C (MAC 00:26:88:02:74:88) share a hub attached to ge-0/0/7. User B sends a frame (Pre | DA | SA | Type | Data | FCS) with DA = 00:26:88:02:74:89.

Bridge Table
  MAC Address         Interface
  00:26:88:02:74:86   ge-0/0/6
  00:26:88:02:74:87   ge-0/0/7
  00:26:88:02:74:88   ge-0/0/7
  00:26:88:02:74:89   ge-0/0/9
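The five bridging mechanisms from the preceding slides (learning, forwarding, flooding, filtering and aging), with the bridge table keyed by VLAN, as an added example that is not part of the original deck and not Juniper code. The topology, MAC addresses and interface names come from the "Think About It" slide; the hub on ge-0/0/7 is modelled as a shared segment, so every host on it sees every frame on that segment (the shared-medium behaviour from page 3). The 300-second aging time, the `Frame` and `Bridge` classes and the simulated clock are assumptions of this example.

```python
"""Transparent-bridge simulator: learning, forwarding, flooding, filtering and
aging, with the bridge table keyed by VLAN as on the forwarding slides.

Added example for this transcript, not code from the course or from Juniper.
The hub on ge-0/0/7 is a shared segment: every host on it sees every frame.
Time is a simulated clock passed in by the caller so the aging check is
deterministic.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst: str
    src: str
    vlan: int = 1  # VLAN the frame was classified into on ingress


@dataclass
class Bridge:
    # interface -> (vlan, {mac: host name}); several hosts when a hub is attached
    ports: dict
    aging_time: float = 300.0  # assumed: seconds of inactivity before an entry is removed
    table: dict = field(default_factory=dict)  # (vlan, mac) -> (interface, last_seen)

    def learn(self, vlan, mac, iface, now):
        """Learning: associate the source MAC with the interface it arrived on."""
        self.table[(vlan, mac)] = (iface, now)

    def age(self, now):
        """Aging: drop entries idle for longer than aging_time; return how many."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for k in stale:
            del self.table[k]
        return len(stale)

    def egress_ports(self, frame, ingress, now):
        """Forwarding decision: the interfaces the frame is sent out of."""
        self.age(now)
        self.learn(frame.vlan, frame.src, ingress, now)
        entry = self.table.get((frame.vlan, frame.dst))
        if frame.dst == BROADCAST or entry is None:
            # Flooding: broadcast or unknown unicast goes out every other port of the VLAN
            return sorted(p for p, (vlan, _) in self.ports.items()
                          if p != ingress and vlan == frame.vlan)
        out_iface, _ = entry
        if out_iface == ingress:
            return []  # Filtering: the destination sits on the ingress segment
        return [out_iface]

    def receivers(self, frame, ingress, now):
        """Hosts that see the frame: neighbours on the ingress segment plus egress segments."""
        names = [n for m, n in self.ports[ingress][1].items() if m != frame.src]
        for p in self.egress_ports(frame, ingress, now):
            names.extend(self.ports[p][1].values())
        return sorted(names)


USER_A, USER_B = "00:26:88:02:74:86", "00:26:88:02:74:87"
USER_C, USER_D = "00:26:88:02:74:88", "00:26:88:02:74:89"


def think_about_it_bridge():
    """Switch and bridge table from the 'Think About It' slide (single VLAN 1)."""
    bridge = Bridge(ports={
        "ge-0/0/6": (1, {USER_A: "User A"}),
        "ge-0/0/7": (1, {USER_B: "User B", USER_C: "User C"}),  # hub segment
        "ge-0/0/9": (1, {USER_D: "User D"}),
    })
    for mac, iface in [(USER_A, "ge-0/0/6"), (USER_B, "ge-0/0/7"),
                       (USER_C, "ge-0/0/7"), (USER_D, "ge-0/0/9")]:
        bridge.learn(1, mac, iface, now=0.0)
    return bridge


if __name__ == "__main__":
    b = think_about_it_bridge()
    print("User B -> User D reaches:", b.receivers(Frame(USER_D, USER_B), "ge-0/0/7", now=1.0))
    print("User B -> User C egress ports:", b.egress_ports(Frame(USER_C, USER_B), "ge-0/0/7", now=2.0))
```

Running the block walks the slide's question: the frame to 00:26:88:02:74:89 leaves only ge-0/0/9, while User C sees it anyway because it shares the hub segment with User B; a frame from User B to User C is filtered by the switch and only crosses the hub. Advancing the clock past the aging time empties the table, and the next frame to a previously known destination floods again until the reply re-learns the entry.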

Page 13

Hierarchical Design

Switched networks are often hierarchical and may consist of access, aggregation, and core layers.

• Benefits of a hierarchical network design include:
  • Modularity—facilitates change
  • Function-to-layer mapping—isolates faults

Diagram: Access Layer, Aggregation Layer, Core Layer and WAN Edge Device.

Page 14

Functions of Layers

Layers are defined to aid successful network design and to represent functionality found within a network:
• Access layer switches facilitate end-user and device access and enforce access policy
• Aggregation layer switches connect access switches and often provide inter-VLAN routing and policy-based connectivity
• Core layer switches relay packets between aggregation switches and function as the gateway to the WAN edge device

Note: All three layers support CoS.

Page 15

Consolidation of Layers

Simplify large complex switched networks:
• Juniper's 3-2-1 architectural solutions
• Virtual Chassis is a technology that can be implemented to combine functions of various layers into a single managed device
• QFabric is another technology that is being developed to simplify and combine all of the functions of a multitiered switched network into a single managed device

Diagram: Virtual Chassis; QFabric.

Page 16

Virtual Local Area Networks (VLAN)

Page 17

What Is a VLAN?

A logical LAN that allows you to assign users to a common broadcast domain based on business needs and regardless of physical location.

Diagram: Switch-1, Switch-2 and Switch-3 are interconnected. User A (172.23.10.86/24), User C (172.23.10.87/24) and User E (172.23.10.88/24) are in VLAN 10; User B (172.23.20.86/24), User D (172.23.20.87/24) and User F (172.23.20.88/24) are in VLAN 20. VLAN 10 is associated with the 172.23.10.0/24 broadcast domain; VLAN 20 is associated with the 172.23.20.0/24 broadcast domain.

Page 18

Switch Port Designations

Switch ports operate in either access or trunk mode.
• By default all switch ports are access ports and belong to the default VLAN, which is an untagged VLAN

Diagram: Switch-1, Switch-2 and Switch-3 are connected to each other by trunk ports; end hosts connect to access ports.

Page 19

Access Ports

Access ports typically connect to end-user devices such as computers, IP phones, and printers.
• Access ports typically carry untagged traffic

Diagram: Access ports on Switch-1, Switch-2 and Switch-3.

Page 20

Trunk Ports

Trunk ports typically connect switches to other switches or a router with VLAN tagging configured.
• Trunk ports typically carry tagged traffic

Diagram: Trunk ports between Switch-1, Switch-2 and Switch-3.

Page 21

Example of Tagging Traffic: Step 1

User A sends traffic toward User C through an access port on Switch-1; the traffic is received by Switch-1 as untagged frames (Pre | DA | SA | Type | Data | FCS).

Diagram: User A (172.23.10.86/24, MAC 00:26:88:02:74:86) and User B (172.23.20.86/24, MAC 00:26:88:03:78:86) are on access ports of Switch-1; User C (172.23.10.87/24, MAC 00:26:88:02:74:87) and User D (172.23.20.87/24, MAC 00:26:88:03:78:87) are on access ports of Switch-2; Switch-1 and Switch-2 are connected by trunk ports. VLAN 10 is associated with the 172.23.10.0/24 broadcast domain; VLAN 20 is associated with the 172.23.20.0/24 broadcast domain.

Page 22

Example of Tagging Traffic: Step 2

Switch-1 performs a lookup in its bridge table, tags the Ethernet frames with VLAN ID 10 and forwards the frames out its trunk port (Pre | DA | SA | Tag | Type | Data | FCS).

Diagram: Same topology as Step 1. User A (172.23.10.86/24, MAC 00:26:88:02:74:86) and User B (172.23.20.86/24, MAC 00:26:88:03:78:86) on Switch-1 access ports; User C (172.23.10.87/24, MAC 00:26:88:02:74:87) and User D (172.23.20.87/24, MAC 00:26:88:03:78:87) on Switch-2 access ports; trunk ports between Switch-1 and Switch-2. VLAN 10 is associated with the 172.23.10.0/24 broadcast domain; VLAN 20 is associated with the 172.23.20.0/24 broadcast domain.

Page 23

Example of Tagging Traffic: Step 3

Switch-2 performs a lookup in its bridge table, removes the VLAN tag and forwards the frames out the appropriate access port toward User C (Pre | DA | SA | Type | Data | FCS).

Diagram: Same topology as Step 1. User A (172.23.10.86/24, MAC 00:26:88:02:74:86) and User B (172.23.20.86/24, MAC 00:26:88:03:78:86) on Switch-1 access ports; User C (172.23.10.87/24, MAC 00:26:88:02:74:87) and User D (172.23.20.87/24, MAC 00:26:88:03:78:87) on Switch-2 access ports; trunk ports between Switch-1 and Switch-2. VLAN 10 is associated with the 172.23.10.0/24 broadcast domain; VLAN 20 is associated with the 172.23.20.0/24 broadcast domain.

Page 24

What If…?

What if an IP phone and a PC are connected to the same switch port and you want the traffic sourced from those devices associated with different VLANs?

Diagram: An IP phone (voice) and a PC (data), with MACs 00:26:88:02:74:86 and 00:26:88:02:72:13, share access port ge-0/0/6.0 on Switch-1, which connects to the network.

Page 25

Voice VLAN

The voice VLAN feature enables access ports to accept both untagged (data) and tagged (voice) traffic and separate that traffic into different VLANs.
• Used with CoS to differentiate data and voice traffic
• Voice VLAN and CoS values can be communicated to IP phones through Link Layer Discovery Protocol (LLDP-MED)

Note: Detailed coverage of CoS and LLDP is outside the scope of this material.

Diagram: On access port ge-0/0/6.0 of Switch-1, data traffic from the PC arrives untagged and voice traffic from the IP phone arrives tagged (MACs 00:26:88:02:74:86 and 00:26:88:02:72:13).

Page 26

What If…?

The default behavior for trunk ports is to only send and receive tagged traffic. What if you needed to pass untagged Layer 2 traffic through trunk ports?

Diagram: Switch-1 and Switch-2 are connected by trunk port ge-0/0/12.0. Access ports on Switch-1: host-a1 (172.23.0.10/24, VLAN default, untagged), host-b1 (172.23.14.10/24, VLAN v14 / VLAN ID 14), host-c1 (172.23.15.10/24, VLAN v15 / VLAN ID 15). Access ports on Switch-2: host-a2 (172.23.0.20/24, VLAN default, untagged), host-b2 (172.23.14.20/24, VLAN v14 / VLAN ID 14), host-c2 (172.23.15.20/24, VLAN v15 / VLAN ID 15). The untagged traffic between host-a1 and host-a2 has to cross the trunk.

Page 27

The native-vlan-id Option

The native-vlan-id option enables trunk ports to accept untagged traffic in addition to tagged traffic.
• Configured on trunk ports of all switches expected to process untagged traffic

Diagram: Same topology as the previous slide: Switch-1 and Switch-2 connected by trunk port ge-0/0/12.0; host-a1 (172.23.0.10/24) and host-a2 (172.23.0.20/24) in the default untagged VLAN, host-b1 (172.23.14.10/24) and host-b2 (172.23.14.20/24) in v14 (VLAN ID 14), host-c1 (172.23.15.10/24) and host-c2 (172.23.15.20/24) in v15 (VLAN ID 15). The native-vlan-id option should be added to the ge-0/0/12.0 interface on both switches for the default VLAN, so the untagged traffic crosses the trunk.
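The tag handling described in Steps 1 to 3 of the tagging example, the voice VLAN slide (an access port accepting tagged voice frames next to untagged data) and the native-vlan-id slide (a trunk accepting untagged frames), as an added example that is not part of the original deck and not Juniper code. The frame layout follows IEEE 802.1Q (TPID 0x8100 followed by a 16-bit TCI); the `Port` class, its parameter names, the sample frames and the choice of VLAN ID 1 for the default VLAN are assumptions of this example.

```python
"""802.1Q tag handling on access, trunk and voice-VLAN ports, following the
tagging example (Steps 1 to 3), the voice VLAN slide and the native-vlan-id
slide.

Added example for this transcript, not code from the course or from Juniper.
The Port class, its parameters and the sample frames are constructed here;
the default VLAN is assumed to carry VLAN ID 1 where a number is needed.
"""
import struct

TPID_8021Q = 0x8100


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame (preamble and FCS omitted): DA | SA | Type | Data."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def add_tag(raw, vlan, pcp=0):
    """Step 2 on Switch-1: insert a tag after the SA: DA | SA | Tag | Type | Data."""
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return raw[:12] + struct.pack("!HH", TPID_8021Q, tci) + raw[12:]


def strip_tag(raw):
    """Step 3 on Switch-2: remove the tag; an untagged frame is returned unchanged."""
    if struct.unpack("!H", raw[12:14])[0] == TPID_8021Q:
        return raw[:12] + raw[16:]
    return raw


def parse_frame(raw):
    """Return (dst, src, vlan or None, pcp, ethertype, payload)."""
    dst, src = mac_text(raw[:6]), mac_text(raw[6:12])
    etype = struct.unpack("!H", raw[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, 0, etype, raw[14:]
    tci, etype = struct.unpack("!HH", raw[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, etype, raw[18:]


class Port:
    """Ingress classification and egress tagging for one switch port (constructed model)."""

    def __init__(self, mode, vlan=None, vlans=(), native_vlan=None, voice_vlan=None):
        self.mode, self.vlan, self.vlans = mode, vlan, set(vlans)
        self.native_vlan, self.voice_vlan = native_vlan, voice_vlan

    def classify(self, raw):
        """VLAN the arriving frame belongs to, or None if the port drops it."""
        tag = parse_frame(raw)[2]
        if self.mode == "access":
            if tag is None:
                return self.vlan                    # untagged (data) traffic
            if tag == self.voice_vlan:
                return tag                          # tagged voice traffic (voice VLAN feature)
            return None                             # access ports drop other tagged frames
        if tag is None:
            return self.native_vlan                 # trunk: None unless native-vlan-id is set
        return tag if tag in self.vlans else None   # trunk: only member VLANs are accepted

    def egress(self, raw, vlan):
        """Frame as transmitted out this port, given the VLAN it was classified into."""
        untagged = strip_tag(raw)
        if self.mode == "access" or vlan == self.native_vlan:
            return untagged                         # access ports and the native VLAN go untagged
        return add_tag(untagged, vlan)


def walk_tagging_example():
    """Steps 1 to 3: User A -> Switch-1 access port -> trunk -> Switch-2 access port -> User C."""
    user_a, user_c = "00:26:88:02:74:86", "00:26:88:02:74:87"
    step1 = build_frame(user_c, user_a, 0x0800, b"\x45" + b"\x00" * 19)  # constructed IPv4 payload
    sw1_access, trunk = Port("access", vlan=10), Port("trunk", vlans=(10, 20))
    sw2_access = Port("access", vlan=10)
    vlan = sw1_access.classify(step1)                         # Switch-1: untagged frame joins VLAN 10
    step2 = trunk.egress(step1, vlan)                         # tagged with VLAN ID 10 on the trunk
    step3 = sw2_access.egress(step2, trunk.classify(step2))  # Switch-2: tag removed toward User C
    return vlan, parse_frame(step2)[2], step3 == step1


if __name__ == "__main__":
    print(walk_tagging_example())
```

The same `classify` method reproduces the two "What If" slides: a trunk port built without `native_vlan` returns None for an untagged frame (dropped), and returns the default VLAN once `native_vlan` is set on both ends; an access port built with `voice_vlan` accepts a frame tagged with that VLAN and still drops frames tagged with any other VLAN.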

Page 28

What Is It?

A routed VLAN interface (RVI) is a logical Layer 3 interface defined on an EX Series switch that facilitates inter-VLAN routing.

Diagram: Switch-1 with User-group A (VLAN v14, 172.23.14.0/24), User-group B (VLAN v15, 172.23.15.0/24) and User-group C (VLAN v16, 172.23.16.0/24).

Note: Host devices require a default gateway which points to the RVI defined on the switch.

Page 29

Implementing RVIs

RVIs are typically defined on aggregation or access switches, depending on the implementation.
• All EX Series switches support RVIs as well as other Layer 3 routing operations

Diagram: Core Layer, Aggregation Layer, Access Layer and WAN Edge Device.

Page 30

Case Study: Topology and Objectives

Define three RVIs, one for each VLAN shown below, to function as the gateway for the respective VLAN.
• Use an IP address of 172.23.1x.1/24, where x is the unique value assigned to the corresponding subnet

Diagram: Switch-1 with RVIs vlan.14, vlan.15 and vlan.16. User-group A (VLAN v14 / VLAN ID 14): host-a1 172.23.14.10/24, host-a2 172.23.14.20/24. User-group B (VLAN v15 / VLAN ID 15): host-b1 172.23.15.10/24, host-b2 172.23.15.20/24. User-group C (VLAN v16 / VLAN ID 16): host-c1 172.23.16.10/24, host-c2 172.23.16.20/24.

Page 31

Spanning Tree Protocol (STP)

Page 32

Test Your Knowledge

What will Switch-1 and Switch-2 do if they receive a broadcast frame or a frame destined to an unknown MAC address?

Diagram: Switch-1 and Switch-2 are connected, with User A (MAC 00:26:88:02:74:86), User B (MAC 00:26:88:02:74:87), User C (MAC 00:26:88:02:74:88) and User D (MAC 00:26:88:02:74:89) attached.

Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95

Both switches would flood the frames out all ports except the port on which the frames arrived.

Page 33

What If…?

What if a broadcast frame or a frame with an unknown destination MAC address were sent into a Layer 2 network with redundant paths?

Diagram: Switch-1, Switch-2 and Switch-3 are connected in a triangle, with User A (MAC 00:26:88:02:74:86), User B (00:26:88:02:74:87), User C (00:26:88:02:74:88), User D (00:26:88:02:74:89), User E (00:26:88:02:74:90) and User F (00:26:88:02:74:91) attached. Each switch floods the frame, and the redundant paths form a Layer 2 loop.

Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95

Page 34

Spanning Tree Protocol

STP:
• Defined in the IEEE 802.1D-1998 specification
• Builds loop-free paths in redundant Layer 2 networks
• Automatically rebuilds tree when topology changes

Diagram: Switch-1, Switch-2 and Switch-3 in a triangle with Host A and Host B attached; two links carry user traffic and one carries no user traffic, giving a loop-free environment.

Page 35

How Does It Work?

Steps for creating a spanning tree include:
1. Switches exchange bridge protocol data units (BPDUs)
2. Root bridge is elected
3. Port role and state are determined
4. Tree is fully converged

Diagram: Switch-1, Switch-2 and Switch-3 exchange BPDUs; Switch-1 becomes the root bridge, and one link carries no user traffic, giving a loop-free environment.

Page 36

Terms and Concepts (1 of 2)

Key terms and concepts of STP:
• Bridge ID: Unique identifier for each switch
• Root bridge: Switch with the lowest bridge ID
• Root port: The port on each bridge closest to the root bridge
• Root path cost: A bridge's calculated cost to get from itself to the root bridge
  • Equal to the received root path cost from configuration BPDUs plus the port cost of the root port on the bridge
• Port cost: Every interface on a bridge has an assigned port cost value
  • Used in the calculation of the root path cost for the local bridge
  • Configurable value (1–200000000)
  • The default value is 20000 for 1 Gigabit Ethernet

Page 37

Terms and Concepts (2 of 2)

Key terms and concepts of STP (contd.):
• Designated bridge: A switch representing the LAN segment
• Port ID: A unique identifier for each port on each switch
• Designated port: The designated bridge's forwarding port on a LAN segment
  • The port used by a designated bridge to send traffic from the direction of the root to the LAN or from the LAN toward the root
• Bridge protocol data units (BPDUs): Packets used to exchange information between switches
  • Configuration BPDU
  • Topology change notification BPDU

Page 38

Port States

Each individual port of each bridge can be in one of four states:
• Blocking
  • The port drops all data packets and listens to BPDUs
  • The port is not used in the active topology
• Listening
  • The port drops all data packets and listens to BPDUs
  • The port is transitioning and will be used in the active topology
• Learning
  • The port drops all data packets and listens to BPDUs
  • The port is transitioning and the switch is learning MAC addresses
• Forwarding
  • The port receives and forwards data packets and sends and receives BPDUs
  • The port has transitioned and the switch continues to learn MAC addresses

Page 39

Building a Spanning Tree (1 of 3)

Switches exchange configuration BPDUs:
• They do not flood—instead each bridge uses information in the received BPDUs to generate its own

Root bridge is elected based on BPDU information:
• Criterion for election is the bridge ID
• The election process reviews priority first—lowest priority wins
• If the priority values are the same, bridge addresses (MAC) are compared—the lowest identifier wins

Diagram: Switch-1, Switch-2 and Switch-3 with Host A and Host B. Switches initially exchange configuration BPDUs, claiming themselves as the root bridge. Switch-1 is elected as the root bridge based on the received configuration BPDU information.

Page 40

Building a Spanning Tree (2 of 3)

Least-cost path calculation to root bridge determines port role; port role determines port state:

Port Role and State Designations
• All ports on root bridge assume designated port role and forwarding state
• Root ports on switches are placed in the forwarding state; root bridge has no root ports
• Designated ports on designated bridges are placed in the forwarding state
• All other ports are placed in the blocking state

Diagram: Switch-1 (Root Bridge) has both of its ports marked F,D. Switch-2 and Switch-3 each have a root port (F,R) toward Switch-1 and a designated port (F,D) toward their host; on the link between Switch-2 and Switch-3, one end is designated (F,D) and the other end is blocking (B). Legend: F,R = Forwarding and root port; F,D = Forwarding and designated port; B = Blocking.

Page 41

Building a Spanning Tree (3 of 3)

The tree is fully converged.
• All traffic between Host A and Host B flows through the root bridge (Switch-1)

Diagram: Switch-1 (Root Bridge), Switch-2 and Switch-3 with Host A and Host B; every port on the active path is marked F (forwarding).
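The election and port-role steps from "Building a Spanning Tree" (1 to 3), carried out on the slides' three-switch triangle, as an added example that is not part of the original deck and not Juniper code. Bridge IDs are (priority, MAC) and compare lowest-wins as the election slide states, and link costs use the 20000 default for 1 Gigabit Ethernet from the "Terms and Concepts" slide. The switches' priorities, MAC addresses and port names are constructed for this example, and a shortest-path search stands in for the distributed BPDU exchange (it yields the same least-cost tree, which is what the converged slide shows).

```python
"""Spanning-tree computation: root bridge election, root path cost and port
role/state assignment, following the "Building a Spanning Tree" slides.

Added example for this transcript, not code from the course or from Juniper.
Switch priorities, MACs and port names are constructed; Dijkstra replaces the
BPDU exchange and produces the same least-cost tree. All bridges are assumed
to be connected to the root.
"""
import heapq

GIGE_COST = 20000  # default port cost for 1 Gigabit Ethernet (slide value)


def bridge_id(priority, mac):
    """Bridge ID: priority is compared first, then the MAC address; lower wins."""
    return (priority, mac)


def elect_root(bridges):
    """bridges: name -> (priority, mac). The lowest bridge ID becomes the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root, links, bridges):
    """Least-cost path from every bridge to the root.

    links: list of (bridge_a, port_a, bridge_b, port_b, cost).
    Returns name -> (root path cost, upstream bridge ID, root port); the root
    gets (0, None, None). Ties break on the lower upstream bridge ID and then
    the lower port name (a stand-in for the port ID).
    """
    adj = {}
    for a, pa, b, pb, cost in links:
        adj.setdefault(a, []).append((b, pb, cost))  # from a, bridge b is entered on port pb
        adj.setdefault(b, []).append((a, pa, cost))
    best = {root: (0, None, None)}
    heap = [(0, bridge_id(*bridges[root]), root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nbr, port_at_nbr, link_cost in adj.get(node, []):
            if nbr == root:
                continue
            cand = (cost + link_cost, bridge_id(*bridges[node]), port_at_nbr)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    return best


def port_roles(bridges, links):
    """Return (root, costs, roles); roles maps (bridge, port) -> (role, state)."""
    root = elect_root(bridges)
    costs = root_path_costs(root, links, bridges)
    roles = {}
    for a, pa, b, pb, _ in links:
        # The designated bridge for a segment is the end with the lower root path
        # cost, then the lower bridge ID; its port is designated and forwards.
        key_a = (costs[a][0], bridge_id(*bridges[a]))
        key_b = (costs[b][0], bridge_id(*bridges[b]))
        desig, dport, other, oport = (a, pa, b, pb) if key_a < key_b else (b, pb, a, pa)
        roles[(desig, dport)] = ("designated", "forwarding")
        if costs[other][2] == oport:
            roles[(other, oport)] = ("root", "forwarding")  # the far end's root port
        else:
            # 802.1D-1998 simply blocks this port; RSTP names it the alternate port
            roles[(other, oport)] = ("alternate", "blocking")
    return root, costs, roles


def three_switch_topology():
    """The slides' triangle: Switch-1 gets the lowest priority so it is elected root."""
    bridges = {
        "Switch-1": (4096, "00:26:88:00:00:01"),   # constructed priorities and MACs
        "Switch-2": (32768, "00:26:88:00:00:02"),
        "Switch-3": (32768, "00:26:88:00:00:03"),
    }
    links = [
        ("Switch-1", "ge-0/0/1", "Switch-2", "ge-0/0/1", GIGE_COST),
        ("Switch-1", "ge-0/0/2", "Switch-3", "ge-0/0/1", GIGE_COST),
        ("Switch-2", "ge-0/0/2", "Switch-3", "ge-0/0/2", GIGE_COST),
    ]
    return bridges, links


def three_switch_example():
    return port_roles(*three_switch_topology())


if __name__ == "__main__":
    root, costs, roles = three_switch_example()
    print("root bridge:", root)
    for (bridge, port), (role, state) in sorted(roles.items()):
        print(f"{bridge} {port}: {role}/{state}, root path cost {costs[bridge][0]}")
```

Dropping the Switch-1 to Switch-2 link from the list and calling `port_roles` again reproduces the indirect-failure recovery described later in the deck: Switch-2's root path cost rises to 40000 through Switch-3, its port toward Switch-3 becomes the root port, and Switch-3's formerly blocked port becomes designated.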

Page 42

STP Drawbacks

Slow convergence time:
• STP uses timers to transition between port states
• STP can take 30 to 50 seconds to respond to a topology change (20 seconds for a BPDU to age out, 15 seconds for the listening state, and 15 seconds for the learning state)
• Root bridge is responsible for communicating the current tree topology

Page 43

Rapid Spanning Tree Protocol (RSTP)

Page 44

Rapid Spanning Tree Protocol

RSTP was first defined in IEEE 802.1w and later incorporated into IEEE 802.1D-2004.

Convergence improvements:
• Point-to-point link designation
• Edge port designation
  • A port that connects to a LAN with no other bridges attached
  • It is always in the forwarding state
• Allows for rapid recovery from failures
  • A new root port or designated port can transition to forwarding without waiting for the protocol timers to expire
• Direct and indirect link failure and recovery

Page 45

RSTP Port Roles

RSTP introduces new port roles:
• Alternate port:
  • Provides an alternate path to the root bridge (essentially a backup root port)
  • Blocks traffic while receiving superior BPDUs from a neighboring switch
• Backup port:
  • Provides a redundant path to a segment (on designated switches only)
  • Blocks traffic while a more preferred port functions as the designated port

RSTP continues to use the root and designated port roles.

Diagram: Switch-1 (Root Bridge) has designated ports (D) on all of its links; Switch-2 and Switch-3 each have a root port (R) toward Switch-1 and alternate ports (A) on their redundant links; a backup port (B) appears where a designated switch has a second port on the same segment. Legend: R = Root Port, D = Designated Port, A = Alternate Port, B = Backup Port.

Page 46

STP and RSTP Port States

RSTP uses fewer states than STP but has the same functionality.

  802.1D-1998 STP   802.1D-2004 RSTP   Port roles
  Blocking          Discarding         Alternate, Backup, and Disabled Ports
  Listening         Discarding         Alternate, Backup, and Disabled Ports
  Learning          Learning           Root and Designated Ports
  Forwarding        Forwarding         Root and Designated Ports

Page 47

Rapid Spanning Tree BPDUs

Rapid Spanning Tree BPDUs:
• Act as keepalives
  • RSTP-designated ports send Configuration BPDUs every hello time (default of 2 seconds)
• Provide faster failure detection
  • If a neighboring bridge receives no BPDU within 3 times the hello interval (3 x 2 = 6 seconds), connectivity to the neighbor is faulty

Diagram: Switch-1 (Root Bridge), Switch-2 and Switch-3 with port roles R, D, A and B as on the previous slide.

Page 48

Transitioning to the Forwarding State

STP:
• Takes 30 seconds before the ports start forwarding traffic after port enablement
  • 2x forwarding delay (listening + learning)

RSTP:
• Uses a proposal-and-agreement handshake on point-to-point links instead of timers
  • Exceptions are alternate ports that immediately transition to root, and edge ports that immediately transition to the forwarding state
  • Nonedge-designated ports transition to the forwarding state once they receive explicit agreement

Page 49

Indirect Link Failure

When an indirect link failure occurs:
• Switch-2's root port fails—it assumes it is the new root
• Switch-3 receives inferior BPDUs from Switch-2—it moves the alternate port to the designated port role
• Switch-2 receives superior BPDUs, knows it is not the root, and designates the port connecting to Switch-3 as the root port

Diagram (Before): Switch-1 (Root Bridge) has designated, forwarding ports (D, F) toward Switch-2 and Switch-3; Switch-2 and Switch-3 have root, forwarding ports (R, F) toward Switch-1; on the link between Switch-2 and Switch-3, Switch-2's port is designated and forwarding (D, F) and Switch-3's port is alternate and blocking (A, B).
Diagram (After): Switch-2's link to Switch-1 has failed; Switch-2 sends an inferior BPDU toward Switch-3, Switch-3 answers with a superior BPDU and its port becomes designated and forwarding (D, F); Switch-2's port toward Switch-3 becomes its root port (R, F).
Legend: F = Forwarding, B = Blocking, R = Root Port, D = Designated Port, A = Alternate Port.

Note: The failure is from the perspective of Switch-3.

Page 50

Direct Link Failure

When a direct link failure occurs:
• Alternate port transitions to forwarding state and assumes root port role following the failure of the old root port
• Switch-3 signals upstream switches to flush their MAC tables by sending RSTP TCNs out new root port
  • Upstream switches only flush MAC entries that they learned on active ports that did not receive the RSTP TCNs (except edge ports)

Diagram (Before): Switch-1 (Root Bridge) has designated, forwarding ports (D, F) toward Switch-2 and Switch-3; Switch-2 and Switch-3 have root, forwarding ports (R, F) toward Switch-1; on the link between Switch-2 and Switch-3, Switch-2's port is designated and forwarding (D, F) and Switch-3's port is alternate and blocking (A, B).
Diagram (After): Switch-3's link to Switch-1 has failed; Switch-3's former alternate port toward Switch-2 becomes its root port and forwards (R, F).
Legend: F = Forwarding, B = Blocking, R = Root Port, D = Designated Port, A = Alternate Port.

Note: The failure is from the perspective of Switch-3.

Page 51

RSTP Interoperability with STP

STP and RSTP interoperability considerations:
• If a switch supports only the STP protocol, it discards any RSTP BPDUs it receives
• If an RSTP-capable switch receives STP BPDUs, it reverts to STP mode on the receiving interface only and sends STP BPDUs

Diagram: Switch-1 (STP, Protocol Version 0) is connected to Switch-2 (RSTP, Protocol Version 0x02), which is connected to Switch-3 (RSTP, Protocol Version 0x02). The link between Switch-1 and Switch-2 runs STP; the link between Switch-2 and Switch-3 runs RSTP.

Page 52

What If…?

Given the topology below, what if User A connects a personal (unauthorized) switch running the spanning tree protocol to Switch-2?

Diagram (Before): Switch-1 (Root Bridge), Switch-2 and Switch-3; User A's unauthorized switch is attached to Switch-2 and sends BPDUs.
Diagram (After): The unauthorized switch has become part of the spanning tree.

BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become part of the spanning tree, potentially leading to a network outage.

Page 53: 20111013_CHT_TL_教育訓練 Day2


BPDU Protection

BPDU protection prevents rogue switches from connecting to the network and causing undesired Layer 2 topology changes and possible outages

• If a BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state

[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3, with User A attached to a protected edge port on Switch-2. Edge port is disabled if a BPDU is received on the protected interface]

Page 54: 20111013_CHT_TL_教育訓練 Day2


What If…?

Given the topology below, what if BPDUs sent by Switch-2 were not received by Switch-3?

[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with port roles R, D and A marked; in the second panel Switch-3's alternate port has become designated, closing a Layer 2 loop]

BPDUs not received due to a uni-directional link failure or a software configuration issue

Switch-3 waits until the max-age timer expires, then transitions its alternate port to the designated port role and the forwarding state, thus removing the blocked port and causing a Layer 2 loop

Page 55: 20111013_CHT_TL_教育訓練 Day2


Loop Protection

The loop protection feature provides additional protection against Layer 2 loops by preventing non-designated ports from becoming designated ports

• Enable loop protection on all non-designated ports

• Ports that detect the loss of BPDUs transition to the "loop inconsistent" role, which maintains the blocking state

• Port automatically transitions back to previous or new role when it receives a BPDU

[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with port roles R, D and A marked; loop protection is enabled on Switch-3's alternate port]

Page 56: 20111013_CHT_TL_教育訓練 Day2


What If…?

Given the topology and details below, what if a rogue switch with a bridge priority of 4K was connected to the Layer 2 network?

[Figure: Aggregation layer: Switch-1 (Root Bridge), Priority = 8k. Access layer: Switch-2, Priority = 32k, and Switch-3, Priority = 32k. The rogue switch attached at the access layer exchanges BPDUs and is marked as the new root bridge]

BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become the new root bridge, potentially leading to a network outage

Page 57: 20111013_CHT_TL_教育訓練 Day2


Root Protection

Enable root protection to avoid unwanted STP topology changes and root bridge placement

• If a superior BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state

[Figure: Aggregation layer: Switch-1 (Root Bridge), Priority = 4k, and Switch-2, Priority = 8k. Access layer: Switch-3, Switch-4 and Switch-5, each Priority = 32k]

Root protection is typically configured on the ports of aggregation switches that connect to access switches
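An added example, not Juniper code and not part of the deck, that models the three protection features of the preceding slides as one small port state machine: BPDU protection (slide 53), loop protection (slide 55) and root protection (slide 57), together with the unprotected max-age case from slide 54. Port names, MACs, the 20-second max-age and the event strings are constructed assumptions; the bridge ID ordering (lower priority wins) is the one the slides rely on when a 4k rogue beats an 8k root.

```python
from dataclasses import dataclass

@dataclass(order=True, frozen=True)
class BridgeId:              # (priority, MAC): the lower tuple wins the root election
    priority: int
    mac: str

@dataclass
class Port:
    name: str
    role: str                    # root / designated / alternate / edge
    state: str = "forwarding"    # forwarding / blocking / disabled
    bpdu_protect: bool = False   # BPDU protection: edge ports facing users
    root_protect: bool = False   # root protection: aggregation ports facing access
    loop_protect: bool = False   # loop protection: non-designated ports
    last_bpdu: float = 0.0       # time this port last saw a BPDU
    prev_role: str = ""          # saved on entering the loop-inconsistent role

MAX_AGE = 20.0                   # seconds of silence before BPDUs count as lost (assumed)

class Bridge:
    def __init__(self, root_id: BridgeId, ports):
        self.root_id = root_id   # the root this bridge currently believes in
        self.ports = {p.name: p for p in ports}
        self.events = []         # what an operator would want logged

    def receive_bpdu(self, port_name: str, advertised_root: BridgeId, now: float):
        p = self.ports[port_name]
        if p.state == "disabled":          # a disabled port ignores everything
            return
        if p.bpdu_protect:                 # any BPDU at all on a protected edge port
            p.state = "disabled"
            self.events.append(f"{p.name}: BPDU on protected edge port, disabled")
        elif p.root_protect and advertised_root < self.root_id:
            p.state = "disabled"           # a superior BPDU would move the root
            self.events.append(f"{p.name}: superior BPDU (prio {advertised_root.priority}) blocked")
        else:
            p.last_bpdu = now
            if p.role == "loop-inconsistent":   # BPDUs are back: restore old role
                p.role, p.prev_role = p.prev_role, ""
                self.events.append(f"{p.name}: BPDUs resumed, back to {p.role}")

    def tick(self, now: float):
        """What an alternate port does once max-age expires without a BPDU."""
        for p in self.ports.values():
            if p.role == "alternate" and now - p.last_bpdu > MAX_AGE:
                if p.loop_protect:         # stay blocked, so no loop forms
                    p.prev_role, p.role, p.state = p.role, "loop-inconsistent", "blocking"
                    self.events.append(f"{p.name}: BPDUs lost, loop-inconsistent")
                else:                      # unprotected: this is the Layer 2 loop
                    p.role, p.state = "designated", "forwarding"
                    self.events.append(f"{p.name}: BPDUs lost, now forwarding")
```

The events list is the part worth forwarding to a log collector: a port disabled by BPDU or root protection is the signal that an unauthorized switch appeared.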

Page 58: 20111013_CHT_TL_教育訓練 Day2


Multiple Spanning Tree Protocol (MSTP)

Page 59: 20111013_CHT_TL_教育訓練 Day2


What If…?

Refer to the topology below and assume no spanning tree protocol is currently in use; what would happen if User A sent traffic to User Z?

[Figure: Distribution switches DS-1 and DS-2 connected to access switches AS-1, AS-2 and AS-3; User A (172.23.10.86/24) on AS-1, User Z (172.23.10.88/24) on AS-3. All switch ports belong to vlan-10, which is associated with 172.23.10.0/24]

The traffic would be flooded repeatedly through a Layer 2 loop

Page 60: 20111013_CHT_TL_教育訓練 Day2


Understanding the Default Configuration

By default, RSTP is enabled on EX Series switches, which helps ensure a loop-free Layer 2 topology

[Figure: DS-1 (Root bridge) and DS-2 connected to AS-1, AS-2 and AS-3; User A (172.23.10.86/24) on AS-1, User Z (172.23.10.88/24) on AS-3. All switch ports belong to vlan-10, which is associated with 172.23.10.0/24]

One of the participating switches is selected as the root bridge

Traffic will be forwarded through the root bridge towards the destination

Page 61: 20111013_CHT_TL_教育訓練 Day2


A Limitation of STP and RSTP

STP and RSTP provide no load-balancing functionality, which means some links will not be used

[Figure: DS-1 (Root bridge) and DS-2 connected to AS-1, AS-2 and AS-3. AS-1: User A 172.23.10.86/24, User B 172.23.20.86/24; AS-2: User C 172.23.10.87/24, User D 172.23.20.87/24; AS-3: User E 172.23.10.88/24, User F 172.23.20.88/24. vlan-10 is associated with the 172.23.10.0/24 broadcast domain; vlan-20 is associated with the 172.23.20.0/24 broadcast domain]

All links connected to DS-2 will not be used unless a failure occurs

Page 62: 20111013_CHT_TL_教育訓練 Day2


Multiple Spanning Tree Protocol

MSTP provides extensions to RSTP which allow you to:

Create multiple spanning tree instances (MSTIs) in order to balance traffic flows over all available links

[Figure: DS-1 (Root bridge for Instance-1) and DS-2 (Root bridge for Instance-2) connected to AS-1, AS-2 and AS-3. AS-1: User A 172.23.10.86/24, User B 172.23.20.86/24; AS-2: User C 172.23.10.87/24, User D 172.23.20.87/24; AS-3: User E 172.23.10.88/24, User F 172.23.20.88/24. vlan-10 is associated with the 172.23.10.0/24 broadcast domain; vlan-20 is associated with the 172.23.20.0/24 broadcast domain]

Page 63: 20111013_CHT_TL_教育訓練 Day2


Multiple Spanning Tree Region

A group of switches with the same region name, revision level, and VLAN-to-instance mapping

• You can configure a maximum of 64 MSTIs per MST region with one regional root bridge per instance

[Figure: Region-1 containing DS-1 (Root bridge for Instance-1), DS-2 (Root bridge for Instance-2), AS-1, AS-2 and AS-3. Instance-1 = VLANs 10-19, Instance-2 = VLANs 20-29]

Page 64: 20111013_CHT_TL_教育訓練 Day2


VLAN Spanning Tree Protocol

VSTP maintains a separate spanning-tree instance for each VLAN, allowing load balancing of Layer 2 traffic

• Proprietary protocol that is compatible with similar protocols from other vendors including PVST+ and Rapid-PVST+

[Figure: DS-1 and DS-2 connected to AS-1, AS-2 and AS-3; Vlan-1 through Vlan-5 map to VSTP instance 1 through VSTP instance 5]

Page 65: 20111013_CHT_TL_教育訓練 Day2


VSTP Considerations (1 of 2)

Some VSTP considerations include:

• Supports up to 253 different spanning-tree topologies

• You selectively determine which VLANs participate in VSTP

• We recommend that you enable RSTP in addition to VSTP to account for any VLANs above and beyond 253

[Figure: Vlan-1, Vlan-2 … Vlan-253 are handled by VSTP; Vlan-254, Vlan-255 … are handled by RSTP]

Page 66: 20111013_CHT_TL_教育訓練 Day2


VSTP Considerations (2 of 2)

Some VSTP considerations include (contd):

• As you add VLANs, more CPU resources are consumed

• A separate BPDU is sent out for each configured VLAN

[Figure: VSTP BPDU frame layout: DA | SA | VLAN TAG | L | LLC | SNAP | BPDU | FCS, one frame per VLAN (Vlan-1, Vlan-2, Vlan-3 …)]

VSTP BPDU format is the same as RSTP format with an added type, length, and value that advertises the same VLAN ID found in the VLAN tag
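An added example, not Juniper's or the deck's code, that lays out the frame this slide sketches and applies the interoperability rule from slide 51: build_bpdu emits a constructed, 802.1Q-tagged configuration or RST BPDU with the optional VLAN TLV, and parse_bpdu returns what a receiving switch would decide from it (STP versus RSTP mode from the protocol-version byte, the advertised root, and whether the TLV's VLAN agrees with the VLAN tag). The multicast DA, the SNAP OUI/PID and the type/length/value layout follow PVST+ and are stated here as assumptions; root and bridge IDs are constructed and the FCS is omitted as a capture tool would.

```python
import struct

STP, RSTP = 0, 2                          # protocol-version byte values (slide 51)
PVST_DA = bytes.fromhex("01000ccccccd")   # per-VLAN STP multicast DA (assumption)
LLC_SNAP = bytes.fromhex("aaaa03" "00000c" "010b")   # SNAP OUI/PID as PVST+ uses (assumption)

def build_bpdu(vlan_tag, vlan_tlv=None, version=RSTP, priority=32768,
               mac=bytes.fromhex("000000000001")):
    """Constructed 802.1Q-tagged BPDU; vlan_tlv appends the VSTP-style VLAN TLV."""
    bridge_id = struct.pack("!H6s", priority, mac)
    bpdu = struct.pack("!HBBB", 0, version, 0x02 if version == RSTP else 0x00, 0)
    bpdu += bridge_id + struct.pack("!I", 0) + bridge_id           # root, cost, bridge
    bpdu += struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)  # port id, timers
    if version == RSTP:
        bpdu += b"\x00"                                              # version-1 length
    if vlan_tlv is not None:
        bpdu += struct.pack("!HHH", 0x0000, 2, vlan_tlv)            # type, length, VLAN ID
    payload = LLC_SNAP + bpdu
    return (PVST_DA + mac + struct.pack("!HH", 0x8100, vlan_tag)
            + struct.pack("!H", len(payload)) + payload)             # FCS omitted

def parse_bpdu(frame: bytes) -> dict:
    """What a receiving switch would decide: STP or RSTP mode for the interface,
    the advertised root, and whether the VLAN TLV agrees with the VLAN tag."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != 0x8100:
        raise ValueError("expected an 802.1Q-tagged frame")
    off = 16 + 2 + len(LLC_SNAP)                 # skip length, LLC and SNAP
    proto_id, version, bpdu_type = struct.unpack_from("!HBB", frame, off)
    if proto_id != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("not a configuration/RST BPDU")
    root_prio, root_mac = struct.unpack_from("!H6s", frame, off + 5)
    fixed = 35 + (1 if version >= RSTP else 0)   # RST BPDUs carry a version-1 length byte
    tlv_vlan = None
    if len(frame) >= off + fixed + 6:
        t, l, v = struct.unpack_from("!HHH", frame, off + fixed)
        if t == 0 and l == 2:
            tlv_vlan = v
    tag_vlan = tci & 0x0FFF
    return {
        "mode": "RSTP" if version >= RSTP else "STP",   # slide 51: per-interface fallback
        "root_priority": root_prio,
        "root_mac": root_mac.hex(":"),
        "tag_vlan": tag_vlan,
        "tlv_vlan": tlv_vlan,
        "vlan_consistent": tlv_vlan is None or tlv_vlan == tag_vlan,
    }
```

A frame whose TLV VLAN disagrees with its tag, or whose advertised root priority is below the expected root's, is exactly what the root-protection slide means by a superior or misplaced BPDU and is worth alerting on.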

Page 67: 20111013_CHT_TL_教育訓練 Day2
