Layer 2 Switching
(VLAN, Trunk, Spanning Tree)
Johnson Liu
johnsonl@juniper.net
2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net
Layer 2 Switching
[Figure: User A, User B, and User C attached to a hub]
Traffic sent from User A to User C is seen by all other users on the segment
[Figure: User A, User B, and User C attached to a switch that maintains a bridge table; switch functions shown include Flooding, Filtering, and Aging]
The switch learns the source MAC addresses of all incoming Ethernet frames
[Figure: an Ethernet frame (Pre, DA, SA, Type, Data, FCS) entering a switch with ports ge-0/0/6, ge-0/0/7, and ge-0/0/8]
The switch consults the bridge table to find a forwarding entry for the destination MAC address of each received Ethernet frame
The switch organizes the bridge table by VLAN to ensure that Layer 2 traffic belonging to one broadcast domain is not forwarded to devices on another broadcast domain
[Figure: bridge table organized by VLAN; VLAN 11 holds 00:26:88:02:74:88 and 00:26:88:02:74:89; switch ports ge-0/0/6 through ge-0/0/9 shown]
The switch floods frames out all other ports belonging to the same VLAN when the destination MAC address is unknown
The switch updates the bridge table when return traffic is received
[Figure: User C (MAC 00:26:88:02:74:88) sends return traffic through the switch; ports ge-0/0/6, ge-0/0/7, and ge-0/0/8 shown]
The switch filters (or discards) frames when the destination MAC address is associated with the ingress interface
[Figure: User A (MAC 00:26:88:02:74:86) on ge-0/0/6; User B (MAC 00:26:88:02:74:87) and User C (MAC 00:26:88:02:74:88) share a hub on ge-0/0/7; ge-0/0/9 also shown; a frame addressed to DA = 00:26:88:02:74:88 originates on the hub segment]
To keep bridge table entries current, the switch monitors activity of MAC addresses and ages out bridge table entries after a specific amount of time of inactivity
Bridge Table:
VLAN  MAC Address
10    00:26:88:02:74:86
10    00:26:88:02:74:87
11    00:26:88:02:74:88
11    00:26:88:02:74:89
Think About It
Given the topology and bridge table below, what devices will receive the packet sent by User B?
Bridge Table:
MAC Address         Interface
00:26:88:02:74:86   ge-0/0/6
00:26:88:02:74:87   ge-0/0/7
00:26:88:02:74:88   ge-0/0/7
00:26:88:02:74:89   ge-0/0/9
[Figure: switch with ports ge-0/0/6, ge-0/0/7, and ge-0/0/9; User B (MAC 00:26:88:02:74:87) and User C (MAC 00:26:88:02:74:88) share a hub; User B sends a frame with DA = 00:26:88:02:74:89]
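Added example, not part of the original slides: a small Python model of the learning, forwarding, flooding, filtering, and aging behaviour described in this section, run against the Think About It topology. The VLAN ID 10, the 300-second aging time, and the use of a broadcast frame to populate the table are assumptions.

```python
from collections import defaultdict

class LearningSwitch:
    """Toy model of a transparent bridge: learn, forward, flood, filter, age."""

    def __init__(self, ports_by_vlan, aging_time=300):
        # ports_by_vlan maps a VLAN ID to its member ports (constructed topology)
        self.ports_by_vlan = ports_by_vlan
        self.aging_time = aging_time  # seconds of inactivity before an entry is dropped
        # Bridge table keyed by VLAN so one broadcast domain never leaks into another:
        # {vlan: {mac: (port, last_seen)}}
        self.table = defaultdict(dict)

    def receive(self, vlan, in_port, src_mac, dst_mac, now):
        """Return the egress ports for a frame; an empty list means it was filtered."""
        self.age(now)
        # Learning: the source MAC is recorded against the ingress port
        self.table[vlan][src_mac] = (in_port, now)
        entry = self.table[vlan].get(dst_mac)
        if entry is None or dst_mac == "ff:ff:ff:ff:ff:ff":
            # Flooding: unknown or broadcast destination goes out every other port in the VLAN
            return [p for p in self.ports_by_vlan.get(vlan, []) if p != in_port]
        out_port, _ = entry
        if out_port == in_port:
            # Filtering: destination is on the ingress segment, so the frame is discarded
            return []
        # Forwarding: known destination on another port
        return [out_port]

    def age(self, now):
        """Aging: remove entries that have been idle longer than aging_time."""
        for vlan_table in self.table.values():
            stale = [m for m, (_, seen) in vlan_table.items() if now - seen > self.aging_time]
            for mac in stale:
                del vlan_table[mac]

def think_about_it():
    """The slide's topology (VLAN 10 assumed): 00:26:88:02:74:86 on ge-0/0/6, Users B and C
    (00:26:88:02:74:87, 00:26:88:02:74:88) behind a hub on ge-0/0/7, 00:26:88:02:74:89 on
    ge-0/0/9. Returns the ports the switch uses for User B's frame to 00:26:88:02:74:89."""
    sw = LearningSwitch({10: ["ge-0/0/6", "ge-0/0/7", "ge-0/0/9"]})
    known = [("00:26:88:02:74:86", "ge-0/0/6"), ("00:26:88:02:74:87", "ge-0/0/7"),
             ("00:26:88:02:74:88", "ge-0/0/7"), ("00:26:88:02:74:89", "ge-0/0/9")]
    for mac, port in known:
        # Populate the bridge table the way the switch would: by seeing each host transmit
        sw.receive(10, port, mac, "ff:ff:ff:ff:ff:ff", 0)
    return sw.receive(10, "ge-0/0/7", "00:26:88:02:74:87", "00:26:88:02:74:89", 1)
```

The switch itself sends User B's frame out ge-0/0/9 only; the hub segment on ge-0/0/7 sees it regardless, because a hub repeats every frame to all of its ports.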
Hierarchical Design
Switched networks are often hierarchical and may consist of access, aggregation, and core layers
Benefits of a hierarchical network design include:
- Modularity facilitates change
- Function-to-layer mapping isolates faults
[Figure: WAN edge device above the core, aggregation, and access layers]
Functions of Layers
Layers are defined to aid successful network design and to represent functionality found within a network
- Core layer switches relay packets between aggregation switches and function as the gateway to the WAN edge device
- Aggregation layer switches connect access switches and often provide inter-VLAN routing and policy-based connectivity
- Access layer switches facilitate end-user and device access and enforce access policy
Note: All three layers support CoS
Consolidation of Layers
Simplify large, complex switched networks with Juniper's 3-2-1 architectural solutions:
- Virtual Chassis is a technology that can be implemented to combine the functions of various layers into a single managed device
- QFabric is another technology, still being developed, that simplifies and combines all of the functions of a multitiered switched network into a single managed device
What Is a VLAN?
A logical LAN that allows you to assign users to a common broadcast domain based on business needs and regardless of physical location
[Figure: Switch-1, Switch-2, and Switch-3 joined by trunk ports, with hosts on access ports; User A (172.23.10.86/24) and User C (172.23.10.87/24) are in 172.23.10.0/24, User B (172.23.20.86/24) and User D (172.23.20.87/24) are in 172.23.20.0/24]
Access Ports
Access ports typically connect to end-user devices such as computers, IP phones, and printers
Access ports typically carry untagged traffic
Trunk Ports
Trunk ports typically connect switches to other switches or a router with VLAN tagging configured
Trunk ports typically carry tagged traffic
[Figure, repeated over three slides: User A (172.23.10.86/24, MAC 00:26:88:02:74:86) and User B (172.23.20.86/24, MAC 00:26:88:03:78:86) on access ports of Switch-1, which connects to Switch-2 over trunk ports]
What If?
What if an IP phone and a PC are connected to the same switch port and you want the traffic sourced from those devices associated with different VLANs?
[Figure: a PC (data) and an IP phone (voice) sharing one port on Switch-1]
Voice VLAN
The voice VLAN feature enables access ports to accept both untagged (data) and tagged (voice) traffic and separate that traffic into different VLANs
- Used with CoS to differentiate data and voice traffic
- Voice VLAN and CoS values can be communicated to IP phones through Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)
[Figure: an IP phone and a PC (MACs 00:26:88:02:72:13 and 00:26:88:02:74:86) on Switch-1 port ge-0/0/6.0; voice traffic is tagged, data traffic is untagged]
Note: Detailed coverage of CoS and LLDP is outside the scope of this material.
What If?
The default behavior for trunk ports is to only send and receive tagged traffic. What if you needed to pass untagged Layer 2 traffic through trunk ports?
[Figure: host-a1 (172.23.0.10/24) and host-a2 (172.23.0.20/24) in the default VLAN (untagged) and host-b1 (172.23.14.10/24) and host-b2 (172.23.14.20/24) in VLAN v14 (VLAN ID 14) on access ports; Switch-1 and Switch-2 connect over trunk port ge-0/0/12.0, which the untagged traffic must cross]
The native-vlan-id option should be added to the ge-0/0/12.0 interface on both switches for the default VLAN
What Is It?
A routed VLAN interface (RVI) is a logical Layer 3 interface defined on an EX Series switch that facilitates inter-VLAN routing
[Figure: Switch-1 with User-group A in VLAN v14 (172.23.14.0/24) and User-group C in VLAN v16 (172.23.16.0/24)]
Note: Host devices require a default gateway that points to the RVI defined on the switch.
Implementing RVIs
RVIs are typically defined on aggregation or access switches, depending on the implementation
All EX Series switches support RVIs as well as other Layer 3 routing operations
[Figure: WAN edge device above the core, aggregation, and access layers; hosts host-a2 (172.23.14.20/24), host-b1 (172.23.15.10/24), host-c1 (172.23.16.10/24), and host-c2 (172.23.16.20/24) are routed between VLANs through RVIs such as vlan.15]
What If?
What if a broadcast frame or a frame with an unknown destination MAC address were sent into a Layer 2 network with redundant paths?
Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95
[Figure: Switch-1, Switch-2, and Switch-3 connected with redundant links; each switch floods the frame, forming a Layer 2 loop; User E (MAC 00:26:88:02:74:90) is attached]
Both switches would flood the frames out all ports except the port on which the frames arrived
[Figure: Switch-1, Switch-2, and Switch-3 with Host B attached; the spanning tree blocks one link, which carries BPDUs but no user traffic, while the remaining links carry user traffic]
Port States
Each individual port of each bridge can be in one of four states:
- Blocking: The port drops all data packets and listens to BPDUs; the port is not used in the active topology
- Listening: The port drops all data packets and listens to BPDUs; the port is transitioning and will be used in the active topology
- Learning: The port drops all data packets and listens to BPDUs; the port is transitioning and the switch is learning MAC addresses
- Forwarding: The port receives and forwards data packets and sends and receives BPDUs; the port has transitioned and the switch continues to learn MAC addresses
Switch-1 is elected as the root bridge based on the received configuration BPDU information.
[Figure: Switch-1 as root bridge with Switch-2 and Switch-3 below and Host A and Host B attached; port roles and states shown as F,R (forwarding, root), F,D (forwarding, designated), and B (blocking)]
STP Drawbacks
- Slow convergence time
- STP uses timers to transition between port states
- STP can take 30 to 50 seconds to respond to a topology change (20 seconds for a BPDU to age out, 15 seconds for the listening state, and 15 seconds for the learning state)
[Figure: RSTP port roles on Switch-2 and Switch-3: R (root), A (alternate), D (designated), B (backup)]
Backup port:
- Provides a redundant path to a segment (on designated switches only)
- Blocks traffic while a more preferred port functions as the designated port
802.1D-2004 RSTP
RSTP:
- Uses a proposal-and-agreement handshake on point-to-point links instead of timers
- Exceptions are alternate ports, which immediately transition to root, and edge ports, which immediately transition to the forwarding state
- Non-edge designated ports transition to the forwarding state once they receive explicit agreement
[Figure: before-and-after views of Switch-2 and Switch-3 port roles and states (R = root, D = designated, A = alternate, B = backup, F = forwarding) when an inferior BPDU is received and when a superior BPDU is received; the alternate port is labelled A]
[Figure: STP and RSTP compared side by side]
What If?
Given the topology below, what if User A connects a personal (unauthorized) switch running the spanning tree protocol to Switch-2?
[Figure: Switch-1 (root bridge) and Switch-2 are part of the spanning tree; User A attaches a personal switch to Switch-2]
BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become part of the spanning tree, potentially leading to a network outage
BPDU Protection
BPDU protection prevents rogue switches from connecting to the network and causing undesired Layer 2 topology changes and possible outages
If a BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state
Edge port is disabled if BPDU is received on protected interface
What If?
Given the topology below, what if BPDUs sent by Switch-2 were not received by Switch-3?
[Figure: before-and-after views of Switch-1 (root bridge), Switch-2, and Switch-3 with port roles R (root), D (designated), and A (alternate); after the loss of BPDUs a Layer 2 loop forms]
BPDUs not received due to a unidirectional link failure or a software configuration issue
Switch-3 waits until the max-age timer expires, then transitions its alternate port to the designated port role and the forwarding state, thus removing the blocked port and causing a Layer 2 loop
Loop Protection
The loop protection feature provides additional protection against Layer 2 loops by preventing nondesignated ports from becoming designated ports
Enable loop protection on all non-designated ports
- Ports that detect the loss of BPDUs transition to the loop-inconsistent role, which maintains the blocking state
- A port automatically transitions back to its previous or a new role when it receives a BPDU
[Figure: Switch-1 (root bridge) with Switch-2 and Switch-3; loop protection keeps the alternate port (A) on Switch-3 blocking while the root (R) and designated (D) ports forward]
What If?
Given the topology and details below, what if a rogue switch with a bridge priority of 4K was connected to the Layer 2 network?
[Figure: Switch-1 (root bridge, priority = 8k) at the aggregation layer with Switch-2 and Switch-3 at the access layer; the rogue switch exchanges BPDUs and becomes the new root bridge]
BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become the new root bridge, potentially leading to a network outage
Root Protection
Enable root protection to avoid unwanted STP topology changes and root bridge placement
If a superior BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state
Root protection is typically configured on the ports of aggregation switches that connect to access switches
[Figure: Switch-1 (root bridge, priority = 4k) at the aggregation layer; Switch-2 (priority = 8k) at the access layer]
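Added example, not from the slides: a Python model of the bridge ID comparison behind the two What If scenarios above, showing why a 4k priority beats an 8k root and how BPDU protection and root protection react on a protected port. Bridge MACs, port names, the per-hop cost of 1, and the returned action labels are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeId:
    """802.1D bridge identifier: priority (a multiple of 4096, default 32768) then MAC.
    Comparison is lexicographic, so the lowest priority, then the lowest MAC, wins."""
    priority: int
    mac: str

@dataclass
class Bpdu:
    root: BridgeId       # root bridge the sender currently believes in
    root_path_cost: int  # sender's cost to reach that root

@dataclass
class Port:
    name: str
    edge: bool = False          # BPDU protection: an edge port must never see a BPDU
    root_protect: bool = False  # root protection: never accept a better root on this port
    state: str = "forwarding"

class Switch:
    def __init__(self, bridge_id, ports):
        self.bridge_id = bridge_id
        self.ports = {p.name: p for p in ports}
        self.root = bridge_id  # every bridge starts out claiming to be the root
        self.root_cost = 0

    def receive_bpdu(self, port_name, bpdu):
        """Apply one received BPDU and return a label for the action taken (constructed)."""
        port = self.ports[port_name]
        if port.edge:
            # BPDU protection: a BPDU on a protected edge port disables the interface
            port.state = "disabled"
            return "bpdu-protection: port disabled"
        # Superior = advertises a better root, or the same root at a lower path cost
        superior = (bpdu.root, bpdu.root_path_cost) < (self.root, self.root_cost)
        if superior and port.root_protect:
            # Root protection: block the interface rather than accept the new root
            port.state = "blocking"
            return "root-protection: port blocked"
        if superior:
            self.root = bpdu.root
            self.root_cost = bpdu.root_path_cost + 1  # assumed link cost of 1 per hop
            return "new root accepted"
        return "inferior bpdu ignored"
```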
What If?
Refer to the topology below and assume no spanning tree protocol is currently in use; what would happen if User A sent traffic to User Z?
[Figure: distribution switches DS-1 and DS-2 above access switches AS-1, AS-2, and AS-3; User A (172.23.10.86/24) and User Z (172.23.10.88/24) attached to access switches]
Traffic will be forwarded through the root bridge towards the destination
[Figure: access switches AS-1, AS-2, and AS-3 with User A (172.23.10.86/24), User C (172.23.10.87/24), and User E (172.23.10.88/24) in one subnet and User B (172.23.20.86/24), User D (172.23.20.87/24), and User F (172.23.20.88/24) in another; DS-2 is the root bridge for Instance-2]
VSTP Considerations (1 of 2)
Some VSTP considerations include:
- Supports up to 253 different spanning-tree topologies
- You selectively determine which VLANs participate in VSTP
- We recommend that you enable RSTP in addition to VSTP to account for any VLANs above and beyond 253
[Figure: Vlan-1 through Vlan-253 handled by VSTP; Vlan-254 and Vlan-255 handled by RSTP]
VSTP Considerations (2 of 2)
Some VSTP considerations include (cont'd):
- As you add VLANs, more CPU resources are consumed
- A separate BPDU is sent out for each configured VLAN
[Figure: one BPDU each for Vlan-1, Vlan-2, and Vlan-3; VSTP BPDU frame layout: DA, SA, VLAN TAG, LLC SNAP, BPDU, FCS]
VSTP BPDU format is the same as the RSTP format with an added type, length, and value that advertises the same VLAN ID found in the VLAN tag