Section 2 - Layer 2 Network Design.pdf

Full Transcript


LAYER 2 TECHNOLOGIES

Agenda
- Ethernet and its control planes
- What are the control plane and the data plane?
- VLAN-based and flow-based load balancing
- Spanning tree: CST, PVST+, RSTP, RPVST+, MST
- LAG, MC-LAG, VSS, vPC
- VLAN, VTP and trunking
- First hop redundancy protocols: HSRP, VRRP, GLBP
- HSRP, VRRP and GLBP comparison
- Layer 2 and Layer 3 interaction
- Layer 2 traffic engineering
- Layer 2 and Layer 3 access design
- Case studies
- Layer 2 technologies in the CCDE exam
- Summary

Bonus materials
- TRILL, FabricPath, PB, PBB, SPB
- Layer 2 fast recovery mechanisms: G.8032, REP
- TSN (Time Sensitive Networking), IEEE 802.1AS
- First hop security mechanisms

Ethernet and its control planes
Ethernet is the most common Layer 2 protocol in today's campus, data center and WAN networks, and spanning tree is its legacy control plane. Although there are now several other control planes for Ethernet, such as SPB, TRILL, SPB-TE and FabricPath, spanning tree is still by far the most widely used one, which is why it is important to understand spanning tree from a design point of view.

Is spanning tree really the most common control plane? Hyperscale data centers (FAMGA, for example) run an IGP or BGP inside the data center because of scale. Where a Layer 3 fabric is not needed, LAG and MC-LAG are the most common link bundling mechanisms in any decent-size data center, and spanning tree is kept only as a backup loop prevention mechanism behind LAG and MC-LAG.

Control and Data Plane
The control plane refers to all the functions and processes that determine which path to use in the network; routing protocols, spanning tree and LDP are examples. Control plane packets are destined to, or locally originated by, the networking devices (routers, switches) themselves. The data plane refers to all the functions and processes that forward packets/frames from one interface to another.
The data plane, sometimes called the forwarding plane, is basically anything that goes through the networking device rather than to it. The management plane is all the functions you use to configure and monitor the devices. In the mobile network business the data plane is usually called the user plane; the term forwarding plane is also used occasionally.

Control plane learning means using control plane protocols to advertise reachability information. Data plane learning is what Layer 2 generally uses: the switch examines the frames it receives and learns the MAC-to-interface binding from their source addresses.

VLAN and Flow Based Load Balancing
VLAN-based load balancing lets one switch be the active Layer 3 gateway for one set of VLANs while the other switch stays standby, and for a different set of VLANs the roles are reversed: the standby switch acts as active and the active switch acts as standby.

[Figure: triangle spanning tree topology; the STP root, the FHRP active gateway and the active network service device all sit at the distribution layer, with the access layer below.]

Flow-based load balancing means that both gateway switches, and the links to them, are used active-active for the same VLAN.

The VLAN-based and flow-based load balancing concepts will be revisited under VPLS and EVPN. For flow-based load balancing, Multi-Chassis Link Aggregation (MC-LAG) should be enabled. In that case all the links between the switches are placed in one bundle and can be utilized regardless of spanning tree: spanning tree sees the logical link aggregation bundle as a single link.

In flow-based load balancing, hosts in the same VLAN can use both uplinks at the same time. With spanning tree alone this is not possible.
If a Multi-Chassis Link Aggregation Group bundle is built from the access switches to the pair of distribution switches, flow-based load balancing becomes possible.

Spanning Tree
Spanning tree is a control plane mechanism for Ethernet. It is used to build a loop-free Layer 2 topology (a tree) with the root switch placed at the top of the tree.

[Figure: Layer 2 looped topology. The left distribution switch is STP root and HSRP active for VLANs 100 and 200; the right distribution switch is STP secondary root and HSRP standby for the same VLANs. The two distribution switches are connected by a Layer 2 link. Each access switch carries VLANs 100 and 200 and has an uplink to each distribution switch; STP blocks the uplink toward the secondary root.]

Since classical Ethernet works on data plane learning and Ethernet frames have no TTL for loop prevention, loops are prevented by spanning tree blocking links.

The loop has to be mitigated, but blocking links means that not all links can be used actively: spanning tree does not provide multipathing. As soon as spanning tree detects a loop, it blocks some links in the topology to break it.

Spanning Tree Root Switch Selection
One switch is selected as the root switch. The root is selected based on bridge priority; if the priority is not set manually, the switch with the lowest MAC address becomes root. Setting the root switch priority manually provides determinism, which is a good thing: when the root is configured manually, a newly added switch does not change the forwarding topology.
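The election rule above, as an added example that is not part of the course material: a small Python model of the 802.1t bridge ID (configured priority plus the VLAN number as extended system ID, then the base MAC; lowest wins), evaluated per VLAN as PVST+/RPVST+ does. It also applies the odd/even root plan recommended under the best practices later in this section (24576 and 28672 are the priorities the Cisco `spanning-tree vlan ... root primary|secondary` macros set when the rest of the network is at the default) and checks what a newly attached switch can do: with the default priority it cannot take over any VLAN, with priority 0 it takes every VLAN, which is the case Root Guard on access-facing ports exists for. Switch names, MAC addresses and VLAN numbers are made up.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
PRIMARY, SECONDARY = 24576, 28672   # values set by "root primary" / "root secondary"


@dataclass
class Switch:
    name: str
    mac: str                                        # base MAC, e.g. "00:1a:2b:00:00:10"
    priority: dict = field(default_factory=dict)    # vlan -> configured priority

    def bridge_id(self, vlan: int) -> tuple:
        """802.1t bridge ID: (priority + extended system ID, MAC); lower wins."""
        prio = self.priority.get(vlan, DEFAULT_PRIORITY)
        if prio % 4096 or not 0 <= prio <= 61440:
            raise ValueError(f"{self.name}: priority {prio} must be a multiple of 4096")
        return (prio + vlan, int(self.mac.replace(":", ""), 16))


def elect_root(switches, vlan):
    """Lowest bridge ID wins: lowest priority first, then lowest MAC."""
    return min(switches, key=lambda s: s.bridge_id(vlan)).name


def roots_per_vlan(switches, vlans):
    return {v: elect_root(switches, v) for v in vlans}


def apply_odd_even_plan(d1, d2, vlans):
    """Odd VLANs: d1 primary / d2 secondary root. Even VLANs: the reverse."""
    for v in vlans:
        odd = v % 2 == 1
        d1.priority[v] = PRIMARY if odd else SECONDARY
        d2.priority[v] = SECONDARY if odd else PRIMARY


def vlans_taken_by(switches, newcomer, vlans):
    """VLANs whose root moves to `newcomer` once it is plugged in (no Root Guard)."""
    before = roots_per_vlan(switches, vlans)
    after = roots_per_vlan(switches + [newcomer], vlans)
    return sorted(v for v in vlans if after[v] != before[v] and after[v] == newcomer.name)


def demo():
    vlans = [100, 101, 200, 201]
    d1 = Switch("D1", "00:1a:2b:00:00:10")
    d2 = Switch("D2", "00:1a:2b:00:00:20")
    a1 = Switch("A1", "00:1a:2b:00:00:05")   # access switch that happens to have the lowest MAC
    a2 = Switch("A2", "00:1a:2b:00:00:30")
    fabric = [d1, d2, a1, a2]

    default_roots = roots_per_vlan(fabric, vlans)      # nobody set a priority: A1 wins
    apply_odd_even_plan(d1, d2, vlans)
    planned_roots = roots_per_vlan(fabric, vlans)      # deterministic odd/even roots

    newcomer_default = Switch("new", "00:00:00:00:00:01")
    newcomer_prio0 = Switch("new", "00:00:00:00:00:01", {v: 0 for v in vlans})
    return {
        "default_priorities": default_roots,
        "odd_even_plan": planned_roots,
        "newcomer_default_priority_takes": vlans_taken_by(fabric, newcomer_default, vlans),
        "newcomer_priority_0_takes": vlans_taken_by(fabric, newcomer_prio0, vlans),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last result is the design argument for Root Guard: a manually set priority protects against accidents (a new switch at the default), not against a device that advertises a better bridge ID on purpose.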
[Figure: the same Layer 2 looped topology as above.]

Spanning Tree and Load Balancing Capability
There are two common load balancing techniques in Layer 2 networks: VLAN-based and flow-based load balancing. Spanning tree does not allow flow-based load balancing. Some spanning tree implementations allow only VLAN-based load balancing; some allow only active-standby redundancy.

CST (Common Spanning Tree), 802.1D, is the classical/legacy spanning tree. It supports only one instance for all VLANs, so it does not support VLAN load balancing; it supports only active-standby redundancy, where all VLANs have one root switch and one backup root switch.

Take advantage of VLAN load balancing instead of active-standby: with VLAN load balancing you can use all of your available uplink capacity (also referred to as bisectional bandwidth). VLAN load balancing can be cumbersome and operationally hard, but it gives the advantage of using all uplinks.

Spanning Tree Toolkit
The following enhancements to 802.1D, 802.1s and 802.1w make up the spanning tree toolkit:
- PortFast: lets an access port bypass the listening and learning states.
- UplinkFast: provides 3-to-5 second convergence after a direct uplink failure.
- BackboneFast: cuts convergence time by MaxAge for indirect failures.
- Loop Guard: stops an alternate or root port from becoming designated (and forwarding) when BPDUs stop arriving on it, which would otherwise open a loop; the port is held in a loop-inconsistent state until BPDUs return.
- Root Guard: prevents an external switch from becoming root; provides determinism.
- BPDU Guard: err-disables a PortFast-enabled port if a BPDU is received on it.
- BPDU Filter: suppresses sending and receiving BPDUs on PortFast-enabled ports (the port then no longer participates in spanning tree at all, so use it with care).

Spanning Tree Toolkit Placement
[Figure: toolkit placement. On the distribution switches (STP root, HSRP active): Loop Guard on the inter-switch and access-facing links and Root Guard on the access-facing ports. On the access switches: Loop Guard on the uplinks, Root Guard where a downstream switch must never become root, and BPDU Guard, PortFast and port security on host-facing ports.]

PVST+ is Cisco's per-VLAN 802.1D implementation with a one-to-one instance-to-VLAN mapping. Its enhancements give good optimizations, but it converges slowly compared to MST and RSTP and cannot scale as MST does.

MST (802.1s) is the industry standard. Its convergence is like RSTP's, using the proposal and agreement mechanism. Groups of VLANs are mapped to one spanning tree instance, so with 100 VLANs you do not need 100 instances as you would with RPVST+; this reduces the CPU and memory requirements on the switches and provides scalability.

With region support, MST can be used between data centers, but the spanning tree domain still stays limited to the local data center; think of it as OSPF multi-area. MST supports a large number of VLANs, so it may suit large data centers or service provider access networks that use QinQ (802.1ad Provider Bridging, PB) or MAC-in-MAC (802.1ah Provider Backbone Bridging, PBB).

MST is still used in many data centers because of its large-scale Layer 2 support. Having a different MST region in each data center also keeps spanning tree BPDUs limited to the individual data center.

Spanning Tree Best Practices
Use RSTP or RPVST+ for fast convergence on direct and indirect failures. Use MST for scaling: if you have a large VLAN deployment and CPU is a concern, take advantage of grouping VLANs into MST instances. Do not use 802.1D CST. If you deploy a standards-based spanning tree, use RSTP or MST.

Always keep spanning tree enabled on access-facing ports, with the toolkit features above, to protect the network from intentional or unintentional attacks.
Port security is used as a spanning tree loop avoidance mechanism at the edge of Layer 2 campus Ethernet networks. For multipath support, enable LAG together with spanning tree.

Odd/Even VLAN Load Balancing
For ease of troubleshooting, use one distribution switch as primary root for the odd VLANs and the other distribution switch as primary root for the even VLANs; it gives predictability.

LAG, MC-LAG, VSS and vPC
LAG (Link Aggregation Group) is standardized in IEEE 802.1AX-2008. It places multiple Ethernet links in a bundle: one or more links are aggregated to form a Link Aggregation Group, so that a network device can treat the group as if it were a single link.

[Figure: LAG deployment options. (1) LAG between switch A and switch B. (2) MLAG+LAG: B bundles its links to the pair A1/A2. (3) MLAG+MLAG: the pair A1/A2 bundles to the pair B1/B2. (4) High availability: each member of one pair connects to both members of the other pair.]

Caveats: with per-flow load balancing, flows are mapped to a physical member link by the hashing algorithm of the network device. Per-packet load balancing can cause reordering at the destination because of jitter between the member links. Each individual flow is limited to the speed of one physical link; for example, if a flow generates 1.5 Gbps but is mapped to a 1 Gbps member link, the member link capacity has to be increased.

Vendor                 Implementation name
Cisco Nexus            vPC
Cisco Catalyst 6500    VSS
Juniper                MC-LAG
Ericsson               MC-LAG

VSS and vPC
VSS (Virtual Switching System): the two switches operate as a single control plane, so you do not have to run HSRP with VSS, whereas you do with vPC. vPC (Virtual Port Channel): the two switches keep individual control planes. Both VSS and vPC provide multipathing and flow-based load balancing and eliminate blocked links, and both provide device-level redundancy to the downstream switches or hosts.
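The hashing caveats above, as an added example that is not part of the course material: a Python model of per-flow hashing onto LAG member links and of per-packet spraying. Real switches use vendor-specific hash functions; the XOR of the 5-tuple fields below only stands in for one. The flows, their offered loads and the member-link latencies are constructed values. The model shows the failure modes the caveats describe: a set of small flows whose total fits the bundle but which hash onto the same member and overload it, a single 1.5 Gbps flow that can never use more than one 1 Gbps member, and packets of one flow arriving out of sequence when they are sprayed over members with different latency.

```python
import ipaddress

LINK_GBPS, MEMBERS = 1.0, 2          # a 2 x 1 Gbps bundle, like option (1) in the figure

# Constructed 5-tuples (src, dst, proto, sport, dport) with their offered load in Gbps.
FLOWS = [
    (("10.0.0.10", "10.0.1.20", 6, 40000, 443), 0.4),
    (("10.0.0.11", "10.0.1.20", 6, 40001, 443), 0.4),
    (("10.0.0.12", "10.0.1.21", 17, 5000, 5001), 0.3),
    (("10.0.0.13", "10.0.1.22", 6, 50000, 445), 0.6),
]
BIG_FLOW = (("10.0.0.14", "10.0.1.23", 6, 50001, 445), 1.5)   # backup job, larger than one member


def member_for_flow(flow, members):
    """Map a 5-tuple to a member link index. Stand-in for the vendor hash:
    XOR of all fields, modulo the number of members."""
    src, dst, proto, sport, dport = flow
    key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst)) ^ proto ^ sport ^ dport
    return key % members


def per_flow_distribution(flows, members=MEMBERS, link_gbps=LINK_GBPS):
    """Return (load per member in Gbps, flows larger than one member, overloaded members).
    A flow is pinned to one member, so it can never get more than link_gbps."""
    load = [0.0] * members
    too_big = []
    for five_tuple, gbps in flows:
        load[member_for_flow(five_tuple, members)] += gbps
        if gbps > link_gbps:
            too_big.append(five_tuple)
    load = [round(x, 3) for x in load]
    overloaded = [i for i, x in enumerate(load) if x > link_gbps]
    return load, too_big, overloaded


def per_packet_reordering(n_packets, members, latency_ms, interval_ms):
    """Spray one flow's packets round-robin over members with different one-way latency.
    Returns the arrival order and how many packets arrive behind a later-sent packet."""
    arrival = [(i * interval_ms + latency_ms[i % members], i) for i in range(n_packets)]
    order = [seq for _, seq in sorted(arrival)]
    reordered, highest = 0, -1
    for seq in order:
        if seq < highest:
            reordered += 1
        highest = max(highest, seq)
    return order, reordered


if __name__ == "__main__":
    print("small flows:", per_flow_distribution(FLOWS))
    print("big flow:   ", per_flow_distribution([BIG_FLOW]))
    print("per-packet: ", per_packet_reordering(6, MEMBERS, (0.5, 1.5), 0.01))
```

The four small flows offer 1.7 Gbps in total, well within the 2 Gbps bundle, yet three of them land on the same member and push it over 1 Gbps; the single 1.5 Gbps flow cannot be helped by adding members, only by a faster link.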
[Figure: VSS (single control plane, members joined by the VSL) versus vPC (independent control planes, members joined by the peer link). In both cases the downstream host or switch connects with one port channel to both members.]

The VSS or vPC members use a Cisco proprietary protocol between them to exchange control messages such as system IDs. The downstream switch sees the two VSS or vPC switches as one switch: it is not aware that it is connected to two different devices, because the members advertise a logical system ID instead of each switch's physical system ID.

Both of these technologies are Cisco proprietary, but as the table above shows, other networking vendors provide the same functionality under different names.

VLAN, VTP and Trunking Best Practices
VTP is not recommended anymore because of its configuration complexity and the potential for catastrophic failure: a small mistake in the VTP configuration (for example, a switch with a higher configuration revision number joining the domain) can take the whole network down, so the risk of a VTP-based incident is greater than the benefit of VTP. If VTP is used, VTP transparent mode is the recommended practice because it reduces the potential for operational error.

Always configure a VTP domain name and password when VTP is used. Manually prune unused VLANs from trunk interfaces to limit broadcast propagation. Do not keep the default VLAN (VLAN 1) as the native VLAN on trunks; a dedicated, otherwise unused native VLAN protects against VLAN hopping (double-tagging) attacks. Disable trunking on host ports.

Do not put too many hosts in one VLAN; keep it small to have a manageable fault domain.
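The trunking and VTP best practices above, as an added example that is not part of the course material: a Python audit that walks an IOS-style running configuration and reports the settings the list warns about (VLAN 1 as native VLAN on a trunk, DTP still negotiating, trunks carrying every VLAN, host ports not forced to access mode, host ports missing PortFast, BPDU Guard or port security, and VTP not in transparent/off mode or configured without a password). The running configuration is a constructed sample, not captured from a real switch, and the parser covers only the command forms used in that sample.

```python
SAMPLE_CONFIG = """\
vtp domain campus
vtp mode server
!
interface GigabitEthernet1/0/1
 description uplink to D1, never hardened
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to D2, hardened
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 description user port, hardened
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 description conference room, left at defaults
 switchport access vlan 100
!
"""

HOST_PORT_MUST_HAVE = (
    ("spanning-tree portfast", "no PortFast"),
    ("spanning-tree bpduguard enable", "no BPDU Guard"),
    ("switchport port-security", "no port security"),
)


def parse_config(config):
    """Split an IOS-style config into global lines and per-interface sub-command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(config):
    """Return (scope, finding) pairs; an empty list means the config follows the practices."""
    findings = []
    global_lines, interfaces = parse_config(config)

    vtp_mode = next((l.split()[-1] for l in global_lines if l.startswith("vtp mode ")), "server")
    if vtp_mode not in ("transparent", "off"):
        findings.append(("global", f"VTP mode is {vtp_mode}; use transparent or off"))
    if (any(l.startswith("vtp domain ") for l in global_lines)
            and not any(l.startswith("vtp password ") for l in global_lines)):
        findings.append(("global", "VTP domain configured without a password"))

    for name, lines in interfaces.items():
        if not any(l.startswith("switchport") for l in lines):
            continue                                   # routed or non-switching interface
        if "switchport mode trunk" in lines:
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append((name, "trunk uses VLAN 1 as native VLAN (VLAN hopping)"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still negotiates DTP"))
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append((name, "trunk carries every VLAN; prune the unused ones"))
        else:
            if "switchport mode access" not in lines:
                findings.append((name, "host port not forced to access mode (DTP may form a trunk)"))
            for required, problem in HOST_PORT_MUST_HAVE:
                if required not in lines:
                    findings.append((name, problem))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against the sample, the two hardened interfaces come back clean while the untouched uplink and the conference room port account for all of the interface findings; the same audit can be pointed at a configuration backup directory as a pre-change check.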
Within one VLAN, all broadcast and unknown unicast frames have to be processed by every node. If fast convergence is a requirement, do not use Dynamic Trunking Protocol (DTP): it slows down convergence because the switches negotiate the trunking mode, so configure trunks statically instead.

First Hop Redundancy Protocols
The three commonly used first hop redundancy protocols are HSRP, VRRP and GLBP. All of them provide device-level gateway redundancy in Layer 2 access networks; if the access topology is Layer 3, none of these protocols is needed. HSRP and GLBP are Cisco proprietary protocols, while VRRP is an IETF standard, so use VRRP if you need multivendor interoperability.

HSRP and VRRP use one virtual IP and one virtual MAC address for the gateway function. Hosts always see the same virtual IP address with HSRP, VRRP and GLBP, and the virtual MAC address does not change with HSRP, VRRP or GLBP on failure, so hosts do not have to re-ARP after a failover.

[Figure: HSRP and VRRP. Two gateways share virtual IP 192.168.0.1 and virtual MAC 0000.0000.0001; every host resolves 192.168.0.1 to gateway MAC 0000.0000.0001. The MAC in the figure is illustrative; real HSRPv1 virtual MACs are 0000.0c07.acXX and VRRP virtual MACs 0000.5e00.01XX, where XX is the group ID.]

GLBP
GLBP uses one virtual IP and several virtual MAC addresses. Clients' ARP requests for the virtual IP are answered with different virtual MAC addresses, so network-based load balancing is achieved. Each individual client still uses the same device as its default gateway; different clients use different devices.

GLBP has two roles: AVG (Active Virtual Gateway) and AVF (Active Virtual Forwarder). Each member of the GLBP group is an AVF. The AVG assigns a virtual MAC address to each member of the group and also answers the ARP requests for the virtual IP address. Each router, as an AVF, forwards the traffic it receives for the virtual IP on its own virtual MAC.
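The AVG/AVF split above, as an added example that is not part of the course material: a Python model of the AVG answering ARP requests for the virtual IP with the AVFs' virtual MACs in round-robin (the GLBP default) or weighted order, and of which clients are hit when one AVF fails. It also runs the single-firewall case the Internet edge discussion and case study in this section come back to (one ARP, one cached answer, so every outbound flow leaves through the same AVF) and gives the numbers behind the "First Hop Redundancy Protocol Damage" case study later on: with two AVFs in round robin, half of the clients in the VLAN hang off the failed gateway. Client addresses and virtual MACs (written in the 0007.b400.xxyy form GLBP uses) are constructed; real AVF failover, where a surviving AVF takes over the failed one's virtual MAC after the redirect and timeout timers, is reduced here to "which clients are affected".

```python
import itertools
from collections import Counter


class GLBPGroup:
    """One GLBP group: the AVG hands out the AVFs' virtual MACs in ARP replies."""

    def __init__(self, vip, avfs, weights=None):
        # avfs: {router: virtual_mac}; weights: {router: int}, equal weights when None
        self.vip = vip
        self.avfs = dict(avfs)
        self.weights = dict(weights) if weights else {r: 1 for r in avfs}
        self.alive = set(avfs)
        self.arp_cache = {}            # client_ip -> virtual MAC the AVG told it to use
        self._rebuild_cycle()

    def _rebuild_cycle(self):
        # Weighted round robin: each live AVF appears `weight` times per cycle.
        sequence = [r for r in self.avfs if r in self.alive for _ in range(self.weights[r])]
        self._cycle = itertools.cycle(sequence)

    def arp_reply(self, client_ip):
        """AVG answers the client's ARP for the VIP; the client caches the answer."""
        if client_ip not in self.arp_cache:
            self.arp_cache[client_ip] = self.avfs[next(self._cycle)]
        return self.arp_cache[client_ip]

    def fail(self, router):
        self.alive.discard(router)
        self._rebuild_cycle()

    def affected_clients(self):
        """Clients whose cached gateway MAC belongs to a failed AVF."""
        dead_macs = {mac for r, mac in self.avfs.items() if r not in self.alive}
        return sorted(ip for ip, mac in self.arp_cache.items() if mac in dead_macs)


AVFS = {"R1": "0007.b400.0101", "R2": "0007.b400.0102"}   # constructed group 1 vMACs


def campus_demo(weights=None, clients=20):
    """Hosts ARP for the gateway, then R2 fails: how were they split, who is hit?"""
    group = GLBPGroup("192.168.0.1", AVFS, weights)
    for i in range(clients):
        group.arp_reply(f"192.168.0.{10 + i}")
    split = dict(Counter(group.arp_cache.values()))
    group.fail("R2")
    return split, group.affected_clients()


def internet_edge_demo(flows=1000):
    """A single firewall ARPs once and reuses the answer for every outbound flow."""
    group = GLBPGroup("192.168.0.1", AVFS)
    macs_used = {group.arp_reply("192.168.0.254") for _ in range(flows)}
    return len(macs_used)            # number of Internet routers actually carrying traffic


if __name__ == "__main__":
    print("round robin:", campus_demo())
    print("weighted 3:1:", campus_demo({"R1": 3, "R2": 1}))
    print("firewall uses", internet_edge_demo(), "of", len(AVFS), "routers")
```

Weighting changes how many clients a failure touches, not whether it touches them; and with a single ARP client in front of the group there is nothing to balance, which is the whole Internet edge argument.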
There are different load balancing options: round robin by default, but weighted is supported as well, so the AVG can steer different amounts of traffic to different AVFs based on the configuration.

GLBP on a Leaf and Spine Topology
One popular design combines GLBP with FabricPath, which can provide up to four active virtual forwarders on the spine switches.

[Figure: spine switches act as the AVG and the AVFs; leaf switches connect to them over FabricPath.]

GLBP may suit a campus but not the Internet edge, because the firewall resolves the virtual IP once and then keeps sending everything to the same Internet gateway.

HSRP - VRRP - GLBP Comparison
HSRP and VRRP use one virtual IP and one virtual MAC per group and work active-standby; GLBP uses one virtual IP with several virtual MACs and works active-active. HSRP and GLBP are Cisco proprietary, VRRP is the IETF standard. HSRP is not preemptive by default, VRRP is.

Layer 2 and Layer 3 Interaction
One important factor to take into account when tuning HSRP is its preemptive behavior. Preemption causes the primary device to retake the active role when it comes back online after a failure or maintenance event. HSRP is not preemptive by default; it has to be configured manually. VRRP comes with preemption enabled by default.

[Figure: the same Layer 2 looped topology as above.]

Preemption is the desired behavior because the STP/RSTP root should be the same device as the HSRP primary for a given subnet or VLAN. If HSRP and STP/RSTP are not synchronized, the interconnection between the distribution switches becomes a transit link, and traffic takes a multihop Layer 2 path to its default gateway.

HSRP preemption also needs to be aware of switch boot time and connectivity to the rest of the network. It is possible for HSRP neighbor relationships to form, and preemption to occur, before the primary switch has Layer 3 connectivity to the core; if this happens, traffic is dropped until full connectivity is established, so the preempt delay should cover the boot and routing convergence time. This is the HSRP to Layer 3 interaction.
Layer 2 and Layer 3 Interaction Summary
There are two interactions here: one between spanning tree and HSRP, and one between HSRP and Layer 3 routing.

Layer 2 Traffic Engineering
Traffic engineering is a mechanism for utilizing network bandwidth efficiently; the term is mostly used for MPLS Traffic Engineering. Engineers may not be aware that they are doing TE in Layer 2 networks: there is no "Layer 2 traffic engineering" topic in the books, but it is done in real networks, intentionally or unintentionally.

With BGP, IGP, MPLS or Layer 2, we always try to use bandwidth efficiently and send different traffic over different links, for example voice traffic toward low-latency links and bulk data over high-capacity, higher-latency links. VLAN load balancing, VTP pruning and HSRP groups are examples of Layer 2 traffic engineering.

Layer 2 Access Design
If the connection between the access and distribution layers is Layer 2, the topology is called a Layer 2 access design. It can be implemented as a looped or a loop-free topology.

In the loop-free design, the link between the distribution switches is Layer 3 and the same VLAN is not used on different access switches, so there is no loop in the topology and spanning tree does not block any link.

In both the Layer 2 looped and the Layer 2 loop-free design we need an FHRP, since we want more than one distribution switch for redundancy.

Layer 2 Loop Free Topology
[Figure: two distribution switches connected by a Layer 3 link; the left one is HSRP active for VLANs 10 and 100, the right one for VLANs 20 and 200. The left access switch carries 10.10.10.0 (VLAN 10, data) and 10.10.100.0 (VLAN 100, voice); the right access switch carries 10.10.20.0 (VLAN 20, data) and 10.10.200.0 (VLAN 200, voice). Each access switch has a Layer 2 link to both distribution switches.]

In the loop-free topology the FHRP hello messages between the distribution switches travel over the access switch links, because the distribution interconnect is Layer 3 and does not carry the access VLANs.
In the looped design, the link between the distribution switches is Layer 2 and the same VLAN is used on different access switches, so spanning tree blocks one of the links to prevent a loop.

Layer 2 Looped Topology
[Figure: the Layer 2 looped topology as above.]

We want to align the STP root with the FHRP active gateway, and if there is a network services device such as a firewall, we want to align the active firewall with the STP root and the FHRP active gateway as well. The same VLAN can be used on every access switch, but bisectional bandwidth usage is low because of the blocked links.

Layer 3 Access Design / Routed Access Design
The connections between the access and distribution switches are Layer 3, so the first hop gateway of the clients is the access switch itself.

[Figure: core, Layer 3 distribution, access. Each access switch has unique voice and data VLANs: VLAN 10 data / VLAN 100 voice, VLAN 20 data / VLAN 200 voice, VLAN 30 data / VLAN 300 voice.]

There is no need for a first hop redundancy protocol, since the access switch is the first hop gateway, and there is no spanning tree between the network devices, since there is no Layer 2 link between them.

We can take advantage of fast convergence, since any IGP can be run between the access and distribution layers and tuned; of course, tuning protocol convergence comes at a cost.
Tuning a routing protocol for faster convergence may affect the overall stability of the network: aggressive timers can produce false positives, where a neighbor is declared down although the link is fine. The configuration also becomes much more complex.

Although there is no spanning tree between the network devices anymore, you may still want to protect against user-side loops by enabling spanning tree (with PortFast and BPDU Guard) on the edge ports toward the users.

The drawback of this design is that the same VLAN cannot be used on different access switches, at least in the campus network.

Host-based overlays can be considered similar to the routed access design. They target the data center, where VLAN extension may be a requirement, and overlays such as VXLAN, NVGRE, STT and Geneve support it. These overlays will be explained in the VPN Design course.

LAYER 2 CASE STUDIES

Which one is more suitable for the Internet edge, HSRP or GLBP?
[Figure: two Internet routers connected to a Layer 2 switch with the firewall below. Router 1 is primary for HSRP group 1 (192.168.0.1) and secondary for group 2; router 2 is primary for HSRP group 2 (192.168.0.2) and secondary for group 1.]

Create two HSRP groups on both routers, each router active for one of the groups. For egress from the firewall, static routes on the firewall point to the HSRP group addresses, and BGP handles outbound forwarding on the routers.
On the firewall the default route is pointed to both Internet gateways by splitting it in half: the first half of the address space goes to the HSRP group 1 address and the second half to the HSRP group 2 address (ASA-style syntax: route interface network mask gateway):

route outside 0.0.0.0 128.0.0.0 192.168.0.1
route outside 128.0.0.0 128.0.0.0 192.168.0.2

[Figure: router 1 virtual MAC 0000.0000.0001, router 2 virtual MAC 0000.0000.0002; with GLBP the firewall's default gateway resolves to only one of them, 0000.0000.0002.]

What about Gateway Load Balancing Protocol (GLBP)? The firewall performs one ARP for the virtual IP and the AVG responds with the virtual MAC of either R1 or R2. Traffic is now polarized to a single link; more specific routes and the use of local preference would be required to forward on both links.

From this case study we can see that although HSRP may look more complex configuration-wise, traffic is not polarized as it is with GLBP. In the GLBP case one of the links from the firewall to the Internet gateways is not used; only one link carries traffic. This is not necessarily a problem, because it also provides predictability.

[Figure: the Layer 2 looped topology as above.]

Q1: What is the name of this topology?
Q2: Is HSRP or GLBP more suitable, and why?

The topology is called a Layer 2 looped topology, since the connection between the two distribution switches is Layer 2. Once it is Layer 2, spanning tree has to block one link, the one farthest from the root switch, to prevent a forwarding loop. Otherwise, if you create a loop in an Ethernet network, frames circulate until you take manual action to stop them, because Ethernet has no TTL field in the header; meanwhile they drive up the CPU of the devices and saturate the links. Different Layer 2 protocols on the same Ethernet media can behave differently.
TRILL, FabricPath and SPB are some of them (there are articles about them on the website); they can use all the links without blocking any.

GLBP provides flow-based load balancing. If you work in the design field, you will hear this term often. Two common load balancing techniques exist in Layer 2 networks: VLAN-based and flow-based. VLAN-based load balancing lets one switch be the active Layer 3 gateway for some VLANs while the other distribution switch stays standby, and for the other VLANs the roles are reversed; HSRP and VRRP work this way. The active gateway for VLAN 100 can be the left distribution switch, while for another VLAN, say VLAN 101, it can be the right one.

Flow-based load balancing means both distribution switches are used active-active for the same VLAN: some users in a given VLAN use one distribution switch as their active default gateway, while other users in the same VLAN use the previously standby switch as their active gateway. In this way you can use both distribution switches active-active and utilize all the links in the Layer 2 network, but building this without GLBP is more complex from a design point of view. If you want both the left and the right distribution switch to be active-active for the same VLAN, say VLAN 100, you need GLBP. But then spanning tree must not block the Layer 2 links. How can you achieve this? One way is to change the inter-distribution link to Layer 3; then none of the links between the access and distribution switches is blocked, so you can use all the uplinks.
[Figure: the Layer 2 looped topology as above.]

On the topology above, if you use GLBP, the right access-to-distribution link is blocked, so for users on the right access switch whose ARP request was answered with the right distribution switch's virtual MAC, traffic first goes to the left distribution switch and then across the interconnect link to the right distribution switch, because the right switch is the active virtual forwarder for that MAC. That is why a suboptimal path is always used in this setup.

Why is the root switch placed in the distribution layer instead of the access layer?
[Figure: triangle spanning tree topology with the STP root bridge, the FHRP active gateway and the active network service device all at the distribution layer and the access layer below.]

QUESTION: Why do we always place the spanning tree root bridge and the first hop redundancy protocol gateway at the distribution layer? Would it be better to place the spanning tree root in the access layer?

SOLUTION: The traffic pattern in campus networks is almost always north-south. In two- and three-tier designs the Layer 2 / Layer 3 boundary is placed at the distribution layer. The distribution layer provides scalability, modularity and hierarchy; with a distribution layer any access switch can be upgraded smoothly, and functions are shared between the access and distribution devices. The access layer provides edge functions such as filtering, client access, QoS and security features, while the distribution layer is responsible for route and traffic/speed aggregation. Layer 3 starts at the distribution layer, so the first hop redundancy protocols are enabled there. Since user traffic from the campus goes to the Internet or to servers in the data center, which is a central place, the traffic pattern is north-south, not east-west.
Thus it is logical to place the spanning tree root and the first hop redundancy protocol gateway at the top of the Layer 2 domain. One might then ask whether, in a three-tier hierarchy, the root function could be put in the core layer. The answer is yes, but it is not a good design: the Layer 2 domain would become much larger, and we always want to keep the Layer 2 domain small unless an application requires it to be larger (vMotion, Layer 2 extension and so on).

First Hop Redundancy Protocol Damage
An enterprise will implement a first hop redundancy protocol on its distribution switches. The requirement: if a failure happens on a distribution switch, they do not want all users in a given VLAN to be affected; some users in that VLAN should still be able to operate.

Question: Which first hop redundancy protocol should the company use, and why?

As indicated earlier, only one device is the active gateway with HSRP and VRRP. If a failure happens, the standby device takes over, and even with fast hellos and BFD there is still some downtime; during convergence the traffic of every client in the VLAN is affected. With GLBP there can be more than one active gateway (AVF) in a given VLAN, so the clients' traffic is divided among the active gateways. If a failure happens in a GLBP-enabled network, only some of the clients in the VLAN are affected; with two active gateways, only about half of them. Thus, for the requirement given in the question, GLBP is the best choice.

Port-Security Comes to the Rescue
In the conference room of the company, contractors connected a device that does not generate spanning tree BPDUs, with two ports, to the existing switch environment.

QUESTION 1: What would be the implication of this?
QUESTION 2: How can future problems be mitigated?

This problem happened in the early days of networking: hubs do not generate spanning tree BPDUs.
If you connect a hub with two ports to a switch, a forwarding loop occurs. To stop it you can of course pull one of the cables, but if the contractor had known the implication they probably would not have connected it in the first place. That is why a feature that prevents the loop should be in place in advance. BPDU Guard and BPDU Filter are the two features that react to BPDUs: BPDU Guard shuts the switch port down if a spanning tree BPDU is received on it, while BPDU Filter does not shut the port down but only suppresses BPDUs on it. But in this case study it is clearly stated that no BPDU is generated, so neither of them helps. In this case port security helps: port security does not allow the same MAC address to show up on two secured ports of a given switch, and when it does, the port security feature shuts the violating port down. That is why enabling port security is one of the best practices, not only as a security feature but as a spanning tree protection feature as well.

Layer 2 Looped Design Use Case
Where would the Layer 2 looped design be the better choice from the Layer 2 campus network design point of view?

Answer: In an environment where a Layer 2 VLAN needs to be spanned. The classical example is the data center: hosts (specifically virtual machines) can move between access switches, so the VLANs have to be present on all of those switches. It is also very common in campus environments where WLAN is used on every access switch. In these environments, where Layer 2 needs to be extended across many access switches, the Layer 2 looped design is the only design option.
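The hub loop in this case study, as an added example that is not part of the course material: a Python model of one access switch's MAC learning with BPDU Guard and port security on its ports. A hub cabled into two ports repeats every frame onto both, so the host's MAC keeps moving between the two ports; BPDU Guard never fires because the hub sends no BPDUs, while port security err-disables the second port the moment the MAC it already secured on the first port shows up there. A rogue switch on a PortFast port is included for contrast, since that is the case BPDU Guard does catch. Port names and MAC addresses are constructed, and the model keeps only the behaviours the case study relies on (no aging, no sticky MACs, no VLANs).

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    port_security: bool = False
    bpdu_guard: bool = False
    max_macs: int = 1
    secured: set = field(default_factory=set)
    err_disabled: bool = False


class AccessSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}     # mac -> port name (data plane learning)
        self.flaps = 0          # how often a MAC moved between ports
        self.log = []

    def _err_disable(self, port, reason):
        port.err_disabled = True
        self.log.append(f"{port.name} err-disabled: {reason}")

    def receive(self, port_name, src_mac, bpdu=False):
        """Process one ingress frame; returns False when the frame is dropped."""
        port = self.ports[port_name]
        if port.err_disabled:
            return False
        if bpdu:
            if port.bpdu_guard:
                self._err_disable(port, "BPDU received on PortFast port")
                return False
            return True                     # handed to STP, not learned as a host MAC
        if port.port_security:
            owner = self.mac_table.get(src_mac)
            if owner not in (None, port_name) and self.ports[owner].port_security:
                # violation: a MAC secured on another secure port appeared here
                self._err_disable(port, f"{src_mac} already secured on {owner}")
                return False
            if src_mac not in port.secured and len(port.secured) >= port.max_macs:
                self._err_disable(port, f"more than {port.max_macs} MAC(s) on port")
                return False
            port.secured.add(src_mac)
        previous = self.mac_table.get(src_mac)
        if previous is not None and previous != port_name:
            self.flaps += 1
        self.mac_table[src_mac] = port_name
        return True


def hub_loop(port_security, bpdu_guard, frames=20):
    """A hub is cabled into Gi1 and Gi2; every frame from host H arrives on both ports."""
    sw = AccessSwitch([Port("Gi1", port_security, bpdu_guard),
                       Port("Gi2", port_security, bpdu_guard)])
    for _ in range(frames):
        sw.receive("Gi1", "aa:bb:cc:00:00:01")
        sw.receive("Gi2", "aa:bb:cc:00:00:01")
    return sw.flaps, sw.log


def rogue_switch_on_user_port():
    """A switch plugged into a user port sends a BPDU; BPDU Guard handles that case."""
    sw = AccessSwitch([Port("Gi10", port_security=True, bpdu_guard=True)])
    sw.receive("Gi10", "00:11:22:33:44:55", bpdu=True)
    return sw.log


if __name__ == "__main__":
    print("hub, BPDU Guard only:     ", hub_loop(port_security=False, bpdu_guard=True))
    print("hub, port security added: ", hub_loop(port_security=True, bpdu_guard=True))
    print("rogue switch:             ", rogue_switch_on_user_port())
```

With BPDU Guard alone the MAC flaps on every frame and nothing stops it; with port security the second port is err-disabled on the first repeated frame and the loop is gone, which is the answer to question 2 of the case study.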