Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.
Overview: Next Four Weeks
Part 1: VLAN design
• Cisco design principles
• Private VLANs
Part 2: Redundancy at Layer 1 and Layer 2
• Issues with redundant links
• Spanning Tree Protocol, RSTP, MST
Part 3: High availability
• EtherChannel at Layer 2 and Layer 3
Part 4: Security at Layer 2
Part 1 Overview
• Extent of VLANs
• VLAN concepts
• Native VLAN and untagged frames
• VTP
• VTP pruning
• DTP
• Layer 3 switching
Review: VLANs
• The number of VLANs depends on traffic patterns, application types, segmentation of common workgroups, and network management requirements.
• Cisco recommends:
• a one-to-one correspondence between VLANs and IP subnets;
• VLANs that do not extend beyond the Layer 2 domain of the distribution switch;
• keeping broadcasts and unnecessary movement of traffic out of the core block.
• Two major approaches: local VLANs, or end-to-end (campus-wide) VLANs.
What Is an End-to-End VLAN?
• Users are grouped into VLANs independent of physical location.
• Every VLAN is made available to every access switch across the network. If users move within the campus, their VLAN membership remains the same.
• Traffic assumptions: the 80/20 rule (80% of traffic stays within the local workgroup, the model end-to-end VLANs were built for) versus the 20/80 rule (80% of traffic leaves the local segment for servers and the internet, which favours local VLANs).
VLAN Types
[Figure: two access switches joined by a trunk on Fa0/1; hosts on Fa0/3, Fa0/4, Fa0/6 and Fa0/18 in Management VLAN 99 (172.17.99.10/24), Data VLAN 20 (172.17.20.22/24, 172.17.20.25/24) and Voice VLAN 30 (172.17.30.26/24, 172.17.30.23/24)]
• Data – user data within the switching block
• Voice – VoIP telephony
• Management – device management for administrators
• Native – carries untagged traffic (802.1Q only)
Untagged Frames
• Native VLAN frames are carried over an 802.1Q trunk link untagged.
• Untagged frames received on an 802.1Q trunk are placed in the native VLAN and forwarded to its ports. This is a security issue: a host in the native VLAN can send a double-tagged frame whose outer tag (the native VLAN) is stripped at the first trunk, so the inner tag carries the frame into another VLAN (VLAN hopping). Mitigations: use an otherwise unused VLAN as the native VLAN on every trunk, keep hosts out of it, and tag the native VLAN (vlan dot1q tag native) so that untagged frames arriving on a trunk are dropped.
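The following is an added example, not part of the lecture: a small model of how an 802.1Q trunk treats tagged and untagged frames, used to walk a double-tagged frame from an attacker's access port across a trunk and show why the untagged native VLAN makes the hop possible. The frame layout follows IEEE 802.1Q; the switch behaviour is a simplified model of a Catalyst trunk, and the `tag_native` flag stands in for the `vlan dot1q tag native` global command. The MAC addresses, payload and function names are constructed for the demo.

```python
"""Added example, not part of the lecture: a model of how an 802.1Q trunk treats
tagged and untagged frames, used to show the double-tagging VLAN hop that the
untagged native VLAN makes possible. Frame layout follows IEEE 802.1Q; the
switch behaviour is a simplified model of a Catalyst trunk, and tag_native
stands in for the 'vlan dot1q tag native' global command. MAC addresses and the
payload are constructed for the demo."""
import struct

TPID = 0x8100          # 802.1Q tag protocol identifier
ETYPE_IPV4 = 0x0800

ATTACKER_MAC = bytes.fromhex("02000000aa01")   # constructed
VICTIM_MAC = bytes.fromhex("02000000bb02")     # constructed
PAYLOAD = b"\x45" + b"\x00" * 19               # stand-in for an IPv4 header


def push_tag(frame, vid):
    """Insert an 802.1Q tag (PCP/DEI = 0) right after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Return (outer VID, frame with that tag removed), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def build_frame(dst, src, payload, vids=()):
    """Ethernet/IPv4 frame wrapped in the given tags; vids[0] ends up outermost."""
    frame = dst + src + struct.pack("!H", ETYPE_IPV4) + payload
    for vid in reversed(vids):
        frame = push_tag(frame, vid)
    return frame


def access_ingress(frame, port_vlan):
    """Access port: untagged frames join port_vlan; a tag equal to port_vlan is
    stripped and accepted; any other tag is dropped. Returns (vlan, frame)."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return port_vlan, frame
    return (port_vlan, inner) if vid == port_vlan else (None, None)


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """A trunk sends the native VLAN untagged unless native tagging is enforced."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native):
    """Trunk receive: tagged -> that VLAN (outer tag removed); untagged -> native
    VLAN, or dropped when the trunk requires the native VLAN to be tagged."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return (None, None) if tag_native else (native_vlan, frame)
    return vid, inner


def deliver(frame, attacker_vlan, native_vlan, tag_native=False):
    """Attacker access port on switch 1 -> 802.1Q trunk -> switch 2.
    Returns (VLAN switch 2 delivers into, whether a tag is still on the frame)."""
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None, False
    on_wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    vlan2, frame2 = trunk_ingress(on_wire, native_vlan, tag_native)
    if vlan2 is None:
        return None, False
    return vlan2, pop_tag(frame2)[0] is not None


def double_tag_demo():
    """Attacker in VLAN 1 aims at VLAN 20: outer tag 1, inner tag 20."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, PAYLOAD, vids=(1, 20))
    return {
        "native_is_user_vlan": deliver(frame, 1, native_vlan=1),              # hop succeeds: lands in VLAN 20
        "unused_native_vlan": deliver(frame, 1, native_vlan=999),             # stays in VLAN 1, inner tag exposed
        "tagged_native": deliver(frame, 1, native_vlan=1, tag_native=True),   # stays in VLAN 1
    }
```

With the native VLAN equal to the attacker's user VLAN and left untagged, switch 1 strips the outer tag on ingress and sends the frame out the trunk without re-tagging it, so switch 2 sees a frame tagged 20 and delivers it into VLAN 20. Moving the native VLAN to an unused ID, or forcing native tagging, makes switch 1 re-tag the frame with VLAN 1 and the hop fails.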
VTP (VLAN Trunking Protocol)
• Centralized VLAN management: a VTP server switch propagates its VLAN database to the VTP client switches in the same VTP domain.
• Four modes:
• Server: creates, modifies and deletes VLANs and advertises them to clients and other servers.
• Client: receives and installs updates; cannot make changes.
• Transparent: does not participate (keeps its own local VLAN database) but forwards advertisements out its trunks. VTP version 1 forwards them only if the domain name and version match; version 2 forwards them regardless.
• Off: ignores VTP advertisements and does not forward them (available with VTP version 3).
VTP issues: VLANs disappear from the network
• A "VTP bomb" occurs when a switch with a higher VTP configuration revision number (possibly loaded with stale or incorrect VLAN information) is inserted into the production VTP domain. Every server and client in the domain adopts the higher-revision database, and VLANs missing from it are deleted on all switches. A client can trigger this as readily as a server, because only the revision number decides; reset it (change the VTP domain name, or set transparent mode and back) before connecting a re-used switch.
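The following is an added example, not part of the lecture: a minimal model of VTP version 1/2 revision handling, run once as the "VTP bomb" described above and once with the inserted switch's revision counter reset first. The switch names, domain name, VLAN sets and revision numbers are constructed; `flood()` models one advertisement reaching every switch in the domain, with transparent switches forwarding it but not acting on it.

```python
"""Added example, not part of the lecture: a minimal model of how VTP version 1/2
servers and clients adopt an advertisement carrying a higher configuration
revision number, which is what turns a re-used switch into a "VTP bomb". Switch
names, domain, VLAN sets and revision numbers are constructed for the demo; one
flood() call models the advertisement reaching every switch in the domain
(transparent switches forward it without acting on it)."""


class VtpSwitch:
    def __init__(self, name, mode, domain, revision, vlans):
        self.name, self.mode, self.domain = name, mode, domain
        self.revision, self.vlans = revision, set(vlans)

    def advertise(self):
        """Summary advertisement: domain, revision and the VLAN database."""
        return {"domain": self.domain, "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv):
        """Adopt the advertised database if it is for our domain and strictly
        newer. Returns True when this switch's VLANs were overwritten."""
        if self.mode in ("transparent", "off") or adv["domain"] != self.domain:
            return False        # transparent keeps its local database; off ignores VTP
        if adv["revision"] <= self.revision:
            return False        # only a higher revision wins, whoever sends it
        self.revision, self.vlans = adv["revision"], set(adv["vlans"])
        return True


def flood(switches, source):
    """Deliver source's advertisement to the rest of the domain; return who adopted it."""
    adv = source.advertise()
    return [s.name for s in switches if s is not source and s.receive(adv)]


def vtp_bomb_demo(reset_revision=False):
    """Plug a lab switch (client mode, stale database, revision 60) into a
    production domain at revision 25. With reset_revision=True its revision
    counter was zeroed first (changing the VTP domain name or toggling to
    transparent mode does that on IOS), so production wins instead."""
    prod = {10, 20, 30}
    switches = [
        VtpSwitch("core", "server", "CAMPUS", 25, prod),
        VtpSwitch("access1", "client", "CAMPUS", 25, prod),
        VtpSwitch("access2", "client", "CAMPUS", 25, prod),
        VtpSwitch("lab-edge", "transparent", "CAMPUS", 25, prod),
    ]
    rogue = VtpSwitch("lab-sw", "client", "CAMPUS", 0 if reset_revision else 60, {99})
    switches.append(rogue)
    overwritten = flood(switches, rogue)          # the bomb, if the revision is higher
    converged = flood(switches, switches[0])      # core re-advertises afterwards
    return overwritten, converged, {s.name: sorted(s.vlans) for s in switches}
```

In the default run the client-mode lab switch wipes VLANs 10, 20 and 30 from the server and both clients, and the core re-advertising afterwards changes nothing because every switch now sits at revision 60; only the transparent switch keeps its database. With the revision reset, the lab switch adopts the production database instead.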
Dynamic Trunking Protocol (DTP)
• DTP negotiates the trunking mode between the two ends of a link.
• switchport mode trunk – permanent trunking mode, regardless of the neighbouring interface's setting (the port still sends DTP frames unless nonegotiate is set).
• switchport mode dynamic desirable – actively tries to convert the port to a trunk; becomes a trunk if the neighbouring interface is set to trunk, desirable or auto.
• switchport mode dynamic auto – willing to convert to a trunk if the neighbouring interface is set to trunk or desirable (two auto ports stay access ports).
• switchport nonegotiate – the port does not send DTP frames; the mode (trunk or access) must be configured manually on both ends.
VTP Pruning
[Figure: S1 trunked to S2 (Fa0/1) and S3 (Fa0/2); PC1 to PC4 in VLANs 10 and 20 on S1 and S2 access ports Fa0/6, Fa0/11 and Fa0/18; PC5 and PC6, both in VLAN 20, on S3]
• Prevents unnecessary flooding of broadcast, multicast and unknown-unicast traffic from one VLAN across all trunks in a VTP domain.
• Lets switches advertise which VLANs have active ports at the far end of a trunk, so VLANs with no members on the remote switch are pruned from that trunk. In the figure, S3 has hosts only in VLAN 20, so VLAN 10 traffic is pruned from the trunk toward S3.
• Pruning is disabled by default.
• Enabled on the VTP server and propagated to the whole domain: S2(config)# vtp pruning
VLAN Design: Best Practices
• For the local VLANs model, limit each access switch to 1-3 VLANs, and limit those VLANs to only a couple of access switches and the distribution switches.
• Avoid using VLAN 1 as the "blackhole" for all unused ports.
• Separate voice, data, management, default, and blackhole VLANs.
• In the local VLANs model, avoid VTP (use transparent mode).
• Turn off DTP on trunk ports (switchport nonegotiate) and configure them manually.
• Manually configure access ports that are not intended to be trunks with the switchport host command, which disables EtherChannel, disables trunking, and enables PortFast.
• Prevent all data traffic from VLAN 1.
• Avoid Telnet on management VLANs; use SSH instead.
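As an added example, not part of the lecture, the script below audits a Catalyst IOS running-config against the DTP, VTP and VLAN 1 practices listed above. `SAMPLE_CONFIG` is a constructed configuration (one correctly hardened trunk, one left at defaults, an access port without an explicit mode, an unused port in VLAN 1, and a vty line that still allows Telnet); the parser assumes standard IOS `switchport`, `vtp mode` and `line vty` syntax and the function names are this example's own.

```python
"""Added example, not part of the lecture: audit a Catalyst IOS running-config
against the VLAN design best practices. SAMPLE_CONFIG is constructed for the
demo; the checks assume standard IOS 'switchport', 'vtp' and 'line vty' syntax."""

SAMPLE_CONFIG = """\
vtp mode server
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/18
 shutdown
!
line vty 0 4
 transport input telnet ssh
"""


def parse_config(text):
    """Split IOS config into top-level commands and {section header: [sub-commands]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, sections


def audit_interface(iface, cmds):
    """Best-practice checks for one switchport."""
    findings = []
    mode = next((c[len("switchport mode "):] for c in cmds if c.startswith("switchport mode ")), None)
    if "switchport host" in cmds:          # macro: mode access + PortFast + no channel-group
        mode = "access"
    if mode == "trunk":
        if "switchport nonegotiate" not in cmds:
            findings.append(f"{iface}: trunk still negotiates DTP; add 'switchport nonegotiate'")
        if not any(c.startswith("switchport trunk native vlan ") for c in cmds):
            findings.append(f"{iface}: native VLAN left at 1; move it to an unused VLAN")
        return findings
    if mode != "access":
        findings.append(f"{iface}: no explicit 'switchport mode access' (the DTP default, dynamic auto on most Catalysts, can still form a trunk)")
    access_vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")), "1")
    if access_vlan == "1":
        state = "unused (shutdown)" if "shutdown" in cmds else "access"
        findings.append(f"{iface}: {state} port in VLAN 1; assign a dedicated blackhole VLAN")
    if mode == "access" and "spanning-tree portfast" not in cmds:
        findings.append(f"{iface}: access port without PortFast (switchport host sets it)")
    return findings


def audit(text):
    """Return a list of best-practice violations found in the config."""
    top, sections = parse_config(text)
    findings = []
    for cmd in top:
        if cmd.startswith("vtp mode ") and cmd.split()[-1] not in ("transparent", "off"):
            findings.append(f"global: '{cmd}'; a local-VLAN design should run VTP transparent (or off)")
    for header, cmds in sections.items():
        if header.startswith("interface "):
            findings += audit_interface(header.split(None, 1)[1], cmds)
        elif header.startswith("line vty") and "transport input ssh" not in cmds:
            transport = next((c for c in cmds if c.startswith("transport input")), "no transport input set")
            findings.append(f"{header}: {transport}; use 'transport input ssh' only")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports seven findings: the VTP server mode, the two defaults on FastEthernet0/1 (DTP still on, native VLAN 1), the missing explicit access mode on FastEthernet0/11 and FastEthernet0/18, the shut-down port still in VLAN 1, and the vty line that accepts Telnet. FastEthernet0/2 and FastEthernet0/6 pass.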
Multilayer Switching
A switch that operates at multiple layers of the OSI model:
• Layer 2 switching
• Layer 3 switching
• Layer 4 switching
• Low latency
• High-speed scalability
• Supports QoS
• Supports VoIP
Layer-3 Switch
[Figure: S1 (Layer 3 switch) connected on Fa0/1 to S2, on Fa0/2 to S3, plus Fa0/3 and Fa0/4 links; PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20) and PC3 172.17.30.23/24 (VLAN 30) on access ports Fa0/11, Fa0/6 and Fa0/18]
• Some switches can perform Layer 3 functions, replacing the need for dedicated routers to perform basic routing on a network.
• Multilayer switches are capable of performing inter-VLAN routing.
• To enable routing functions:
• VLAN interfaces on the switch need to be configured with IP addresses in the subnet that each VLAN is associated with on the network.
• The multilayer switch also must have IP routing enabled (ip routing).
Inter-VLAN Routing Using a Layer 3 Switch
[Figure: S1 with SVIs for VLAN 20, VLAN 30 and VLAN 99; trunks on Fa0/1; hosts on Fa0/3, Fa0/6 and Fa0/18 in Management VLAN 99 (172.17.99.10/24), Student VLAN 20 (172.17.20.22/24, 172.17.20.25/24) and Guest VLAN 30 (172.17.30.26/24, 172.17.30.23/24)]
• A Switch Virtual Interface (SVI) is a logical interface configured for a specific VLAN, and is used by Layer 3 switches to route between VLANs or to provide IP host connectivity to a switch.
S1 VLAN interfaces:
• 172.17.99.1 – default gateway for VLAN 99
• 172.17.20.1 – default gateway for VLAN 20
• 172.17.30.1 – default gateway for VLAN 30
Layer-3 Switch SVI Configuration
[Figure: same topology as the Layer-3 Switch slide; S1 routes between VLANs 10, 20 and 30 for PC1 172.17.10.21/24, PC2 172.17.20.22/24 and PC3 172.17.30.23/24]
Configure SVI addresses:
S1(config)#int vlan 10
S1(config-if)#ip add 172.17.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip add 172.17.20.1 255.255.255.0
S1(config-if)#int vlan 30
S1(config-if)#ip add 172.17.30.1 255.255.255.0
Configure routing:
S1(config)#ip routing
S1(config)#exit
S1#sh ip route
172.17.0.0/24 is subnetted, 3 subnets
C 172.17.10.0 is directly connected, Vlan10
C 172.17.20.0 is directly connected, Vlan20
C 172.17.30.0 is directly connected, Vlan30
Layer-3 Switch Routed Port Configuration
[Figure: same topology; S1 Fa0/5 (172.17.40.2/30) connects to R1 Fa0/0 (172.17.40.1/30)]
Configure routed port (the link is a /30, so the mask is 255.255.255.252, matching the EIGRP wildcard 0.0.0.3):
S1(config)#int fa0/5
S1(config-if)#no switchport
S1(config-if)#ip add 172.17.40.2 255.255.255.252
S1(config-if)#no sh
S1(config-if)#exit
S1(config)#router eigrp 1
S1(config-router)#network 172.17.40.0 0.0.0.3
• Physical switch port with Layer 3 capability
• Not associated with any VLAN
• Serves as the default gateway for devices out that switch port
• Layer 2 port functionality must be removed (no switchport) before it can be configured
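As an added example, not part of the lecture, the script below sanity-checks the Layer 3 switch addressing plan from the SVI and routed-port slides before it is typed into IOS: each SVI gateway must be a usable address in the same subnet as its VLAN's hosts, both ends of the routed point-to-point link must agree on the prefix length, and the EIGRP network/wildcard statement must cover the routed port. The VLAN, host and peer values come from the figures; `ROUTED_PORT` deliberately carries a /24 mask on the link the figure labels /30 so the check has something to catch. The function names are this example's own.

```python
"""Added example, not part of the lecture: sanity-check the Layer 3 switch
addressing plan from the slides before it is typed into IOS. SVI_PLAN, PEER and
EIGRP_NETWORK are taken from the figures; ROUTED_PORT deliberately carries a /24
mask on a link the figure labels /30 so the check has something to catch."""
import ipaddress

# VLAN -> (SVI gateway with its mask, one host from the figure with its mask)
SVI_PLAN = {
    10: ("172.17.10.1/24", "172.17.10.21/24"),
    20: ("172.17.20.1/24", "172.17.20.22/24"),
    30: ("172.17.30.1/24", "172.17.30.23/24"),
}
ROUTED_PORT = ("Fa0/5", "172.17.40.2/24")   # 255.255.255.0 typed on a /30 point-to-point link
PEER = "172.17.40.1/30"                     # R1 Fa0/0 as drawn
EIGRP_NETWORK = ("172.17.40.0", "0.0.0.3")  # 'network 172.17.40.0 0.0.0.3'


def check_svi(vlan, gateway, host):
    """The SVI must be a usable host address in the same subnet as the VLAN's hosts."""
    gw, h = ipaddress.ip_interface(gateway), ipaddress.ip_interface(host)
    problems = []
    if gw.network != h.network:
        problems.append(f"VLAN {vlan}: gateway {gw} and host {h} are in different subnets")
    if gw.ip in (gw.network.network_address, gw.network.broadcast_address):
        problems.append(f"VLAN {vlan}: {gw.ip} is the network or broadcast address")
    return problems


def check_routed_port(name, local, peer):
    """Both ends of a routed point-to-point link must agree on the prefix length."""
    a, b = ipaddress.ip_interface(local), ipaddress.ip_interface(peer)
    if a.network.prefixlen != b.network.prefixlen:
        return [f"{name}: mask /{a.network.prefixlen} on {a.ip} does not match peer {b} (/{b.network.prefixlen})"]
    if a.network != b.network:
        return [f"{name}: {a} and peer {b} are in different subnets"]
    return []


def wildcard_to_network(addr, wildcard):
    """'network A W' in EIGRP: the wildcard is the inverted subnet mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit_plan(svi_plan, routed_port, peer, eigrp_network):
    """Return every problem found; an empty list means the plan is consistent."""
    problems = []
    for vlan, (gw, host) in svi_plan.items():
        problems += check_svi(vlan, gw, host)
    name, local = routed_port
    problems += check_routed_port(name, local, peer)
    covered = wildcard_to_network(*eigrp_network)
    if ipaddress.ip_interface(local).ip not in covered:
        problems.append(f"{name}: EIGRP network {covered} does not cover {local}")
    return problems


def ios_commands(svi_plan, routed_port):
    """Render the SVI and routed-port configuration lines for a plan that passed audit_plan()."""
    lines = []
    for vlan, (gw, _) in svi_plan.items():
        i = ipaddress.ip_interface(gw)
        lines += [f"interface vlan {vlan}", f" ip address {i.ip} {i.netmask}"]
    name, local = routed_port
    i = ipaddress.ip_interface(local)
    lines += [f"interface {name}", " no switchport", f" ip address {i.ip} {i.netmask}", " no shutdown", "ip routing"]
    return lines
```

`audit_plan(SVI_PLAN, ROUTED_PORT, PEER, EIGRP_NETWORK)` returns exactly one problem, the /24 versus /30 mismatch on Fa0/5; with the routed port corrected to 172.17.40.2/30 the plan passes and `ios_commands()` renders the same lines the slides show, with the dotted mask 255.255.255.252 on the routed port.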