Presentation on theme: "Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1."— Presentation transcript:
Overview: the next four weeks
Part 1: VLAN design
- Cisco design principles
- Private VLANs
Part 2: Redundancy at Layer 1 and Layer 2
- Issues with redundant links
- Spanning Tree Protocol, RSTP, MST
Part 3: High availability
- EtherChannel at Layer 2 and Layer 3
Part 4: Security at Layer 2
Review: VLANs
- The number of VLANs depends on traffic patterns, application types, segmentation of common workgroups, and network management requirements.
- Cisco recommends a one-to-one correspondence between VLANs and IP subnets.
- VLANs should not extend beyond the Layer 2 domain of the distribution switch.
- Keep broadcasts and unnecessary traffic out of the core block.
- Two major approaches: local VLANs, or end-to-end (campus-wide) VLANs.
What Is an End-to-End VLAN?
- Users are grouped into VLANs independent of physical location.
- Every VLAN is made available to every access switch across the network.
- If users move within the campus, their VLAN membership stays the same.
- Traffic assumption: end-to-end VLANs follow the 80/20 rule (80% of traffic stays inside the local VLAN, 20% leaves it); when traffic follows the 20/80 rule (most of it leaves the local segment, e.g. to centralized servers), local VLANs are the better fit.
VLAN Types
[Figure: one switch with a management VLAN 99 host (172.17.99.10/24), data VLAN 20 hosts (172.17.20.22/24, 172.17.20.25/24) and voice VLAN 30 phones (172.17.30.26/24, 172.17.30.23/24) on ports Fa0/1, Fa0/3, Fa0/4, Fa0/6 and Fa0/18]
- Data: user data within the switching block
- Voice: VoIP telephony
- Management: device management for administrators
- Native: carries untagged traffic (802.1Q only)
Different Native VLANs
If the two ends of an 802.1Q trunk are configured with different native VLANs, untagged frames sent in one end's native VLAN are received into the other end's native VLAN, so traffic is merged between the two VLANs. CDP reports this condition (%CDP-4-NATIVE_VLAN_MISMATCH); the fix is to configure the same native VLAN on both ends with switchport trunk native vlan.
Untagged Frames
- Native VLAN frames are carried over the trunk link untagged.
- Untagged frames arriving on an 802.1Q trunk are forwarded to the ports in the native VLAN. Because anything that arrives untagged lands in that VLAN, this is a security issue: use an unused VLAN as the native VLAN, keep end hosts out of it, and tag the native VLAN on trunks where the platform supports it (vlan dot1q tag native).
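A small model of how a trunk handles tagged and untagged frames, as an added example (not part of the slides). It builds real 802.1Q frame bytes, then shows the native VLAN mismatch from the previous slide merging two VLANs, and, going beyond the slide, the double-tagging case that is the usual reason untagged native traffic is called a security issue. The switch behaviour is a simplified assumption: an untagged frame received on a trunk is assigned to the trunk's native VLAN, a frame sent out a trunk in its native VLAN goes untagged unless the port tags the native VLAN, and an access port strips a tag matching its own VLAN. MAC addresses and payload are constructed.

```python
"""802.1Q native-VLAN behaviour on a trunk, modelled in Python (added example)."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DST = bytes.fromhex("001122334455")  # constructed MAC addresses
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"constructed payload"


def build_frame(vlans=()):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, v & 0x0FFF) for v in vlans)
    return DST + SRC + tags + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD


def pop_tag(frame):
    """Return (vlan_id, frame minus its outermost tag); vlan_id is None if untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


class TrunkPort:
    """Assumed trunk behaviour: native VLAN untagged unless tag_native is set."""

    def __init__(self, native_vlan, tag_native=False):
        self.native_vlan = native_vlan
        self.tag_native = tag_native

    def egress(self, vlan, frame):
        """Put a frame the switch holds in `vlan` on the wire."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame  # native VLAN leaves untagged
        return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]

    def ingress(self, wire_frame):
        """Classify a received frame: (VLAN it is assigned to, frame to forward)."""
        vlan, rest = pop_tag(wire_frame)
        return (self.native_vlan if vlan is None else vlan), rest


def cross_trunk(vlan, frame, tx, rx):
    """VLAN a frame lands in on the receiving switch after crossing tx -> rx."""
    return rx.ingress(tx.egress(vlan, frame))[0]


def matched_native():
    # Both ends use native VLAN 99: a VLAN 10 frame is tagged and stays in VLAN 10.
    return cross_trunk(10, build_frame(), TrunkPort(99), TrunkPort(99))


def native_mismatch():
    # S1 native 10, S2 native 20: the VLAN 10 frame leaves S1 untagged and S2
    # files it under VLAN 20, merging the two VLANs (the slide's mismatch case).
    return cross_trunk(10, build_frame(), TrunkPort(10), TrunkPort(20))


def double_tag(tag_native):
    # A host on an access port in VLAN 1 (the trunk's native VLAN) sends a frame
    # with two tags, outer 1 and inner 20. Assumption: the access switch strips
    # the outer tag that matches the port's VLAN and forwards the frame in VLAN 1.
    # With an untagged native VLAN the inner tag reaches S2 intact and the frame
    # is delivered into VLAN 20; tagging the native VLAN makes S2 read the outer
    # tag (1) instead, so the frame stays in VLAN 1.
    _, stripped = pop_tag(build_frame(vlans=(1, 20)))
    s1, s2 = TrunkPort(1, tag_native), TrunkPort(1, tag_native)
    return cross_trunk(1, stripped, s1, s2)


if __name__ == "__main__":
    print("matched native VLANs:        VLAN", matched_native())
    print("mismatched native VLANs:     VLAN", native_mismatch())
    print("double tag, native untagged: VLAN", double_tag(tag_native=False))
    print("double tag, native tagged:   VLAN", double_tag(tag_native=True))
```

The two mitigations from the slide map directly onto the model: moving the native VLAN to an unused number (switchport trunk native vlan 999) means no access port shares it, and tagging the native VLAN (vlan dot1q tag native) is the tag_native=True case.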
VTP (VLAN Trunking Protocol)
- Centralized VLAN management: a VTP server propagates the VLAN database to the other switches in its VTP domain.
- Four modes:
  Server: creates, modifies and deletes VLANs and advertises the database to clients and other servers
  Client: receives updates and cannot make VLAN changes
  Transparent: keeps its own local VLAN database and does not apply updates; in VTP version 1 it forwards advertisements only for its own domain and version, in version 2 it forwards them regardless of domain or version
  Off (VTP version 3): neither applies nor forwards VTP advertisements
VTP issue: VLANs disappear from the network
A "VTP bomb" occurs when a switch with a higher VTP configuration revision number (even one loaded with incorrect or empty VLAN information) is inserted into the production VTP domain. Every server and client in the domain accepts the higher-revision database, so the production VLAN information is lost on all switches in that domain. A client with a higher revision number causes the same overwrite, not only a server.
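The check a practitioner runs before patching a switch into a VTP domain, as an added example (not part of the slides): parse `show vtp status` from the switch to be connected and from a production switch, and refuse the connection if the newcomer's revision would win. Both outputs below are constructed (field names follow the IOS command's layout, values are made up); the helper names are hypothetical.

```python
"""Pre-connection VTP revision check (added example, constructed input)."""
import re

NEW_SWITCH_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CAMPUS
VTP Pruning Mode                : Disabled
VTP Operating Mode              : Server
Number of existing VLANs        : 5
Configuration Revision          : 57
MD5 digest                      : 0x1A 0x2B 0x3C 0x4D 0x5E 0x6F 0x70 0x81
"""

PRODUCTION_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CAMPUS
VTP Pruning Mode                : Enabled
VTP Operating Mode              : Server
Number of existing VLANs        : 23
Configuration Revision          : 12
MD5 digest                      : 0xC3 0xD4 0xE5 0xF6 0x07 0x18 0x29 0x3A
"""


def parse_vtp_status(text):
    """Extract the fields the check needs from `show vtp status` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "domain": fields.get("VTP Domain Name", ""),
        "mode": fields.get("VTP Operating Mode", "").lower(),
        "revision": int(fields.get("Configuration Revision", "0")),
        "vlans": int(fields.get("Number of existing VLANs", "0")),
    }


def connect_precheck(new, prod):
    """Reasons the new switch must not be connected as-is; empty list means safe."""
    problems = []
    if new["mode"] in ("transparent", "off"):
        return problems  # never applies or originates a VLAN database
    if new["domain"] != prod["domain"]:
        return problems  # advertisements for another domain are ignored
    if new["revision"] > prod["revision"]:
        # The VTP bomb: the higher revision wins regardless of its content and
        # regardless of whether the newcomer is a server or a client.
        problems.append(
            "revision %d > production %d: its %d-VLAN database would replace "
            "production's %d VLANs"
            % (new["revision"], prod["revision"], new["vlans"], prod["vlans"])
        )
    if new["mode"] == "server":
        problems.append("server mode: set vtp mode client or transparent first")
    return problems


if __name__ == "__main__":
    new = parse_vtp_status(NEW_SWITCH_STATUS)
    prod = parse_vtp_status(PRODUCTION_STATUS)
    for problem in connect_precheck(new, prod):
        print("BLOCK:", problem)
```

To make a flagged switch safe, reset its revision to 0 before connecting it: on IOS, changing the VTP domain name or setting vtp mode transparent both reset the configuration revision.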
Dynamic Trunking Protocol (DTP)
DTP negotiates the trunking mode between the two ends of a link.
- switchport mode trunk: permanent trunking mode, regardless of the neighbouring interface's setting (DTP frames are still sent unless nonegotiate is also configured).
- switchport mode dynamic desirable: actively tries to convert the port to a trunk; the link becomes a trunk if the neighbour is set to trunk, desirable or auto.
- switchport mode dynamic auto: willing to convert to a trunk if the neighbour is set to trunk or desirable; two auto ports never form a trunk.
- switchport nonegotiate: the port does not generate DTP frames, so the trunking mode must be configured manually on both ends.
VTP Pruning
[Figure: S1, S2 and S3 connected by trunks on Fa0/1 and Fa0/2; PC1 and PC3 in VLAN 10, PC2, PC4, PC5 and PC6 in VLAN 20, on ports Fa0/6, Fa0/11 and Fa0/18]
- Prevents unnecessary flooding of broadcast traffic from one VLAN across every trunk in the VTP domain.
- Switches advertise which VLANs have active ports on their end of a trunk, so the neighbour can prune from that trunk the VLANs that have no members on the remote switch.
- Pruning is disabled by default; it is enabled on the VTP server for the whole domain:
  S2(config)# vtp pruning
VLAN Design: Best Practices
- In the local VLANs model, limit each access switch to 1-3 VLANs, and limit each of those VLANs to a couple of access switches plus the distribution switches.
- Avoid using VLAN 1 as the "blackhole" for all unused ports.
- Separate the voice, data, management, default and blackhole VLANs.
- In the local VLANs model, avoid VTP (use transparent mode).
- Turn off DTP on trunk ports (switchport nonegotiate) and configure them manually (switchport mode trunk).
- Manually configure access ports that are not intended to be trunks with the switchport host macro (it disables EtherChannel, disables trunking, and enables PortFast).
- Keep all data traffic off VLAN 1.
- Avoid Telnet on the management VLAN; use SSH instead.
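A configuration audit that checks a running-config against the practices on this slide, as an added example (not part of the slides). It parses IOS stanzas and flags ports still negotiating DTP, trunks without switchport nonegotiate, native or access VLAN 1, VTP server mode, and Telnet on the vty lines. The config is constructed; the assumption that a port with no explicit switchport mode is in the platform default (dynamic auto) is noted in the code.

```python
"""Audit a Catalyst IOS config against Layer 2 VLAN best practices (added example)."""

SAMPLE_CONFIG = """\
!
vtp mode server
vtp domain CAMPUS
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 shutdown
!
line vty 0 4
 transport input telnet
!
"""


def parse_stanzas(config):
    """Map each non-indented line (global command or stanza header) to its indented children."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def _value(lines, prefix, default):
    """Argument of the first line starting with `prefix`, or `default`."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit(config):
    """Return (where, finding) pairs; an empty list means nothing was flagged."""
    stanzas = parse_stanzas(config)
    findings = []
    if "vtp mode server" in stanzas:
        findings.append(("global", "VTP server mode; the local VLAN model calls for vtp mode transparent"))
    for header, lines in stanzas.items():
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if "shutdown" in lines:
                continue  # administratively down ports are out of scope here
            mode = _value(lines, "switchport mode ", None)
            if mode is None or mode.startswith("dynamic"):
                # Assumption: no explicit mode means the platform default, dynamic auto.
                findings.append((name, "DTP still negotiating (%s); set switchport mode access or trunk plus switchport nonegotiate" % (mode or "no mode configured")))
            elif mode == "trunk":
                if "switchport nonegotiate" not in lines:
                    findings.append((name, "trunk without switchport nonegotiate"))
                if _value(lines, "switchport trunk native vlan ", "1") == "1":
                    findings.append((name, "native VLAN is 1; move it to an unused VLAN"))
            elif mode == "access":
                if _value(lines, "switchport access vlan ", "1") == "1":
                    findings.append((name, "access port in VLAN 1; keep data traffic off VLAN 1"))
        elif header.startswith("line vty"):
            transport = _value(lines, "transport input ", "")
            if "telnet" in transport or transport == "all":
                findings.append((header, "Telnet allowed (%s); use transport input ssh" % transport))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print("%-18s %s" % (where, finding))
```

On the constructed config this flags the VTP server, both problems on Fa0/1, the dynamic desirable port Fa0/18 and the Telnet vty, and passes Fa0/2 (unused native VLAN, nonegotiate) and Fa0/6 (access port in VLAN 20).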
Multilayer Switching
A multilayer switch operates at more than one layer of the OSI model: Layer 2 switching, Layer 3 switching and Layer 4 switching.
Benefits: low latency, high-speed scalability, QoS support, VoIP support.
Layer-3 Switch
[Figure: S1, S2 and S3; PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20) and PC3 172.17.30.23/24 (VLAN 30) on Fa0/11, Fa0/6 and Fa0/18; inter-switch links on Fa0/1 to Fa0/4]
- Some switches can perform Layer 3 functions, replacing dedicated routers for basic routing on a network.
- Multilayer switches can perform inter-VLAN routing.
- To enable routing, each VLAN interface on the switch is configured with an IP address in the subnet associated with that VLAN, and IP routing must be enabled on the switch.
Inter-VLAN Routing Using an L3 Switch
[Figure: S1 with SVIs for VLAN 20, VLAN 30 and VLAN 99; management VLAN 99 host 172.17.99.10/24, student VLAN 20 hosts 172.17.20.22/24 and 172.17.20.25/24, guest VLAN 30 hosts 172.17.30.26/24 and 172.17.30.23/24 on Fa0/1, Fa0/3, Fa0/6 and Fa0/18]
A Switch Virtual Interface (SVI) is a logical interface associated with a specific VLAN. Layer 3 switches use SVIs to route between VLANs; a Layer 2 switch uses one SVI to give itself an IP address for management.
S1 VLAN interfaces:
172.17.99.1: default gateway for VLAN 99
172.17.20.1: default gateway for VLAN 20
172.17.30.1: default gateway for VLAN 30
Layer-3 Switch SVI Configuration
[Figure: same topology as the Layer-3 Switch slide]
Configure SVI addresses:
S1(config)#int vlan 10
S1(config-if)#ip add 172.17.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip add 172.17.20.1 255.255.255.0
S1(config-if)#int vlan 30
S1(config-if)#ip add 172.17.30.1 255.255.255.0
S1(config-if)#exit
Configure routing:
S1(config)#ip routing
S1(config)#exit
Verify:
S1#sh ip route
172.17.0.0/24 is subnetted, 3 subnets
C    172.17.10.0 is directly connected, Vlan10
C    172.17.20.0 is directly connected, Vlan20
C    172.17.30.0 is directly connected, Vlan30
An SVI only comes up, and its connected route only appears, once the VLAN exists in the VLAN database and at least one port in that VLAN is up.
Layer-3 Switch Routed Port Configuration
[Figure: same topology; R1 Fa0/0 172.17.40.1/30 connected to S1 Fa0/5 172.17.40.2/30]
A routed port is a physical switch port with Layer 3 capability: it is not associated with any VLAN, it serves as the default gateway for devices reached through that port, and its Layer 2 (switchport) functionality must be removed before it can be given an IP address.
Configure the routed port (the /30 mask is 255.255.255.252, matching the EIGRP wildcard 0.0.0.3):
S1(config)#int fa0/5
S1(config-if)#no switchport
S1(config-if)#ip add 172.17.40.2 255.255.255.252
S1(config-if)#no sh
S1(config-if)#exit
S1(config)#router eigrp 1
S1(config-router)#network 172.17.40.0 0.0.0.3
Next Week Work posted on web page Work on your group project