Layer 2: Redundancy and High Availability
Part 1: General Overview on Assignment 1
Overview: Next Four Weeks
  Part 1: VLAN design
    Cisco design principles
    Private VLANs
  Part 2: Redundancy at Layer 1 and Layer 2
    Issues with Redundant Links
    Spanning Tree Protocol
  Part 3: High Availability
    RSTP
    MST
    EtherChannel at Layer 2 and Layer 3
  Part 4: Security at Layer 2
Part 1 Overview
  Extent of VLAN
  VLAN concepts
  Native VLAN
  Untagged Frames
  VTP Pruning
  DTP
  Layer 3 Switching
Review: VLANs
The number of VLANs depends on traffic patterns, application types, the segmenting of common workgroups, and network management requirements.
Cisco recommends:
• a one-to-one correspondence between VLANs and IP subnets;
• that VLANs not extend beyond the Layer 2 domain of the distribution switch;
• keeping broadcasts and unnecessary movement of traffic out of the core block.
Two major approaches:
• Local
• End-to-End or Campus-wide
What Is an End-to-End VLAN?
• Users are grouped into VLANs independent of physical location.
• Every VLAN is made available to every access switch across the network.
• If users are moved within the campus, their VLAN membership remains the same.
• The 80/20 rule
• The 20/80 rule
End-to-End or Campus-wide VLANs
Geographic or Local VLANs
VLAN Types
• Data – user data, within the switching block
• Voice – VoIP telephony
• Management – device management for administrators
• Native – supports untagged traffic (802.1Q only)
[Figure: switched topology with hosts in management VLAN 99 (172.17.99.10/24), data VLAN 20 (172.17.20.22/24, 172.17.20.25/24) and voice VLAN 30 (172.17.30.23/24, 172.17.30.26/24)]
Different Native VLANs
A native VLAN mismatch between the two ends of a trunk will merge traffic between VLANs.
Untagged Frames
Native VLAN frames are carried over the trunk link untagged.
Untagged frames arriving on an 802.1Q trunk are forwarded to the ports in the native VLAN, which can be a security issue.
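The following is an added example, not part of the slides: it builds raw Ethernet II frames with and without an 802.1Q tag and models the two ends of a trunk, showing that a frame sent in S1's native VLAN arrives untagged and is placed into S2's native VLAN, so a mismatch silently moves it into another VLAN. The MAC addresses, payload and switch roles are constructed assumptions.

```python
# Added example (not from the slides): each end of an 802.1Q trunk tags and
# untags frames by its own native VLAN, so mismatched native VLANs merge
# traffic. MAC addresses, payload and switch roles (S1 sends, S2 receives)
# are constructed assumptions.
import struct

TPID_8021Q = 0x8100                   # EtherType announcing an 802.1Q tag
ETH_IPV4 = 0x0800
DST = bytes.fromhex("ffffffffffff")   # constructed broadcast destination
SRC = bytes.fromhex("0200c0ffee01")   # constructed locally administered MAC


def build_frame(vlan, payload: bytes) -> bytes:
    """Ethernet II frame; a 4-byte 802.1Q tag (PCP/DEI 0) is inserted when vlan is set."""
    hdr = DST + SRC
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETH_IPV4) + payload


def parse_vlan(frame: bytes):
    """VLAN ID of a tagged frame, or None if the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def trunk_egress(vlan: int, native_vlan: int, payload: bytes) -> bytes:
    """Sending end: native VLAN frames leave untagged, all others tagged."""
    return build_frame(None if vlan == native_vlan else vlan, payload)


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Receiving end: an untagged frame is assigned to the local native VLAN."""
    tag = parse_vlan(frame)
    return native_vlan if tag is None else tag


def vlan_after_trunk(vlan: int, s1_native: int, s2_native: int) -> int:
    """VLAN a frame from `vlan` on S1 is placed in on S2 after crossing the trunk."""
    return trunk_ingress(trunk_egress(vlan, s1_native, b"constructed"), s2_native)


def native_vlans_consistent(s1_native: int, s2_native: int) -> bool:
    """The per-trunk check to run in an audit: both ends must agree."""
    return s1_native == s2_native
```

With S1's native VLAN 10 and S2's native VLAN 20, vlan_after_trunk(10, 10, 20) returns 20: the frame was never tagged, so S2 has no way to tell it belonged to VLAN 10.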
VTP (VLAN Trunking Protocol)
• Centralized VLAN management: the VTP server switch propagates the VLAN database to the VTP client switches.
• Four modes:
  • Server: updates clients and servers
  • Client: receives updates; cannot make changes
  • Transparent: does not apply updates; version 1 lets updates pass through, version 2 forwards them
  • Off: ignores VTP updates
VTP issues: VLANs disappear from the network
A VTP bomb occurs when a VTP server with a higher revision of the VTP database (albeit loaded with potentially incorrect information) is inserted into the production VTP domain, causing the loss of VLAN information on all switches in that VTP domain.
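As an added example (not from the slides), the simulation below applies the acceptance rule that makes the VTP bomb possible: server and client switches replace their whole VLAN database whenever an advertisement carries a matching domain name and a strictly higher revision number, while transparent and off modes never apply it. Switch names, the domain name, revision numbers and VLAN sets are constructed.

```python
# Added example (not from the slides): simulates how server and client mode
# switches accept a VTP advertisement purely on domain name and revision
# number, which is what lets a "VTP bomb" wipe the production VLANs.
# Switch names, domain name, revisions and VLAN sets are constructed.
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client", "transparent" or "off"
    domain: str
    revision: int
    vlans: set = field(default_factory=set)


def receive_advertisement(sw: VtpSwitch, domain: str, revision: int, vlans: set) -> bool:
    """Apply an advertisement as server/client modes do. Returns True if the
    local VLAN database was replaced."""
    if sw.mode in ("transparent", "off"):
        return False               # never applies updates (transparent may forward them)
    if domain != sw.domain:
        return False               # different domain name: ignored
    if revision <= sw.revision:
        return False               # not newer: ignored
    sw.revision = revision
    sw.vlans = set(vlans)          # whole database overwritten, no merge
    return True


def vtp_bomb_demo() -> dict:
    """Production domain at revision 12; a lab switch at revision 40 that only
    knows VLANs 1 and 99 is plugged in and advertises."""
    prod = [VtpSwitch("S1", "server", "CAMPUS", 12, {1, 10, 20, 30}),
            VtpSwitch("S2", "client", "CAMPUS", 12, {1, 10, 20, 30}),
            VtpSwitch("S3", "transparent", "CAMPUS", 12, {1, 10, 20, 30})]
    for sw in prod:
        receive_advertisement(sw, "CAMPUS", 40, {1, 99})
    return {sw.name: sorted(sw.vlans) for sw in prod}


def safe_to_insert(sw: VtpSwitch, production_revision: int) -> bool:
    """Pre-insertion check: a switch must not carry a revision number the
    domain would treat as newer than its own (reset the revision first)."""
    return sw.mode in ("transparent", "off") or sw.revision <= production_revision
```

Only S3, in transparent mode, keeps VLANs 10, 20 and 30; S1 and S2 are left with the lab switch's database.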
Dynamic Trunking Protocol (DTP)
• DTP synchronizes the trunking mode on the two ends of a link.
• switchport mode trunk: permanent trunking mode, regardless of the neighbouring interface's settings.
• switchport mode dynamic desirable: actively tries to convert the port to a trunk if the neighbouring interface is set to trunk, desirable or auto.
• switchport mode dynamic auto: the port is willing to convert to a trunk if the neighbouring interface is set to trunk or desirable.
• switchport nonegotiate: the port does not generate DTP frames and must be manually configured.
VTP Pruning
• Prevents unnecessary flooding of broadcast information from one VLAN across all trunks in a VTP domain.
• Permits switches to negotiate which VLANs are assigned to ports at the other end of a trunk and, hence, prune the VLANs that are not assigned to ports on the remote switch.
• Pruning is disabled by default.
• Enabled on the server: S2(config)# vtp pruning
[Figure: switches S1, S2 and S3 connected by trunks, with PC1 and PC3 in VLAN 10 and PC2, PC4, PC5 and PC6 in VLAN 20]
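To show what pruning actually removes from each trunk, here is an added example (not from the slides) that computes, for a constructed three-switch topology loosely after the figure, the VLANs a switch stops flooding towards a neighbour: a VLAN is kept on a trunk only if the far side, or some switch reachable through the far side, has a member port in it. The switch names, VLAN membership and trunk links are assumptions; VLAN 1 is never pruned.

```python
# Added example (not from the slides): computes which VLANs pruning removes
# from each trunk, given where each VLAN has member ports. A switch keeps a
# VLAN on a trunk only if the far side, or something reachable through the
# far side, has a port in that VLAN. The topology is constructed, loosely
# after the slide's figure: S1 trunks to S2 and S3.
from typing import Dict, Set, Tuple

NEVER_PRUNED = {1}   # VLAN 1 (and the reserved VLANs) is always carried

# Constructed: VLANs with access ports on each switch, and the trunk links.
MEMBERS: Dict[str, Set[int]] = {"S1": set(), "S2": {10, 20}, "S3": {20}}
TRUNKS = [("S1", "S2"), ("S1", "S3")]


def neighbours(sw: str):
    for a, b in TRUNKS:
        if a == sw:
            yield b
        elif b == sw:
            yield a


def vlans_needed_behind(sw: str, came_from: str) -> Set[int]:
    """VLANs with member ports on `sw` or on any switch reachable from it
    without going back over the trunk to `came_from` (what a VTP join
    advertisement from `sw` towards `came_from` would list)."""
    needed = set(MEMBERS[sw])
    for n in neighbours(sw):
        if n != came_from:
            needed |= vlans_needed_behind(n, sw)
    return needed


def pruned_on_trunk(sender: str, receiver: str, all_vlans: Set[int]) -> Set[int]:
    """VLANs `sender` stops flooding towards `receiver`."""
    keep = vlans_needed_behind(receiver, sender) | NEVER_PRUNED
    return {v for v in all_vlans if v not in keep}


def pruning_table(all_vlans: Set[int]) -> Dict[Tuple[str, str], Set[int]]:
    """Pruned VLAN set for each direction of each trunk."""
    table = {}
    for a, b in TRUNKS:
        table[(a, b)] = pruned_on_trunk(a, b, all_vlans)
        table[(b, a)] = pruned_on_trunk(b, a, all_vlans)
    return table
```

With VLANs {1, 10, 20, 30} in the domain, S1 prunes VLAN 30 towards S2 and VLANs 10 and 30 towards S3, because nothing behind S3 has a port in VLAN 10.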
VLAN Design: Best Practices
• For the local VLANs model, limit 1-3 VLANs per access switch and limit those VLANs to only a couple of access switches and the distribution switches.
• Avoid using VLAN 1 as the "blackhole" for all unused ports.
• Try to separate voice, data, management, default, and blackhole VLANs.
• In the local VLANs model, avoid VTP (use transparent mode).
• Turn off DTP on trunk ports and configure them manually.
• Manually configure access ports that are not intended to be trunks by using the switchport host macro (disables EtherChannel, disables trunking, and enables PortFast).
• Prevent all data traffic from VLAN 1.
• Avoid Telnet on management VLANs; use SSH instead.
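The following is an added example (not from the slides) covering both the DTP modes and the best-practice list: dtp_result resolves what a link becomes for any pair of switchport modes, including the one-sided "mismatch" case, and audit_config walks a running-config for ports still negotiating, trunks without nonegotiate and access ports left in VLAN 1. The config text and interface names are constructed; "trunk nonegotiate" is this example's own label for a trunk port with nonegotiate set.

```python
# Added example (not from the slides): resolves what a link becomes under the
# switchport modes above, then audits a constructed running-config for ports
# still negotiating, trunks without nonegotiate and access ports in VLAN 1.
import re

INITIATES = {"trunk", "dynamic desirable"}                 # sends DTP, asks to trunk
WILLING = {"trunk", "dynamic desirable", "dynamic auto"}   # sends DTP, answers yes

def end_trunks(mine: str, peer: str) -> bool:
    """Does this end come up trunking? 'trunk nonegotiate' trunks but sends no DTP."""
    if mine.startswith("trunk"):
        return True
    if mine == "dynamic desirable":
        return peer in WILLING
    if mine == "dynamic auto":
        return peer in INITIATES
    return False                                           # access

def dtp_result(a: str, b: str) -> str:
    """'trunk', 'access', or 'mismatch' (only one end trunks: a silent fault)."""
    ta, tb = end_trunks(a, b), end_trunks(b, a)
    return "trunk" if ta and tb else "access" if not (ta or tb) else "mismatch"

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
 switchport mode dynamic desirable
interface FastEthernet0/5
 switchport mode access
"""

def audit_config(config: str) -> list:
    """(interface, finding) pairs; an access port with no 'access vlan' sits in VLAN 1."""
    findings = []
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        m = re.match(r"interface (\S+)", block)
        if not m:
            continue
        name = m.group(1)
        lines = [l.strip() for l in block.splitlines()[1:]]
        mode = next((l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("dynamic"):
            findings.append((name, "DTP negotiation still possible"))
        if mode == "trunk" and "switchport nonegotiate" not in lines:
            findings.append((name, "trunk without nonegotiate"))
        if mode == "access" and not any(l.startswith("switchport access vlan") for l in lines):
            findings.append((name, "access port in VLAN 1"))
    return findings
```

Note that dtp_result("trunk nonegotiate", "dynamic desirable") is a mismatch: the desirable end never receives a DTP frame, so it stays an access port while the other end trunks.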
Multilayer Switching
A switch that operates at multiple layers of the OSI model:
• Layer 2 switching
• Layer 3 switching
• Layer 4 switching
• Low latency
• High speed
• Scalability
• Supports QoS
• Supports VoIP
Layer-3 Switch
[Figure: switches S1, S2 and S3 with PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20) and PC3 172.17.30.23/24 (VLAN 30)]
• Multilayer switches are capable of performing inter-VLAN routing.
• Some switches can perform Layer 3 functions, replacing the need for dedicated routers to perform basic routing on a network.
• To enable routing functions:
  • VLAN interfaces on the switch need to be configured with the appropriate IP addresses that match the subnet that the VLAN is associated with on the network.
  • The multilayer switch also must have IP routing enabled.
Inter-VLAN Routing Using an L3 Switch
• A Switch Virtual Interface (SVI) is a logical interface configured for a specific VLAN, and is used by Layer 3 switches to route between VLANs or to provide IP host connectivity to a switch.
[Figure: S1 VLAN interfaces: SVI VLAN99 172.17.99.1, default gateway for management VLAN 99 (host 172.17.99.10/24); SVI VLAN20 172.17.20.1, default gateway for student VLAN 20 (hosts 172.17.20.22/24, 172.17.20.25/24); SVI VLAN30 172.17.30.1, default gateway for guest VLAN 30 (hosts 172.17.30.23/24, 172.17.30.26/24)]
Layer-3 Switch SVI Configuration
[Figure: switches S1, S2 and S3 with PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20) and PC3 172.17.30.23/24 (VLAN 30)]
Configure SVI addresses:
S1(config)#int vlan 10
S1(config-if)#ip add 172.17.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip add 172.17.20.1 255.255.255.0
S1(config-if)#int vlan 30
S1(config-if)#ip add 172.17.30.1 255.255.255.0
Configure routing:
S1(config)#ip routing
S1(config)#exit
S1#sh ip route
172.17.0.0/24 is subnetted, 3 subnets
C    172.17.10.0 is directly connected, Vlan10
C    172.17.20.0 is directly connected, Vlan20
C    172.17.30.0 is directly connected, Vlan30
Layer-3 Switch Routed Port Configuration
[Figure: R1 Fa0/0 172.17.40.1/30 connected to S1 Fa0/5 172.17.40.2/30; switches S1, S2 and S3 with PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20) and PC3 172.17.30.23/24 (VLAN 30)]
Configure routed port:
S1(config)#int fa0/5
S1(config-if)#no switchport
S1(config-if)#ip add 172.17.40.2 255.255.255.252
S1(config-if)#no sh
S1(config-if)#exit
S1(config)#router eigrp 1
S1(config-router)#network 172.17.40.0 0.0.0.3
• Physical switch port with Layer 3 capability
• Not associated with any VLAN
• Serves as the default gateway for devices out that switch port
• Layer 2 port functionality must be removed before it can be
Next Week
Work posted on web page
Work on your group project