210 likes | 355 Views
Layer 2: Redundancy and High Availability. Part 1: General Overview on Assignment 1. Overview : Next Four weeks. Part 1 : VLAN design Cisco design principles Private VLANs Part 2: Redundancy at Layer 1 and Layer2 Issues with Redundant Links Spanning Tree Protocol RSPT MST
E N D
Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1
Overview : Next Four weeks • Part 1: VLAN design • Cisco design principles • Private VLANs • Part 2: Redundancy at Layer 1 and Layer2 • Issues with Redundant Links • Spanning Tree Protocol • RSPT • MST • Part3: High Availability • Etherchannel at layer 2 and layer 3 • Part 4: Security at Layer 2
Part1 Overview • Extent of VLAN • VLAN concepts • Native VLAN • Untagged Frames • VTP Pruning • DTP • Layer 3 Switching
Review: VLANs • Number of VLANs dependent on • traffic patterns, • application types, • segmenting common workgroups, • and network management requirements • Cisco recommends • One-to-one correspondence between VLANs and IP subnets • VLANs not extend beyond the Layer 2 domain of the distribution switch • Keep broadcasts and unnecessary movement of traffic out of the core block • Two major approaches • Local • End-to-End or Campus wide
What Is an End-to-End VLAN? • Users are grouped into VLANs independent of physical location. • Every VLAN is made available to every access switch across the network. • If users are moved within the campus, their VLAN membership remains the same. • The 80/20 rule • The 20/80 rule
. End-to-End or Campus-wide VLANs
. Geographic or Local VLANs
VLAN Types • Data – user data, with the switching block • Voice – VoIP telephony • Management – device management for administrators • Native – supports untagged traffic (802.1q only) Management VLAN 99 172.17.99.10/24 Fa0/4 Fa0/1 Fa0/3 Data VLAN 20 172.17.20.22/24 Data VLAN 20 172.17.20.25/24 Fa0/18 Fa0/18 Fa0/1 Fa0/3 Voice VLAN 30 172.17.30.23/24 Voice VLAN 30 172.17.30.26/24 Fa0/6 Fa0/6
Different Native VLANs • A native VLAN mismatch will merge traffic between VLANs.
Untagged Frames • Native VLAN frames are carried over the trunk link untagged. • Untagged frames on 802.1Q trunk forwarded to any ports in the native VLAN, which could be a security issue
VTP Virtual Trunk Protocol • Centralized VLAN management • VTP server switch propagates VLAN database to VTP client switches • Four modes: • Server: updates clientsand servers • Client: receive updates—cannot make changes • Transparent: • V1: let updates pass through • V2: Forwards updates • Off: ignores VTP updates
VTP issues: VLANs Disappear from Network VTP Bomb occurs when a VTP Server with a Higher Revision of the VTP Database (Albeit Loaded with Potentially Incorrect Information) Is Inserted into the Production VTP Domain Causing the Loss of VLAN Information on All Switches in That VTP Domain
Dynamic Trunk Protocol (DTP) • DTP synchronizes the trunking mode on link ends • Switchport Mode Trunk permanent trunking mode, regardless of neighbouring interface settings. • Switchport Mode Dynamic Desirable – • actively tries to convert the port to a trunk if the neighbouring interface is set to trunk, desirable or auto. • Switchport Mode Dynamic Auto – • port is willing to convert to a trunk if neighbouring interface is set to trunk or desirable. • SwitchportNonegotiate– • port does not generate DTP frames, and must be manually configured.
VTP Pruning • Prevents unnecessary flooding of broadcast information from one VLAN across all trunks in a VTP domain. • Permits switches to negotiate which VLANs are assigned to ports at the other end of a trunk and, hence, prune the VLANs that are not assigned to ports on the remote switch. • Pruning is disabled by default. • Enabled on server • S2(config) # vtp pruning S1 PC4 VLAN 20 Fa0/1 Fa0/2 PC1 VLAN 10 Fa0/11 Fa0/11 S2 S3 Fa0/2 Fa0/1 Fa0/18 Fa0/18 PC5 VLAN 20 PC2 VLAN 20 Fa0/6 Fa0/6 PC6 VLAN 20 PC3 VLAN 10
VLAN Design: Best Practices • For the local VLANs model, limit 1-3 VLANs per access switch and limit those VLANs to only a couple access switches and the distribution switches. • Avoid using VLAN 1 as the “blackhole” for all unused ports. • Try to separate voice, data, management, default, and blackhole VLANs • In the local VLANs model, avoid VTP (use transparent mode). • Turn off DTP on trunk ports and configure them manually • Manually configure access ports that are not intended to be trunks by using the switchport mode host command. • disables EtherChannel, disables trunking, and enables PortFast) • Prevent all data traffic from VLAN 1. • Avoid Telnet on management VLANs, use SSH instead.
Multilayer Switching • Switch that operates at multiple layers of OSI model: • Layer 2 switching • Layer 3 switching • Layer 4 switching • Low latency • High-speed scalability • Supports QoS • Supports VoIP
Layer-3 Switch • Some switches can perform Layer 3 functions, replacing the need for dedicated routers to perform basic routing on a network. • Multilayer switches are capable of performing inter-VLAN routing. S3 S1 Fa0/1 Fa0/1 Fa0/2 Fa0/2 Fa0/3 Fa0/4 Fa0/3 Fa0/4 Fa0/2 Fa0/3 S2 Fa0/1 Fa0/4 Fa0/11 Fa0/6 • To enable routing functions: • VLAN interfaces on the switch need to be configured with the appropriate IP addresses that match the subnet that the VLAN is associated with on the network. • The multilayer switch also must have IP routing enabled. Fa0/18 PC1 172.17.10.21/24 (VLAN 10) PC2 172.17.20.22/24 (VLAN 20) PC3 172.17.30.23/24 (VLAN 30)
Inter VLAN Routing Using L3 Switch • Switch Virtual Interface (SVI) is a logical interface configured for a specific VLAN, and is used by layer 3 switches to route between VLANs or to provide IP host connectivity to a switch. S1 VLAN Interfaces 172.17.99.1 – Default Gateway to VLAN 99 172.17.20.1 – Default Gateway to VLAN 20 172.17.30.1 – Default Gateway to VLAN 30 SVI VLAN99 SVI VLAN30 Management VLAN 99 172.17.99.10/24 SVI VLAN20 Fa0/1 Fa0/3 Student VLAN 20 172.17.20.22/24 Student VLAN 20 172.17.20.25/24 Fa0/18 Fa0/18 Fa0/1 Fa0/3 Guest VLAN 30 172.17.30.23/24 Guest VLAN 30 172.17.30.26/24 Fa0/6 Fa0/6
Layer-3 Switch SVI Configuration Configure SVI Addresses: S1(config)#intvlan 10 S1(config-if)#ip add 172.17.10.1 255.255.255.0 S1(config-if)#intvlan 20 S1(config-if)#ip add 172.17.20.1 255.255.255.0 S1(config-if)#intvlan 30 S1(config-if)#ip add 172.17.30.1 255.255.255.0 S3 S1 Fa0/1 Fa0/1 Fa0/2 Fa0/2 Fa0/3 Fa0/4 Fa0/3 Fa0/4 Fa0/2 Fa0/3 S2 Fa0/1 Fa0/4 Fa0/11 Fa0/6 Fa0/18 Configure Routing: S1(config)#ip routing S1(config)#exit S1#sh ip route 172.17.0.0/24 is subnetted, 3 subnets C 172.17.10.0 is directly connected, Vlan10 C 172.17.20.0 is directly connected, Vlan20 C 172.17.30.0 is directly connected, Vlan30 PC1 172.17.10.21/24 (VLAN 10) PC2 172.17.20.22/24 (VLAN 20) PC3 172.17.30.23/24 (VLAN 30)
R1 Layer-3 Switch Routed Port Configuration Fa0/0 172.17.40.1/30 Fa0/5 172.17.40.2/30 Configure Routed Port: S3 S1 Fa0/1 Fa0/1 S1(config)#int fa0/5 S1(config-if)#no switchport S1(config-if)#ip add 172.17.40.2 255.255.255.0 S1(config-if)#no sh S1(config-if)#exit S1(config)#router eigrp 1 S1(config-router)#network 172.17.40.0 0.0.0.3 Fa0/2 Fa0/2 Fa0/3 Fa0/4 Fa0/3 Fa0/4 Fa0/2 Fa0/3 S2 Fa0/1 Fa0/4 Fa0/11 Fa0/6 Fa0/18 PC1 172.17.10.21/24 (VLAN 10) PC2 172.17.20.22/24 (VLAN 20) PC3 172.17.30.23/24 (VLAN 30) • Physical switch port with Layer 3 capability • Not associated with any VLAN • Serves as the default gateway for devices out that switch port • Layer 2 port functionality must be removed before it can be configured
Next Week • Work posted on web page • Work on your group project