8/2/2019 20111013_CHT_TL_ Day2
http://slidepdf.com/reader/full/20111013chttl-day2 1/67
© 2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net
Chunghwa Telecom Laboratories, Network Technology Fundamentals Training Course
Day 2
Layer 2 Switching (VLAN, Trunk, Spanning Tree)
Johnson Liu
[email protected]
Oct. 13, 2011
Layer 2 Switching
Shared LANs Versus Switched LANs (1 of 2)
Shared LANs:
• Combine all devices as part of a single collision domain, which can increase the chance of collisions
• Flood traffic out all ports to all devices, which can consume network resources and introduce security risks
[Figure: User A, User B and User C attached to a hub on a shared medium / collision domain; traffic sent from User A to User C is seen by all other users on the segment]
Shared LANs Versus Switched LANs (2 of 2)
Bridged (or switched) LANs:
• Break a single collision domain into multiple smaller collision domains, minimizing the chance of collisions
• Perform intelligent forwarding decisions based on the contents of the forwarding table (or bridge table)
[Figure: User A, User B and User C attached to a switch that holds a bridge table; traffic sent from User A to User C is forwarded based on the bridge table]
How Does Bridging Work?
Bridging builds and maintains the bridge table using the following mechanisms:
• Learning
• Forwarding
• Flooding
• Filtering
• Aging
[Figure: User A, User B and User C attached to a switch that holds a bridge table]
Bridging Mechanisms: Learning
The switch learns the source MAC addresses of all incoming Ethernet frames; MAC addresses are associated with an incoming interface.
[Figure: an Ethernet frame (Preamble, DA, SA, Type, Data, FCS) arrives at the switch. User A (MAC 00:26:88:02:74:86) is on ge-0/0/6, User B (MAC 00:26:88:02:74:87) on ge-0/0/7 and User C (MAC 00:26:88:02:74:88) on ge-0/0/8]
Bridge Table
MAC Address         Interface
00:26:88:02:74:86   ge-0/0/6
00:26:88:02:74:87   ge-0/0/7
00:26:88:02:74:88   ge-0/0/8
Bridging Mechanisms: Forwarding (1 of 2)
The switch consults the bridge table to find a forwarding entry for the destination MAC address of the received Ethernet frames.
[Figure: same topology as the learning slide; an Ethernet frame (Preamble, DA, SA, Type, Data, FCS) arrives and is forwarded to the interface listed for its DA]
Bridge Table
MAC Address         Interface
00:26:88:02:74:86   ge-0/0/6
00:26:88:02:74:87   ge-0/0/7
00:26:88:02:74:88   ge-0/0/8
Bridging Mechanisms: Forwarding (2 of 2)
The switch organizes the bridge table by VLAN to ensure that Layer 2 traffic belonging to one broadcast domain is not forwarded to devices on another broadcast domain.
[Figure: VLAN 10 contains User A (MAC 00:26:88:02:74:86, 172.23.10.100/24) on ge-0/0/6 and User B (MAC 00:26:88:02:74:87, 172.23.10.200/24) on ge-0/0/7; VLAN 11 contains User C (MAC 00:26:88:02:74:88, 172.23.11.200/24) on ge-0/0/8 and User D (MAC 00:26:88:02:74:89, 172.23.11.100/24) on ge-0/0/9]
Bridge Table
VLAN   MAC Address         Interface
10     00:26:88:02:74:86   ge-0/0/6
10     00:26:88:02:74:87   ge-0/0/7
11     00:26:88:02:74:88   ge-0/0/8
11     00:26:88:02:74:89   ge-0/0/9
Bridging Mechanisms: Flooding
The switch floods frames out all other ports belonging to the same VLAN when the destination MAC address is unknown. The switch updates the bridge table when return traffic is received.
[Figure: User A (MAC 00:26:88:02:74:86) on ge-0/0/6, User B (MAC 00:26:88:02:74:87) on ge-0/0/7 and User C (MAC 00:26:88:02:74:88) on ge-0/0/8; a frame (Preamble, DA, SA, Type, Data, FCS) from User A with an unknown DA is sent out ge-0/0/7 and ge-0/0/8]
Bridge Table
MAC Address         Interface
00:26:88:02:74:86   ge-0/0/6
*                   All
Bridging Mechanisms: Filtering
The switch filters (or discards) frames when the destination MAC address is associated with the ingress interface.
[Figure: User A (MAC 00:26:88:02:74:86) on ge-0/0/6 and User D (MAC 00:26:88:02:74:89) on ge-0/0/9; User B (MAC 00:26:88:02:74:87) and User C (MAC 00:26:88:02:74:88) share a hub connected to ge-0/0/7. A frame (Preamble, DA, SA, Type, Data, FCS) with DA = 00:26:88:02:74:88 arrives on ge-0/0/7]
Bridge Table
MAC Address         Interface
00:26:88:02:74:86   ge-0/0/6
00:26:88:02:74:87   ge-0/0/7
00:26:88:02:74:88   ge-0/0/7
00:26:88:02:74:89   ge-0/0/9
Bridging Mechanisms: Aging
To keep bridge table entries current, the switch monitors activity of MAC addresses and ages out bridge table entries after a specific amount of time of inactivity.
Bridge Table
VLAN   MAC Address         Interface
10     00:26:88:02:74:86   ge-0/0/6
10     00:26:88:02:74:87   ge-0/0/7
11     00:26:88:02:74:88   ge-0/0/8
11     00:26:88:02:74:89   ge-0/0/9
Think About It
Given the topology and bridge table below, what devices will receive the packet sent by User B?
[Figure: User A (MAC 00:26:88:02:74:86) on ge-0/0/6 and User D (MAC 00:26:88:02:74:89) on ge-0/0/9; User B (MAC 00:26:88:02:74:87) and User C (MAC 00:26:88:02:74:88) share a hub connected to ge-0/0/7. The frame sent by User B (Preamble, DA, SA, Type, Data, FCS) has DA = 00:26:88:02:74:89]
Bridge Table
MAC Address         Interface
00:26:88:02:74:86   ge-0/0/6
00:26:88:02:74:87   ge-0/0/7
00:26:88:02:74:88   ge-0/0/7
00:26:88:02:74:89   ge-0/0/9
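The five bridging mechanisms above, implemented as a small VLAN-aware learning bridge and replayed against the "Think About It" topology (an added example, not code from the original slides). Interface names and MAC addresses are the slides' own; the aging time, timestamps and the `Bridge` class are this example's constructions.

```python
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Bridge:
    """VLAN-aware learning bridge. The table is keyed by (VLAN, MAC) so traffic
    in one broadcast domain is never forwarded into another (Forwarding 2 of 2)."""

    def __init__(self, ports: Dict[str, int], aging_time: float = 300.0):
        self.ports = ports            # interface name -> access VLAN of that port
        self.aging_time = aging_time  # constructed value for the example (seconds)
        self.table: Dict[Tuple[int, str], Tuple[str, float]] = {}  # (vlan, mac) -> (interface, last seen)

    def age(self, now: float) -> List[str]:
        """Aging: remove entries idle longer than aging_time; return the MACs removed."""
        expired = [key for key, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for key in expired:
            del self.table[key]
        return [mac for _, mac in expired]

    def receive(self, ingress: str, src: str, dst: str, now: float) -> List[str]:
        """Handle one frame received on `ingress`; return the egress interfaces."""
        vlan = self.ports[ingress]
        # Learning: the source MAC is associated with the incoming interface
        self.table[(vlan, src)] = (ingress, now)
        entry = self.table.get((vlan, dst))
        if dst == BROADCAST or entry is None:
            # Flooding: broadcast or unknown unicast goes out every other port in the same VLAN
            return sorted(p for p, v in self.ports.items() if v == vlan and p != ingress)
        egress, _ = entry
        if egress == ingress:
            # Filtering: the destination is on the ingress segment (e.g. behind the hub), discard
            return []
        # Forwarding: a known unicast destination goes out exactly one interface
        return [egress]


# Topology of the "Think About It" slide: User B and User C share a hub on ge-0/0/7
SLIDE_HOSTS = {
    "User A": ("00:26:88:02:74:86", "ge-0/0/6"),
    "User B": ("00:26:88:02:74:87", "ge-0/0/7"),
    "User C": ("00:26:88:02:74:88", "ge-0/0/7"),
    "User D": ("00:26:88:02:74:89", "ge-0/0/9"),
}


def think_about_it(dst_mac: str = "00:26:88:02:74:89") -> List[str]:
    """Which hosts receive the frame User B sends to dst_mac (User D by default)?"""
    br = Bridge({"ge-0/0/6": 1, "ge-0/0/7": 1, "ge-0/0/9": 1})
    for mac, intf in SLIDE_HOSTS.values():      # pre-load the table printed on the slide
        br.table[(1, mac)] = (intf, 0.0)
    egress = br.receive("ge-0/0/7", SLIDE_HOSTS["User B"][0], dst_mac, 1.0)
    # every host hanging off an egress interface sees the frame (all hosts on a hub do)
    return sorted(h for h, (_, intf) in SLIDE_HOSTS.items() if intf in egress)


if __name__ == "__main__":
    print("to User D:", think_about_it())                       # ['User D']
    print("to User C:", think_about_it("00:26:88:02:74:88"))    # [] (filtered: same segment)
    print("unknown  :", think_about_it("00:26:88:02:74:95"))    # ['User A', 'User D'] (flooded)
```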
Hierarchical Design
Switched networks are often hierarchical and may consist of access, aggregation, and core layers
• Benefits of a hierarchical network design include:
  • Modularity—facilitates change
  • Function-to-layer mapping—isolates faults
[Figure: Access Layer, Aggregation Layer, Core Layer and WAN Edge Device]
Functions of Layers
Layers are defined to aid successful network design and to represent functionality found within a network
• Access layer switches facilitate end-user and device access and enforce access policy
• Aggregation layer switches connect access switches and often provide inter-VLAN routing and policy-based connectivity
• Core layer switches relay packets between aggregation switches and function as the gateway to the WAN edge device
Note: All three layers support CoS
Consolidation of Layers
Simplify large complex switched networks
• Juniper’s 3-2-1 architectural solutions
• Virtual Chassis is a technology that can be implemented to combine functions of various layers into a single managed device
• QFabric is another technology that is being developed to simplify and combine all of the functions of a multitiered switched network into a single managed device
[Figure: Virtual Chassis; QFabric]
Virtual Local Area Networks (VLAN)
What Is a VLAN?
A logical LAN that allows you to assign users to a common broadcast domain based on business needs and regardless of physical location
[Figure: Switch-1, Switch-2 and Switch-3. User A (172.23.10.86/24), User C (172.23.10.87/24) and User E (172.23.10.88/24) are in VLAN 10; User B (172.23.20.86/24), User D (172.23.20.87/24) and User F (172.23.20.88/24) are in VLAN 20]
VLAN 10 is associated with the 172.23.10.0/24 broadcast domain
VLAN 20 is associated with the 172.23.20.0/24 broadcast domain
Switch Port Designations
Switch ports operate in either access or trunk mode
• By default all switch ports are access ports and belong to the default VLAN, which is an untagged VLAN
[Figure: Switch-1, Switch-2 and Switch-3; the switch-to-switch links are trunk ports, the host-facing ports are access ports]
Access Ports
Access ports typically connect to end-user devices such as computers, IP phones, and printers
• Access ports typically carry untagged traffic
[Figure: Switch-1, Switch-2 and Switch-3 with their host-facing access ports highlighted]
Trunk Ports
Trunk ports typically connect switches to other switches or a router with VLAN tagging configured
• Trunk ports typically carry tagged traffic
[Figure: Switch-1, Switch-2 and Switch-3 with their switch-to-switch trunk ports highlighted]
Example of Tagging Traffic: Step 1
User A sends traffic toward User C through an access port on Switch-1; the traffic is received by Switch-1 as untagged frames:
[Figure: Switch-1 and Switch-2 connected by trunk ports. User A (172.23.10.86/24, MAC 00:26:88:02:74:86) and User B (172.23.20.86/24, MAC 00:26:88:03:78:86) are on access ports of Switch-1; User C (172.23.10.87/24, MAC 00:26:88:02:74:87) and User D (172.23.20.87/24, MAC 00:26:88:03:78:87) are on access ports of Switch-2. The untagged frame is Preamble, DA, SA, Type, Data, FCS]
VLAN 10 is associated with the 172.23.10.0/24 broadcast domain
VLAN 20 is associated with the 172.23.20.0/24 broadcast domain
Example of Tagging Traffic: Step 2
Switch-1 performs a lookup in its bridge table, tags the Ethernet frames with VLAN ID 10, and forwards the frames out its trunk port:
[Figure: same topology as Step 1 (VLAN 10 is 172.23.10.0/24, VLAN 20 is 172.23.20.0/24). The frame on the trunk is Preamble, DA, SA, Tag, Type, Data, FCS]
Example of Tagging Traffic: Step 3
Switch-2 performs a lookup in its bridge table, removes the VLAN tag, and forwards the frames out the appropriate access port toward User C:
[Figure: same topology as Step 1 (VLAN 10 is 172.23.10.0/24, VLAN 20 is 172.23.20.0/24). The frame delivered to User C is untagged again: Preamble, DA, SA, Type, Data, FCS]
What If…?
What if an IP phone and a PC are connected to the same switch port and you want the traffic sourced from those devices associated with different VLANs?
[Figure: an IP phone (voice) and a PC (data), with MACs 00:26:88:02:74:86 and 00:26:88:02:72:13, both connected to access port ge-0/0/6.0 on Switch-1, which connects to the network]
Voice VLAN
The voice VLAN feature enables access ports to accept both untagged (data) and tagged (voice) traffic and separate that traffic into different VLANs
• Used with CoS to differentiate data and voice traffic
• Voice VLAN and CoS values can be communicated to IP phones through Link Layer Discovery Protocol (LLDP-MED)
Note: Detailed coverage of CoS and LLDP is outside the scope of this material.
[Figure: on access port ge-0/0/6.0 of Switch-1, data traffic from the PC arrives untagged and voice traffic from the IP phone arrives tagged (MACs 00:26:88:02:74:86 and 00:26:88:02:72:13)]
What If…?
The default behavior for trunk ports is to only send and receive tagged traffic. What if you needed to pass untagged Layer 2 traffic through trunk ports?
[Figure: Switch-1 and Switch-2 connected through trunk port ge-0/0/12.0. Access ports on Switch-1: host-a1 172.23.0.10/24 (VLAN: default, untagged), host-b1 172.23.14.10/24 (VLAN v14 / VLAN ID 14), host-c1 172.23.15.10/24 (VLAN v15 / VLAN ID 15). Access ports on Switch-2: host-a2 172.23.0.20/24 (VLAN: default, untagged), host-b2 172.23.14.20/24 (VLAN v14 / VLAN ID 14), host-c2 172.23.15.20/24 (VLAN v15 / VLAN ID 15). Untagged traffic from the default VLAN needs to cross the trunk]
The native-vlan-id Option
The native-vlan-id option enables trunk ports to accept untagged traffic in addition to tagged traffic
• Configured on trunk ports of all switches expected to process untagged traffic
[Figure: same topology as the previous slide, with untagged traffic crossing trunk port ge-0/0/12.0 between Switch-1 and Switch-2]
The native-vlan-id option should be added to the ge-0/0/12.0 interface on both switches for the default VLAN
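The three tagging steps and the native-vlan-id behaviour above, worked at the frame level: building and parsing 802.1Q tags, and an access/trunk port model that shows what a trunk does with an untagged frame with and without a native VLAN. This is an added example, not code from the slides or from Junos; the MAC addresses and VLAN IDs are the slides' own, while the `Port` model, the default VLAN being modelled as VLAN ID 1, and host-a1's MAC are this example's assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100        # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Untagged frame as the switch sees it: DA | SA | Type | Data (preamble and FCS are link-level)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + PCP/DEI/VID) between the SA and the Type field."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes) -> Optional[int]:
    """Return the VLAN ID carried by a tagged frame, or None for an untagged frame."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0xFFF


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if read_tag(frame) is not None else frame


@dataclass
class Port:
    mode: str                                       # "access" or "trunk"
    vlan: int = 1                                   # access VLAN (access ports only)
    members: Set[int] = field(default_factory=set)  # VLANs allowed on a trunk
    native_vlan: Optional[int] = None               # trunk: the native-vlan-id option


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify a received frame into a VLAN and strip any tag; None means the port drops it."""
    vid = read_tag(frame)
    if port.mode == "access":
        return None if vid is not None else (port.vlan, frame)   # access ports carry untagged traffic
    if vid is None:
        if port.native_vlan is None:
            return None                      # default trunk behaviour: tagged traffic only
        return port.native_vlan, frame       # native-vlan-id: untagged frames join that VLAN
    return (vid, strip_tag(frame)) if vid in port.members else None


def egress(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Prepare a frame for transmission out `port`; None means the VLAN is not carried."""
    if port.mode == "access":
        return frame if vlan == port.vlan else None
    if vlan == port.native_vlan:
        return frame                         # the native VLAN leaves the trunk untagged
    return add_tag(frame, vlan) if vlan in port.members else None


def tagging_example() -> Tuple[bool, Optional[int], bool]:
    """Steps 1-3 of the slides: User A to User C across the Switch-1/Switch-2 trunk in VLAN 10.
    Returns (frame untagged on ingress, VLAN ID on the trunk, frame delivered untagged)."""
    user_a, user_c = "00:26:88:02:74:86", "00:26:88:02:74:87"
    frame = build_frame(user_c, user_a, b"constructed payload")
    sw1_access, sw2_access = Port("access", vlan=10), Port("access", vlan=10)
    trunk = Port("trunk", members={10, 20})
    vlan, f = ingress(sw1_access, frame)            # step 1: received untagged, classified as VLAN 10
    on_wire = egress(trunk, vlan, f)                # step 2: tagged with VLAN ID 10 out the trunk
    vlan2, f2 = ingress(trunk, on_wire)             # Switch-2 reads the tag on its trunk port
    delivered = egress(sw2_access, vlan2, f2)       # step 3: tag removed toward User C
    return read_tag(frame) is None, read_tag(on_wire), delivered == frame


def native_vlan_example() -> Tuple[Optional[int], Optional[int]]:
    """host-a1's untagged traffic arriving on trunk ge-0/0/12.0 without and with native-vlan-id.
    The default VLAN is modelled as VLAN ID 1 and host-a1's MAC is constructed (assumptions)."""
    frame = build_frame(BROADCAST, "00:26:88:02:7a:01", b"constructed arp request")
    without = ingress(Port("trunk", members={14, 15}), frame)
    with_native = ingress(Port("trunk", members={14, 15}, native_vlan=1), frame)
    return (None if without is None else without[0], None if with_native is None else with_native[0])
```

`tagging_example()` returns `(True, 10, True)` and `native_vlan_example()` returns `(None, 1)`: the plain trunk drops the untagged frame, the trunk with native-vlan-id places it in the default VLAN.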
What Is It?
A routed VLAN interface (RVI) is a logical Layer 3 interface defined on an EX Series switch that facilitates inter-VLAN routing
[Figure: Switch-1 connecting User-group A (VLAN v14, 172.23.14.0/24), User-group B (VLAN v15, 172.23.15.0/24) and User-group C (VLAN v16, 172.23.16.0/24)]
Note: Host devices require a default gateway which points to the RVI defined on the switch.
Implementing RVIs
RVIs are typically defined on aggregation or access switches, depending on the implementation
• All EX Series switches support RVIs as well as other Layer 3 routing operations
[Figure: Core Layer, Aggregation Layer, Access Layer and WAN Edge Device]
Case Study: Topology and Objectives
Define three RVIs, one for each VLAN shown below, to function as the gateway for the respective VLAN
• Use an IP address of 172.23.1x.1/24, where x is the unique value assigned to the corresponding subnet
[Figure: Switch-1 with RVIs vlan.14, vlan.15 and vlan.16. User-group A (VLAN v14 / VLAN ID 14): host-a1 172.23.14.10/24, host-a2 172.23.14.20/24. User-group B (VLAN v15 / VLAN ID 15): host-b1 172.23.15.10/24, host-b2 172.23.15.20/24. User-group C (VLAN v16 / VLAN ID 16): host-c1 172.23.16.10/24, host-c2 172.23.16.20/24]
Spanning Tree Protocol (STP)
Test Your Knowledge
What will Switch-1 and Switch-2 do if they receive a broadcast frame or a frame destined to an unknown MAC address?
[Figure: Switch-1 and Switch-2 connected to each other, with User A (MAC 00:26:88:02:74:86), User B (MAC 00:26:88:02:74:87), User C (MAC 00:26:88:02:74:88) and User D (MAC 00:26:88:02:74:89) attached]
Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95
Both switches would flood the frames out all ports except the port on which the frames arrived
What If…?
What if a broadcast frame or a frame with an unknown destination MAC address were sent into a Layer 2 network with redundant paths?
[Figure: Switch-1, Switch-2 and Switch-3 connected in a triangle, with User A (MAC 00:26:88:02:74:86), User B (MAC 00:26:88:02:74:87), User C (MAC 00:26:88:02:74:88), User D (MAC 00:26:88:02:74:89), User E (MAC 00:26:88:02:74:90) and User F (MAC 00:26:88:02:74:91) attached; each switch floods the frame and it circulates in a Layer 2 loop]
Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95
Spanning Tree Protocol
STP
• Defined in the IEEE 802.1D-1998 specification
• Builds loop-free paths in redundant Layer 2 networks
• Automatically rebuilds tree when topology changes
[Figure: Switch-1, Switch-2 and Switch-3 in a loop-free environment; user traffic between Host A and Host B flows over the active links, and the blocked link carries no user traffic]
How Does it Work?
Steps for creating a spanning tree include:
1. Switches exchange bridge protocol data units (BPDUs)
2. Root bridge is elected
3. Port role and state are determined
4. Tree is fully converged
[Figure: left, Switch-1, Switch-2 and Switch-3 exchanging BPDUs; right, Switch-1 as root bridge in a loop-free environment, with user traffic over the active links and no user traffic on the blocked link]
Terms and Concepts (1 of 2)
Key terms and concepts of STP:
• Bridge ID: Unique identifier for each switch
• Root bridge: Switch with the lowest bridge ID
• Root port: The port on each bridge closest to the root bridge
• Root path cost: A bridge’s calculated cost to get from itself to the root bridge
  • Equal to the received root path cost from configuration BPDUs plus the port cost of the root port on the bridge
• Port cost: Every interface on a bridge has an assigned port cost value
  • Used in the calculation of the root path cost for the local bridge
  • Configurable value (1–200000000)
  • The default value is 20000 for 1 Gigabit Ethernet
Terms and Concepts (2 of 2)
Key terms and concepts of STP (contd.):
• Designated bridge: A switch representing the LAN segment
• Port ID: A unique identifier for each port on each switch
• Designated port: The designated bridge’s forwarding port on a LAN segment
  • The port used by a designated bridge to send traffic from the direction of the root to the LAN or from the LAN toward the root
• Bridge protocol data units (BPDUs): Packets used to exchange information between switches
  • Configuration BPDU
  • Topology change notification BPDU
Port States
Each individual port of each bridge can be in one of four states:
• Blocking
  • The port drops all data packets and listens to BPDUs
  • The port is not used in the active topology
• Listening
  • The port drops all data packets and listens to BPDUs
  • The port is transitioning and will be used in the active topology
• Learning
  • The port drops all data packets and listens to BPDUs
  • The port is transitioning and the switch is learning MAC addresses
• Forwarding
  • The port receives and forwards data packets and sends and receives BPDUs
  • The port has transitioned and the switch continues to learn MAC addresses
Building a Spanning Tree (1 of 3)
Switches exchange configuration BPDUs:
• They do not flood—instead each bridge uses information in the received BPDUs to generate its own
Root bridge is elected based on BPDU information:
• Criterion for election is the bridge ID
• The election process reviews priority first—lowest priority wins
• If the priority values are the same, bridge addresses (MAC) are compared—the lowest identifier wins
[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with Host A and Host B. Switches initially exchange configuration BPDUs, claiming themselves as the root bridge; Switch-1 is elected as the root bridge based on the received configuration BPDU information]
Building a Spanning Tree (2 of 3)
Least-cost path calculation to the root bridge determines port role; port role determines port state:
Port Role and State Designations
• All ports on the root bridge assume the designated port role and forwarding state
• Root ports on switches are placed in the forwarding state; the root bridge has no root ports
• Designated ports on designated bridges are placed in the forwarding state
• All other ports are placed in the blocking state
[Figure: Switch-1 (Root Bridge) has all ports marked F,D; Switch-2 and Switch-3 each have an F,R port toward Switch-1 and F,D ports toward Host A and Host B; on the link between Switch-2 and Switch-3 one end is F,D and the other end is B. Legend: F,R = forwarding and root port; F,D = forwarding and designated port; B = blocking]
Building a Spanning Tree (3 of 3)
The tree is fully converged
• All traffic between Host A and Host B flows through the root bridge (Switch-1)
[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with Host A and Host B; every port in the active topology is marked F (forwarding)]
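The election and port-role rules of the three "Building a Spanning Tree" slides, as a round-based simulation of the configuration-BPDU exchange: every bridge starts by claiming to be root, adopts the best BPDU it hears, and derives its root, designated and blocking ports. This is an added example, not code from the slides; the 20000 port cost is the slides' 1 Gigabit Ethernet default, the bridge priorities are those of the rogue-switch "what if" later in the deck (Switch-1 8k, the others 32k, the rogue 4k), and the MAC addresses, port numbers and the `Stp` class are this example's constructions. Host-facing ports carry no BPDUs and are left out.

```python
from typing import Dict, List, Tuple

PORT_COST_1GE = 20000                       # default port cost for 1 Gigabit Ethernet (slide value)
BridgeId = Tuple[int, str]                  # (priority, MAC): lowest priority, then lowest MAC, wins
Bpdu = Tuple[BridgeId, int, BridgeId, int]  # (root ID, root path cost, sender bridge ID, sender port ID)


class Stp:
    def __init__(self, bridges: Dict[str, BridgeId], links: List[Tuple[str, int, str, int]]):
        self.bid = bridges
        self.peer: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (bridge, port) -> (neighbour, its port)
        for a, pa, b, pb in links:
            self.peer[(a, pa)], self.peer[(b, pb)] = (b, pb), (a, pa)
        self.root: Dict[str, BridgeId] = dict(bridges)           # every bridge first claims to be root
        self.root_cost: Dict[str, int] = {n: 0 for n in bridges}
        self.role: Dict[Tuple[str, int], str] = {}

    def bpdu(self, bridge: str, port: int) -> Bpdu:
        """The configuration BPDU this bridge would send out `port` right now."""
        return (self.root[bridge], self.root_cost[bridge], self.bid[bridge], port)

    def step(self) -> bool:
        """One exchange round: each bridge reads its neighbours' BPDUs and updates itself."""
        changed = False
        for name in self.bid:
            ports = [p for (b, p) in self.peer if b == name]
            raw = {p: self.bpdu(*self.peer[(name, p)]) for p in ports}   # BPDU heard on each port
            # Candidate root paths: received root path cost plus the local port cost
            cand = {p: (raw[p][0], raw[p][1] + PORT_COST_1GE, raw[p][2], raw[p][3], p) for p in ports}
            own = (self.bid[name], 0, self.bid[name], 0, 0)
            best = min(list(cand.values()) + [own])
            if (best[0], best[1]) != (self.root[name], self.root_cost[name]):
                self.root[name], self.root_cost[name] = best[0], best[1]
                changed = True
            for p in ports:
                if best is not own and cand[p] == best:
                    self.role[(name, p)] = "root"          # least-cost path toward the root
                elif self.bpdu(name, p) < raw[p]:
                    self.role[(name, p)] = "designated"    # our BPDU is superior on this segment
                else:
                    self.role[(name, p)] = "blocking"      # the neighbour is designated; we block
        return changed

    def converge(self, max_rounds: int = 20) -> int:
        """Exchange BPDUs until no bridge changes its view; return the rounds needed."""
        for rounds in range(1, max_rounds + 1):
            if not self.step():
                return rounds
        raise RuntimeError("spanning tree did not converge")


def roles_by_bridge(stp: Stp) -> Dict[str, Dict[int, str]]:
    out: Dict[str, Dict[int, str]] = {n: {} for n in stp.bid}
    for (b, p), r in stp.role.items():
        out[b][p] = r
    return out


def slide_topology(rogue: bool = False) -> Stp:
    """Switch-1 (priority 8k) with Switch-2 and Switch-3 (32k) in a triangle, as on the
    rogue-switch 'what if' slide; rogue=True attaches a 4k switch to Switch-2. MACs are constructed."""
    bridges = {"Switch-1": (8192, "00:26:88:02:74:01"),
               "Switch-2": (32768, "00:26:88:02:74:02"),
               "Switch-3": (32768, "00:26:88:02:74:03")}
    links = [("Switch-1", 1, "Switch-2", 1), ("Switch-1", 2, "Switch-3", 1), ("Switch-2", 2, "Switch-3", 2)]
    if rogue:
        bridges["Rogue"] = (4096, "00:26:88:02:74:ff")
        links.append(("Switch-2", 3, "Rogue", 1))
    return Stp(bridges, links)


if __name__ == "__main__":
    for rogue in (False, True):
        stp = slide_topology(rogue)
        print(f"rogue={rogue}: converged in {stp.converge()} rounds, root = {stp.root['Switch-1']}")
        for bridge, roles in roles_by_bridge(stp).items():
            print(f"  {bridge}: root path cost {stp.root_cost[bridge]}, ports {roles}")
```

Without the rogue, Switch-1 wins on priority and the Switch-2/Switch-3 link is blocked at the Switch-3 end (higher MAC); with the rogue attached, the 4k bridge ID wins the election and every other switch recomputes its root port toward it.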
STP Drawbacks
Slow convergence time
• STP uses timers to transition between port states
• STP can take 30 to 50 seconds to respond to a topology change (20 seconds for a BPDU to age out, 15 seconds for the listening state, and 15 seconds for the learning state)
• Root bridge is responsible for communicating the current tree topology
Rapid Spanning Tree Protocol (RSTP)
Rapid Spanning Tree Protocol
RSTP was first defined in IEEE 802.1w and later incorporated into IEEE 802.1D-2004
Convergence improvements:
• Point-to-point link designation
• Edge port designation
  • A port that connects to a LAN with no other bridges attached
  • It is always in the forwarding state
• Allows for rapid recovery from failures
  • A new root port or designated port can transition to forwarding without waiting for the protocol timers to expire
  • Direct and indirect link failure and recovery
RSTP Port Roles
RSTP introduces new port roles:
• Alternate port:
  • Provides an alternate path to the root bridge (essentially a backup root port)
  • Blocks traffic while receiving superior BPDUs from a neighboring switch
• Backup port:
  • Provides a redundant path to a segment (on designated switches only)
  • Blocks traffic while a more preferred port functions as the designated port
RSTP continues to use the root and designated port roles
[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with each port labelled by role. Legend: R = root port, D = designated port, A = alternate port, B = backup port]
STP and RSTP Port States
RSTP uses fewer states than STP but has the same functionality
802.1D-1998 STP    802.1D-2004 RSTP
Blocking           Discarding
Listening          Discarding
Learning           Learning
Forwarding         Forwarding
Discarding applies to alternate, backup, and disabled ports; learning and forwarding apply to root and designated ports
Rapid Spanning Tree BPDUs
Rapid Spanning Tree BPDUs:
• Act as keepalives
  • RSTP-designated ports send configuration BPDUs every hello time (default of 2 seconds)
• Provide faster failure detection
  • If a neighboring bridge receives no BPDU within 3 times the hello interval (3 x 2 = 6 seconds), connectivity to the neighbor is faulty
[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with port roles labelled R, D, A and B]
Transitioning to the Forwarding State
STP:
• Takes 30 seconds before the ports start forwarding traffic after port enablement
  • 2x forwarding delay (listening + learning)
RSTP:
• Uses a proposal-and-agreement handshake on point-to-point links instead of timers
  • Exceptions are alternate ports that immediately transition to root, and edge ports that immediately transition to the forwarding state
  • Nonedge-designated ports transition to the forwarding state once they receive explicit agreement
Indirect Link Failure
When an indirect link failure occurs:
• Switch-2’s root port fails—it assumes it is the new root
• Switch-3 receives inferior BPDUs from Switch-2—it moves the alternate port to the designated port role
• Switch-2 receives superior BPDUs, knows it is not the root, and designates the port connecting to Switch-3 as the root port
[Figure: Before: Switch-1 (Root Bridge) has designated, forwarding ports toward Switch-2 and Switch-3, which each have a root, forwarding port toward Switch-1; on the Switch-2 to Switch-3 link, Switch-2 has a designated, forwarding port and Switch-3 an alternate, blocking port. After: the Switch-1 to Switch-2 link has failed; Switch-2 sends inferior BPDUs toward Switch-3, Switch-3 answers with superior BPDUs from its now designated port, and Switch-2’s port toward Switch-3 becomes its root port, forwarding. Legend: F = forwarding, B = blocking, R = root port, D = designated port, A = alternate port]
Note: The failure is from the perspective of Switch-3
Direct Link Failure
When a direct link failure occurs:
• Alternate port transitions to the forwarding state and assumes the root port role following the failure of the old root port
• Switch-3 signals upstream switches to flush their MAC tables by sending RSTP TCNs out the new root port
  • Upstream switches only flush MAC entries that they learned on active ports that did not receive the RSTP TCNs (except edge ports)
[Figure: Before: same topology as the indirect link failure slide, with Switch-3 holding the alternate, blocking port toward Switch-2. After: the Switch-1 to Switch-3 link has failed; Switch-3’s former alternate port toward Switch-2 is now its root port and forwarding. Legend: F = forwarding, B = blocking, R = root port, D = designated port, A = alternate port]
Note: The failure is from the perspective of Switch-3
RSTP Interoperability with STP
STP and RSTP interoperability considerations:
• If a switch supports only the STP protocol, it discards any RSTP BPDUs it receives
• If an RSTP-capable switch receives STP BPDUs, it reverts to STP mode on the receiving interface only and sends STP BPDUs
[Figure: Switch-1 (Protocol Version 0, STP), Switch-2 (Protocol Version 0x02, RSTP) and Switch-3 (Protocol Version 0x02, RSTP); the Switch-1 to Switch-2 link runs STP, the Switch-2 to Switch-3 link runs RSTP]
What If…?
Given the topology below, what if User A connects a personal (unauthorized) switch running the spanning tree protocol to Switch-2?
[Figure: Before: Switch-1 (Root Bridge), Switch-2 and Switch-3, with User A’s switch attached to Switch-2 and exchanging BPDUs with it. After: User A’s switch is part of the spanning tree]
BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become part of the spanning tree, potentially leading to a network outage
BPDU Protection
BPDU protection prevents rogue switches from connecting to the network and causing undesired Layer 2 topology changes and possible outages
• If a BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state
[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3; the edge port on Switch-2 toward User A is disabled if a BPDU is received on the protected interface]
What If…?
Given the topology below, what if BPDUs sent by Switch-2 were not received by Switch-3?
[Figure: Before: Switch-1 (Root Bridge) with designated (D) ports; Switch-2 and Switch-3 with root (R) ports toward Switch-1; Switch-2’s port toward Switch-3 is designated (D) and Switch-3’s port toward Switch-2 is alternate (A). After: Switch-3’s port toward Switch-2 has become designated (D), creating a Layer 2 loop]
Switch-3 waits until the max-age timer expires, then transitions its alternate port to the designated port role and the forwarding state, thus removing the blocked port and causing a Layer 2 loop
BPDUs are not received due to a unidirectional link failure or a software configuration issue
Loop Protection
The loop protection feature provides additional protection against Layer 2 loops by preventing non-designated ports from becoming designated ports
• Enable loop protection on all non-designated ports
• Ports that detect the loss of BPDUs transition to the “loop inconsistent” role, which maintains the blocking state
  • Port automatically transitions back to previous or new role when it receives a BPDU
[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with port roles R, D and A; loop protection is applied to Switch-3’s alternate port toward Switch-2]
What If…?
Given the topology and details below, what if a rogue switch with a bridge priority of 4K was connected to the Layer 2 network?
[Figure: Before: Switch-1 (Root Bridge, priority = 8k) in the aggregation layer, Switch-2 (priority = 32k) and Switch-3 (priority = 32k) in the access layer, with the rogue switch exchanging BPDUs. After: the rogue switch is the new root bridge]
BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become the new root bridge, potentially leading to a network outage
Root Protection

Enable root protection to avoid unwanted STP topology changes and root bridge placement:
• If a superior BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state

[Figure: aggregation layer with Switch-1 (Root Bridge, Priority = 4k) and Switch-2 (Priority = 8k); access layer with Switch-3, Switch-4 and Switch-5 (Priority = 32k each).]

Root protection is typically configured on the ports of aggregation switches that connect to access switches.
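The two preceding slides turn on one comparison: a bridge ID is the 16-bit priority followed by the bridge MAC, and the numerically lower value wins, so a rogue bridge announcing priority 4096 beats a legitimate root at 8192. The example below is added here and is not code from the slides or from any switch vendor; it implements that comparison, the root election it drives, and a root-protection check on a port, using constructed MAC addresses and port names while keeping the priority values from the slides.

```python
"""Bridge ID comparison, root election and root protection. Added example,
not the slides' own code. MAC addresses and port names are constructed;
the priorities (4k, 8k, 32k) are the ones on the slides.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BridgeId:
    """802.1D bridge identifier: 16-bit priority followed by the bridge MAC.
    Lower value wins; priority is compared first, then the MAC."""
    priority: int
    mac: str

    def key(self) -> tuple:
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def is_superior_to(self, other: "BridgeId") -> bool:
        return self.key() < other.key()


@dataclass
class Bpdu:
    root_id: BridgeId          # the root the sender believes in
    sender_id: BridgeId


@dataclass
class Port:
    name: str
    root_protect: bool = False
    state: str = "forwarding"
    log: List[str] = field(default_factory=list)


@dataclass
class Switch:
    bridge_id: BridgeId
    ports: Dict[str, Port]
    root_id: Optional[BridgeId] = None   # None until the first election

    def __post_init__(self):
        if self.root_id is None:
            self.root_id = self.bridge_id   # every bridge starts believing it is root

    def receive(self, port_name: str, bpdu: Bpdu) -> None:
        port = self.ports[port_name]
        superior = bpdu.root_id.is_superior_to(self.root_id)
        if superior and port.root_protect:
            # Root protection: a BPDU claiming a better root on a protected
            # interface may not change the topology; the interface goes to
            # the blocking state and the event is recorded for the operator.
            port.state = "blocking"
            port.log.append(f"{port_name}: superior BPDU (sender priority "
                            f"{bpdu.sender_id.priority}) blocked by root protection")
            return
        if superior:
            self.root_id = bpdu.root_id    # unprotected port: accept the new root


def rogue_scenario(root_protect: bool) -> tuple:
    """Switch-1 (priority 8k) is root; a bridge with priority 4k sends a BPDU
    into the aggregation port facing the access layer. Returns the priority
    of the root Switch-1 believes in and the port state afterwards."""
    switch1 = Switch(BridgeId(8192, "00:00:00:00:00:01"),
                     {"ge-0/0/10": Port("ge-0/0/10", root_protect=root_protect)})
    rogue = BridgeId(4096, "00:00:00:00:00:99")
    switch1.receive("ge-0/0/10", Bpdu(root_id=rogue, sender_id=rogue))
    return switch1.root_id.priority, switch1.ports["ge-0/0/10"].state


if __name__ == "__main__":
    print("without root protection:", rogue_scenario(False))
    print("with root protection   :", rogue_scenario(True))
```

Without root protection the 4096 bridge is accepted as root and the port keeps forwarding; with it, Switch-1 keeps priority 8192 as root and the port is blocked, which is the behaviour the Root Protection slide describes for a superior BPDU on a protected interface.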
Multiple Spanning Tree Protocol (MSTP)
What If …?

Refer to the topology below and assume no spanning tree protocol is currently in use; what would happen if User A sent traffic to User Z?

[Figure: distribution switches DS-1 and DS-2; access switches AS-1, AS-2 and AS-3; User A (172.23.10.86/24) on AS-1 and User Z (172.23.10.88/24) on AS-3. All switch ports belong to vlan-10, which is associated with 172.23.10.0/24.]

The traffic would be flooded repeatedly through a Layer 2 loop.
Understanding the Default Configuration

By default, RSTP is enabled on EX Series switches, which helps ensure a loop-free Layer 2 topology.

[Figure: the same topology with DS-1 as the root bridge; all switch ports belong to vlan-10, which is associated with 172.23.10.0/24. One of the participating switches is selected as the root bridge.]

Traffic will be forwarded through the root bridge towards the destination.
A Limitation of STP and RSTP

STP and RSTP provide no load-balancing functionality, which means some links will not be used.

[Figure: DS-1 (Root bridge) and DS-2; AS-1 with User A (172.23.10.86/24) and User B (172.23.20.86/24); AS-2 with User C (172.23.10.87/24) and User D (172.23.20.87/24); AS-3 with User E (172.23.10.88/24) and User F (172.23.20.88/24). vlan-10 is associated with the 172.23.10.0/24 broadcast domain; vlan-20 is associated with the 172.23.20.0/24 broadcast domain.]

All links connected to DS-2 will not be used unless a failure occurs.
Multiple Spanning Tree Protocol

MSTP provides extensions to RSTP which allow you to:
• Create multiple spanning tree instances (MSTIs) in order to balance traffic flows over all available links

[Figure: the same topology and users as the previous slide; DS-1 is the root bridge for Instance-1 and DS-2 is the root bridge for Instance-2, so both distribution switches carry traffic.]
Multiple Spanning Tree Region

A group of switches with the same region name, revision level, and VLAN-to-instance mapping
• You can configure a maximum of 64 MSTIs per MST region, with one regional root bridge per instance

[Figure: Region-1 containing DS-1 (Root bridge for Instance-1), DS-2 (Root bridge for Instance-2), AS-1, AS-2 and AS-3; Instance-1 = VLANs 10-19, Instance-2 = VLANs 20-29.]
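The region definition above is the usual source of MSTP surprises: a switch whose name, revision or VLAN-to-instance table differs by a single VLAN silently forms a region of its own, and the expected load balancing does not happen. The check below is an added example, not code from the slides or from Junos; it expands the configured ranges into the full VLAN-to-instance table, enforces the 64-MSTI limit, and compares two configurations directly (the real protocol compares a digest of the table, which this example does not compute). The configurations follow the Region-1 mapping on the slide, with one constructed mismatch on AS-3.

```python
"""MST region consistency check. Added example, not the slides' own code.
Two bridges share an MST region only when region name, revision level and
the complete VLAN-to-instance mapping match; a region holds at most 64
MSTIs. The mapping is compared directly here instead of through the
protocol's digest. Configurations are constructed after the slide's
Region-1 (Instance-1 = VLANs 10-19, Instance-2 = VLANs 20-29).
"""
from typing import Dict, List, Tuple

MAX_MSTIS = 64
VLAN_RANGE = range(1, 4095)          # VLAN IDs 1..4094


def expand_mapping(instances: Dict[int, List[Tuple[int, int]]]) -> Dict[int, int]:
    """Turn {instance: [(first_vlan, last_vlan), ...]} into the full
    VLAN -> instance table (unmapped VLANs belong to the CIST, instance 0).
    Raises on overlapping ranges and on more than 64 MSTIs."""
    mstis = [i for i in instances if i != 0]
    if len(mstis) > MAX_MSTIS:
        raise ValueError(f"{len(mstis)} MSTIs configured, maximum is {MAX_MSTIS}")
    table = {vlan: 0 for vlan in VLAN_RANGE}
    seen: Dict[int, int] = {}
    for inst, ranges in instances.items():
        for first, last in ranges:
            for vlan in range(first, last + 1):
                if vlan not in table:
                    raise ValueError(f"VLAN {vlan} out of range")
                if vlan in seen:
                    raise ValueError(f"VLAN {vlan} mapped to both instance "
                                     f"{seen[vlan]} and instance {inst}")
                seen[vlan] = inst
                table[vlan] = inst
    return table


def same_region(a: dict, b: dict) -> bool:
    """A region is identified by name, revision and the full VLAN mapping."""
    return (a["name"] == b["name"]
            and a["revision"] == b["revision"]
            and expand_mapping(a["instances"]) == expand_mapping(b["instances"]))


# Constructed configurations: DS-1 and AS-1 agree; AS-3 leaves VLAN 29 out of
# Instance-2 and therefore ends up in a region of its own.
DS1 = {"name": "Region-1", "revision": 1,
       "instances": {1: [(10, 19)], 2: [(20, 29)]}}
AS1 = {"name": "Region-1", "revision": 1,
       "instances": {1: [(10, 19)], 2: [(20, 29)]}}
AS3 = {"name": "Region-1", "revision": 1,
       "instances": {1: [(10, 19)], 2: [(20, 28)]}}


def report() -> Dict[str, bool]:
    """Which pairs of switches would actually share Region-1."""
    return {"DS-1/AS-1": same_region(DS1, AS1),
            "DS-1/AS-3": same_region(DS1, AS3)}


if __name__ == "__main__":
    for pair, ok in report().items():
        print(f"{pair}: {'same region' if ok else 'DIFFERENT region'}")
```

The same expansion step is what makes the 64-MSTI limit and overlapping ranges visible before a configuration is committed; the report shows DS-1 and AS-1 in one region and AS-3 outside it, even though all three use the same region name and revision.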
VLAN Spanning Tree Protocol

VSTP maintains a separate spanning-tree instance for each VLAN, allowing load balancing of Layer 2 traffic
• Proprietary protocol that is compatible with similar protocols from other vendors, including PVST+ and Rapid-PVST+

[Figure: Vlan-1 through Vlan-5 mapped one-to-one to VSTP instance 1 through VSTP instance 5 across DS-1, DS-2, AS-1, AS-2 and AS-3.]
VSTP Considerations (1 of 2)

Some VSTP considerations include:
• Supports up to 253 different spanning-tree topologies
• You selectively determine which VLANs participate in VSTP
• We recommend that you enable RSTP in addition to VSTP to account for any VLANs above and beyond 253

[Figure: Vlan-1, Vlan-2 … Vlan-253 handled by VSTP; Vlan-254, Vlan-255 … handled by RSTP.]
VSTP Considerations (2 of 2)

Some VSTP considerations include (contd):
• As you add VLANs, more CPU resources are consumed
• A separate BPDU is sent out for each configured VLAN

[Figure: frame layout DA | SA | VLAN TAG | L | LLC | SNAP | BPDU | FCS, with one such BPDU per VLAN (Vlan-1, Vlan-2, Vlan-3 …).]

The VSTP BPDU format is the same as the RSTP format, with an added type, length, and value that advertises the same VLAN ID found in the VLAN tag.
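The frame layout on this slide can be checked in software: parse the tag, walk past the length and LLC/SNAP headers, read the RSTP BPDU body, and confirm that the trailing VLAN TLV agrees with the 802.1Q tag. A mismatch between the two is a sign of misconfiguration or of a BPDU that has crossed a VLAN boundary it should not have, which is worth alerting on. The parser and frame builder below are an added example, not code from the slides or from any switch implementation; the frame bytes, MAC addresses and timer values are constructed, the TLV layout (2-byte type, 2-byte length, 2-byte VLAN ID after the 36-byte RSTP body) is an assumption made for the example following the slide's description, and the FCS is omitted because the NIC strips it before delivery.

```python
"""Parse a tagged VSTP/PVST+-style BPDU frame and check that the VLAN ID in
the trailing TLV matches the VLAN ID in the 802.1Q tag. Added example, not
from the slides. Frame contents are constructed; the TLV layout is assumed
(type, length, 2-byte VLAN ID after the RSTP body); FCS omitted.
"""
import struct
from dataclasses import dataclass

RSTP_BPDU_LEN = 36          # protocol id .. version-1 length, per 802.1w


@dataclass
class VstpBpdu:
    tag_vlan: int
    root_priority: int
    root_mac: str
    bridge_priority: int
    bridge_mac: str
    tlv_vlan: int

    @property
    def consistent(self) -> bool:
        """A well-formed VSTP BPDU advertises the VLAN it was tagged with."""
        return self.tag_vlan == self.tlv_vlan


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_vstp_frame(frame: bytes) -> VstpBpdu:
    off = 12                                          # skip DA and SA
    tpid, tci = struct.unpack_from("!HH", frame, off)
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q tagged frame")
    tag_vlan = tci & 0x0FFF                           # low 12 bits of the TCI
    off += 4
    off += 2                                          # 802.3 length field (L)
    if frame[off:off + 3] != b"\xaa\xaa\x03":         # LLC: DSAP, SSAP, control
        raise ValueError("expected SNAP LLC header")
    off += 3
    off += 5                                          # SNAP: 3-byte OUI + 2-byte PID
    bpdu = frame[off:off + RSTP_BPDU_LEN]
    if len(bpdu) < RSTP_BPDU_LEN:
        raise ValueError("truncated BPDU")
    proto, _version, bpdu_type, _flags = struct.unpack_from("!HBBB", bpdu, 0)
    if proto != 0 or bpdu_type != 0x02:
        raise ValueError("not an RSTP BPDU")
    (root_prio,) = struct.unpack_from("!H", bpdu, 5)  # root id: priority + MAC
    root_mac = _mac(bpdu[7:13])
    (bridge_prio,) = struct.unpack_from("!H", bpdu, 17)  # bridge id follows path cost
    bridge_mac = _mac(bpdu[19:25])
    off += RSTP_BPDU_LEN
    _tlv_type, tlv_len = struct.unpack_from("!HH", frame, off)   # assumed TLV layout
    if tlv_len != 2:
        raise ValueError("unexpected VLAN TLV length")
    (tlv_vlan,) = struct.unpack_from("!H", frame, off + 4)
    return VstpBpdu(tag_vlan, root_prio, root_mac, bridge_prio, bridge_mac, tlv_vlan)


def build_vstp_frame(tag_vlan: int, tlv_vlan: int, root_priority: int = 4096,
                     bridge_priority: int = 32768) -> bytes:
    """Constructed frame with the layout DA | SA | VLAN TAG | L | LLC | SNAP | BPDU | TLV."""
    dst = bytes.fromhex("01000ccccccd")              # PVST+ BPDU multicast address
    src = bytes.fromhex("0000000000aa")              # constructed sender MAC
    root = struct.pack("!H", root_priority) + bytes.fromhex("000000000001")
    bridge = struct.pack("!H", bridge_priority) + src
    bpdu = (struct.pack("!HBBB", 0, 2, 0x02, 0x7C)   # proto 0, version 2, RST BPDU, flags
            + root + struct.pack("!I", 20000)        # root path cost
            + bridge + struct.pack("!H", 0x8001)     # port id
            + struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)  # timers in 1/256 s
            + b"\x00")                               # version-1 length
    tlv = struct.pack("!HHH", 0, 2, tlv_vlan)        # assumed type/length/VLAN layout
    snap = bytes.fromhex("00000c") + struct.pack("!H", 0x010B)   # OUI/PID as assumed here
    payload = b"\xaa\xaa\x03" + snap + bpdu + tlv
    tag = struct.pack("!HH", 0x8100, tag_vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", len(payload)) + payload


if __name__ == "__main__":
    for tag, tlv in ((10, 10), (10, 20)):
        b = parse_vstp_frame(build_vstp_frame(tag, tlv))
        print(f"tag vlan {b.tag_vlan}, TLV vlan {b.tlv_vlan}, consistent={b.consistent}")
```

With matching values the parser reports a consistent BPDU; with tag 10 and TLV 20 it flags the mismatch while still exposing the root and bridge identifiers, which is the information an operator needs to find the port that emitted it.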