Multilayer Switching

  1. 5 parts to the Enterprise Campus Design
    • Core Backbone
    • Campus
    • Data Center
    • Branch/WAN
    • Internet Edge
  2. Core Backbone (2)
    • generally physically self-contained
    • can often interconnect the campus access, the data center, and WAN portions of the network
  3. Campus (2)
    • Provides access to network communication services and resources to end users and devices spread over a single geographic location
    • can act as the core and backbone of the network
  4. Data Center
    a facility used to house computing systems and associated components
  5. Branch/WAN
    contains routers, switches and so on to interconnect a main office to branch offices and interconnect multiple main sites
  6. Internet Edge
    Encompasses the routers, switches, firewalls, and network devices that interconnect the enterprise network to the internet
  7. Enterprise Campus Design Characteristics (3)
    • modular
    • resilient
    • flexible
  8. Hierarchical Model Layers
    • Access
    • Distribution
    • Core
  9. Access Layer
    Used to grant the user, server, or edge device access to the network
  10. Distribution Layer
    • Aggregates wiring closets (access-layer switches)
    • Aggregates WAN connections
    • Often acts as a service and control boundary between the access and core layers
  11. Core Layer
    A high-speed backbone, designed to switch packets as fast as possible
  12. The hierarchical model is advantageous because...(6)
    • Provides modularity
    • Easier to understand
    • Increases flexibility
    • Eases growth and scalability
    • Provides for network predictability
    • Reduces troubleshooting complexity
  13. Layer 2 switching characteristics (5)
    • Hardware based
    • Wire-speed
    • Collision domain per port
    • Frame is unchanged
    • May support QoS and IGMP snooping
  14. Layer 2 switching issues (2)
    • No traffic between VLANs
    • Unbounded broadcast domain
  15. Layer 3 switching characteristics (4)
    • Routing (not BGP)
    • TTL
    • Rewrites source and destination MAC address on a per hop basis
    • Some security functions (for example, ACLs)
  16. SONA Network
    • Service-oriented Network Architecture
    • Cisco architectural approach to designing advanced network capabilities
  17. Small Campus Network
    • < 200 end devices
    • collapsed core
  18. Medium Campus Network
    200 - 1000 end devices
  19. Large Campus Network
    > 2000 end devices
  20. ASICs
    • Application Specific Integrated Circuits
    • Hold the forwarding tables in hardware so the switch can forward at wire speed
    • Have memory limitations (finite table sizes)
  21. VLAN
    A logical group of end devices with a common set of requirements independent of their physical location.
  22. End-to-End VLAN
    A VLAN whose member switch ports are widely dispersed throughout the enterprise network, across multiple switches
  23. End-to-End VLAN characteristics
    • Each VLAN is dispersed geographically throughout the network
    • Users are grouped into each VLAN regardless of their physical location
    • VLAN membership stays the same when a user moves
    • Users are typically associated with a given VLAN for network management reasons
    • All devices on a given VLAN typically have addresses on the same IP subnet
    • Switches commonly operate in VTP server/client mode
  24. What type of VLAN model is the Campus Enterprise Network Architecture based on?
    Local VLAN model
  25. Local VLAN (4)
    • All users of a set of geographically common switches are grouped into a single VLAN, regardless of user function
    • Layer 2 switching is implemented at the access level
    • Routing is implemented at the distribution and core level
    • most efficient
  26. Reasons to implement End-to-End VLANs
    • Grouping Users
    • Security
    • Applying QoS
    • Routing Avoidance
    • Special Purpose VLAN
    • Poor Design
  27. Local VLAN Benefits
    • Deterministic traffic flow
    • Active Redundant Paths
    • High availability
    • Finite failure domain
    • Scalable design
  28. Troubleshoot VLANs
    • physical connections
    • switch config
    • VLAN config
  29. IEEE 802.1Q/802.1p advantages over ISL
    • Smaller frame overhead
    • Widely Supported
    • Support for QoS
  30. DTP Modes
    • Access
    • Trunk
    • Nonegotiate
    • Dynamic Desirable
    • Dynamic Auto
  31. DTP Access Mode
    • Permanent nontrunking mode
    • negotiates to convert the link into a nontrunking link
  32. DTP Trunk Mode
    • Permanent Trunking Mode
    • negotiates to convert the link into a trunk link
  33. DTP Dynamic Desirable Mode
    • actively attempts to convert the link to a trunk link
    • works with trunk, desirable, or auto mode
  34. DTP Nonegotiate Mode
    • Permanent trunking mode
    • Prevents the interface from generating DTP frames
    • Works only with a neighbor statically configured as a trunk
  35. DTP Dynamic Auto Mode
    • Int willing to convert the link to a trunk link.
    • Works with trunk or desirable mode
    • Default
  36. ISL supports vlan numbers...
    1 - 1005
  37. 802.1Q supports VLAN numbers...
    1 - 4094
  38. VTP
    • VLAN Trunking Protocol
    • Used to distribute and synchronize info about VLAN databases configured throughout a switched network.
    • Layer 2 messaging protocol
  39. VTP Modes
    • Client
    • Server
    • Transparent
  40. VTP Client Mode
    • Cannot create, change, or delete VLANs from the CLI
    • Synchronizes to server advertisements and forwards them
  41. VTP Server Mode
    • Default
    • sends and forwards advertisements
    • saves VLAN config to NVRAM
  42. VTP Transparent Mode
    • Forwards VTP advertisements received on trunks
    • Does not synchronize (keeps its own VLAN database)
    • Saves VLAN config to NVRAM
  43. VTPv2 supported features
    • Token Ring
    • Unrecognized Type-Length Value (TLV) support
    • Version-independent transparent mode
    • Consistency checks
  44. VTPv3
    • Does not directly handle VLANs
    • Distributes a list of databases over an administrative domain
  45. VTPv3 Enhancements
    • Support for extended VLANs
    • Support for the creation and advertisement of Private VLANs
    • Improved server authentication
    • Interact with VTPv1 and v2
    • Configurable on a per-port basis
  46. VTP Message Types
    • Summary Advertisements
    • Subset Advertisements
    • Advertisement Requests
  47. Advertisement Requests are needed when (3)
    • The switch has been reset
    • VTP domain name has changed
    • Switch has received a VTP summary advertisement with a higher config revision number than its own
  48. Summary Advertisement
    • Sent every 5 minutes and whenever the VLAN database changes
    • Informs adjacent switches of the current VTP domain name and the configuration revision number
  49. Subset Advertisement
    • sent after summary advertisement
    • contains a list of VLAN info
  50. Private VLANs
    Enable Layer 2 isolation between devices that are in the same IP subnet
  51. Private VLAN port types
    • Isolated
    • Promiscuous
    • Community
  52. Primary Private VLAN
    carries traffic from promiscuous ports to other ports in the same Primary Private VLAN
  53. Secondary Private VLAN
    • end devices connected
    • child to a Primary Private VLAN
  54. Types of secondary Private VLANs
    • Community
    • Isolated
  55. Benefits of Etherchannel (4)
    • Relies on existing switch ports
    • Easier config
    • Redundancy
    • Load Balancing
  56. For Etherchannel ports must have the same...(3)
    • Speed
    • Duplex setting
    • VLAN info
  57. PAgP (2)
    • Cisco proprietary
    • Hello packets sent every 30 seconds
  58. PAgP Modes
    • Auto
    • Desirable
    • On
    • Non-silent
  59. PAgP Auto Mode
    • default
    • passive negotiating state
  60. PAgP Desirable Mode
    active negotiating
  61. PAgP On Mode
    Forces the port into the channel without PAgP negotiation (the other end must also be "on")
  62. PAgP Non-silent Mode
    Always used with auto or desirable mode; requires PAgP packets from the neighbor before the port is added to the channel
  63. LACP Modes
    • Passive
    • Active
    • On
  64. LACP additional parameters
    • System Priority
    • Port Priority
    • Administrative Key
  65. What is the point of Spanning Tree?
    create a loop free topology at Layer 2
  66. How does spanning tree protocol (STP) prevent Layer 2 loops?
    allows only one active path and blocks any redundant paths
  67. Varieties of STP
    • CST
    • PVST+
    • RSTP
    • MST
    • PVRST+
  68. Common Spanning Tree (CST)
    • 1 instance for the entire bridged network
    • CPU and Memory requirements lower
    • 1 root bridge 1 tree
    • Slow convergence
  69. Per VLAN Spanning Tree + (PVST+)
    • cisco enhancement of STP
    • Separate instance for each VLAN
    • Convergence is per-VLAN
    • CPU and memory requirement increased
  70. Rapid STP (RSTP)
    • IEEE 802.1w
    • faster convergence
    • single instance
  71. CPU and memory usage of RSTP
    • Slightly more than CST
    • less than PVST+
  72. Multiple Spanning Tree (MST)
    • IEEE
    • Maps multiple VLANs
    • Up to 16 instances of RSTP
  73. MST CPU and memory requirement
    • less than PVST+
    • more than RSTP
  74. PVRST+
    • Cisco
    • Separate instance of RSTP per VLAN
    • Largest CPU and memory requirements
  75. BID =
    Priority + MAC
  76. STP Ports
    • Root
    • Designated
    • Nondesignated
    • Disabled
  77. STP Root Port
    forwards data traffic to the root bridge
  78. STP Designated Port
    Sends and receives BPDUs and traffic
  79. STP Nondesignated Port
    blocks traffic
  80. STP Disabled Port
    Administratively shut down; takes no part in spanning tree or frame forwarding and neither sends nor receives BPDUs
  81. STP Port States
    • Blocking
    • Listening
    • Learning
    • Forwarding
    • Disabled
  82. STP Blocking Port State
    • Does not forward frames or learn MAC addresses
    • Receives BPDUs
    • Max age timer: 20 sec
  83. STP Listening Port State
    • Still does not forward frames; the port is preparing to participate
    • Receives BPDUs
    • Transmits its own BPDUs
    • Forward delay: 15 sec
  84. STP Learning Port State
    • Begins to populate the CAM (MAC address) table, still without forwarding frames
    • Forward delay: 15 sec
  85. STP Forwarding Port State
    Considered part of active topology
  86. RSTP Port States
    • Discarding
    • Learning
    • Forwarding
  87. RSTP Discarding Port State
    • prevents the forwarding of data frames
    • STP Disabled, Blocking, and Listening equivalent.
  88. RSTP Learning Port State
    accepts data frames to populate MAC table
  89. RSTP Forwarding Port State
    • Can only be seen in stable active topologies
    • determine topology
  90. RSTP Port Roles
    • Root
    • Designated
    • Alternate
    • Backup
    • Disabled
  91. RSTP Root Port
    Chosen path to root bridge
  92. RSTP Designated Port
    • The port on a segment that forwards traffic toward the root bridge (the segment's best path to the root)
    • 1 per segment
    • Assumes forwarding state
  93. RSTP Alternate Port
    • Offers an alternate path
    • assumes discarding state
  94. RSTP Backup Port
    • A redundant connection to a segment on which the same switch already holds the designated port
    • Assumes a discarding state
  95. RSTP Disabled Port
    has no role
  96. RSTP algorithm relies on 2 variables
    • Link Type
    • Edge Port
  97. BPDU Guard
    Prevents accidental connection of switching devices to PortFast enabled ports
  98. BPDU Filtering
    Prevents unnecessary BPDUs from being transmitted to host devices
  99. Root Guard
    • Enabled on ports that must stay designated (for example, ports facing access switches)
    • If a superior BPDU arrives, the port goes into the root-inconsistent (blocking) state so the neighboring switch cannot become root; it recovers on its own when the superior BPDUs stop
  100. Loop Guard
    If a nondesignated (root or alternate) port stops receiving BPDUs, it is placed into the STP loop-inconsistent blocking state instead of moving to forwarding, which stops a unidirectional link from creating a loop
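An added example (not from the card set): a Python simulation of root election from the Bridge ID (priority + MAC, cards 75 and 99) and of what Root Guard and BPDU Guard do with a superior BPDU on a user-facing port. The switch names, priorities and MACs are constructed, and the PVST+ extended-system-ID form of the priority field (configured priority plus VLAN number) is assumed.

```python
def bridge_id(priority: int, mac: str, vlan: int = 1) -> int:
    """Bridge ID as one comparable integer: 16-bit priority field followed by the
    48-bit MAC. With the PVST+ extended system ID the priority field is the
    configured priority (a multiple of 4096) plus the VLAN number. Lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return ((priority + vlan) << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def elect_root(bridges: dict, vlan: int = 1) -> str:
    """bridges maps switch name -> (priority, mac); the lowest Bridge ID is root."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n], vlan))


def handle_bpdu(guard, known_root: int, bpdu_root: int):
    """What a designated port does with a received BPDU advertising bpdu_root.
    guard: None, 'root' (Root Guard) or 'bpdu' (BPDU Guard).
    Returns (port state, root the switch believes in afterwards)."""
    if guard == "bpdu":
        # Any BPDU at all err-disables the port (per-interface form; the global
        # 'spanning-tree portfast bpduguard default' applies to PortFast ports).
        return "err-disabled", known_root
    if bpdu_root < known_root:
        if guard == "root":
            # Superior BPDU on a port that must stay designated: block it.
            return "root-inconsistent", known_root
        return "root-port", bpdu_root     # unguarded: the switch accepts the new root
    return "designated", known_root


# Constructed topology: core-A is root primary, core-B secondary, one access switch.
SWITCHES = {
    "core-A":   (4096,  "0011.1111.1111"),
    "core-B":   (8192,  "0022.2222.2222"),
    "access-1": (32768, "0033.3333.3333"),
}
ROGUE = (0, "0044.4444.4444")   # constructed: a device on an access port announcing priority 0


def rogue_outcome(guard):
    """Result of the rogue's superior BPDU arriving on access-1's user port."""
    legit_root = bridge_id(*SWITCHES[elect_root(SWITCHES)])
    state, root_after = handle_bpdu(guard, legit_root, bridge_id(*ROGUE))
    return state, ("rogue" if root_after == bridge_id(*ROGUE) else elect_root(SWITCHES))


if __name__ == "__main__":
    print("root:", elect_root(SWITCHES))
    for g in (None, "root", "bpdu"):
        print(f"guard={g}:", rogue_outcome(g))
```

Without a guard the access switch accepts the rogue's BPDU and re-roots the tree through a user port; Root Guard keeps the real root and blocks only the offending port, while BPDU Guard err-disables it outright, which is the right choice for PortFast edge ports where no switch should ever appear.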
  101. UDLD (Unidirectional Link Detection)
    • Probe messages sent every 15 sec (default)
    • Normal Mode: a unidirectional link is logged and the port is marked undetermined
    • Aggressive Mode: the port is err-disabled when the neighbor stops answering
  102. Content Addressable Memory (CAM)
    • Primary table used to make L2 forwarding decisions
    • MAC address and inbound port
  103. Ternary Content Addressable Memory (TCAM)
    Stores ACLs, QoS, and other L3 info
  104. Cisco Switching Methods
    • Process Switching
    • Fast Switching 
    • Cisco Express Forwarding (CEF)
    • Route Caching
  105. Punt Adjacency
    used for packets that require special handling by the L3 engine
  106. Drop or Discard Adjacency
    Used to drop ingress packets
  107. Null Adjacency
    Used to drop packets destined for Null0 int
  108. Why is CEF faster
    Uses FIB and Adjacency table
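An added example (not from the card set): a miniature CEF data plane in Python with a FIB, an adjacency table, and the punt, drop and Null0 adjacencies described in cards 105 to 108. The prefixes, next hops, ports and MACs are constructed, and the punt conditions shown (TTL expiry, IP options, an unresolved glean adjacency) are illustrative rather than a complete list.

```python
import ipaddress

# Constructed FIB: prefix -> next hop, or a special adjacency name.
FIB = {
    "0.0.0.0/0":    "10.1.1.1",
    "10.0.0.0/8":   "10.1.2.1",
    "10.77.0.0/16": "10.1.3.1",   # next hop whose MAC is not resolved yet
    "10.99.0.0/16": "null0",      # ip route 10.99.0.0 255.255.0.0 Null0
}

# Constructed adjacency table: next hop -> Layer 2 rewrite or adjacency type.
ADJACENCY = {
    "10.1.1.1": {"type": "complete", "port": "Gi1/0/1", "mac": "0011.2222.3333"},
    "10.1.2.1": {"type": "complete", "port": "Gi1/0/2", "mac": "0011.2222.4444"},
    "10.1.3.1": {"type": "glean"},   # ARP still needed for this next hop
}
ROUTER_MAC = "0000.0c12.3456"        # constructed source MAC for the rewrite

# Sorted once, longest prefix first, so each lookup is a single pass.
_FIB_SORTED = sorted(((ipaddress.ip_network(p), nh) for p, nh in FIB.items()),
                     key=lambda e: e[0].prefixlen, reverse=True)


def fib_lookup(dst_ip: str):
    """Longest-prefix match; returns the next hop / adjacency name or None."""
    addr = ipaddress.ip_address(dst_ip)
    for net, nh in _FIB_SORTED:
        if addr in net:
            return nh
    return None


def forward(dst_ip: str, ttl: int, ip_options: bool = False):
    """Data-plane decision for one packet.
    ('forward', egress port, new TTL, new dst MAC, new src MAC) when CEF can
    rewrite and send it in hardware; ('punt', reason) when the L3 engine / CPU
    must handle it; ('drop', reason) for Null0 and unroutable destinations."""
    if ttl <= 1 or ip_options:
        return ("punt", "TTL expiry or IP options need the L3 engine")
    nh = fib_lookup(dst_ip)
    if nh is None:
        return ("drop", "no matching prefix")
    if nh == "null0":
        return ("drop", "Null0 adjacency")
    adj = ADJACENCY[nh]
    if adj["type"] == "glean":
        return ("punt", f"glean adjacency: resolve {nh} with ARP")
    # Complete adjacency: decrement TTL and rewrite both MAC addresses per hop.
    return ("forward", adj["port"], ttl - 1, adj["mac"], ROUTER_MAC)


if __name__ == "__main__":
    for dst, ttl in (("10.5.5.5", 64), ("10.99.8.8", 64), ("10.77.0.9", 64), ("10.5.5.5", 1)):
        print(dst, ttl, "->", forward(dst, ttl))
```

The speed comes from the two tables being complete before any packet arrives: the FIB answers "which next hop" and the adjacency table answers "which port and which MACs", so nothing is resolved on demand except the cases that are explicitly punted.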
  109. High Availability
    • Redundancy
    • Technology
    • People 
    • Process
    • Tools
  110. NSF (Nonstop Forwarding)
    After a supervisor switchover the switch keeps forwarding with the existing FIB while the routing protocols re-establish adjacencies and rebuild the routing table
  111. Syslog
    Enables device to report error notification messages
  112. SNMP
    Defines how management info is exchanged between network management apps and management agents
  113. SNMP V2 Introduces
    • Get Bulk Request
    • Inform Request
  114. SNMP v3 Introduces
    • Authentication
    • Encryption (privacy)
    • Message integrity
  115. IP Service Level Agreement (IP SLA)
    • Cisco IOS feature that sends synthetic probes to measure connectivity and performance (delay, jitter, loss)
    • Verifies a service level agreement: the contract between a service provider and customers that specifies connectivity and performance agreements
  116. RPR+ additional benefits
    • Reduced Switchover time
    • No reloading of installed modules
    • Synch of OIR events between the active and standby
  117. HSRP
    • Cisco
    • Participating routers talk to each other and agree on a virtual router with a Virtual IP address which end systems use as a default gateway
  118. HSRP Router Roles
    • Virtual
    • Active
    • Standby
    • Other
  119. HSRP States
    • Initial
    • Listen
    • Speak 
    • Standby
    • Active
  120. GLBP Active Virtual Gateway (AVG)
    • Assigns a virtual MAC address to each member of the GLBP group
    • Answers ARP requests for the virtual IP, handing out the members' virtual MACs in turn
  121. GLBP Active Virtual Forwarder (AVF)
    Forwards packets that are sent to the virtual MAC address
  122. GLBP Features
    • Load Sharing
    • Multiple Virtual Routers
    • Preemption
    • Efficient Resource Utilization
  123. HSRPv1 number of groups
    256 (group numbers 0 - 255)
  124. HSRP v1 priority default
    100
  125. HSRP v1 Assigned MAC Address
    0000.0C07.ACxx (xx = group number in hex)
  126. HSRP v1 Multicast
    224.0.0.2, UDP port 1985
  127. VLAN Hopping
    A network attack whereby an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system
  128. VLAN Hopping with Double Tagging
    • An attacker on an access port in the trunk's native VLAN sends frames with two 802.1Q tags: outer tag = native VLAN, inner tag = target VLAN
    • The first switch strips the outer (native) tag when sending over the trunk; the second switch reads the inner tag and delivers the frame into the target VLAN (one-way only)
  129. How to mitigate VLAN Hopping
    • Configure all unused ports as access ports in an unused VLAN
    • Shut down all unused ports
    • Trunk configuration: disable DTP (switchport nonegotiate), set the native VLAN to an unused VLAN, and tag the native VLAN (vlan dot1q tag native) so no frames cross the trunk untagged
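An added example (not from the card set): a Python model of both hopping techniques from cards 127 to 129, switch spoofing through DTP negotiation (cards 30 to 35) and 802.1Q double tagging, together with the trunk-side mitigations. The port modes, MACs, VLAN numbers and frames are constructed; the functions model the untag/tag steps an access port and a trunk perform, not any real switch code.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def dtp_negotiate(local: str, remote: str) -> str:
    """Outcome of DTP negotiation for two port modes: 'access', 'trunk',
    'nonegotiate', 'desirable' (dynamic desirable) or 'auto' (dynamic auto).
    Returns 'trunk' when a working trunk forms, otherwise 'access'."""
    modes = {local, remote}
    if "access" in modes:
        return "access"
    if "nonegotiate" in modes:
        # No DTP frames are sent, so the far end must be statically trunking.
        return "trunk" if modes <= {"trunk", "nonegotiate"} else "access"
    if modes & {"trunk", "desirable"}:
        return "trunk"           # trunk/desirable initiate; auto only answers
    return "access"              # auto + auto never trunks


def build_frame(dst: bytes, src: bytes, tags: list, payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    stacked = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in tags)
    return dst + src + stacked + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_tag(frame: bytes):
    """(vlan_id, frame without its outer tag) or (None, frame) if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame: bytes, access_vlan: int):
    """Access port: untagged frames, and frames tagged with the access VLAN
    itself, are accepted (tag removed); any other tag is dropped -> None."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, inner) if vid == access_vlan else None


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Trunk egress: the native VLAN leaves untagged unless 'vlan dot1q tag native'."""
    return frame if (vlan == native_vlan and not tag_native) else push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int):
    """Far-end trunk ingress: tagged -> that VLAN, untagged -> native VLAN."""
    vid, inner = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def double_tag_hop(access_vlan, outer_tag, inner_tag, native_vlan, tag_native=False):
    """VLAN in which the second switch delivers an attacker's double-tagged frame.
    None means the first switch dropped it at the access port."""
    frame = build_frame(b"\xff" * 6, bytes.fromhex("0000aa000001"),   # constructed MACs
                        [outer_tag, inner_tag], b"constructed payload")
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan, inner = accepted
    delivered_vlan, _ = trunk_ingress(trunk_egress(vlan, inner, native_vlan, tag_native),
                                      native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("dynamic auto port vs attacker's desirable:", dtp_negotiate("auto", "desirable"))
    print("native 1, attacker in VLAN 1 ->", double_tag_hop(1, 1, 20, native_vlan=1))
    print("native moved to unused 999  ->", double_tag_hop(1, 1, 20, native_vlan=999))
    print("native 1 but tagged         ->", double_tag_hop(1, 1, 20, 1, tag_native=True))
```

A dynamic auto port trunks as soon as the attacker's desirable DTP frame arrives, which is the switch-spoofing case and why user ports get `switchport mode access` plus `switchport nonegotiate`. The double-tagged frame reaches VLAN 20 only while the attacker's access VLAN is the trunk's native VLAN and native frames travel untagged; moving the native VLAN to an unused number or tagging it makes the second switch classify the frame back into the attacker's own VLAN. The attack is one-way, so the model reports only where the frame is delivered.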
  130. DHCP Spoofing
    • Attacker answers client requests with spoofed responses that would be sent by a valid DHCP server
    • Hands out itself as the default gateway and/or DNS server
    • Man-in-the-middle
  131. Mitigate DHCP Spoofing
    DHCP Snooping
  132. DHCP snooping
    • Classifies ports as trusted (toward the real DHCP server) or untrusted; DHCP server messages are dropped on untrusted ports
    • Builds a binding table (MAC, IP, VLAN, port, lease) from the snooped DHCP exchanges
  133. ARP Spoofing
    • An attacking device answers ARP requests (or sends gratuitous ARP) so that it appears to be the destination host the sender is looking for
    • Victims store the attacker's MAC address for that IP in their ARP cache
  134. Mitigate ARP Spoofing
    Dynamic ARP Inspection
  135. Dynamic ARP Inspection
    Prevents man-in-the-middle attacks by not relaying invalid and gratuitous ARP replies out to other ports in the same VLAN.
  136. IP Spoofing
    • The attacker impersonates a legitimate host on the network by using its IP address
    • Results in unauthorized access or DoS attacks
  137. Mitigate IP Spoofing
    IP Source Guard
  138. IP Source Guard
    • Provides per-port IP traffic filtering of the assigned source IP address at wire speed.
    • Dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch-port bindings.
  139. How is ARP Inspection based on DHCP Snooping?
    Each inspected packet is verified for valid IP-to-MAC bindings that are gathered via DHCP snooping
  140. How is IP Source Guard based on DHCP Snooping?
    All IP traffic on the port is blocked except DHCP packets until DHCP snooping (or a static entry) provides a binding for the port; after that only traffic from the bound source IP address is allowed.
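An added example (not from the card set) that ties cards 130 to 140 together: an in-memory Python model of DHCP snooping building its binding table and of Dynamic ARP Inspection and IP Source Guard consulting that table. The port names, MACs, addresses and the message sequence are constructed; the methods model the checks each feature makes, not Cisco's implementation.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # uplinks toward the real DHCP server
    pending: dict = field(default_factory=dict)   # (vlan, client_mac) -> port of its DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)  # (vlan, client_mac) -> (ip, port)

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping. Server messages (OFFER/ACK/NAK) are dropped on untrusted
        ports, so a rogue server on an access port never reaches the clients. An
        ACK arriving through a trusted port creates a binding for the client's port."""
        if msg in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                return "drop"
            if msg == "ACK" and (vlan, client_mac) in self.pending:
                self.bindings[(vlan, client_mac)] = (yiaddr, self.pending.pop((vlan, client_mac)))
            return "forward"
        # DISCOVER/REQUEST from a client on an untrusted port: remember where it came from.
        self.pending[(vlan, client_mac)] = port
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on untrusted ports the sender MAC/IP pair must
        match a binding learned on that port, otherwise the reply is dropped
        instead of being relayed to the rest of the VLAN."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.bindings.get((vlan, sender_mac)) == (sender_ip, port) else "drop"

    def ip(self, port, vlan, src_ip, dhcp=False):
        """IP Source Guard (source-IP filtering): until a binding exists only DHCP
        may leave the port; afterwards only the bound source address passes."""
        if dhcp or port in self.trusted:
            return "forward"
        ok = any(v == vlan and p == port and ip == src_ip
                 for (v, _mac), (ip, p) in self.bindings.items())
        return "forward" if ok else "drop"


def scenario():
    """Constructed exchange in VLAN 10: a legitimate client on Gi1/0/3, a rogue host on
    Gi1/0/5, and the real DHCP server reached through trusted uplink Gi1/0/24."""
    sw = SnoopingSwitch(trusted={"Gi1/0/24"})
    client, rogue = "0011.2233.4455", "00de.adbe.ef00"
    r = {}
    r["rogue_offer"] = sw.dhcp("Gi1/0/5", 10, "OFFER", client, "10.0.0.200")  # rogue server
    sw.dhcp("Gi1/0/3", 10, "DISCOVER", client)
    r["real_ack"] = sw.dhcp("Gi1/0/24", 10, "ACK", client, "10.0.0.50")
    r["binding"] = sw.bindings.get((10, client))
    r["arp_poison"] = sw.arp("Gi1/0/5", 10, rogue, "10.0.0.1")    # rogue claims the gateway
    r["arp_legit"] = sw.arp("Gi1/0/3", 10, client, "10.0.0.50")
    r["ip_legit"] = sw.ip("Gi1/0/3", 10, "10.0.0.50")
    r["ip_spoof"] = sw.ip("Gi1/0/3", 10, "10.0.0.1")               # client spoofing the gateway
    r["ip_stolen"] = sw.ip("Gi1/0/5", 10, "10.0.0.50")             # rogue using the client's lease
    r["ip_before_lease"] = sw.ip("Gi1/0/5", 10, "0.0.0.0", dhcp=True)
    return r


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:16} {result}")
```

The ordering is the point: DAI and IP Source Guard are only as good as the binding table, so DHCP snooping has to be enabled (and the server-facing ports marked trusted) before either of them will pass any legitimate traffic; hosts with static addresses need static bindings or they are dropped the same way the rogue is.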
  141. What is LLDP?
    • Link Layer Discovery Protocol
    • Vendor-neutral Layer 2 protocol equivalent to Cisco Discovery Protocol (CDP)
    • Enables a network device to advertise its identity and capabilities on the local network
    • Disabled by default
Card Set: Multilayer Switching Final Prep