CCNP Routing and Switching
Post on 03-Dec-2015
From the Library of Outcast Outcast

Contents at a Glance
Introduction

Part I Designing Campus Networks
Chapter 1 Enterprise Campus Network Design
Chapter 2 Switch Operation
Chapter 3 Switch Port Configuration

Part II Building a Campus Network
Chapter 4 VLANs and Trunks
Chapter 5 VLAN Trunking Protocol

Part III Working with Redundant Links
Chapter 6 Traditional Spanning Tree Protocol
Chapter 7 Spanning-Tree Configuration
Chapter 8 Protecting the Spanning Tree Protocol Topology
Chapter 9 Advanced Spanning Tree Protocol
Chapter 10 Aggregating Switch Links

Part IV Multilayer Switching
Chapter 11 Multilayer Switching
Chapter 12 Configuring DHCP

Part V Monitoring Campus Networks
Chapter 13 Logging Switch Activity
Chapter 14 Managing Switches with SNMP
Chapter 15 Monitoring Performance with IP SLA
Chapter 16 Using Port Mirroring to Monitor Traffic

Part VI Implementing High Availability
Chapter 17 Understanding High Availability
Chapter 18 Layer 3 High Availability

Part VII Securing Switched Networks
Chapter 19 Securing Switch Access
Chapter 20 Securing VLANs
Chapter 21 Preventing Spoofing Attacks
Chapter 22 Managing Switch Users

Part VIII Final Preparation
Chapter 23 Final Preparation

Part IX Appendixes
Appendix A Answers to the "Do I Know This Already?" Quizzes
Appendix B Exam Updates
Glossary
Index

CD-Only Appendixes
Appendix C Memory Tables
Appendix D Memory Table Answer Key
Appendix E Study Planner
Contents

Introduction

Part I Designing Campus Networks

Chapter 1 Enterprise Campus Network Design: "Do I Know This Already?" Quiz; Foundation Topics; Hierarchical Network Design; Predictable Network Model; Access Layer; Distribution Layer; Core Layer; Modular Network Design; Sizing a Switch Block; Switch Block Redundancy; Network Core; Collapsed Core; Core Size in a Campus Network; Cisco Products in a Hierarchical Network Design; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms

Chapter 2 Switch Operation: "Do I Know This Already?" Quiz; Foundation Topics; Layer 2 Switch Operation; Transparent Bridging; Follow That Frame!; Multilayer Switch Operation; Types of Multilayer Switching; Follow That Packet!; Multilayer Switching Exceptions; Tables Used in Switching; Content-Addressable Memory; Ternary Content-Addressable Memory; TCAM Structure; TCAM Example; Port Operations in TCAM; Managing Switching Tables; CAM Table Operation; TCAM Operation; Managing Switching Table Sizes; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 3 Switch Port Configuration: "Do I Know This Already?" Quiz; Foundation Topics; Ethernet Concepts; Ethernet Overview; Scaling Ethernet; Fast Ethernet; Gigabit Ethernet; 10-Gigabit Ethernet; Beyond 10-Gigabit Ethernet; Duplex Operation over Ethernet Links; Connecting Switches and Devices; Ethernet Port Cables and Connectors; Switch Port Configuration; Selecting Ports to Configure; Identifying Ports; Port Speed; Port Duplex Mode; Managing Error Conditions on a Switch Port; Detecting Error Conditions; Automatically Recover from Error Conditions; Enable and Use the Switch Port; Troubleshooting Port Connectivity; Looking for the Port State; Looking for Speed and Duplex Mismatches; Discovering Connected Devices; Cisco Discovery Protocol; Link Layer Discovery Protocol; Using Power over Ethernet; How PoE Works; Detecting a Powered Device; Configuring PoE; Verifying PoE; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Part II Building a Campus Network

Chapter 4 VLANs and Trunks: "Do I Know This Already?" Quiz; Foundation Topics; Virtual LANs; VLAN Membership; Static VLANs; Configuring Static VLANs; Dynamic VLANs; Deploying VLANs; End-to-End VLANs; Local VLANs; VLAN Trunks; VLAN Frame Identification; Inter-Switch Link Protocol; IEEE 802.1Q Protocol; Dynamic Trunking Protocol; VLAN Trunk Configuration; Configuring a VLAN Trunk; Trunk Configuration Example; Troubleshooting VLANs and Trunks; Voice VLANs; Voice VLAN Configuration; Verifying Voice VLAN Operation; Wireless VLANs; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 5 VLAN Trunking Protocol: "Do I Know This Already?" Quiz; Foundation Topics; VLAN Trunking Protocol; VTP Domains; VTP Modes; VTP Advertisements; VTP Synchronization; VTP Configuration; Configuring the VTP Version; Configuring a VTP Management Domain; Configuring the VTP Mode; VTP Configuration Example; VTP Status; VTP Pruning; Enabling VTP Pruning; Troubleshooting VTP; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Part III Working with Redundant Links

Chapter 6 Traditional Spanning Tree Protocol: "Do I Know This Already?" Quiz; Foundation Topics; IEEE 802.1D Overview; Bridging Loops; Preventing Loops with Spanning Tree Protocol; Spanning-Tree Communication: Bridge Protocol Data Units; Electing a Root Bridge; Electing Root Ports; Electing Designated Ports; STP States; STP Timers; Topology Changes; Direct Topology Changes; Indirect Topology Changes; Insignificant Topology Changes; Types of STP; Common Spanning Tree; Per-VLAN Spanning Tree; Per-VLAN Spanning Tree Plus; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms

Chapter 7 Spanning-Tree Configuration: "Do I Know This Already?" Quiz; Foundation Topics; STP Root Bridge; Root Bridge Placement; Root Bridge Configuration; Tuning the Root Path Cost; Tuning the Port ID; Tuning Spanning-Tree Convergence; Modifying STP Timers; Manually Configuring STP Timers; Automatically Configuring STP Timers; Redundant Link Convergence; PortFast: Access Layer Nodes; UplinkFast: Access Layer Uplinks; BackboneFast: Redundant Backbone Paths; Monitoring STP; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 8 Protecting the Spanning Tree Protocol Topology: "Do I Know This Already?" Quiz; Foundation Topics; Protecting Against Unexpected BPDUs; Root Guard; BPDU Guard; Protecting Against Sudden Loss of BPDUs; Loop Guard; UDLD; Using BPDU Filtering to Disable STP on a Port; Troubleshooting STP Protection; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 9 Advanced Spanning Tree Protocol: "Do I Know This Already?" Quiz; Foundation Topics; Rapid Spanning Tree Protocol; RSTP Port Behavior; BPDUs in RSTP; RSTP Convergence; Port Types; Synchronization; Topology Changes and RSTP; RSTP Configuration; Rapid Per-VLAN Spanning Tree Protocol; Multiple Spanning Tree Protocol; MST Overview; MST Regions; Spanning-Tree Instances Within MST; IST Instances; MST Instances; MST Configuration; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 10 Aggregating Switch Links: "Do I Know This Already?" Quiz; Foundation Topics; Switch Port Aggregation with EtherChannel; Bundling Ports with EtherChannel; Distributing Traffic in EtherChannel; Configuring EtherChannel Load Balancing; EtherChannel Negotiation Protocols; Port Aggregation Protocol; Link Aggregation Control Protocol; EtherChannel Configuration; Configuring a PAgP EtherChannel; Configuring a LACP EtherChannel; Avoiding Misconfiguration with EtherChannel Guard; Troubleshooting an EtherChannel; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Command Reference to Check Your Memory

Part IV Multilayer Switching

Chapter 11 Multilayer Switching: "Do I Know This Already?" Quiz; Foundation Topics; Inter-VLAN Routing; Types of Interfaces; Configuring Inter-VLAN Routing; Layer 2 Port Configuration; Layer 3 Port Configuration; SVI Port Configuration; Multilayer Switching with CEF; Traditional MLS Overview; CEF Overview; Forwarding Information Base; Adjacency Table; Packet Rewrite; Configuring CEF; Verifying Multilayer Switching; Verifying Inter-VLAN Routing; Verifying CEF; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 12 Configuring DHCP: "Do I Know This Already?" Quiz; Foundation Topics; Using DHCP with a Multilayer Switch; Configuring an IPv4 DHCP Server; Configuring a Manual Address Binding; Configuring DHCP Options; Configuring a DHCP Relay; Configuring DHCP to Support IPv6; Stateless Autoconfiguration; DHCPv6; DHCPv6 Lite; Configuring a DHCPv6 Relay Agent; Verifying IPv6 DHCP Operation; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Part V Monitoring Campus Networks

Chapter 13 Logging Switch Activity: "Do I Know This Already?" Quiz; Foundation Topics; Syslog Messages; Logging to the Switch Console; Logging to the Internal Buffer; Logging to a Remote Syslog Server; Adding Time Stamps to Syslog Messages; Setting the Internal System Clock; Using NTP to Synchronize with an External Time Source; Securing NTP; Using SNTP to Synchronize Time; Adding Time Stamps to Logging Messages; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 14 Managing Switches with SNMP: "Do I Know This Already?" Quiz; Foundation Topics; SNMP Overview; Configuring SNMP; Configuring SNMPv1; Configuring SNMPv2C; Configuring SNMPv3; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 15 Monitoring Performance with IP SLA: "Do I Know This Already?" Quiz; Foundation Topics; IP SLA Overview; Configuring IP SLA; Using IP SLA; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 16 Using Port Mirroring to Monitor Traffic: "Do I Know This Already?" Quiz; Foundation Topics; Using Local SPAN; Local SPAN Configuration; Remote SPAN; Remote SPAN Configuration; Managing SPAN Sessions; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Part VI Implementing High Availability

Chapter 17 Understanding High Availability: "Do I Know This Already?" Quiz; Foundation Topics; Leveraging Logical Switches; StackWise; Virtual Switching System; Supervisor and Route Processor Redundancy; Redundant Switch Supervisors; Configuring the Redundancy Mode; Configuring Supervisor Synchronization; Nonstop Forwarding; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 18 Layer 3 High Availability: "Do I Know This Already?" Quiz; Foundation Topics; Packet-Forwarding Review; Hot Standby Router Protocol; HSRP Router Election; Plain-Text HSRP Authentication; MD5 Authentication; Conceding the Election; HSRP Gateway Addressing; Load Balancing with HSRP; Virtual Router Redundancy Protocol; Gateway Load Balancing Protocol; Active Virtual Gateway; Active Virtual Forwarder; GLBP Load Balancing; Enabling GLBP; Verifying Gateway Redundancy; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Part VII Securing Switched Networks

Chapter 19 Securing Switch Access: "Do I Know This Already?" Quiz; Foundation Topics; Port Security; Port-Based Authentication; 802.1X Configuration; 802.1X Port-Based Authentication Example; Using Storm Control; Best Practices for Securing Switches; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 20 Securing VLANs: "Do I Know This Already?" Quiz; Foundation Topics; VLAN Access Lists; VACL Configuration; Private VLANs; Private VLAN Configuration; Configure the Private VLANs; Associate Ports with Private VLANs; Associate Secondary VLANs to a Primary VLAN SVI; Securing VLAN Trunks; Switch Spoofing; VLAN Hopping; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 21 Preventing Spoofing Attacks: "Do I Know This Already?" Quiz; Foundation Topics; DHCP Snooping; IP Source Guard; Dynamic ARP Inspection; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Chapter 22 Managing Switch Users: "Do I Know This Already?" Quiz; Foundation Topics; Configuring Authentication; Configuring Authorization; Configuring Accounting; Exam Preparation Tasks; Review All Key Topics; Complete Tables and Lists from Memory; Define Key Terms; Use Command Reference to Check Your Memory

Part VIII Final Preparation

Chapter 23 Final Preparation: Tools for Final Preparation; Exam Engine and Questions on the CD; Install the Exam Engine; Activate and Download the Practice Exam; Activating Other Exams; Premium Edition; The Cisco Learning Network; Memory Tables; Chapter-Ending Review Tools; Study Plan; Recall the Facts; Practice Configurations; Using the Exam Engine

Part IX Appendixes

Appendix A Answers to the "Do I Know This Already?" Quizzes
Appendix B Exam Updates: Always Get the Latest at the Companion Website; Technical Content
Glossary
Index

CD-Only Appendixes

Appendix C Memory Tables
Appendix D Memory Table Answer Key
Appendix E Study Planner
Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italic indicates arguments for which you supply actual values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets ([ ]) indicate an optional element.
Braces ({ }) indicate a required choice.
Braces within brackets ([{ }]) indicate a required choice within an optional element.
Introduction

This book focuses on one major goal: to help you prepare to pass the SWITCH exam (300-115). To help you prepare, this book achieves other useful goals as well: It explains a wide range of networking topics, shows how to configure those features on Cisco switches, and explains how to determine whether the features are working. As a result, you can also use this book as a general reference as you work with switched networks in your job. The main motivation for this book and the Cisco Press Certification Guide series is to help you pass the SWITCH exam.

The rest of this introduction focuses on two topics: the SWITCH exam and a description of this book.
The CCNP SWITCH Exam

Professional certifications have been an important part of the computing industry for many years and will continue to become more important. Many reasons exist for these certifications, but the most popularly cited reason is that of credibility. All other considerations held equal, the certified employee/consultant/job candidate is considered more valuable than one who is not.

Cisco offers four levels of routing and switching certification, each with an increasing level of proficiency: Entry, Associate, Professional, and Expert. These are commonly known by their acronyms CCENT (Cisco Certified Entry Networking Technician), CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), and CCIE (Cisco Certified Internetworking Expert). There are others, too, but this book focuses on the certifications for enterprise networks.

Cisco first announced its initial Professional level certifications in 1998 with the CCNP Routing and Switching certification. To become certified, you must pass exams on a series of CCNP topics, including the SWITCH, ROUTE, and TSHOOT exams. For most exams, Cisco does not publish the scores needed for passing. You need to take the exam to find that out for yourself.

To see the most current requirements for the CCNP Routing and Switching certification, go to http://www.cisco.com/go/ccnp, and look for the 300-115 SWITCH exam (Implementing IP Switched Networks, SWITCH v2.0). There you can find out other exam details such as an exam blueprint, which contains a list of exam topics. You will also learn how to register for an exam.

Also, you can go to the Cisco Learning Network website at http://www.cisco.com/go/learnnetspace to find exam information, learning tools, and forums in which you can communicate with others and learn more about this and other Cisco exams.

The SWITCH exam topics are grouped into three broad categories:

Layer 2 Technologies
Infrastructure Security
Infrastructure Services
Table I-1 lists the exam topics, along with the part of this book where the topic is covered. The list of topics is accurate, as of the time this book was printed.

Table I-1 SWITCH Exam 300-115 Topics

Exam Topic | Book Part

Layer 2 Technologies
Configure and Verify Switch Administration | I
Configure and Verify Layer 2 Protocols | I, III
Configure and Verify VLANs | II
Configure and Verify Trunking | II
Configure and Verify EtherChannels | III
Configure and Verify Spanning Tree | III
Configure and Verify Other LAN Switching Technologies | V
Describe Chassis Virtualization and Aggregation Technologies | VI

Infrastructure Security
Configure and Verify Switch Security Features | VII
Describe Device Security Using Cisco IOS AAA with TACACS+ and RADIUS | VII

Infrastructure Services
Configure and Verify First-Hop Redundancy Protocols | VI
How to Take the SWITCH Exam

As of the publication of this book, Cisco exclusively uses testing vendor Pearson Vue (http://www.vue.com) for delivery of all Cisco career certification exams. To register, go to http://www.vue.com, establish a login, and register for the 300-115 SWITCH exam. You also need to choose a testing center near your home.
Format of the CCNP SWITCH Exam

The SWITCH exam follows the same general format as the other Cisco exams. When you get to the testing center and check in, the proctor will give you some general instructions and then take you into a quiet room with a PC. When you're at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and to the testing engine.

When you start the exam, you will be asked a series of questions. Answer a question, and then move on to the next question. The exam engine does not let you go back and change the answers you entered on previous questions.
The exam questions can be in any of the following formats:

Multiple choice (MC)
Testlet
Drag-and-drop (DND)
Simulated lab (sim)
Simlet

The first three types of questions are relatively common in many testing environments. The MC format simply requires that you point and click on a circle (that is, a radio button) beside the correct answer for a single-answer question or on squares (that is, check boxes) beside the correct answers for a multi-answer question. Cisco traditionally tells you how many answers you need to choose, and the testing software prevents you from choosing too many answers. Testlets are questions with one general scenario, with multiple MC questions about the overall scenario. DND questions require you to left-click and hold a mouse button, move an object (for example, a text box) to another area on the screen, and release the mouse button to place the object somewhere else, typically into a list. For some questions, as an example, you might need to put a list of five things into the proper order to get the whole question correct.

The last two types both use a network simulator to ask questions. Interestingly, the two types actually allow Cisco to assess two very different skills. First, sim questions generally describe a problem, and your task is to configure one or more routers/switches to fix the problem. The exam then grades the question based on the configuration you changed or added.

The simlet questions may well be the most difficult style of question on the exams. Simlet questions also use a network simulator, but instead of answering the question by changing the configuration, the question includes one or more multiple choice questions. The questions require that you use the simulator to examine the current behavior of a network, interpreting the output of any show commands that you can remember to answer the question. Although sim questions require you to troubleshoot problems related to a configuration, simlets require you to both analyze working networks and networks with problems, correlating show command output with your knowledge of networking theory and configuration commands.

The Cisco Learning Network (http://learningnetwork.cisco.com) website has tools that let you experience the environment and see how each of these question types work. The environment should be the same as when you passed CCNA (a prerequisite for CCNP and CCDP).
CCNP SWITCH 300-115 Official Certification Guide

The most important and somewhat obvious objective of this book is to help you pass the Cisco CCNP SWITCH exam (Exam 300-115). While you are learning about topics that can help you pass the SWITCH exam, you will also become much more knowledgeable about how to do your job. Although this book and the accompanying CD have many exam preparation tasks and example test questions, the method in which they are used is not to simply make you memorize as many questions and answers as you possibly can.

The methodology of this book helps you discover the exam topics about which you need more review, fully understand and remember exam topic details, and prove to yourself that you have retained your knowledge of those topics. So this book helps you pass not by memorization, but by helping you truly learn and understand the topics. The SWITCH exam is just one of the foundation topics in the CCNP Routing and Switching certification, and the knowledge contained within is vitally important to consider yourself a truly skilled routing and switching engineer or specialist.

The strategy you use to prepare for the SWITCH exam might differ slightly from strategies used by other readers, mainly based on the skills, knowledge, and experience you already have obtained. For instance, if you have attended the SWITCH course, you might take a different approach than someone who learned switching through on-the-job training. Regardless of the strategy you use or the background you have, this book is designed to help you get to the point where you can pass the exam with the least amount of time required.
Book Features and Exam Preparation Methods

This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics.

The book includes many features that provide different ways to study and prepare yourself for the exam. If you understand a topic when you read it, but do not study it any further, you will probably not be ready to pass the exam with confidence. The features included in this book give you tools that help you determine what you know, review what you know, better learn what you don't know, and be well prepared for the exam. These tools include the following:

"Do I Know This Already?" quizzes: Each chapter begins with a quiz that helps you determine the amount of time you need to spend studying that chapter.

Foundation topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter.

Exam preparation tasks: The "Exam Preparation Tasks" section lists a series of study activities that should be done after reading the "Foundation Topics" section. Each chapter includes the activities that make the most sense for studying the topics in that chapter. The activities include the following:

  Key Topics Review: The Key Topic icon is shown next to the most important items in the "Foundation Topics" section of the chapter. The Key Topics Review activity lists the key topics from the chapter, and page number. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each key topic. Review these topics carefully.
  Memory tables: To help you exercise your memory and memorize some lists of facts, many of the more important lists and tables from the chapter are included in a document on the CD. This document lists only partial information, allowing you to complete the table or list. CD-only Appendix C holds the incomplete tables, and Appendix D includes the completed tables from which you can check your work.

  Definition of key terms: Although Cisco exams might be unlikely to ask a question such as "Define this term," the SWITCH exam requires that you learn and know a lot of networking terminology. This section lists some of the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary on the enclosed CD.

CD-based practice exam: The companion CD contains an exam engine, including a bank of multiple-choice questions. You can use the practice exams to get a feel for the actual exam content and to gauge your knowledge of switching topics.
How This Book is Organized

Although this book can be read cover to cover, it is designed to be flexible and allow you to easily move between chapters and sections of chapters to focus on specific material. The chapters can be covered in any order, although some chapters are related and build upon each other. If you do intend to read them all, the order in the book is an excellent sequence to use.

This book contains 23 chapters, plus appendixes. The book organizes switching topics into nine major parts. The following list outlines the major part organization of this book.

Part I: Designing Campus Networks

Chapter 1, "Enterprise Campus Network Design": This chapter covers different campus network models, hierarchical network design, and how to design, size, and scale a campus network using a modular approach.

Chapter 2, "Switch Operation": This chapter covers Layer 2 and multilayer switch operation, how various content-addressable memory (CAM) and ternary content-addressable memory (TCAM) tables are used to make switching decisions, and how to monitor these tables to aid in troubleshooting.

Chapter 3, "Switch Port Configuration": This chapter covers basic Ethernet concepts, how to use scalable Ethernet, how to connect switches and devices together, and how to verify switch port operation to aid in troubleshooting.

Part II: Building a Campus Network

Chapter 4, "VLANs and Trunks": This chapter covers basic VLAN concepts, how to transport multiple VLANs over single links, how to configure VLAN trunks, and how to verify VLAN and trunk operation.

Chapter 5, "VLAN Trunking Protocol": This chapter covers VLAN management using VTP, VTP configuration, traffic management through VTP pruning, and how to verify VTP operation.
Part III: Working with Redundant Links

Chapter 6, "Traditional Spanning Tree Protocol": This chapter covers IEEE 802.1D Spanning Tree Protocol (STP) and gives an overview of the other STP types that might be running on a switch.

Chapter 7, "Spanning-Tree Configuration": This chapter covers the STP root bridge, how to customize the STP topology, how to tune STP convergence, redundant link convergence, and how to verify STP operation.

Chapter 8, "Protecting the Spanning Tree Protocol Topology": This chapter covers protecting the STP topology using Root Guard, BPDU Guard, and Loop Guard, and also how to use BPDU filtering and how to verify that these STP protection mechanisms are functioning properly.

Chapter 9, "Advanced Spanning Tree Protocol": This chapter covers Rapid Spanning Tree Protocol (RSTP) for Rapid PVST+ and Multiple Spanning Tree (MST) Protocol.

Chapter 10, "Aggregating Switch Links": This chapter covers switch port aggregation with EtherChannel, EtherChannel negotiation protocols, EtherChannel configuration, and how to verify EtherChannel operation.

Part IV: Multilayer Switching

Chapter 11, "Multilayer Switching": This chapter covers inter-VLAN routing, multilayer switching with Cisco Express Forwarding (CEF), and how to verify that multilayer switching is functioning properly.

Chapter 12, "Configuring DHCP": This chapter discusses ways to configure a switch to relay Dynamic Host Configuration Protocol (DHCP) requests or to act as a DHCP server to local client devices.

Part V: Monitoring Campus Networks

Chapter 13, "Logging Switch Activity": This chapter explains how to configure a switch to generate logging information and how to correlate logging messages with accurate time stamps.

Chapter 14, "Managing Switches with SNMP": This chapter discusses SNMP and how you can use it to monitor and manage switches in a network.

Chapter 15, "Monitoring Performance with IP SLA": This chapter explains how to leverage IP SLA probes to measure network performance against expected service level agreement parameters.

Chapter 16, "Using Port Mirroring to Monitor Traffic": This chapter covers methods you can use to mirror or copy switched traffic to a destination where it can be collected and analyzed.

Part VI: Implementing High Availability

Chapter 17, "Understanding High Availability": This chapter discusses ways that multiple physical switches can be connected or configured together to operate as one logical switch, increasing availability.

Chapter 18, "Layer 3 High Availability": This chapter covers providing redundant router or gateway addresses on Catalyst switches and verifying that redundancy is functioning properly.
Part VII: Securing Switched Networks

Chapter 19, "Securing Switch Access": This chapter covers port security using MAC addresses, port-based security using IEEE 802.1X, storm control to reduce traffic storms, and best practices for securing switches.

Chapter 20, "Securing VLANs": This chapter covers how to control traffic within a VLAN using access lists, implementing private VLANs, and best practices for securing trunk links.

Chapter 21, "Preventing Spoofing Attacks": This chapter explains features like DHCP snooping, IP Source Guard, and dynamic ARP inspection, which you can leverage to prevent network attacks that use spoofed information to gain a foothold.

Chapter 22, "Managing Switch Users": This chapter covers switch authentication, authorization, and accounting (AAA) mechanisms that control who can access a switch and what they can do on the switch, as well as provide a record of what occurred.

Part VIII: Final Preparation

Chapter 23, "Final Preparation": This chapter explains how to use the practice exam CD to enhance your study, along with a basic study plan.

Part IX: Appendixes

Appendix A: This appendix contains answers to the "Do I Know This Already?" quizzes.

Appendix B: This appendix tells you how to find any updates, should there be changes to the exam.

Glossary: The glossary contains definitions for all the terms listed in the "Define Key Terms" sections at the conclusions of Chapters 1 through 22.

In addition, you can find the following appendixes on the CD that is included with this book:

Appendix C, "Memory Tables": This appendix holds the key tables and lists from each chapter with some of the content removed. You can print this appendix, and as a memory exercise, complete the tables and lists. The goal is to help you memorize facts that can be useful on the exams.

Appendix D, "Memory Table Answer Key": This appendix contains the answer key for the exercises in Appendix D.

Appendix E, "Study Planner," is a spreadsheet with major study milestones, where you can track your progress through your study.
For More Information

If you have any comments about the book, you can submit those via http://www.ciscopress.com. Just go to the website, select Contact Us, and type your message.

Cisco might make changes that affect the SWITCH exam from time to time. You should always check http://www.cisco.com/go/ccnp for the latest details.
This chapter covers the following topics that you need to master for the CCNP SWITCH exam:

Hierarchical Network Design: This section details a three-layer hierarchical structure of campus network designs.

Modular Network Design: This section covers the process of designing a campus network, based on breaking it into functional modules. You also learn how to size and scale the modules in a design.
CHAPTER 1

Enterprise Campus Network Design
This chapter presents a logical design process that you can use to build a new switched campus network or to modify and improve an existing network. Networks can be designed in layers using a set of building blocks that can organize and streamline even a large, complex campus network. These building blocks can then be placed using several campus design models to provide maximum efficiency, functionality, and scalability.
"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt based on your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 outlines the major headings in this chapter and the "Do I Know This Already?" quiz questions that go with them. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."
Table 1-1 "Do I Know This Already?" Foundation Topics Section-to-Question Mapping

Foundation Topics Section | Questions Covered in This Section
Hierarchical Network Design | 1-10
Modular Network Design | 11-17
1. Where does a collision domain exist in a switched network?
   a. On a single switch port
   b. Across all switch ports
   c. On a single VLAN
   d. Across all VLANs

2. Where does a broadcast domain exist in a switched network?
   a. On a single switch port
   b. Across all switch ports
   c. On a single VLAN
   d. Across all VLANs
3. What is a VLAN primarily used for?
   a. To segment a collision domain
   b. To segment a broadcast domain
   c. To segment an autonomous system
   d. To segment a spanning-tree domain

4. How many layers are recommended in the hierarchical campus network design model?
   a. 1
   b. 2
   c. 3
   d. 4
   e. 7

5. What is the purpose of breaking a campus network into a hierarchical design?
   a. To facilitate documentation
   b. To follow political or organizational policies
   c. To make the network predictable and scalable
   d. To make the network more redundant and secure

6. End-user PCs should be connected into which of the following hierarchical layers?
   a. Distribution layer
   b. Common layer
   c. Access layer
   d. Core layer

7. In which OSI layer should devices in the distribution layer typically operate?
   a. Layer 1
   b. Layer 2
   c. Layer 3
   d. Layer 4

8. A hierarchical network's distribution layer aggregates which of the following?
   a. Core switches
   b. Broadcast domains
   c. Routing updates
   d. Access layer switches
Chapter 1: Enterprise Campus Network Design
9. In the core layer of a hierarchical network, which of the following are aggregated?
a. Routing tables
b. Packet filters
c. Distribution switches
d. Access layer switches

10. In a properly designed hierarchical network, a broadcast from one PC is confined to which one of the following?
a. One access layer switch port
b. One access layer switch
c. One switch block
d. The entire campus network

11. Which one or more of the following are the components of a typical switch block?
a. Access layer switches
b. Distribution layer switches
c. Core layer switches
d. E-commerce servers
e. Service provider switches

12. Which of the following are common types of core, or backbone, designs? (Choose all that apply.)
a. Collapsed core
b. Loop-free core
c. Dual core
d. Layered core
e. Multinode core

13. What is the maximum number of access layer switches that can connect into a single distribution layer switch?
a. 1
b. 2
c. Limited only by the number of ports on the access layer switch
d. Limited only by the number of ports on the distribution layer switch
e. Unlimited
14. A switch block should be sized according to which two of the following parameters? (Choose all that apply.)
a. The number of access layer users
b. A maximum of 250 access layer users
c. A study of the traffic patterns and flows
d. The amount of rack space available
e. The number of servers accessed by users

15. What evidence can be seen when a switch block is too large? (Choose all that apply.)
a. IP address space is exhausted.
b. You run out of access layer switch ports.
c. Broadcast traffic becomes excessive.
d. Traffic is throttled at the distribution layer switches.
e. Network congestion occurs.

16. How many distribution switches should be built into each switch block?
a. 1
b. 2
c. 4
d. 8

17. Which are the most important aspects to consider when designing the core layer in a large network? (Choose all that apply.)
a. Low cost
b. Switches that can efficiently forward traffic, even when every uplink is at 100 percent capacity
c. High port density of high-speed ports
d. A low number of Layer 3 routing peers
Foundation Topics

Hierarchical Network Design

A campus network is an enterprise network consisting of many LANs in one or more buildings, all connected and all usually in the same geographic area. A company typically owns the entire campus network and the physical wiring. Campus networks commonly consist of wired Ethernet LANs and shared wireless LANs.

An understanding of traffic flow is a vital part of the campus network design. You might be able to leverage high-speed LAN technologies and "throw bandwidth at a network" to improve traffic movement. However, the emphasis should be on providing an overall design that is tuned to known, studied, or predicted traffic flows. The network traffic can then be effectively moved and managed, and you can scale the campus network to support future needs.

As a starting point, consider the simple network shown in Figure 1-1. A collection of PCs, printers, and servers are all connected to the same network segment and use the 192.168.1.0 subnet. All devices on this network segment must share the available bandwidth.

Figure 1-1 Simple Shared Ethernet Network (one segment, subnet 192.168.1.0)

Recall that if two or more hosts try to transmit at the same time on a shared network, their frames will collide and interfere. When collisions occur, all hosts must become silent and wait to retransmit their data. The boundary around such a shared network is called a collision domain. In Figure 1-1, the entire shared segment represents one collision domain.

A network segment with six hosts might not seem crowded. Suppose the segment contains hundreds of hosts instead. Now the network might not perform very well if many of the hosts are competing to use the shared media. Through network segmentation, you can reduce the number of stations on a segment. This, in turn, reduces the size of the collision domain and lowers the probability of collisions because fewer stations will try to transmit at a given time.

Broadcast traffic can also present a performance problem on a Layer 2 network because all broadcast frames flood to reach all hosts on a network segment. If the segment is large, the broadcast traffic can grow in proportion and monopolize the available bandwidth. In addition, all hosts on the segment must listen to and process every broadcast frame. To contain broadcast traffic, the idea is to provide a barrier at the edge of a LAN segment so that broadcasts cannot pass or be forwarded outward. The extent of a Layer 2 network, where a broadcast frame can reach, is known as a broadcast domain.

To limit the size of a collision domain, you can connect smaller numbers of hosts to individual switch interfaces. Ideally, each host should connect to a dedicated switch interface so that they can operate in full-duplex mode, preventing collisions altogether. Switch interfaces do not propagate collisions, so each interface becomes its own collision domain even if several interfaces belong to a common VLAN.

In contrast, when broadcast traffic is forwarded, it is flooded across switch interface boundaries. In fact, broadcast frames will reach every switch interface in a VLAN. In other words, a VLAN defines the extent of a broadcast domain. To reduce the size of a broadcast domain, you can segment a network or break it up into smaller Layer 2 VLANs. The smaller VLANs must be connected by a Layer 3 device, such as a router or a multilayer switch, as shown in Figure 1-2. The simple network of Figure 1-1 now has two segments or VLANs interconnected by Switch A, a multilayer switch. A Layer 3 device cannot propagate a collision condition from one segment to another, and it will not forward broadcasts between segments.

Figure 1-2 Example of Network Segmentation (VLAN 1: 192.168.1.0 and VLAN 2: 192.168.2.0, interconnected by Switch A)

The network might continue to grow as more users and devices are added to it. Switch A has a limited number of ports, so it cannot directly connect to every device. Instead, the network segments can be grown by adding a new switch to each, as shown in Figure 1-3.

Figure 1-3 Expanding a Segmented Network (VLAN 1: 192.168.1.0 and VLAN 2: 192.168.2.0; Switch A, Switch B, Switch C)
Switch B aggregates traffic to and from VLAN 1, while Switch C aggregates VLAN 2. As the network continues to grow, more VLANs can be added to support additional applications or user communities. As an example, Figure 1-4 shows how Voice over IP (VoIP) has been implemented by placing IP phones into two new VLANs (10 and 20). The same two aggregating switches can easily support the new VLANs.

Figure 1-4 Network Growth Through New VLANs (labels: VLAN 1 192.168.1.0, VLAN 10 192.168.10.0, VLAN 2 192.168.2.0, VLAN 20 192.168.20.0; Switch A, Switch B, Switch C)

Predictable Network Model

Ideally, you should design a network with a predictable behavior in mind to offer low maintenance and high availability. For example, a campus network needs to recover from failures and topology changes quickly and in a predetermined manner. You should scale the network to easily support future expansions and upgrades. With a wide variety of multiprotocol and multicast traffic, the network should be capable of efficiently connecting users with the resources they need, regardless of location. In other words, design the network around traffic flows rather than a particular type of traffic.

Ideally, the network should be arranged so that all end users are located at a consistent distance from the resources they need to use. If one user at one corner of the network passes through two switches to reach an email server, any other user at any other location in the network should also require two switch hops for email service.

Cisco has refined a hierarchical approach to network design that enables network designers to organize the network into distinct layers of devices. The resulting network is efficient, intelligent, scalable, and easily managed.

Figure 1-4 can be redrawn to emphasize the hierarchy that is emerging. In Figure 1-5, two layers become apparent: the access layer, where switches are placed closest to the end users; and the distribution layer, where access layer switches are aggregated.
Figure 1-5 Two-Layer Network Hierarchy Emerges

As the network continues to grow with more buildings, more floors, and larger groups of users, the number of access switches increases. As a result, the number of distribution switches increases. Now things have scaled to the point where the distribution switches need to be aggregated. This is done by adding a third layer to the hierarchy, the core layer, as shown in Figure 1-6.

Figure 1-6 Core Layer Emerges

Traffic flows in a campus network can be classified as three types, based on where the network service or resource is located in relation to the end user. Figure 1-7 illustrates the flow types between a PC and some file servers, along with three different paths the traffic might take through the three layers of a network. Table 1-2 also lists the types and the extent of the campus network that is crossed going from any user to the service.
Figure 1-7 Traffic Flow Paths Through a Network Hierarchy (paths labeled Local, Remote, and Enterprise across the access, distribution, and core layers)

Table 1-2 Types of Network Services
Service Type | Location of Service | Extent of Traffic Flow
Local | Same segment/VLAN as user | Access layer only
Remote | Different segment/VLAN as user | Access to distribution layers
Enterprise | Central to all campus users | Access to distribution to core layers

Notice how easily the traffic paths can be described. Regardless of where the user is located, the traffic path always begins at the access layer and progresses into the distribution and perhaps into the core layers. Even a path between two users at opposite ends of the network becomes a consistent and predictable access > distribution > core > distribution > access layer.

Each layer has attributes that provide both physical and logical network functions at the appropriate point in the campus network. Understanding each layer and its functions or limitations is important to properly apply the layer in the design process.
Access Layer

The access layer exists where the end users are connected to the network. Access switches usually provide Layer 2 (VLAN) connectivity between users. Devices in this layer, sometimes called building access switches, should have the following capabilities:

- Low cost per switch port
- High port density
- Scalable uplinks to higher layers
- High availability
- Ability to converge network services (that is, data, voice, video)
- Security features and quality of service (QoS)

Distribution Layer

The distribution layer provides interconnection between the campus network's access and core layers. Devices in this layer, sometimes called building distribution switches, should have the following capabilities:

- Aggregation of multiple access layer switches
- High Layer 3 routing throughput for packet handling
- Security and policy-based connectivity functions
- QoS features
- Scalable and redundant high-speed links to the core and access layers

In the distribution layer, uplinks from all access layer devices are aggregated, or come together. The distribution layer switches must be capable of processing the total volume of traffic from all the connected devices. These switches should have a high port density of high-speed links to support the collection of access layer switches.

VLANs and broadcast domains converge at the distribution layer, requiring routing, filtering, and security. The switches at this layer also must be capable of routing packets with high throughput.

Notice that the distribution layer usually is a Layer 3 boundary, where routing meets the VLANs of the access layer.

Core Layer

A campus network's core layer provides connectivity between all distribution layer devices. The core, sometimes referred to as the backbone, must be capable of switching traffic as efficiently as possible. Core switches should have the following attributes:

- Very high Layer 3 routing throughput
- No costly or unnecessary packet manipulations (access lists, packet filtering)
- Redundancy and resilience for high availability
- Advanced QoS functions

Devices in a campus network's core layer or backbone should be optimized for high-performance switching. Because the core layer must handle large amounts of campus-wide data, the core layer should be designed with simplicity and efficiency in mind.

Although campus network design is presented as a three-layer approach (access, distribution, and core layers), the hierarchy can be collapsed or simplified in certain cases. For example, small or medium-size campus networks might not have the size or volume requirements that would require the functions of all three layers. In that case, you could combine the distribution and core layers for simplicity and cost savings. When the distribution and core layers are combined into a single layer of switches, a collapsed core network results.
Modular Network Design

Designing a new network that has a hierarchy with three layers is fairly straightforward. You can also migrate an existing network into a hierarchical design. The resulting network is organized, efficient, and predictable. However, a simple hierarchical design does not address other best practices like redundancy, in the case where a switch or a link fails, or scalability, when large additions to the network need to be added.

Consider the hierarchical network shown in the left portion of Figure 1-8. Each layer of the network is connected to the adjacent layer by single links. If a link fails, a significant portion of the network will become isolated. In addition, the access layer switches are aggregated into a single distribution layer switch. If that switch fails, all the users will become isolated.

Figure 1-8 Improving Availability in the Distribution and Access Layers
To mitigate a potential distribution switch failure, you can add a second, redundant distribution switch. To mitigate a potential link failure, you can add redundant links from each access layer switch to each distribution switch. These improvements are shown on the right in Figure 1-8.

One weakness is still present in the redundant design of Figure 1-8: The core layer has only one switch. If that core switch fails, users in the access layer will still be able to communicate with each other. However, they will not be able to reach other areas of the network, such as a data center, the Internet, and so on. To mitigate the effects of a core switch failure, you can add a second, redundant core switch, as shown in Figure 1-9. Redundant links should also be added between each distribution layer switch and each core layer switch.

Figure 1-9 Fully Redundant Hierarchical Network Design

The redundancy needed for the small network shown in Figure 1-9 is fairly straightforward. As the network grows and more redundant switches and redundant links are added into the design, the design can become confusing. For example, suppose many more access layer switches need to be added to the network of Figure 1-9 because several departments of users have moved into the building or into an adjacent building. Should the new access layer switches be dual-connected into the same two distribution switches? Should new distribution switches be added, too? If so, should each of the distribution switches be connected to every other distribution and every other core switch, creating a fully meshed network?

Figure 1-10 shows one possible network design that might result. With so many interconnecting links between switches, it becomes a "brain-buster" exercise to figure out where VLANs are trunked, what the spanning-tree topologies look like, which links should have Layer 3 connectivity, and so on. Users might have connectivity through this network, but it might not be clear how they are actually working or what has gone wrong if they are not working. This network looks more like a spider's web than an organized, streamlined design.
Figure 1-10 Network Growth in a Disorganized Fashion

To maintain organization, simplicity, and predictability, you can design a campus network in a logical manner, using a modular approach. In this approach, each layer of the hierarchical network model can be broken into basic functional units. These units, or modules, can then be sized appropriately and connected, while allowing for future scalability and expansion.

You can divide enterprise campus networks into the following basic elements or building blocks:

- Switch block: A group of access layer switches, together with their distribution switches. This is also called an access distribution block, named for the two switch layers that it contains. The dashed rectangles in Figures 1-8 through 1-10 represent typical switch blocks.
- Core: The campus network's backbone, which connects all switch blocks.

Other related elements can exist. Although these elements do not contribute to the campus network's overall function, they can be designed separately and added to the network design. For example, a data center containing enterprise resources or services can have its own access and distribution layer switches, forming a switch block that connects into the core layer. In fact, if the data center is very large, it might have its own core switches, too, which connect into the normal campus core.

Recall how a campus network is divided into access, distribution, and core layers. The switch block contains switching devices from the access and distribution layers. The switch block then connects into the core layer, providing end-to-end connectivity across the campus. As the network grows, you can add new access layer switches by connecting them into an existing pair of distribution switches, as shown in Figure 1-11. You could also add a completely new access distribution switch block that contains the areas of new growth, as shown in Figure 1-12.
Figure 1-11 Network Growth by Adding Access Switches to a Switch Block

Figure 1-12 Network Growth by Adding New Switch Blocks

Sizing a Switch Block

Containing access and distribution layer devices, the switch block is simple in concept. You should consider several factors, however, to determine an appropriate size for the switch block. The range of available switch devices makes the switch block size very flexible. At the access layer, switch selection is usually based on port density or the number of connected users.
The distribution layer must be sized according to the number of access layer switches that are aggregated or brought into a distribution device. Consider the following factors:

- Traffic types and patterns
- Amount of Layer 3 switching capacity at the distribution layer
- Total number of users connected to the access layer switches
- Geographic boundaries of subnets or VLANs

Designing a switch block based solely on the number of users or stations contained within the block is usually inaccurate. Usually, no more than 2000 users should be placed within a single switch block. Although this is useful for initially estimating a switch block's size, this idea doesn't take into account the many dynamic processes that occur on a functioning network. Instead, switch block size should be based primarily on the following:

- Traffic types and behavior
- Size and number of common workgroups

Because of the dynamic nature of networks, you can size a switch block too large to handle the load that is placed on it. Also, the number of users and applications on a network tends to grow over time. A provision to break up or downsize a switch block might be necessary as time passes. Again, base these decisions on the actual traffic flows and patterns present in the switch block. You can estimate, model, or measure these parameters with network-analysis applications and tools.

Note: The actual network-analysis process is beyond the scope of this book. Traffic estimation, modeling, and measurement are complex procedures, each requiring its own dedicated analysis tool.

Generally, a switch block is too large if the following conditions are observed:

- The routers (multilayer switches) at the distribution layer become traffic bottlenecks. This congestion could be because of the volume of inter-VLAN traffic, intensive CPU processing, or switching times required by policy or security functions (access lists, queuing, and so on).
- Broadcast or multicast traffic slows the switches in the switch block. Broadcast and multicast traffic must be replicated and forwarded out many ports simultaneously. This process requires some overhead in the multilayer switch, which can become too great if significant traffic volumes are present.
Switch Block Redundancy

In any network design, the potential always exists for some component to fail. For example, if an electrical circuit breaker is tripped or shuts off, a switch might lose power. A better design is to use a switch that has two independent power supplies. Each power supply could be connected to two power sources so that one source is always likely to be available to power the switch. In a similar manner, a single switch might have an internal problem that causes it to fail. A single link might go down because a media module fails, a fiber-optic cable gets cut, and so on. To design a more resilient network, you can implement most of the components in redundant pairs.

A switch block consists of two distribution switches that aggregate one or more access layer switches. Each access layer switch should have a pair of uplinks, one connecting to each distribution switch. The physical cabling is easy to draw, but the logical connectivity is not always obvious. For example, Figure 1-13 shows a switch block that has a single VLAN A that spans multiple access switches. You might find this where there are several separate physical switch chassis in an access layer room, or where two nearby communications rooms share a common VLAN. Notice from the shading how the single VLAN spans across every switch (both access and distribution) and across every link connecting the switches. This is necessary for the VLAN to be present on both access switches and to have redundant uplinks for high availability.

Figure 1-13 A Redundant Switch Block Design

Although this design works, it is not optimal. VLAN A must be carried over every possible link within the block to span both access switches. Both distribution switches must also support VLAN A because they provide the Layer 3 router function for all hosts on the VLAN. The two distribution switches can use one of several redundant gateway protocols to provide an active IP gateway and a standby gateway at all times. These protocols require Layer 2 connectivity between the distribution switches and are discussed in Chapter 18, "Layer 3 High Availability."

Notice how the shaded links connect to form two triangular loops. Layer 2 networks cannot remain stable or usable if loops are allowed to form, so some mechanism must be used to detect the loops and keep the topology loop free. In addition, the looped topology makes the entire switch block a single failure domain. If a host in VLAN A misbehaves or generates a tremendous amount of broadcast traffic, all the switches and links in the switch block could be negatively impacted.

A better design works toward keeping the switch block inherently free of Layer 2 loops. As Figure 1-14 shows, a loop-free switch block requires a unique VLAN on each access switch. In other words, VLANs are not permitted to span across multiple access switches. The extent of each VLAN, as shown by the shaded areas, becomes a V shape rather than a closed triangular loop.
Figure 1-14 Best Practice Loop-Free Switch Block Topology

The boundary between Layers 2 and 3 remains the same. All Layer 2 connectivity is contained within the access layer, and the distribution layer has only Layer 3 links. Without any potential Layer 2 loops, the switch block can become much more stable and much less reliant on any mechanisms to detect and prevent loops. Also, because each access switch has two dedicated paths into the distribution layer, both links can be fully utilized with traffic load balanced across them. In turn, each Layer 3 distribution switch can load balance traffic over its redundant links into the core layer using routing protocols.
It is also possible to push the Layer 3 boundary from the distribution layer down into the access layer, as long as the access switches can support routing functions. Figure 1-15 illustrates this design. Because Layer 3 links are used throughout the switch block, network stability is offered through the fast convergence of routing protocols and updates. Routing can also load balance packets across the redundant uplinks, making full use of every available link between the network layers.

Figure 1-15 A Completely Routed Switch Block

You should become familiar with a few best practices that can help with a redundant hierarchical network design:

- Design each layer with pairs of switches.
- Connect each switch to the next higher layer with two links for redundancy.
- Connect each pair of distribution switches with a link, but do not connect the access layer switches to each other (unless the access switches support some other means to function as one logical stack or chassis).
- Do not extend VLANs beyond distribution switches. The distribution layer should always be the boundary of VLANs, subnets, and broadcasts. Although Layer 2 switches can extend VLANs to other switches and other layers of the hierarchy, this activity is discouraged. VLAN traffic should not traverse the network core.
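The following added example (not from the book) audits a switch block topology against the best practices listed above and counts the Layer 2 loops that Figures 1-13 and 1-14 contrast. The switch names (A1, D1, C1), the `Link` type, and both sample topologies are constructed for illustration.

```python
"""Audit a switch block against the redundancy guidelines (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    vlans: frozenset = frozenset()  # empty set = routed (Layer 3) link


def closing_links(vlan_links):
    """Union-find over one VLAN's links; a link whose two ends are already
    connected closes a Layer 2 loop."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    closing = []
    for link in vlan_links:
        root_a, root_b = find(link.a), find(link.b)
        if root_a == root_b:
            closing.append(link)
        else:
            parent[root_a] = root_b
    return closing


def l2_loops(links):
    """Map each VLAN to the links that close a loop in its Layer 2 topology."""
    per_vlan = defaultdict(list)
    for link in links:
        for vlan in link.vlans:
            per_vlan[vlan].append(link)
    loops = {vlan: closing_links(vl) for vlan, vl in per_vlan.items()}
    return {vlan: closing for vlan, closing in loops.items() if closing}


def audit_switch_block(roles, links):
    """Return a list of findings; an empty list means the block follows the
    guidelines checked here."""
    findings = []
    uplinks = defaultdict(set)      # access switch -> distribution neighbours
    vlan_access = defaultdict(set)  # VLAN -> access switches that carry it
    for link in links:
        ends = {roles[link.a], roles[link.b]}
        if ends == {"access"}:
            findings.append(f"access-to-access link {link.a}-{link.b}")
        if "core" in ends and link.vlans:
            findings.append(f"VLANs extend toward the core on {link.a}-{link.b}")
        for near, far in ((link.a, link.b), (link.b, link.a)):
            if roles[near] != "access":
                continue
            if roles[far] == "distribution":
                uplinks[near].add(far)
            for vlan in link.vlans:
                vlan_access[vlan].add(near)
    for switch in sorted(s for s, r in roles.items() if r == "access"):
        if len(uplinks[switch]) != 2:
            findings.append(
                f"{switch} has {len(uplinks[switch])} distribution uplink(s), expected 2")
    for vlan, switches in sorted(vlan_access.items()):
        if len(switches) > 1:
            findings.append(f"VLAN {vlan} spans access switches {sorted(switches)}")
    for vlan, closing in sorted(l2_loops(links).items()):
        findings.append(f"VLAN {vlan} has {len(closing)} Layer 2 loop(s)")
    return findings


# Constructed sample data: two access (A), two distribution (D), two core (C).
ROLES = {"A1": "access", "A2": "access", "D1": "distribution",
         "D2": "distribution", "C1": "core", "C2": "core"}
CORE_LINKS = [Link(d, c) for d in ("D1", "D2") for c in ("C1", "C2")]
VLAN_A = frozenset({"A"})
VLAN_B = frozenset({"B"})
# Figure 1-13 style: VLAN A carried on every link inside the block.
SPANNED = [Link("A1", "D1", VLAN_A), Link("A1", "D2", VLAN_A),
           Link("A2", "D1", VLAN_A), Link("A2", "D2", VLAN_A),
           Link("D1", "D2", VLAN_A)] + CORE_LINKS
# Figure 1-14 style: one VLAN per access switch, routed distribution link.
LOOP_FREE = [Link("A1", "D1", VLAN_A), Link("A1", "D2", VLAN_A),
             Link("A2", "D1", VLAN_B), Link("A2", "D2", VLAN_B),
             Link("D1", "D2")] + CORE_LINKS

if __name__ == "__main__":
    for name, links in (("spanned", SPANNED), ("loop-free", LOOP_FREE)):
        print(name, audit_switch_block(ROLES, links) or "no findings")
```

The spanned design reports two loops for VLAN A, matching the two triangular loops described for Figure 1-13, while the per-switch VLAN design produces no findings.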
Network Core

A core layer is required to connect two or more switch blocks in a campus network. Because all traffic passing to and from all switch blocks must cross the core, the core layer must be as efficient and resilient as possible. The core is the campus network's basic foundation and carries much more traffic than any other switch block.

Recall that both the distribution and core layers provide Layer 3 functionality. Preferably, the links between distribution and core layer switches should be Layer 3 routed interfaces. You can also use Layer 2 links that carry a small VLAN bounded by the two switches. In the latter case, a Layer 3 switch virtual interface (SVI) is used to provide routing within each small VLAN.

The links between layers should be designed to carry the amount of traffic load handled by the distribution switches, at a minimum. The links between core switches should be of sufficient size to carry the aggregate amount of traffic coming into one of the core switches. Consider the average link utilization, but allow for future growth. An Ethernet core allows simple and scalable upgrades of magnitude; consider the progression from Gigabit Ethernet to 10-Gigabit Ethernet (10GE), and so on.

A core should consist of two multilayer switches that connect two or more switch blocks in a redundant fashion. A redundant core is sometimes called a dual core because it is usually built from two identical switches. Figure 1-16 illustrates the core. Notice that this core appears as an independent module and is not merged into any other block or layer.
Figure 1-16 A Redundant Core Layer

Redundant links connect each switch block's distribution layer portion to each of the dual core switches. The two core switches connect by a common link.

With a redundant core, each distribution switch has two equal-cost paths into the core, allowing the available bandwidth of both paths to be used simultaneously. Both paths remain active because the distribution and core layers use Layer 3 devices that can manage equal-cost paths in routing tables. The routing protocol in use determines the availability or loss of a neighboring Layer 3 device. If one switch fails, the routing protocol reroutes traffic using an alternative path through the remaining redundant switch.

If the campus network continues to grow to the point that it spans two large buildings or two large locations, the core layer can be replicated, as shown in Figure 1-17. Notice how the two-node redundant core has been expanded to include four core switches. This is known as a multinode core. Each of the four core switches is connected to the other core switches to form a fully meshed core layer.

Figure 1-17 Using a Multi-Node Core in a Very Large Campus Network
Even though the multinode core is fully meshed, the campus network is still divided across the two pairs of core switches. Each switch block has redundant connections to only one core pair, not to all of the core switches.

Collapsed Core

Should all networks have a distinct redundant core layer? Perhaps not, in smaller campus networks, where the cost and scalability of a separate core layer is not warranted. A collapsed core block is one in which the hierarchy's core layer is collapsed into the distribution layer. Here, both distribution and core functions are provided within the same switch devices.

Figure 1-18 shows the basic collapsed core design. Although the distribution and core layer functions are performed in the same device, keeping these functions distinct and properly designed is important. Note also that the collapsed core is not an independent building block but is integrated into the distribution layer of the individual standalone switch blocks.

Figure 1-18 A Collapsed Core Network Design

In the collapsed core design, each access layer switch has a redundant link to each distribution layer switch. All Layer 3 subnets present in the access layer terminate at the distribution switches' Layer 3 ports, as in the basic switch block design. The distribution switches connect to each other with redundant links, completing a path to use during a failure.

Core Size in a Campus Network

The core layer is made up of redundant switches and is bounded and isolated by Layer 3 devices. Routing protocols determine paths and maintain the core's operation. As with any network, you must pay some attention to the overall design of the routers and routing protocols in the network. Because routing protocols propagate updates throughout the network, network topologies might be undergoing change. The network's size (the number of routers) then affects routing protocol performance as updates are exchanged and network convergence takes place.

Although the network shown previously in Figure 1-16 might look small, with only two switch blocks of two Layer 3 switches (route processors within the distribution layer switches) each, large campus networks can have many switch blocks connected into the core. If you think of each multilayer switch as a router, you will recall that each route processor must communicate with and keep information about each of its directly connected peers. Most routing protocols have practical limits on the number of peer routers that can be directly connected on a point-to-point or multiaccess link. In a network with a large number of switch blocks, the number of connected routers can grow quite large. Should you be concerned about a core switch peering with too many distribution switches?

No, because the actual number of directly connected peers is quite small, regardless of the campus network size. Access layer VLANs terminate at the distribution layer switches (unless the access layer is configured for Layer 3 operation). The only peering routers at that boundary are pairs of distribution switches, each providing routing redundancy for each of the access layer VLAN subnets. At the distribution and core boundary, each distribution switch connects to only two core switches over Layer 3 switch interfaces. Therefore, only pairs of router peers are formed.

When multilayer switches are used in the distribution and core layers, the routing protocols running in both layers regard each pair of redundant links between layers as equal-cost paths. Traffic is routed across both links in a load-sharing fashion, utilizing the bandwidth of both.

One final core layer design point is to scale the core switches to match the incoming load. At a minimum, each core switch must handle switching each of its incoming distribution links at 100 percent capacity.
Cisco Products in a Hierarchical Network Design

Before delving into the design practices needed to build a hierarchical campus network, you should have some idea of the actual devices that you can place at each layer. Cisco has switching products tailored for layer functionality and for the size of the campus network.

For the purposes of this discussion, a large campus can be considered to span across many buildings. A medium campus might make use of one or several buildings, and a small campus might have only a single building.

Choose your Cisco products based on the functionality that is expected at each layer of a small, medium, or large campus. Do not get lost in the details of the tables. Rather, try to understand which switch fits into which layer for a given network size.

In the access layer, high port density, Power over Ethernet (PoE), and low cost are usually desirable. The Catalyst 2960-X, 3650, and 3850 switches provide 48 ports each. Like switch models can be connected to form a single logical switch when a greater number of ports is needed. The Catalyst 4500E is a single-switch chassis that can be populated with a variety of line cards. It also offers a choice of redundant supervisor modules that offer redundancy and even the ability to perform software upgrades with no impact to the production network. Table 1-3 describes some Cisco switch platforms that are commonly used in the access layer.
Table 1-3 Common Access Layer Switch Platforms
Catalyst Model | Max Port Density | Uplinks | Max Backplane | Other Features
2960-X | 384 (Up to 8 48-port switches in a stack) | 2 10GE or 4 1 Gigabit Ethernet per switch | 80 Gbps | RIP, OSPF available for routed access layer; PoE+
3650 | 432 (Up to 9 48-port switches in a stack) | 2 Gigabit Ethernet or 4 10GE | 160 Gbps | Full-featured routing available, integrated wireless controller, PoE+
3850 | 432 (Up to 9 48-port switches in a stack) | 4 Gigabit Ethernet, 4 10GE | 480 Gbps | Full-featured routing available, integrated wireless controller, PoE+, UPoE
4500E | 384 (Up to 8 48-port modules per chassis) | Up to 12-port 10GE per module | 928 Gbps | Dual supervisors, full-featured routing available, integrated wireless controller, PoE+, UPoE
The distribution and core layers are very similar in function and switching features. Generally, these layers require high Layer 3 switching throughput and a high density of high-bandwidth optical media. Cisco offers the Catalyst 3750-X, 4500-X, 4500E, and 6800, as summarized in Table 1-4.

Table 1-4 Common Distribution and Core Layer Switch Platforms
Catalyst Model | Max Port Density | Max Backplane | Other Features
4500-X | 80 10GE | 1.6 Tbps | Dual-chassis Virtual Switching System (VSS) redundancy
4500E | 96 10GE or 384 Gigabit Ethernet | 928 Gbps | Dual supervisors
6807-XL | 40 40Gbps, 160 Gigabit Ethernet, 480 Gigabit Ethernet | 22.8 Tbps | Dual supervisor, dual-chassis VSS redundancy
Exam Preparation Tasks

Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 1-5 lists a reference of these key topics and the page numbers on which each is found.

Table 1-5 Key Topics for Chapter 1

Key Topic Element | Description | Page Number
Paragraph | Describes the Cisco hierarchical network design principles | 9
Paragraph | Describes the access layer | 12
Paragraph | Describes the distribution layer | 12
Paragraph | Describes the core layer | 12
Paragraph | Explains modular network design using switch blocks | 15
Paragraph | Discusses the pitfalls of letting VLANs span access layer switches | 18
Paragraph | Discusses two best practice designs for switch block redundancy | 19
Paragraph | Explains a redundant core design | 21

Complete Tables and Lists from Memory
There are no memory tables in this chapter.

Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
hierarchical network design, access layer, distribution layer, core layer, switch block, collapsed core, dual core
This chapter covers the following topics that you need to master for the CCNP SWITCH exam:
- Layer 2 Switch Operation: This section describes the functionality of a switch that forwards Ethernet frames.
- Multilayer Switch Operation: This section describes the mechanisms that forward packets at OSI Layers 3 and 4.
- Tables Used in Switching: This section explains how tables of information and computation are used to make switching decisions. Coverage focuses on the content-addressable memory table involved in Layer 2 forwarding, and the ternary content-addressable memory used in packet-handling decisions at Layers 2 through 4.
- Managing Switching Tables: This section reviews the Catalyst commands that you can use to configure and monitor the switching tables and memory. You will find these commands useful when troubleshooting or tracing the sources of data or problems in a switched network.
CHAPTER 2
Switch Operation

To have a good understanding of the many features that you can configure on a Catalyst switch, you first should understand the fundamentals of the switching function. This chapter serves as a primer, describing how an Ethernet switch works. It presents Layer 2 forwarding, along with the hardware functions that make forwarding possible. Multilayer switching is also explained. A considerable portion of the chapter deals with the memory architecture that performs switching at Layers 3 and 4 both flexibly and efficiently. This chapter also provides a brief overview of useful switching table management commands.

"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt based on your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 2-1 outlines the major headings in this chapter and the "Do I Know This Already?" quiz questions that go with them. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 2-1 "Do I Know This Already?" Foundation Topics Section-to-Question Mapping

Foundation Topics Section | Questions Covered in This Section
Layer 2 Switch Operation | 1-5
Multilayer Switch Operation | 6-9
Switching Tables | 10-11
Troubleshooting Switching Tables | 12

1. Which of the following devices performs transparent bridging?
a. Ethernet hub
b. Layer 2 switch
c. Layer 3 switch
d. Router
2. When a PC is connected to a Layer 2 switch port, how far does the collision domain spread?
a. No collision domain exists.
b. One switch port.
c. One VLAN.
d. All ports on the switch.

3. What information is used to forward frames in a Layer 2 switch?
a. Source MAC address
b. Destination MAC address
c. Source switch port
d. IP addresses

4. What does a switch do if a MAC address cannot be found in the CAM table?
a. The frame is forwarded to the default port.
b. The switch generates an ARP request for the address.
c. The switch floods the frame out all ports (except the receiving port).
d. The switch drops the frame.

5. In a Catalyst switch, frames can be filtered with access lists for security and QoS purposes. This filtering occurs according to which of the following?
a. Before a CAM table lookup
b. After a CAM table lookup
c. Simultaneously with a CAM table lookup
d. According to how the access lists are configured

6. Access list contents can be merged into which of the following?
a. CAM table
b. TCAM table
c. FIB table
d. ARP table

7. Multilayer switches using CEF are based on which of these techniques?
a. Route caching
b. NetFlow switching
c. Topology-based switching
d. Demand-based switching
8. Which answer describes multilayer switching with CEF?
a. The first packet is routed and then the flow is cached.
b. The switch supervisor CPU forwards each packet.
c. The switching hardware learns station addresses and builds a routing database.
d. A single database of routing information is built for the switching hardware.

9. In a switch, frames are placed in which buffer after forwarding decisions are made?
a. Ingress queues
b. Egress queues
c. CAM table
d. TCAM

10. What size are the mask and pattern fields in a TCAM entry?
a. 64 bits
b. 128 bits
c. 134 bits
d. 168 bits

11. Access list rules are compiled as TCAM entries. When a packet is matched against an access list, in what order are the TCAM entries evaluated?
a. Sequentially in the order of the original access list.
b. Numerically by the access list number.
c. Alphabetically by the access list name.
d. All entries are evaluated in parallel.

12. Which Catalyst IOS command can you use to display the addresses in the CAM table?
a. show cam
b. show mac address-table
c. show mac
d. show cam address-table
Foundation Topics

Layer 2 Switch Operation

Consider a simple network that is built around many hosts that all share the same available bandwidth. This is known as a shared media network and was used in early legacy LANs made up of Ethernet hubs. The carrier sense multiple access collision detect (CSMA/CD) scheme determines when a device can transmit data on the shared LAN.

When more than one host tries to talk at one time, a collision occurs, and everyone must back off and wait to talk again. This forces every host to operate in half-duplex mode, by either talking or listening at any given time. In addition, when one host sends a frame, all connected hosts hear it. When one host generates a frame with errors, everyone hears that, too. This type of LAN is a collision domain because all device transmissions are susceptible to collisions.

An Ethernet switch operates at OSI Layer 2, making decisions about forwarding frames based on the destination MAC addresses found within the frames. This means that the Ethernet media is no longer shared among connected devices. Instead, at its most basic level, an Ethernet switch provides isolation between connected hosts in several ways:
- The collision domain's scope is severely limited. On each switch port, the collision domain consists of the switch port itself and the devices directly connected to that port: either a single host or, if a shared-media hub is connected, the set of hosts connected to the hub.
- Host connections can operate in full-duplex mode because there is no contention on the media. Hosts can talk and listen at the same time.
- Bandwidth is no longer shared. Instead, each switch port offers dedicated bandwidth across a switching fabric to another switch port. (These frame forwarding paths change dynamically.)
- Errors in frames are not propagated. Each frame received on a switch port is checked for errors. Good frames are regenerated when they are forwarded or transmitted. This is known as store-and-forward switching technology: Packets are received, stored for inspection, and then forwarded.
- You can limit broadcast traffic to a volume threshold.
- Other types of intelligent filtering or forwarding become possible.
Transparent Bridging

A Layer 2 switch is basically a multiport transparent bridge, where each switch port is its own Ethernet LAN segment, isolated from the others. Frame forwarding is based completely on the MAC addresses contained in each frame, such that the switch will not forward a frame unless it knows the destination's location. (When the switch does not know where the destination is, it makes some safe assumptions.) Figure 2-1 shows the progression from a two-port to a multiport transparent bridge, and then to a Layer 2 switch.
[Diagram: a two-port transparent bridge, a multiport bridge (ports 1-8), and a Layer 2 switch (ports 1-16, assigned to VLAN X, VLAN Y, and other VLANs), each shown with its forwarding table.]

Transparent bridge forwarding table:
0000.1111.1111: port 2
0000.2222.2222: port 1
0000.3333.3333: port 1
0000.4444.4444: port 2
Broadcast: all ports

Multiport bridge forwarding table:
0000.1111.1111: port 4
0000.2222.2222: port 6
0000.3333.3333: port 1
0000.4444.4444: port 2
0000.5555.5555: port 8
0000.6666.6666: port 5
0000.7777.7777: port 3
0000.8888.8888: port 7
Broadcast: all ports

Layer 2 switch forwarding table:
0000.1111.1111: port 11, vlan X
0000.2222.2222: port 6, vlan Y
0000.3333.3333: port 1, vlan X
0000.4444.4444: port 9, vlan X
0000.5555.5555: port 8, vlan Y
0000.6666.6666: port 14, vlan Y
0000.7777.7777: port 3, vlan X
0000.8888.8888: port 16, vlan Y
Broadcast: VLAN X: all VLAN X ports
Broadcast: VLAN Y: all VLAN Y ports
Figure 2-1 A Comparison of Transparent Bridges and Switches

The entire process of forwarding Ethernet frames then becomes figuring out what MAC addresses connect to which switch ports. For example, the Layer 2 switch in Figure 2-1 knows that the device using MAC address 0000.5555.5555 is located on switch port 8, which is assigned to VLAN Y. It also knows that frames arriving on VLAN Y and destined for the broadcast MAC address must be flooded out all ports that are assigned to VLAN Y.

A switch either must be told explicitly where hosts are located or must learn this information for itself. You can configure MAC address locations through a switch's command-line interface, but this quickly gets cumbersome when there are many stations on the network or when stations move around from one switch port to another.
To dynamically learn about station locations, a switch listens to incoming frames and keeps a table of address information. In Figure 2-1, this information is kept in a forwarding table. As a frame is received on a switch port, the switch inspects the source MAC address. If that address is not in the address table already, the MAC address, switch port, and virtual LAN (VLAN) on which it arrived are recorded in the table. Learning the address locations of the incoming packets is easy and straightforward.

Incoming frames also include the destination MAC address. Again, the switch looks up this address in the address table, hoping to find the switch port and VLAN where the destination address is attached. If it is found, the frame can be forwarded out the corresponding switch port. If the address is not found in the table, the switch must take more drastic action: The frame is forwarded in a "best effort" fashion by flooding it out all switch ports assigned to the source VLAN. This is known as unknown unicast flooding, because the location of the unicast destination is unknown.

Figure 2-2 illustrates this process, using only a single VLAN for simplification. Suppose, for instance, that a packet arrives on switch port 3, containing destination MAC address 0000.aaaa.aaaa. The switch looks for that MAC address in its forwarding table, but is unable to find a matching entry. The switch then floods copies of the packet out every other port that is assigned to port 3's VLAN, to increase the likelihood that 0000.aaaa.aaaa will eventually receive the packet that is destined for it.

If the destination is the broadcast MAC address, the switch knows that the frame should be flooded out all ports on the VLAN.
[Diagram: a packet to 0000.aaaa.aaaa arrives on port 3 of an eight-port switch; the address is not in the forwarding table, so copies of the packet are flooded out the other ports (unknown unicast flooding).]
Figure 2-2 Unknown Unicast Flooding

A switch constantly listens to incoming frames on each of its ports, learning source MAC addresses. However, be aware that the learning process is allowed only when the Spanning Tree Protocol (STP) algorithm has decided that a port is stable for normal use. STP is concerned only with maintaining a loop-free network, where frames will not be forwarded recursively. If a loop formed, a flooded frame could follow the looped path, where it would be flooded again and again. STP is covered in greater detail in Chapters 6, "Traditional Spanning Tree Protocol," through 9, "Advanced Spanning Tree Protocol."

In a similar manner, frames containing a broadcast or multicast destination address are also flooded. These destination addresses are not unknown; the switch knows them well because they use standardized address values. For example, the Ethernet broadcast address is always ffff.ffff.ffff, IPv4 multicast addresses always begin with 01xx.xxxx.xxxx, and IPv6 multicast addresses begin with 3333.xxxx.xxxx. These addresses are destined for multiple locations, so they must be flooded by definition. In the case of multicast addresses, flooding is performed by default unless more specific recipient locations have been learned.
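
The learning and flooding rules described above can be traced in a small model. This is an added example, not code from the book; the class, function names, and topology are hypothetical, and STP state is supplied as a plain set of forwarding ports rather than computed.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low-order bit of the first octet set."""
    return int(mac.replace(".", "")[:2], 16) & 1 == 1


@dataclass
class L2Switch:
    port_vlan: dict                           # port number -> VLAN (access ports)
    stp_forwarding: set                       # ports STP has declared stable (assumed input)
    cam: dict = field(default_factory=dict)   # (vlan, mac) -> egress port

    def receive(self, port: int, src: str, dst: str) -> list:
        """Process one frame and return the sorted list of egress ports."""
        if port not in self.stp_forwarding:
            return []                         # no learning or forwarding until STP allows it
        vlan = self.port_vlan[port]
        if not is_group_address(src):
            self.cam[(vlan, src)] = port      # learn, or refresh after a station move
        flood_ports = sorted(p for p, v in self.port_vlan.items()
                             if v == vlan and p != port and p in self.stp_forwarding)
        if is_group_address(dst):
            return flood_ports                # broadcast/multicast (no group learning modeled)
        egress = self.cam.get((vlan, dst))
        if egress is None:
            return flood_ports                # unknown unicast flooding
        if egress == port:
            return []                         # destination sits on the ingress segment
        return [egress]


def demo() -> dict:
    # Constructed topology: ports 1-4 in VLAN X, ports 5-6 in VLAN Y.
    # Port 4 is not yet in the STP forwarding state.
    sw = L2Switch(port_vlan={1: "X", 2: "X", 3: "X", 4: "X", 5: "Y", 6: "Y"},
                  stp_forwarding={1, 2, 3, 5, 6})
    out = {}
    out["unknown"] = sw.receive(3, "0000.3333.3333", "0000.aaaa.aaaa")
    out["reply"] = sw.receive(1, "0000.aaaa.aaaa", "0000.3333.3333")
    out["known"] = sw.receive(3, "0000.3333.3333", "0000.aaaa.aaaa")
    out["broadcast"] = sw.receive(5, "0000.5555.5555", BROADCAST)
    out["blocked"] = sw.receive(4, "0000.4444.4444", "0000.3333.3333")
    out["moved"] = (sw.receive(2, "0000.aaaa.aaaa", BROADCAST),
                    sw.receive(3, "0000.3333.3333", "0000.aaaa.aaaa"))
    out["cam"] = dict(sw.cam)
    return out
```

Until the destination has sent a frame of its own, every forwarding port in the VLAN receives a copy of the traffic addressed to it; flooding never crosses into another VLAN.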
Follow That Frame!

You should have a basic understanding of the operations that a frame undergoes as it passes through a Layer 2 switch. This helps you get a firm grasp on how to configure the switch for complex functions. Figure 2-3 shows a typical Layer 2 Catalyst switch and the decision processes that take place to forward each frame.
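[Diagram: RX switch ports, ingress queues, then three lookups: L2 forwarding table (CAM), security ACLs inbound and outbound (TCAM), and QoS ACLs classification and policing (TCAM), with a permit, deny, or other result; then egress queues and TX switch ports. The CAM table holds MAC address, egress port, and VLAN.]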
Figure 2-3 Operations Within a Layer 2 Catalyst Switch

When a frame arrives at a switch port, it is placed into one of the port's ingress queues. The queues each can contain frames to be forwarded, with each queue having a different priority or service level. The switch port then can be fine-tuned so that important frames get processed and forwarded before less-important frames. This can prevent time-critical data from being "lost in the shuffle" during a flurry of incoming traffic.

As the ingress queues are serviced and a frame is pulled off, the switch must figure out not only where to forward the frame, but also whether it should be forwarded and how. Three fundamental decisions must be made: one concerned with finding the egress switch port, and two concerned with forwarding policies. All these decisions are made simultaneously by independent portions of switching hardware and can be described as follows:
- L2 forwarding table: The frame's destination MAC address is used as an index, or key, into the content-addressable memory (CAM), or address, table. If the address is found, the egress switch port and the appropriate VLAN ID are read from the table. (If the address is not found, the frame is marked for flooding so that it is forwarded out every switch port in the VLAN.)
- Security ACLs: Access control lists (ACLs) can be used to identify frames according to their MAC addresses, protocol types (for non-IP frames), IP addresses, protocols, and Layer 4 port numbers. The ternary content-addressable memory (TCAM) contains ACLs in a compiled form so that a decision can be made on whether to forward a frame in a single table lookup.
- QoS ACLs: Other ACLs can classify incoming frames according to quality of service (QoS) parameters, to police or control the rate of traffic flows, and to mark QoS parameters in outbound frames. The TCAM is also used to make these decisions in a single table lookup.

The CAM and TCAM tables are discussed in greater detail in the "Content-Addressable Memory" and "Ternary Content-Addressable Memory" sections, later in this chapter. After the CAM and TCAM table lookups have occurred, the frame is placed into the appropriate egress queue on the appropriate outbound switch port. The egress queue is determined by QoS values either contained in the frame or passed along with the frame. Like the ingress queues, the egress queues are serviced according to importance or time criticality; higher priority frames are sent out without being delayed by other outbound traffic.
Multilayer Switch Operation

Many Cisco Catalyst switches can also forward frames based on Layers 3 and 4 information contained in packets. This is known as multilayer switching (MLS). Naturally, Layer 2 switching is performed at the same time because even the higher-layer encapsulations still are contained in Ethernet frames.
Types of Multilayer Switching

Catalyst switches have supported two basic generations or types of MLS: route caching (first-generation MLS) and topology based (second-generation MLS). This section presents an overview of both, although only the second generation is supported in the Cisco IOS Software-based switch families, such as the Catalyst 2960, 3750, 4500, and 6500. You should understand the two types and the differences between them:
- Route caching: The first generation of MLS, requiring a route processor (RP) and a switch engine (SE). The RP must process a traffic flow's first packet to determine the destination. The SE listens to the first packet and to the resulting destination, and then sets up a "shortcut" entry in its MLS cache. The SE forwards subsequent packets belonging to the same traffic flow based on shortcut entries in its cache.
  This type of MLS also is known by the names NetFlow LAN switching, flow-based or demand-based switching, and "route once, switch many." The RP must examine each new traffic flow and set up shortcut entries for the SE. Even if this method isn't used to forward packets in Cisco IOS-based Catalyst switches, the technique can still be used to generate traffic flow information and statistics.
- Topology based: The second generation of MLS, utilizing specialized hardware, is also organized with distinct RP and SE functions. The RP uses Layer 3 routing information to build and prepopulate a single database of the entire known network topology. This database becomes an efficient table lookup in hardware, and is consulted so that packets can be forwarded at high rates by the SE. The longest match found in the database is used as the correct Layer 3 destination. As the routing topology changes over time, the database contained in the hardware can be updated dynamically with no performance penalty.
  This type of MLS is known as Cisco Express Forwarding (CEF). A routing process running on the switch downloads the current routing table database into the Forwarding Information Base (FIB) area of hardware. CEF is discussed in greater detail in Chapter 11, "Multilayer Switching."
Tip: Although the RP and SE functions within a multilayer switch do interact, they can operate independently, as if they are on different "planes." The control plane of a switch includes the RP and any process that runs to control or manage the switch, whereas the data plane exists in the SE, where data is forwarded.

Follow That Packet!

The path that a Layer 3 packet follows through a multilayer switch is similar to that of a Layer 2 switch. Obviously, some means of making a Layer 3 forwarding decision must be added. Beyond that, several, sometimes unexpected, things can happen to packets as they are forwarded.

Figure 2-4 shows a typical multilayer switch and the decision processes that must occur. Packets arriving on a switch port are placed in the appropriate ingress queue, just as in a Layer 2 switch.
[Diagram: RX switch ports, ingress queues, then four lookups: L2 forwarding table (CAM), L3 forwarding table (FIB), security ACLs inbound and outbound (TCAM), and QoS ACLs classification and policing (TCAM), with a permit, deny, or other result; then L3 packet rewrite, egress queues, and TX switch ports. The CAM table holds MAC address, egress port, and VLAN; the FIB table holds IP address, next-hop IP address, next-hop MAC address, and egress port.]
Figure 2-4 Operations Within a Multilayer Catalyst Switch

Each packet is pulled off an ingress queue and inspected for both Layer 2 and Layer 3 destination addresses. Now, the decision of where to forward the packet is based on two address tables, whereas the decision of how to forward the packet still is based on access list results. All the multilayer switching decisions are performed simultaneously in hardware, using the following functions:
- L2 forwarding table: The destination MAC address is used as an index into the CAM table. If the frame contains a Layer 3 packet that needs to be forwarded from one subnet to another, the destination MAC address will contain the address of a Layer 3 port on the switch itself. In this case, the CAM table results are used only to decide that the frame should be processed at Layer 3.
- L3 forwarding table: The FIB table is consulted, using the destination IP address as an index. The longest match in the table is found (both address and mask), and the resulting next-hop Layer 3 address is obtained. The FIB also contains each next-hop router's Layer 2 MAC address and the egress switch port (and VLAN ID) so that further table lookups are not necessary.
- Security ACLs: Inbound and outbound access lists are compiled into TCAM entries so that decisions of whether to forward a packet can be determined as a single table lookup.
- QoS ACLs: Packet classification, policing, and marking all can be performed as single table lookups in the QoS TCAM.

As with Layer 2 switching, the packet finally must be placed in the appropriate egress queue on the appropriate egress switch port.

During the multilayer switching process, some portions of the frame must be modified or rewritten, just as any router would do. For example, the destination MAC address in the inbound frame contains the address of the next-hop destination, which is the ingress Layer 3 interface on the multilayer switch. Once the FIB table is consulted, the next-hop router IP and MAC addresses are found.

The next-hop Layer 2 address must be put into the frame in place of the original destination address (the multilayer switch). The frame's Layer 2 source address also must become that of the multilayer switch's egress interface before the frame is sent on to the next hop. As any good router must do, the time-to-live (TTL) value in the Layer 3 packet must be decremented by one.

Because the contents of the Layer 3 packet (the TTL value) have changed, the Layer 3 header checksum must be recalculated. And because both Layers 2 and 3 contents have changed, the Layer 2 checksum must be recalculated. In other words, the entire Ethernet frame must be rewritten before it goes into the egress queue. This also is accomplished efficiently in hardware.
Multilayer Switching Exceptions

To forward packets using the simultaneous decision processes described in the preceding section, the packet must be "MLS ready" and must require no additional decisions. For example, CEF can directly forward most IP and IPv6 packets between hosts. This occurs when the source and destination addresses (both MAC and IP) are already known and no other IP parameters must be manipulated.

Other packets cannot be directly forwarded by CEF and must be handled in more detail. This is done by a quick inspection during the forwarding decisions. If a packet meets criteria such as the following, it is flagged for further processing and sent or "punted" to the switch CPU for process switching:
- ARP requests and replies
- IP packets requiring a response from a router (TTL has expired, maximum transmission unit [MTU] is exceeded, fragmentation is needed, and so on)
- IP broadcasts that will be relayed as unicast (Dynamic Host Configuration Protocol [DHCP] requests, IP helper-address functions)
- Routing protocol updates
- Cisco Discovery Protocol (CDP) packets
- Packets needing encryption
- Packets triggering Network Address Translation (NAT)
- Legacy multiprotocol packets (IPX, AppleTalk, and so on)

As you might expect, packets that are punted to the CPU cannot be forwarded as efficiently as ones that can be forwarded in hardware directly. The additional processing takes additional time and consumes CPU resources. Ideally, all packets should be forwarded in hardware, but that is not always possible.
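
The FIB longest-match lookup, the frame rewrite, and the TTL punt described above, worked through in software as an added example. It is not code from the book and does not model Catalyst hardware; the function names, addresses, and FIB entries are constructed, and punting a packet with no FIB match is an assumption of this sketch.

```python
import ipaddress
import struct
import zlib


def mac_bytes(mac: str) -> bytes:
    """Cisco dotted notation (0000.1111.1111) -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", ""))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def add_fcs(frame: bytes) -> bytes:
    """Append the Ethernet FCS (CRC-32, least significant byte first)."""
    return frame + struct.pack("<I", zlib.crc32(frame))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload=b"data") -> bytes:
    """Constructed Ethernet II + IPv4 test frame with FCS; payload is opaque."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 253, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return add_fcs(mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + hdr + payload)


class Fib:
    """prefix -> (next-hop MAC, egress port, egress interface MAC), precomputed."""

    def __init__(self, entries: dict):
        self.entries = {ipaddress.ip_network(p): v for p, v in entries.items()}

    def lookup(self, dst: ipaddress.IPv4Address):
        matches = [n for n in self.entries if dst in n]
        return self.entries[max(matches, key=lambda n: n.prefixlen)] if matches else None


def l3_forward(frame: bytes, fib: Fib):
    """Return ("forward", egress_port, rewritten_frame) or ("punt", reason, frame)."""
    body = frame[:-4]                                # strip the old FCS
    ihl = (body[14] & 0x0F) * 4
    header = bytearray(body[14:14 + ihl])
    if header[8] <= 1:                               # TTL would expire: CPU must respond
        return ("punt", "TTL expired", frame)
    hit = fib.lookup(ipaddress.IPv4Address(bytes(header[16:20])))
    if hit is None:                                  # assumption of this sketch
        return ("punt", "no FIB entry", frame)
    next_hop_mac, port, egress_mac = hit
    header[8] -= 1                                   # decrement TTL by one
    header[10:12] = b"\x00\x00"                      # zero the field, then recompute
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    rewritten = (mac_bytes(next_hop_mac) + mac_bytes(egress_mac)
                 + body[12:14] + bytes(header) + body[14 + ihl:])
    return ("forward", port, add_fcs(rewritten))     # new Layer 2 checksum


# Constructed FIB: the /24 is the longer match for 10.1.2.3.
FIB = Fib({
    "10.0.0.0/8": ("0000.2222.2222", 1, "0000.0c00.0001"),
    "10.1.2.0/24": ("0000.3333.3333", 6, "0000.0c00.0006"),
})


def demo(ttl: int = 64):
    frame = build_frame("0000.0c00.0003", "0000.1111.1111", "192.168.1.10", "10.1.2.3", ttl)
    return frame, l3_forward(frame, FIB)
```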
Tables Used in Switching

Catalyst switches maintain several types of tables to be used in the switching process. The tables are tailored for Layer 2 switching or MLS and are kept in very fast memory so that many fields within a frame or packet can be compared in parallel.

Content-Addressable Memory

All Catalyst switch models use a CAM table for Layer 2 switching. As frames arrive on switch ports, the source MAC addresses are learned and recorded in the CAM table. The