ccnp routing ands switching

FromtheLibraryofOutcastOutcastContentsataGlance

Introductionxxiv

PartIDesigningCampusNetworksChapter1EnterpriseCampusNetworkDesign3Chapter2SwitchOperation29Chapter3SwitchPortConfiguration55

PartIIBuildingaCampusNetworkChapter4VLANsandTrunks89Chapter5VLANTrunkingProtocol123

PartIIIWorkingwithRedundantLinksChapter6TraditionalSpanningTreeProtocol147Chapter7Spanning-TreeConfiguration177Chapter8ProtectingtheSpanningTreeProtocolTopology203Chapter9AdvancedSpanningTreeProtocol219Chapter10AggregatingSwitchLinks241

PartIVMultilayerSwitchingChapter11MultilayerSwitching265Chapter12ConfiguringDHCP289

PartVMonitoringCampusNetworksChapter13LoggingSwitchActivity305Chapter14ManagingSwitcheswithSNMP321Chapter15MonitoringPerformancewithIPSLA333Chapter16UsingPortMirroringtoMonitorTraffic349

PartVIImplementingHighAvailabilityChapter17UnderstandingHighAvailability365Chapter18Layer3HighAvailability381

FromtheLibraryofOutcastOutcast

ix

PartVIISecuringSwitchedNetworksChapter19SecuringSwitchAccess411Chapter20SecuringVLANs431Chapter21PreventingSpoofingAttacks449Chapter22ManagingSwitchUsers461

PartVIIIFinalPreparationChapter23FinalPreparation475

PartIXAppendixesAppendixAAnswerstotheDoIKnowThisAlready?Quizzes481AppendixBExamUpdates489Glossary493Index504

CD-OnlyAppendixesAppendixCMemoryTablesAppendixDMemoryTableAnswerKeyAppendixEStudyPlanner


ContentsIntroductionxxivPartIDesigningCampusNetworksChapter1EnterpriseCampusNetworkDesign3DoIKnowThisAlready?Quiz3FoundationTopics7HierarchicalNetworkDesign7PredictableNetworkModel9AccessLayer12DistributionLayer12CoreLayer12ModularNetworkDesign13SizingaSwitchBlock16SwitchBlockRedundancy18NetworkCore20CollapsedCore23CoreSizeinaCampusNetwork24CiscoProductsinaHierarchicalNetworkDesign24ExamPreparationTasks27ReviewAllKeyTopics27CompleteTablesandListsfromMemory27DefineKeyTerms27Chapter2SwitchOperation29DoIKnowThisAlready?Quiz29FoundationTopics32Layer2SwitchOperation32TransparentBridging32FollowThatFrame!35MultilayerSwitchOperation36TypesofMultilayerSwitching36FollowThatPacket!37MultilayerSwitchingExceptions39TablesUsedinSwitching40Content-AddressableMemory40TernaryContent-AddressableMemory41TCAMStructure42TCAMExample43PortOperationsinTCAM44


xi

ManagingSwitchingTables45CAMTableOperation45TCAMOperation48ManagingSwitchingTableSizes49ExamPreparationTasks52ReviewAllKeyTopics52CompleteTablesandListsfromMemory52DefineKeyTerms52UseCommandReferencetoCheckYourMemory52Chapter3SwitchPortConfiguration55DoIKnowThisAlready?Quiz55FoundationTopics59EthernetConcepts59EthernetOverview59ScalingEthernet60FastEthernet60GigabitEthernet6110-GigabitEthernet62Beyond10-GigabitEthernet63DuplexOperationoverEthernetLinks63ConnectingSwitchesandDevices65EthernetPortCablesandConnectors65SwitchPortConfiguration66SelectingPortstoConfigure66IdentifyingPorts68PortSpeed68PortDuplexMode69ManagingErrorConditionsonaSwitchPort69DetectingErrorConditions69AutomaticallyRecoverfromErrorConditions70EnableandUsetheSwitchPort71TroubleshootingPortConnectivity71LookingforthePortState71LookingforSpeedandDuplexMismatches72DiscoveringConnectedDevices73CiscoDiscoveryProtocol73LinkLayerDiscoveryProtocol75


xiiCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

UsingPoweroverEthernet77HowPoEWorks78DetectingaPoweredDevice79ConfiguringPoE80VerifyingPoE81ExamPreparationTasks84ReviewAllKeyTopics84CompleteTablesandListsfromMemory84DefineKeyTerms84UseCommandReferencetoCheckYourMemory85PartIIBuildingaCampusNetworkChapter4VLANsandTrunks89DoIKnowThisAlready?Quiz89FoundationTopics95VirtualLANs95VLANMembership96StaticVLANs96ConfiguringStaticVLANs97DynamicVLANs99DeployingVLANs99End-to-EndVLANs100LocalVLANs101VLANTrunks101VLANFrameIdentification103Inter-SwitchLinkProtocol103IEEE802.1QProtocol104DynamicTrunkingProtocol105VLANTrunkConfiguration106ConfiguringaVLANTrunk106TrunkConfigurationExample108TroubleshootingVLANsandTrunks110VoiceVLANs112VoiceVLANConfiguration113VerifyingVoiceVLANOperation115WirelessVLANs117ExamPreparationTasks119ReviewAllKeyTopics119


xiii

CompleteTablesandListsfromMemory119DefineKeyTerms119UseCommandReferencetoCheckYourMemory119Chapter5VLANTrunkingProtocol123DoIKnowThisAlready?Quiz123FoundationTopics127VLANTrunkingProtocol127VTPDomains127VTPModes127VTPAdvertisements128VTPSynchronization131VTPConfiguration132ConfiguringtheVTPVersion133ConfiguringaVTPManagementDomain134ConfiguringtheVTPMode135VTPConfigurationExample136VTPStatus137VTPPruning138EnablingVTPPruning140TroubleshootingVTP141ExamPreparationTasks143ReviewAllKeyTopics143CompleteTablesandListsfromMemory143DefineKeyTerms143UseCommandReferencetoCheckYourMemory143PartIIIWorkingwithRedundantLinksChapter6TraditionalSpanningTreeProtocol147DoIKnowThisAlready?Quiz147FoundationTopics151IEEE802.1DOverview151BridgingLoops151PreventingLoopswithSpanningTreeProtocol154Spanning-TreeCommunication:BridgeProtocolDataUnits155ElectingaRootBridge156ElectingRootPorts158ElectingDesignatedPorts160


xivCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

STPStates162STPTimers165TopologyChanges167DirectTopologyChanges168IndirectTopologyChanges169InsignificantTopologyChanges171TypesofSTP172CommonSpanningTree173Per-VLANSpanningTree173Per-VLANSpanningTreePlus173ExamPreparationTasks175ReviewAllKeyTopics175CompleteTablesandListsfromMemory175DefineKeyTerms175Chapter7Spanning-TreeConfiguration177DoIKnowThisAlready?Quiz177FoundationTopics181STPRootBridge181RootBridgePlacement181RootBridgeConfiguration184TuningtheRootPathCost188TuningthePortID190TuningSpanning-TreeConvergence191ModifyingSTPTimers191ManuallyConfiguringSTPTimers192AutomaticallyConfiguringSTPTimers192RedundantLinkConvergence194PortFast:AccessLayerNodes194UplinkFast:AccessLayerUplinks196BackboneFast:RedundantBackbonePaths197MonitoringSTP199ExamPreparationTasks200ReviewAllKeyTopics200CompleteTablesandListsfromMemory200DefineKeyTerms200UseCommandReferencetoCheckYourMemory200


xv

Chapter8ProtectingtheSpanningTreeProtocolTopology203DoIKnowThisAlready?Quiz203FoundationTopics207ProtectingAgainstUnexpectedBPDUs207RootGuard207BPDUGuard208ProtectingAgainstSuddenLossofBPDUs210LoopGuard210UDLD211UsingBPDUFilteringtoDisableSTPonaPort213TroubleshootingSTPProtection214ExamPreparationTasks215ReviewAllKeyTopics215CompleteTablesandListsfromMemory215DefineKeyTerms215UseCommandReferencetoCheckYourMemory215Chapter9AdvancedSpanningTreeProtocol219DoIKnowThisAlready?Quiz219FoundationTopics223RapidSpanningTreeProtocol223RSTPPortBehavior223BPDUsinRSTP224RSTPConvergence225PortTypes226Synchronization227TopologyChangesandRSTP229RSTPConfiguration229RapidPer-VLANSpanningTreeProtocol230MultipleSpanningTreeProtocol231MSTOverview233MSTRegions233Spanning-TreeInstancesWithinMST234ISTInstances234MSTInstances235MSTConfiguration236ExamPreparationTasks238ReviewAllKeyTopics238


xviCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

CompleteTablesandListsfromMemory238DefineKeyTerms239UseCommandReferencetoCheckYourMemory239Chapter10AggregatingSwitchLinks241DoIKnowThisAlready?Quiz241FoundationTopics245SwitchPortAggregationwithEtherChannel245BundlingPortswithEtherChannel247DistributingTrafficinEtherChannel247ConfiguringEtherChannelLoadBalancing249EtherChannelNegotiationProtocols251PortAggregationProtocol252LinkAggregationControlProtocol252EtherChannelConfiguration253ConfiguringaPAgPEtherChannel253ConfiguringaLACPEtherChannel254AvoidingMisconfigurationwithEtherChannelGuard255TroubleshootinganEtherChannel257ExamPreparationTasks261ReviewAllKeyTopics261CompleteTablesandListsfromMemory261DefineKeyTerms261CommandReferencetoCheckYourMemory261PartIVMultilayerSwitchingChapter11MultilayerSwitching265DoIKnowThisAlready?Quiz265FoundationTopics268Inter-VLANRouting268TypesofInterfaces268ConfiguringInter-VLANRouting269Layer2PortConfiguration270Layer3PortConfiguration270SVIPortConfiguration271MultilayerSwitchingwithCEF272TraditionalMLSOverview272CEFOverview272ForwardingInformationBase273


xvii

AdjacencyTable276PacketRewrite279ConfiguringCEF280VerifyingMultilayerSwitching280VerifyingInter-VLANRouting280VerifyingCEF283ExamPreparationTasks285ReviewAllKeyTopics285CompleteTablesandListsfromMemory285DefineKeyTerms285UseCommandReferencetoCheckYourMemory285Chapter12ConfiguringDHCP289DoIKnowThisAlready?Quiz289FoundationTopics292UsingDHCPwithaMultilayerSwitch292ConfiguringanIPv4DHCPServer293ConfiguringaManualAddressBinding294ConfiguringDHCPOptions296ConfiguringaDHCPRelay296ConfiguringDHCPtoSupportIPv6297StatelessAutoconfiguration298DHCPv6298DHCPv6Lite299ConfiguringaDHCPv6RelayAgent300VerifyingIPv6DHCPOperation300ExamPreparationTasks301ReviewAllKeyTopics301CompleteTablesandListsfromMemory301DefineKeyTerms301UseCommandReferencetoCheckYourMemory301PartVMonitoringCampusNetworksChapter13LoggingSwitchActivity305DoIKnowThisAlready?Quiz305FoundationTopics308


xviiiCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

SyslogMessages308LoggingtotheSwitchConsole310LoggingtotheInternalBuffer310LoggingtoaRemoteSyslogServer311AddingTimeStampstoSyslogMessages312SettingtheInternalSystemClock312UsingNTPtoSynchronizewithanExternalTimeSource313SecuringNTP316UsingSNTPtoSynchronizeTime316AddingTimeStampstoLoggingMessages317ExamPreparationTasks318ReviewAllKeyTopics318CompleteTablesandListsfromMemory318DefineKeyTerms318UseCommandReferencetoCheckYourMemory318Chapter14ManagingSwitcheswithSNMP321DoIKnowThisAlready?Quiz321FoundationTopics324SNMPOverview324ConfiguringSNMP326ConfiguringSNMPv1327ConfiguringSNMPv2C327ConfiguringSNMPv3328ExamPreparationTasks330ReviewAllKeyTopics330CompleteTablesandListsfromMemory330DefineKeyTerms330UseCommandReferencetoCheckYourMemory330Chapter15MonitoringPerformancewithIPSLA333DoIKnowThisAlready?Quiz333FoundationTopics336IPSLAOverview336ConfiguringIPSLA338UsingIPSLA341ExamPreparationTasks345ReviewAllKeyTopics345CompleteTablesandListsfromMemory345


xix

DefineKeyTerms345UseCommandReferencetoCheckYourMemory345Chapter16UsingPortMirroringtoMonitorTraffic349DoIKnowThisAlready?Quiz349FoundationTopics352UsingLocalSPAN352LocalSPANConfiguration354RemoteSPAN356RemoteSPANConfiguration357ManagingSPANSessions359ExamPreparationTasks361ReviewAllKeyTopics361CompleteTablesandListsfromMemory361DefineKeyTerms361UseCommandReferencetoCheckYourMemory361PartVIImplementingHighAvailabilityChapter17UnderstandingHighAvailability365DoIKnowThisAlready?Quiz365FoundationTopics368LeveragingLogicalSwitches368StackWise371VirtualSwitchingSystem372SupervisorandRouteProcessorRedundancy373RedundantSwitchSupervisors373ConfiguringtheRedundancyMode374ConfiguringSupervisorSynchronization376NonstopForwarding377ExamPreparationTasks378ReviewAllKeyTopics378CompleteTablesandListsfromMemory378DefineKeyTerms378UseCommandReferencetoCheckYourMemory378Chapter18Layer3HighAvailability381DoIKnowThisAlready?Quiz381FoundationTopics384Packet-ForwardingReview384


xxCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

HotStandbyRouterProtocol385HSRPRouterElection386Plain-TextHSRPAuthentication388MD5Authentication388ConcedingtheElection389HSRPGatewayAddressing390LoadBalancingwithHSRP391VirtualRouterRedundancyProtocol394GatewayLoadBalancingProtocol397ActiveVirtualGateway397ActiveVirtualForwarder398GLBPLoadBalancing400EnablingGLBP400VerifyingGatewayRedundancy405ExamPreparationTasks406ReviewAllKeyTopics406CompleteTablesandListsfromMemory406DefineKeyTerms406UseCommandReferencetoCheckYourMemory406PartVIISecuringSwitchedNetworksChapter19SecuringSwitchAccess411DoIKnowThisAlready?Quiz411FoundationTopics415PortSecurity415Port-BasedAuthentication418802.1XConfiguration419802.1XPort-BasedAuthenticationExample420UsingStormControl421BestPracticesforSecuringSwitches423ExamPreparationTasks428ReviewAllKeyTopics428CompleteTablesandListsfromMemory428DefineKeyTerms428UseCommandReferencetoCheckYourMemory428


xxi

Chapter20SecuringVLANs431DoIKnowThisAlready?Quiz431FoundationTopics435VLANAccessLists435VACLConfiguration435PrivateVLANs436PrivateVLANConfiguration438ConfigurethePrivateVLANs438AssociatePortswithPrivateVLANs439AssociateSecondaryVLANstoaPrimaryVLANSVI440SecuringVLANTrunks441SwitchSpoofing441VLANHopping443ExamPreparationTasks446ReviewAllKeyTopics446CompleteTablesandListsfromMemory446DefineKeyTerms446UseCommandReferencetoCheckYourMemory446Chapter21PreventingSpoofingAttacks449DoIKnowThisAlready?Quiz449FoundationTopics451DHCPSnooping451IPSourceGuard453DynamicARPInspection455ExamPreparationTasks458ReviewAllKeyTopics458CompleteTablesandListsfromMemory458DefineKeyTerms458UseCommandReferencetoCheckYourMemory458Chapter22ManagingSwitchUsers461DoIKnowThisAlready?Quiz461FoundationTopics464ConfiguringAuthentication465ConfiguringAuthorization468ConfiguringAccounting469ExamPreparationTasks471


xxiiCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

ReviewAllKeyTopics471CompleteTablesandListsfromMemory471DefineKeyTerms471UseCommandReferencetoCheckYourMemory471PartVIIIFinalPreparationChapter23FinalPreparation475ToolsforFinalPreparation475ExamEngineandQuestionsontheCD475InstalltheExamEngine476ActivateandDownloadthePracticeExam476ActivatingOtherExams477PremiumEdition477TheCiscoLearningNetwork477MemoryTables477Chapter-EndingReviewTools478StudyPlan478RecalltheFacts478PracticeConfigurations478UsingtheExamEngine479PartIXAppendixesAppendixAAnswerstotheDoIKnowThisAlready?Quizzes481AppendixBExamUpdates489AlwaysGettheLatestattheCompanionWebsite489TechnicalContent490Glossary493Index504

CD-OnlyAppendixesAppendixCMemoryTablesAppendixDMemoryTableAnswerKeyAppendixEStudyPlanner


xxiii

CommandSyntaxConventionsTheconventionsusedtopresentcommandsyntaxinthisbookarethesameconventionsusedintheIOSCommandReference.TheCommandReferencedescribestheseconven-tionsasfollows:Boldfaceindicatescommandsandkeywordsthatareenteredliterallyasshown.Inactualconfigurationexamplesandoutput(notgeneralcommandsyntax),boldfaceindicatescommandsthataremanuallyinputbytheuser(suchasashowcommand).Italicindicatesargumentsforwhichyousupplyactualvalues.Verticalbars(|)separatealternative,mutuallyexclusiveelements.Squarebrackets([])indicateanoptionalelement.Braces({})indicatearequiredchoice.Braceswithinbrackets([{}])indicatearequiredchoicewithinanoptionalelement.


xxivCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

IntroductionThisbookfocusesononemajorgoal:tohelpyoupreparetopasstheSWITCHexam(300-115).Tohelpyouprepare,thisbookachievesotherusefulgoalsaswell:Itexplainsawiderangeofnetworkingtopics,showshowtoconfigurethosefeaturesonCiscoswitches,andexplainshowtodeterminewhetherthefeaturesareworking.Asaresult,youcanalsousethisbookasageneralreferenceasyouworkwithswitchednetworksinyourjob.ThemainmotivationforthisbookandtheCiscoPressCertificationGuideseriesistohelpyoupasstheSWITCHexam.Therestofthisintroductionfocusesontwotopics:theSWITCHexamandadescriptionofthisbook.

TheCCNPSWITCHExamProfessionalcertificationshavebeenanimportantpartofthecomputingindustryformanyyearsandwillcontinuetobecomemoreimportant.Manyreasonsexistforthesecertifications,butthemostpopularlycitedreasonisthatofcredibility.Allotherconsid-erationsheldequal,thecertifiedemployee/consultant/jobcandidateisconsideredmorevaluablethanonewhoisnot.Ciscooffersfourlevelsofroutingandswitchingcertification,eachwithanincreasinglevelofproficiency:Entry,Associate,Professional,andExpert.ThesearecommonlyknownbytheiracronymsCCENT(CiscoCertifiedEntryNetworkingTechnician),CCNA(CiscoCertifiedNetworkAssociate),CCNP(CiscoCertifiedNetworkProfessional),andCCIE(CiscoCertifiedInternetworkingExpert).Thereareothers,too,butthisbookfocusesonthecertificationsforenterprisenetworks.CiscofirstannounceditsinitialProfessionallevelcertificationsin1998withtheCCNPRoutingandSwitchingcertification.Tobecomecertified,youmustpassexamsonaseriesofCCNPtopics,includingtheSWITCH,ROUTE,andTSHOOTexams.Formostexams,Ciscodoesnotpublishthescoresneededforpassing.Youneedtotaketheexamtofindthatoutforyourself.ToseethemostcurrentrequirementsfortheCCNPRoutingandSwitchingcertifica-tion,gotohttp://www.cisco.com/go/ccnp,andlookforthe300-115SWITCHexam(ImplementingIPSwitchedNetworks,SWITCHv2.0).Thereyoucanfindoutotherexamdetailssuchasanexamblueprint,whichcontainsalistofexamtopics.Youwillalsolearnhowtoregisterforanexam.Also,youcangototheCiscoLearningNetworkwebsiteathttp://www.cisco.com/go/learnnetspacetofindexaminformation,learningtools,andforumsinwhichyoucancommunicatewithothersandlearnmoreaboutthisandotherCiscoexams.TheSWITCHexamtopicsaregroupedintothreebroadcategories:Layer2TechnologiesInfrastructureSecurityInfrastructureServices


xxv

TableI-1liststheexamtopics,alongwiththepartofthisbookwherethetopiciscov-ered.Thelistoftopicsisaccurate,asofthetimethisbookwasprinted.

TableI-1SWITCHExam300-115TopicsExamTopicBookPartLayer2TechnologiesConfigureandVerifySwitchAdministrationIConfigureandVerifyLayer2ProtocolsI,IIIConfigureandVerifyVLANsIIConfigureandVerifyTrunkingIIConfigureandVerifyEtherChannelsIIIConfigureandVerifySpanningTreeIIIConfigureandVerifyOtherLANSwitchingTechnologiesVDescribeChassisVirtualizationandAggregationTechnologiesVIInfrastructureSecurityConfigureandVerifySwitchSecurityFeaturesVIIDescribeDeviceSecurityUsingCiscoIOSAAAwithTACACS+andRADIUSVIIInfrastructureServicesConfigureandVerifyFirst-HopRedundancyProtocolsVI

HowtoTaketheSWITCHExamAsofthepublicationofthisbook,CiscoexclusivelyusestestingvendorPearsonVue(http://www.vue.com)fordeliveryofallCiscocareercertificationexams.Toregister,gotohttp://www.vue.com,establishalogin,andregisterforthe300-115SWITCHexam.Youalsoneedtochooseatestingcenternearyourhome.

FormatoftheCCNPSWITCHExamTheSWITCHexamfollowsthesamegeneralformatastheotherCiscoexams.Whenyougettothetestingcenterandcheckin,theproctorwillgiveyousomegeneralinstructionsandthentakeyouintoaquietroomwithaPC.WhenyoureatthePC,youhaveafewthingstodobeforethetimerstartsonyourexam.Forinstance,youcantakeasamplequiz,justtogetaccustomedtothePCandtothetestingengine.Whenyoustarttheexam,youwillbeaskedaseriesofquestions.Answeraquestion,andthenmoveontothenextquestion.Theexamenginedoesnotletyougobackandchangetheanswersyouenteredonpreviousquestions.


xxviCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

Theexamquestionscanbeinanyofthefollowingformats:Multiplechoice(MC)TestletDrag-and-drop(DND)Simulatedlab(sim)SimletThefirstthreetypesofquestionsarerelativelycommoninmanytestingenvironments.TheMCformatsimplyrequiresthatyoupointandclickonacircle(thatis,aradiobut-ton)besidethecorrectanswerforasingle-answerquestionoronsquares(thatis,checkboxes)besidethecorrectanswersforamulti-answerquestion.Ciscotraditionallytellsyouhowmanyanswersyouneedtochoose,andthetestingsoftwarepreventsyoufromchoosingtoomanyanswers.Testletsarequestionswithonegeneralscenario,withmul-tipleMCquestionsabouttheoverallscenario.DNDquestionsrequireyoutoleft-clickandholdamousebutton,moveanobject(forexample,atextbox)toanotherareaonthescreen,andreleasethemousebuttontoplacetheobjectsomewhereelse-typicallyintoalist.Forsomequestions,asanexample,youmightneedtoputalistoffivethingsintotheproperordertogetthewholequestioncorrect.Thelasttwotypesbothuseanetworksimulatortoaskquestions.Interestingly,thetwotypesactuallyallowCiscotoassesstwoverydifferentskills.First,simquestionsgener-allydescribeaproblem,andyourtaskistoconfigureoneormorerouters/switchestofixtheproblem.Theexamthengradesthequestionbasedontheconfigurationyouchangedoradded.Thesimletquestionsmaywellbethemostdifficultstyleofquestionontheexams.Simletquestionsalsouseanetworksimulator,butinsteadofansweringthequestionbychangingtheconfiguration,thequestionincludesoneormoremultiplechoicequestions.Thequestionsrequirethatyouusethesimulatortoexaminethecur-rentbehaviorofanetwork,interpretingtheoutputofanyshowcommandsthatyoucanremembertoanswerthequestion.Althoughsimquestionsrequireyoutotroubleshootproblemsrelatedtoaconfiguration,simletsrequireyoutobothanalyzeworkingnet-worksandnetworkswithproblems,correlatingshowcommandoutputwithyourknowl-edgeofnetworkingtheoryandconfigurationcommands.TheCiscoLearningNetwork(http://learningnetwork.cisco.com)websitehastoolsthatletyouexperiencetheenvironmentandseehoweachofthesequestiontypeswork.TheenvironmentshouldbethesameaswhenyoupassedCCNA(aprerequisiteforCCNPandCCDP).

CCNPSWITCH300-115OfficialCertificationGuideThemostimportantandsomewhatobviousobjectiveofthisbookistohelpyoupasstheCiscoCCNPSWITCHexam(Exam300-115).WhileyouarelearningabouttopicsthatcanhelpyoupasstheSWITCHexam,youwillalsobecomemuchmoreknowledgeableabouthowtodoyourjob.AlthoughthisbookandtheaccompanyingCDhavemany


KeyTopic

xxvii

exampreparationtasksandexampletestquestions,themethodinwhichtheyareusedisnottosimplymakeyoumemorizeasmanyquestionsandanswersasyoupossiblycan.Themethodologyofthisbookhelpsyoudiscovertheexamtopicsaboutwhichyouneedmorereview,fullyunderstandandrememberexamtopicdetails,andprovetoyourselfthatyouhaveretainedyourknowledgeofthosetopics.Sothisbookhelpsyoupassnotbymemorization,butbyhelpingyoutrulylearnandunderstandthetopics.TheSWITCHexamisjustoneofthefoundationtopicsintheCCNPRoutingandSwitchingcertification,andtheknowledgecontainedwithinisvitallyimportanttoconsideryour-selfatrulyskilledroutingandswitchingengineerorspecialist.ThestrategyyouusetopreparefortheSWITCHexammightdifferslightlyfromstrate-giesusedbyotherreaders,mainlybasedontheskills,knowledge,andexperienceyoualreadyhaveobtained.Forinstance,ifyouhaveattendedtheSWITCHcourse,youmighttakeadifferentapproachthansomeonewholearnedswitchingthroughon-the-jobtraining.Regardlessofthestrategyyouuseorthebackgroundyouhave,thisbookisdesignedtohelpyougettothepointwhereyoucanpasstheexamwiththeleastamountoftimerequired.

BookFeaturesandExamPreparationMethodsThisbookusesseveralkeymethodologiestohelpyoudiscovertheexamtopicsonwhichyouneedmorereview,tohelpyoufullyunderstandandrememberthosedetails,andtohelpyouprovetoyourselfthatyouhaveretainedyourknowledgeofthosetopics.Thebookincludesmanyfeaturesthatprovidedifferentwaystostudyandprepareyour-selffortheexam.Ifyouunderstandatopicwhenyoureadit,butdonotstudyitanyfurther,youwillprobablynotbereadytopasstheexamwithconfidence.Thefeaturesincludedinthisbookgiveyoutoolsthathelpyoudeterminewhatyouknow,reviewwhatyouknow,betterlearnwhatyoudontknow,andbewellpreparedfortheexam.Thesetoolsincludethefollowing:DoIKnowThisAlready?quizzes:Eachchapterbeginswithaquizthathelpsyoudeterminetheamountoftimeyouneedtospendstudyingthatchapter.Foundationtopics:Thesearethecoresectionsofeachchapter.Theyexplaintheprotocols,concepts,andconfigurationforthetopicsinthatchapter.Exampreparationtasks:TheExamPreparationTaskssectionlistsaseriesofstudyactivitiesthatshouldbedoneafterreadingtheFoundationTopicssection.Eachchapterincludestheactivitiesthatmakethemostsenseforstudyingthetopicsinthatchapter.Theactivitiesincludethefollowing:KeyTopicsReview:TheKeyTopiciconisshownnexttothemostimportantitemsintheFoundationTopicssectionofthechapter.TheKeyTopicsReviewactivityliststhekeytopicsfromthechapter,andpagenumber.Althoughthecontentsoftheentirechaptercouldbeontheexam,youshoulddenitelyknowtheinformationlistedineachkeytopic.Reviewthesetopicscarefully.


xxviiiCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

Memorytables:Tohelpyouexerciseyourmemoryandmemorizesomelistsoffacts,manyofthemoreimportantlistsandtablesfromthechapterareincludedinadocumentontheCD.Thisdocumentlistsonlypartialinformation,allow-ingyoutocompletethetableorlist.CD-onlyAppendixCholdstheincompletetables,andAppendixDincludesthecompletedtablesfromwhichyoucancheckyourwork.Denitionofkeyterms:AlthoughCiscoexamsmightbeunlikelytoaskaquestionsuchasDenethisterm,theSWITCHexamrequiresthatyoulearnandknowalotofnetworkingterminology.Thissectionlistssomeofthemostimportanttermsfromthechapter,askingyoutowriteashortdenitionandcompareyouranswertotheglossaryontheenclosedCD.CD-basedpracticeexam:ThecompanionCDcontainsanexamengine,includingabankofmultiple-choicequestions.Youcanusethepracticeexamstogetafeelfortheactualexamcontentandtogaugeyourknowledgeofswitchingtopics.

HowThisBookisOrganizedAlthoughthisbookcanbereadcovertocover,itisdesignedtobeflexibleandallowyoutoeasilymovebetweenchaptersandsectionsofchapterstofocusonspecificmate-rial.Thechapterscanbecoveredinanyorder,althoughsomechaptersarerelatedandbuilduponeachother.Ifyoudointendtoreadthemall,theorderinthebookisanexcellentsequencetouse.Thisbookcontains23chapters,plusappendixes.Thebookorganizesswitchingtop-icsintoninemajorparts.Thefollowinglistoutlinesthemajorpartorganizationofthisbook.PartI:DesigningCampusNetworksChapter1,EnterpriseCampusNetworkDesign:Thischaptercoversdifferentcampusnetworkmodels,hierarchicalnetworkdesign,andhowtodesign,size,andscaleacampusnetworkusingamodularapproach.Chapter2,SwitchOperation:ThischaptercoversLayer2andmultilayerswitchoperation,howvariouscontent-addressablememory(CAM)andternarycontent-addressablememory(TCAM)tablesareusedtomakeswitchingdeci-sions,andhowtomonitorthesetablestoaidintroubleshooting.Chapter3,SwitchPortConguration:ThischaptercoversbasicEthernetconcepts,howtousescalableEthernet,howtoconnectswitchesanddevicestogether,andhowtoverifyswitchportoperationtoaidintroubleshooting.PartII:BuildingaCampusNetworkChapter4,VLANsandTrunks:ThischaptercoversbasicVLANconcepts,howtotransportmultipleVLANsoversinglelinks,howtocongureVLANtrunks,andhowtoverifyVLANandtrunkoperation.Chapter5,VLANTrunkingProtocol:ThischaptercoversVLANmanagementusingVTP,VTPconguration,trafcmanagementthroughVTPpruning,andhowtoverifyVTPoperation.


xxix

PartIII:WorkingwithRedundantLinksChapter6,TraditionalSpanningTreeProtocol:ThischaptercoversIEEE802.1DSpanningTreeProtocol(STP)andgivesanoverviewoftheotherSTPtypesthatmightberunningonaswitch.Chapter7,Spanning-TreeConguration:ThischaptercoverstheSTProotbridge,howtocustomizetheSTPtopology,howtotuneSTPconvergence,redundantlinkconvergence,andhowtoverifySTPoperation.Chapter8,ProtectingtheSpanningTreeProtocolTopology:ThischaptercoversprotectingtheSTPtopologyusingRootGuard,BPDUGuard,andLoopGuard,andalsohowtouseBPDUlteringandhowtoverifythattheseSTPprotectionmechanismsarefunctioningproperly.Chapter9,AdvancedSpanningTreeProtocol:ThischaptercoversRapidSpanningTreeProtocol(RSTP)forRapidPVST+andMultipleSpanningTree(MST)Protocol.Chapter10,AggregatingSwitchLinks:Thischaptercoversswitchportag-gregationwithEtherChannel,EtherChannelnegotiationprotocols,EtherChannelconguration,andhowtoverifyEtherChanneloperation.PartIV:MultilayerSwitchingChapter11,MultilayerSwitching:Thischaptercoversinter-VLANrouting,multilayerswitchingwithCiscoExpressForwarding(CEF),andhowtoverifythatmultilayerswitchingisfunctioningproperly.Chapter12,ConguringDHCP:ThischapterdiscusseswaystocongureaswitchtorelayDynamicHostCongurationProtocol(DHCP)requestsortoactasaDHCPservertolocalclientdevices.PartV:MonitoringCampusNetworksChapter13,LoggingSwitchActivity:Thischapterexplainshowtocongureaswitchtogeneratelogginginformationandhowtocorrelateloggingmessageswithaccuratetimestamps.Chapter14,ManagingSwitcheswithSNMP:ThischapterdiscussesSNMPandhowyoucanuseittomonitorandmanageswitchesinanetwork.Chapter15,MonitoringPerformancewithIPSLA:ThischapterexplainshowtoleverageIPSLAprobestomeasurenetworkperformanceagainstexpectedservicelevelagreementparameters.Chapter16,UsingPortMirroringtoMonitorTrafc:Thischaptercoversmethodsyoucanusetomirrororcopyswitchedtrafctoadestinationwhereitcanbecollectedandanalyzed.PartVI:ImplementingHighAvailabilityChapter17,UnderstandingHighAvailability:Thischapterdiscusseswaysthatmultiplephysicalswitchescanbeconnectedorconguredtogethertooper-ateasonelogicalswitch,increasingavailability.Chapter18,Layer3HighAvailability:Thischaptercoversprovidingredun-dantrouterorgatewayaddressesonCatalystswitchesandverifyingthatredun-dancyisfunctioningproperly.


xxxCCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

PartVII:SecuringSwitchedNetworksChapter19,SecuringSwitchAccess:ThischaptercoversportsecurityusingMACaddresses,port-basedsecurityusingIEEE802.1X,stormcontroltoreducetrafcstorms,andbestpracticesforsecuringswitches.Chapter20,SecuringVLANs:ThischaptercovershowtocontroltrafcwithinaVLANusingaccesslists,implementingprivateVLANs,andbestpracticesforsecuringtrunklinks.Chapter21,PreventingSpoongAttacks:ThischapterexplainsfeatureslikeDHCPsnooping,IPSourceGuard,anddynamicARPinspection,whichyoucanle-veragetopreventnetworkattacksthatusespoofedinformationtogainafoothold.Chapter22,ManagingSwitchUsers:Thischaptercoversswitchauthentication,authorization,andaccounting(AAA)mechanismsthatcontrolwhocanaccessaswitchandwhattheycandoontheswitch,aswellasprovidearecordofwhatoccurred.PartVIII:FinalPreparationChapter23,FinalPreparation:ThischapterexplainshowtousethepracticeexamCDtoenhanceyourstudy,alongwithabasicstudyplan.PartIX:AppendixesAppendixA:ThisappendixcontainsanswerstotheDoIKnowThisAlreadyquizzes.AppendixB:Thisappendixtellsyouhowtondanyupdates,shouldtherebechangestotheexam.Glossary:TheglossarycontainsdenitionsforallthetermslistedintheDeneKeyTermssectionsattheconclusionsofChapters1through22.Inaddition,youcanfindthefollowingappendixesontheCDthatisincludedwiththisbook:AppendixC,MemoryTables:Thisappendixholdsthekeytablesandlistsfromeachchapterwithsomeofthecontentremoved.Youcanprintthisappendix,andasamemoryexercise,completethetablesandlists.Thegoalistohelpyoumemorizefactsthatcanbeusefulontheexams.AppendixD,MemoryTableAnswerKey:ThisappendixcontainstheanswerkeyfortheexercisesinAppendixD.AppendixE,StudyPlanner,isaspreadsheetwithmajorstudymilestones,whereyoucantrackyourprogressthroughyourstudy.

ForMoreInformationIfyouhaveanycommentsaboutthebook,youcansubmitthoseviahttp://www.ciscopress.com.Justgotothewebsite,selectContactUs,andtypeyourmessage.CiscomightmakechangesthataffecttheSWITCHexamfromtimetotime.Youshouldalwayscheckhttp://www.cisco.com/go/ccnpforthelatestdetails.


ThischaptercoversthefollowingtopicsthatyouneedtomasterfortheCCNPSWITCHexam:

HierarchicalNetworkDesign:Thissectiondetailsathree-layerhierarchicalstructureofcampusnet-workdesigns.ModularNetworkDesign:Thissectioncoverstheprocessofdesigningacampusnetwork,basedonbreakingitintofunctionalmodules.Youalsolearnhowtosizeandscalethemodulesinadesign.


CHAPTER1

EnterpriseCampusNetworkDesign

Thischapterpresentsalogicaldesignprocessthatyoucanusetobuildanewswitchedcampusnetworkortomodifyandimproveanexistingnetwork.Networkscanbedesignedinlayersusingasetofbuildingblocksthatcanorganizeandstreamlineevenalarge,complexcampusnetwork.Thesebuildingblockscanthenbeplacedusingseveralcampusdesignmodelstoprovidemaximumefficiency,functionality,andscalability.

DoIKnowThisAlready?QuizTheDoIKnowThisAlready?quizallowsyoutoassesswhetheryoushouldreadthisentirechapterthoroughlyorjumptotheExamPreparationTaskssection.Ifyouareindoubtbasedonyouranswerstothesequestionsoryourownassessmentofyourknowl-edgeofthetopics,readtheentirechapter.Table1-1outlinesthemajorheadingsinthischapterandtheDoIKnowThisAlready?quizquestionsthatgowiththem.YoucanfindtheanswersinAppendixA,AnswerstotheDoIKnowThisAlready?Quizzes.

Table1-1DoIKnowThisAlready?FoundationTopicsSection-to-QuestionMappingFoundationTopicsSectionQuestionsCoveredinThisSectionHierarchicalNetworkDesign110ModularNetworkDesign1117

1.Wheredoesacollisiondomainexistinaswitchednetwork?a.Onasingleswitchportb.Acrossallswitchportsc.OnasingleVLANd.AcrossallVLANs2.Wheredoesabroadcastdomainexistinaswitchednetwork?a.Onasingleswitchportb.Acrossallswitchportsc.OnasingleVLANd.AcrossallVLANs


4CCNPRoutingandSwitchingSWITCH300-115OfficialCertGuide

3.WhatisaVLANprimarilyusedfor?a.Tosegmentacollisiondomainb.Tosegmentabroadcastdomainc.Tosegmentanautonomoussystemd.Tosegmentaspanning-treedomain4.Howmanylayersarerecommendedinthehierarchicalcampusnetworkdesignmodel?a.1b.2c.3d.4e.75.Whatisthepurposeofbreakingacampusnetworkintoahierarchicaldesign?a.Tofacilitatedocumentationb.Tofollowpoliticalororganizationalpoliciesc.Tomakethenetworkpredictableandscalabled.Tomakethenetworkmoreredundantandsecure6.End-userPCsshouldbeconnectedintowhichofthefollowinghierarchicallayers?a.Distributionlayerb.Commonlayerc.Accesslayerd.Corelayer7.InwhichOSIlayershoulddevicesinthedistributionlayertypicallyoperate?a.Layer1b.Layer2c.Layer3d.Layer48.Ahierarchicalnetworksdistributionlayeraggregateswhichofthefollowing?a.Coreswitchesb.Broadcastdomainsc.Routingupdatesd.Accesslayerswitches


Chapter1:EnterpriseCampusNetworkDesign5

9.Inthecorelayerofahierarchicalnetwork,whichofthefollowingareaggregated?a.Routingtablesb.Packetfiltersc.Distributionswitchesd.Accesslayerswitches10.Inaproperlydesignedhierarchicalnetwork,abroadcastfromonePCisconfinedtowhichoneofthefollowing?a.Oneaccesslayerswitchportb.Oneaccesslayerswitchc.Oneswitchblockd.Theentirecampusnetwork11.Whichoneormoreofthefollowingarethecomponentsofatypicalswitchblock?a.Accesslayerswitchesb.Distributionlayerswitchesc.Corelayerswitchesd.E-commerceserverse.Serviceproviderswitches12.Whichofthefollowingarecommontypesofcore,orbackbone,designs?(Chooseallthatapply.)a.Collapsedcoreb.Loop-freecorec.Dualcored.Layeredcoree.Multinodecore13.Whatisthemaximumnumberofaccesslayerswitchesthatcanconnectintoasingledistributionlayerswitch?a.1b.2c.Limitedonlybythenumberofportsontheaccesslayerswitchd.Limitedonlybythenumberofportsonthedistributionlayerswitche.Unlimited



14.Aswitchblockshouldbesizedaccordingtowhichtwoofthefollowingparameters?(Chooseallthatapply.)a.Thenumberofaccesslayerusersb.Amaximumof250accesslayerusersc.Astudyofthetrafficpatternsandflowsd.Theamountofrackspaceavailablee.Thenumberofserversaccessedbyusers15.Whatevidencecanbeseenwhenaswitchblockistoolarge?(Chooseallthatapply.)a.IPaddressspaceisexhausted.b.Yourunoutofaccesslayerswitchports.c.Broadcasttrafficbecomesexcessive.d.Trafficisthrottledatthedistributionlayerswitches.e.Networkcongestionoccurs.16.Howmanydistributionswitchesshouldbebuiltintoeachswitchblock?a.1b.2c.4d.817.Whicharethemostimportantaspectstoconsiderwhendesigningthecorelayerinalargenetwork?(Chooseallthatapply.)a.Lowcostb.Switchesthatcanefficientlyforwardtraffic,evenwheneveryuplinkisat100percentcapacityc.Highportdensityofhigh-speedportsd.AlownumberofLayer3routingpeers



FoundationTopics

HierarchicalNetworkDesignAcampusnetworkisanenterprisenetworkconsistingofmanyLANsinoneormorebuildings,allconnectedandallusuallyinthesamegeographicarea.Acompanytypicallyownstheentirecampusnetworkandthephysicalwiring.CampusnetworkscommonlyconsistofwiredEthernetLANsandsharedwirelessLANs.Anunderstandingoftrafficflowisavitalpartofthecampusnetworkdesign.Youmightbeabletoleveragehigh-speedLANtechnologiesandthrowbandwidthatanetworktoimprovetrafficmovement.However,theemphasisshouldbeonprovidinganoveralldesignthatistunedtoknown,studied,orpredictedtrafficflows.Thenetworktrafficcanthenbeeffectivelymovedandmanaged,andyoucanscalethecampusnetworktosup-portfutureneeds.Asastartingpoint,considerthesimplenetworkshowninFigure1-1.AcollectionofPCs,printers,andserversareallconnectedtothesamenetworksegmentandusethe192.168.1.0subnet.Alldevicesonthisnetworksegmentmustsharetheavailableband-width.

192.168.1.0

Figure1-1SimpleSharedEthernetNetworkRecallthatiftwoormorehoststrytotransmitatthesametimeonasharednetwork,theirframeswillcollideandinterfere.Whencollisionsoccur,allhostsmustbecomesilentandwaittoretransmittheirdata.Theboundaryaroundsuchasharednetworkiscalledacollisiondomain.InFigure1-1,theentiresharedsegmentrepresentsonecollisiondomain.Anetworksegmentwithsixhostsmightnotseemcrowded.Supposethesegmentcon-tainshundredsofhostsinstead.Nowthenetworkmightnotperformverywellifmanyofthehostsarecompetingtousethesharedmedia.Throughnetworksegmentation,youcanreducethenumberofstationsonasegment.This,inturn,reducesthesizeofthecol-lisiondomainandlowerstheprobabilityofcollisionsbecausefewerstationswilltrytotransmitatagiventime.BroadcasttrafficcanalsopresentaperformanceproblemonaLayer2networkbecauseallbroadcastframesfloodtoreachallhostsonanetworksegment.Ifthesegmentislarge,thebroadcasttrafficcangrowinproportionandmonopolizetheavailableband-width.Inaddition,allhostsonthesegmentmustlistentoandprocesseverybroadcast



frame.Tocontainbroadcasttraffic,theideaistoprovideabarrierattheedgeofaLANsegmentsothatbroadcastscannotpassorbeforwardedoutward.TheextentofaLayer2network,whereabroadcastframecanreach,isknownasabroadcastdomain.Tolimitthesizeofacollisiondomain,youcanconnectsmallernumbersofhoststoindividualswitchinterfaces.Ideally,eachhostshouldconnecttoadedicatedswitchinterfacesothattheycanoperateinfull-duplexmode,preventingcollisionsaltogether.Switchinterfacesdonotpropagatecollisions,soeachinterfacebecomesitsowncollisiondomainevenifseveralinterfacesbelongtoacommonVLAN.Incontrast,whenbroadcasttrafficisforwarded,itisfloodedacrossswitchinterfaceboundaries.Infact,broadcastframeswillreacheveryswitchinterfaceinaVLAN.Inotherwords,aVLANdefinestheextentofabroadcastdomain.Toreducethesizeofabroadcastdomain,youcansegmentanetworkorbreakitupintosmallerLayer2VLANs.ThesmallerVLANsmustbeconnectedbyaLayer3device,suchasarouteroramultilayerswitch,asshowninFigure1-2.ThesimplenetworkofFigure1-1nowhastwosegmentsorVLANsinterconnectedbySwitchA,amultilayerswitch.ALayer3devicecannotpropagateacollisionconditionfromonesegmenttoanother,anditwillnotfor-wardbroadcastsbetweensegments.

VLAN1192.168.1.0

VLAN2192.168.2.0

SwitchAFigure1-2ExampleofNetworkSegmentationThenetworkmightcontinuetogrowasmoreusersanddevicesareaddedtoit.SwitchAhasalimitednumberofports,soitcannotdirectlyconnecttoeverydevice.Instead,thenetworksegmentscanbegrownbyaddinganewswitchtoeach,asshowninFigure1-3.

VLAN1192.168.1.0

SwitchA

VLAN2192.168.2.0

SwitchBSwitchCFigure1-3ExpandingaSegmentedNetwork



SwitchBaggregatestraffictoandfromVLAN1,whileSwitchCaggregatesVLAN2.Asthenetworkcontinuestogrow,moreVLANscanbeaddedtosupportadditionalapplica-tionsorusercommunities.Asanexample,Figure1-4showshowVoiceoverIP(VoIP)hasbeenimplementedbyplacingIPphonesintotwonewVLANs(10and20).ThesametwoaggregatingswitchescaneasilysupportthenewVLANs.

VLAN1192.168.1.0

VLAN10192.168.10.0

SwitchA

SwitchBSwitchC

VLAN2192.168.2.0

VLAN20192.168.20.0

KeyTopic

Figure1-4NetworkGrowthThroughNewVLANs

PredictableNetworkModelIdeally,youshoulddesignanetworkwithapredictablebehaviorinmindtoofferlowmaintenanceandhighavailability.Forexample,acampusnetworkneedstorecoverfromfailuresandtopologychangesquicklyandinapredeterminedmanner.Youshouldscalethenetworktoeasilysupportfutureexpansionsandupgrades.Withawidevarietyofmultiprotocolandmulticasttraffic,thenetworkshouldbecapableofefficientlyconnect-inguserswiththeresourcestheyneed,regardlessoflocation.Inotherwords,designthenetworkaroundtrafficflowsratherthanaparticulartypeoftraffic.Ideally,thenetworkshouldbearrangedsothatallendusersarelocatedataconsistentdistancefromtheresourcestheyneedtouse.Ifoneuseratonecornerofthenetworkpassesthroughtwoswitchestoreachanemailserver,anyotheruseratanyotherlocationinthenetworkshouldalsorequiretwoswitchhopsforemailservice.Ciscohasrefinedahierarchicalapproachtonetworkdesignthatenablesnetworkdesign-erstoorganizethenetworkintodistinctlayersofdevices.Theresultingnetworkiseffi-cient,intelligent,scalable,andeasilymanaged.Figure1-4canberedrawntoemphasizethehierarchythatisemerging.InFigure1-5,twolayersbecomeapparent:theaccesslayer,whereswitchesareplacedclosesttotheendusers;andthedistributionlayer,whereaccesslayerswitchesareaggregated.



Distribution

AccessAccess

Figure1-5Two-LayerNetworkHierarchyEmergesAsthenetworkcontinuestogrowwithmorebuildings,morefloors,andlargergroupsofusers,thenumberofaccessswitchesincreases.Asaresult,thenumberofdistributionswitchesincreases.Nowthingshavescaledtothepointwherethedistributionswitchesneedtobeaggregated.Thisisdonebyaddingathirdlayertothehierarchy,thecorelayer,asshowninFigure1-6.

Core

Distribution

Access

Access

Access

Access

Access

Access

Distribution

Access

Access

Figure1-6CoreLayerEmergesTrafficflowsinacampusnetworkcanbeclassifiedasthreetypes,basedonwherethenetworkserviceorresourceislocatedinrelationtotheenduser.Figure1-7illustratestheflowtypesbetweenaPCandsomefileservers,alongwiththreedifferentpathsthetraf-ficmighttakethroughthethreelayersofanetwork.Table1-2alsoliststhetypesandtheextentofthecampusnetworkthatiscrossedgoingfromanyusertotheservice.


eriseptrEnotemRelcaLoDistribution


Core

Distribution

Access

Access

Access

Access

Access

Access

Access

Access

Figure1-7TrafficFlowPathsThroughaNetworkHierarchy

Table1-2TypesofNetworkServicesServiceTypeLocationofServiceExtentofTrafficFlowLocalSamesegment/VLANasuserAccesslayeronlyRemoteDifferentsegment/VLANasuserAccesstodistributionlayersEnterpriseCentraltoallcampususersAccesstodistributiontocorelayers

Noticehoweasilythetrafficpathscanbedescribed.Regardlessofwheretheuserislocated,thetrafficpathalwaysbeginsattheaccesslayerandprogressesintothedistri-butionandperhapsintothecorelayers.Evenapathbetweentwousersatoppositeendsofthenetworkbecomesaconsistentandpredictableaccess>distribution>core>distri-bution>accesslayer.Eachlayerhasattributesthatprovidebothphysicalandlogicalnetworkfunctionsattheappropriatepointinthecampusnetwork.Understandingeachlayeranditsfunctionsorlimitationsisimportanttoproperlyapplythelayerinthedesignprocess.



KeyTopic

KeyTopic

KeyTopic

AccessLayerTheaccesslayerexistswheretheendusersareconnectedtothenetwork.Accessswitch-esusuallyprovideLayer2(VLAN)connectivitybetweenusers.Devicesinthislayer,sometimescalledbuildingaccessswitches,shouldhavethefollowingcapabilities:

LowcostperswitchportHighportdensityScalableuplinkstohigherlayersHighavailabilityAbilitytoconvergenetworkservices(thatis,data,voice,video)Securityfeaturesandqualityofservice(QoS)

DistributionLayerThedistributionlayerprovidesinterconnectionbetweenthecampusnetworksaccessandcorelayers.Devicesinthislayer,sometimescalledbuildingdistributionswitches,shouldhavethefollowingcapabilities:

AggregationofmultipleaccesslayerswitchesHighLayer3routingthroughputforpackethandlingSecurityandpolicy-basedconnectivityfunctionsQoSfeaturesScalableandredundanthigh-speedlinkstothecoreandaccesslayersInthedistributionlayer,uplinksfromallaccesslayerdevicesareaggregated,orcometogether.Thedistributionlayerswitchesmustbecapableofprocessingthetotalvolumeoftrafficfromalltheconnecteddevices.Theseswitchesshouldhaveahighportdensityofhigh-speedlinkstosupportthecollectionofaccesslayerswitches.VLANsandbroadcastdomainsconvergeatthedistributionlayer,requiringrouting,filter-ing,andsecurity.Theswitchesatthislayeralsomustbecapableofroutingpacketswithhighthroughput.NoticethatthedistributionlayerusuallyisaLayer3boundary,whereroutingmeetstheVLANsoftheaccesslayer.

CoreLayerAcampusnetworkscorelayerprovidesconnectivitybetweenalldistributionlayerdevic-es.Thecore,sometimesreferredtoasthebackbone,mustbecapableofswitchingtrafficasefficientlyaspossible.Coreswitchesshouldhavethefollowingattributes:

VeryhighLayer3routingthroughputNocostlyorunnecessarypacketmanipulations(accesslists,packetfiltering)



RedundancyandresilienceforhighavailabilityAdvancedQoSfunctionsDevicesinacampusnetworkscorelayerorbackboneshouldbeoptimizedforhigh-per-formanceswitching.Becausethecorelayermusthandlelargeamountsofcampus-widedata,thecorelayershouldbedesignedwithsimplicityandefficiencyinmind.Althoughcampusnetworkdesignispresentedasathree-layerapproach(access,distri-bution,andcorelayers),thehierarchycanbecollapsedorsimplifiedincertaincases.Forexample,smallormedium-sizecampusnetworksmightnothavethesizeorvolumerequirementsthatwouldrequirethefunctionsofallthreelayers.Inthatcase,youcouldcombinethedistributionandcorelayersforsimplicityandcostsavings.Whenthedis-tributionandcorelayersarecombinedintoasinglelayerofswitches,acollapsedcorenetworkresults.

ModularNetworkDesignDesigninganewnetworkthathasahierarchywiththreelayersisfairlystraightforward.Youcanalsomigrateanexistingnetworkintoahierarchicaldesign.Theresultingnet-workisorganized,efficient,andpredictable.However,asimplehierarchicaldesigndoesnotaddressotherbestpracticeslikeredundancy,inthecasewhereaswitchoralinkfails,orscalability,whenlargeadditionstothenetworkneedtobeadded.ConsiderthehierarchicalnetworkshownintheleftportionofFigure1-8.Eachlayerofthenetworkisconnectedtotheadjacentlayerbysinglelinks.Ifalinkfails,asignificantportionofthenetworkwillbecomeisolated.Inaddition,theaccesslayerswitchesareaggregatedintoasingledistributionlayerswitch.Ifthatswitchfails,alltheuserswillbecomeisolated.

Core

Distribution

Access

Core

Distribution

Access

SwitchBlockFigure1-8ImprovingAvailabilityintheDistributionandAccessLayers



Tomitigateapotentialdistributionswitchfailure,youcanaddasecond,redundantdis-tributionswitch.Tomitigateapotentiallinkfailure,youcanaddredundantlinksfromeachaccesslayerswitchtoeachdistributionswitch.TheseimprovementsareshownontherightinFigure1-8.OneweaknessisstillpresentintheredundantdesignofFigure1-8:Thecorelayerhasonlyoneswitch.Ifthatcoreswitchfails,usersintheaccesslayerwillstillbeabletocommunicatewitheachother.However,theywillnotbeabletoreachotherareasofthenetwork,suchasadatacenter,theInternet,andsoon.Tomitigatetheeffectsofacoreswitchfailure,youcanaddasecond,redundantcoreswitch,asshowninFigure1-9.Redundantlinksshouldalsobeaddedbetweeneachdistributionlayerswitchandeachcorelayerswitch.

Core

Distribution

Access

SwitchBlock

Figure1-9FullyRedundantHierarchicalNetworkDesignTheredundancyneededforthesmallnetworkshowninFigure1-9isfairlystraight-forward.Asthenetworkgrowsandmoreredundantswitchesandredundantlinksareaddedintothedesign,thedesigncanbecomeconfusing.Forexample,supposemanymoreaccesslayerswitchesneedtobeaddedtothenetworkofFigure1-9becausesev-eraldepartmentsofusershavemovedintothebuildingorintoanadjacentbuilding.Shouldthenewaccesslayerswitchesbedual-connectedintothesametwodistributionswitches?Shouldnewdistributionswitchesbeadded,too?Ifso,shouldeachofthedis-tributionswitchesbeconnectedtoeveryotherdistributionandeveryothercoreswitch,creatingafullymeshednetwork?Figure1-10showsonepossiblenetworkdesignthatmightresult.Withsomanyintercon-nectinglinksbetweenswitches,itbecomesabrain-busterexercisetofigureoutwhereVLANsaretrunked,whatthespanning-treetopologieslooklike,whichlinksshouldhaveLayer3connectivity,andsoon.Usersmighthaveconnectivitythroughthisnetwork,but



itmightnotbeclearhowtheyareactuallyworkingorwhathasgonewrongiftheyarenotworking.Thisnetworklooksmorelikeaspiderswebthananorganized,streamlineddesign.

Core

Distribution

Access

NewUsersNewUsersSwitchBlockFigure1-10NetworkGrowthinaDisorganizedFashionTomaintainorganization,simplicity,andpredictability,youcandesignacampusnetworkinalogicalmanner,usingamodularapproach.Inthisapproach,eachlayerofthehierar-chicalnetworkmodelcanbebrokenintobasicfunctionalunits.Theseunits,ormodules,canthenbesizedappropriatelyandconnected,whileallowingforfuturescalabilityandexpansion.Youcandivideenterprisecampusnetworksintothefollowingbasicelementsorbuildingblocks:

Switchblock:Agroupofaccesslayerswitches,togetherwiththeirdistributionswitches.Thisisalsocalledanaccessdistributionblock,namedforthetwoswitchlayersthatitcontains.ThedashedrectangleinFigures1-8through1-10representtypicalswitchblocks.Core:Thecampusnetworksbackbone,whichconnectsallswitchblocks.

KeyTopic

Otherrelatedelementscanexist.Althoughtheseelementsdonotcontributetothecam-pusnetworksoverallfunction,theycanbedesignedseparatelyandaddedtothenetworkdesign.Forexample,adatacentercontainingenterpriseresourcesorservicescanhaveitsownaccessanddistributionlayerswitches,formingaswitchblockthatconnectsintothecorelayer.Infact,ifthedatacenterisverylarge,itmighthaveitsowncoreswitches,too,whichconnectintothenormalcampuscore.Recallhowacampusnetworkisdividedintoaccess,distribution,andcorelayers.Theswitchblockcontainsswitchingdevicesfromtheaccessanddistributionlayers.Theswitchblockthenconnectsintothecorelayer,providingend-to-endconnectivityacrossthecampus.Asthenetworkgrows,youcan



addnewaccesslayerswitchesbyconnectingthemintoanexistingpairofdistributionswitches,asshowninFigure1-11.Youcouldalsoaddacompletelynewaccessdistribu-tionswitchblockthatcontainstheareasofnewgrowth,asshowninFigure1-12.

Core

Distribution

Access

SwitchBlock

Figure1-11NetworkGrowthbyAddingAccessSwitchestoaSwitchBlock

Core

Distribution

Access

SwitchBlockSwitchBlockSwitchBlockFigure1-12NetworkGrowthbyAddingNewSwitchBlocks

SizingaSwitchBlockContainingaccessanddistributionlayerdevices,theswitchblockissimpleinconcept.Youshouldconsiderseveralfactors,however,todetermineanappropriatesizefortheswitchblock.Therangeofavailableswitchdevicesmakestheswitchblocksizeveryflex-ible.Attheaccesslayer,switchselectionisusuallybasedonportdensityorthenumberofconnectedusers.



Thedistributionlayermustbesizedaccordingtothenumberofaccesslayerswitchesthatareaggregatedorbroughtintoadistributiondevice.Considerthefollowingfactors:

TraffictypesandpatternsAmountofLayer3switchingcapacityatthedistributionlayerTotalnumberofusersconnectedtotheaccesslayerswitchesGeographicboundariesofsubnetsorVLANsDesigningaswitchblockbasedsolelyonthenumberofusersorstationscontainedwithintheblockisusuallyinaccurate.Usually,nomorethan2000usersshouldbeplacedwithinasingleswitchblock.Althoughthisisusefulforinitiallyestimatingaswitchblockssize,thisideadoesnttakeintoaccountthemanydynamicprocessesthatoccuronafunctioningnetwork.Instead,switchblocksizeshouldbebasedprimarilyonthefollowing:

TraffictypesandbehaviorSizeandnumberofcommonworkgroupsBecauseofthedynamicnatureofnetworks,youcansizeaswitchblocktoolargetohan-dletheloadthatisplacedonit.Also,thenumberofusersandapplicationsonanetworktendstogrowovertime.Aprovisiontobreakupordownsizeaswitchblockmightbenecessaryastimepasses.Again,basethesedecisionsontheactualtrafficflowsandpat-ternspresentintheswitchblock.Youcanestimate,model,ormeasuretheseparameterswithnetwork-analysisapplicationsandtools.

NoteTheactualnetwork-analysisprocessisbeyondthescopeofthisbook.Trafficesti-mation,modeling,andmeasurementarecomplexprocedures,eachrequiringitsowndedi-catedanalysistool.

Generally,aswitchblockistoolargeifthefollowingconditionsareobserved:

Therouters(multilayerswitches)atthedistributionlayerbecometrafficbottlenecks.Thiscongestioncouldbebecauseofthevolumeofinter-VLANtraffic,intensiveCPUprocessing,orswitchingtimesrequiredbypolicyorsecurityfunctions(accesslists,queuing,andsoon).Broadcastormulticasttrafficslowstheswitchesintheswitchblock.Broadcastandmulticasttrafficmustbereplicatedandforwardedoutmanyportssimultaneously.Thisprocessrequiressomeoverheadinthemultilayerswitch,whichcanbecometoogreatifsignificanttrafficvolumesarepresent.



KeyTopic

SwitchBlockRedundancyInanynetworkdesign,thepotentialalwaysexistsforsomecomponenttofail.Forexample,ifanelectricalcircuitbreakeristrippedorshutsoff,aswitchmightlosepower.Abetterdesignistouseaswitchthathastwoindependentpowersupplies.Eachpowersupplycouldbeconnectedtotwopowersourcessothatonesourceisalwayslikelytobeavailabletopowertheswitch.Inasimilarmanner,asingleswitchmighthaveaninternalproblemthatcausesittofail.Asinglelinkmightgodownbecauseamediamodulefails,afiber-opticcablegetscut,andsoon.Todesignamoreresilientnetwork,youcanimple-mentmostofthecomponentsinredundantpairs.Aswitchblockconsistsoftwodistributionswitchesthataggregateoneormoreaccesslayerswitches.Eachaccesslayerswitchshouldhaveapairofuplinksoneconnectingtoeachdistributionswitch.Thephysicalcablingiseasytodraw,butthelogicalconnectiv-ityisnotalwaysobvious.Forexample,Figure1-13showsaswitchblockthathasasingleVLANAthatspansmultipleaccessswitches.Youmightfindthiswherethereareseveralseparatephysicalswitchchassisinanaccesslayerroom,orwheretwonearbycommu-nicationsroomsshareacommonVLAN.NoticefromtheshadinghowthesingleVLANspansacrosseveryswitch(bothaccessanddistribution)andacrosseverylinkconnectingtheswitches.ThisisnecessaryfortheVLANtobepresentonbothaccessswitchesandtohaveredundantuplinksforhighavailability.

ToCoreLayer

Layer3

DistributionLayer2Links

Layer2

Access

VLANA

VLANB

SwitchBlock

Figure1-13ARedundantSwitchBlockDesignAlthoughthisdesignworks,itisnotoptimal.VLANAmustbecarriedovereverypos-siblelinkwithintheblocktospanbothaccessswitches.BothdistributionswitchesmustalsosupportVLANAbecausetheyprovidetheLayer3routerfunctionforallhostson



theVLAN.Thetwodistributionswitchescanuseoneofseveralredundantgatewaypro-tocolstoprovideanactiveIPgatewayandastandbygatewayatalltimes.Theseproto-colsrequireLayer2connectivitybetweenthedistributionswitchesandarediscussedinChapter18,Layer3HighAvailability.Noticehowtheshadedlinksconnecttoformtwotriangularloops.Layer2networkscannotremainstableorusableifloopsareallowedtoform,sosomemechanismmustbeusedtodetecttheloopsandkeepthetopologyloopfree.Inaddition,theloopedtopologymakestheentireswitchblockasinglefailuredomain.IfahostinVLANAmisbehavesorgeneratesatremendousamountofbroadcasttraffic,alltheswitchesandlinksintheswitchblockcouldbenegativelyimpacted.AbetterdesignworkstowardkeepingtheswitchblockinherentlyfreeofLayer2loops.AsFigure1-14shows,aloop-freeswitchblockrequiresauniqueVLANoneachaccessswitch.Inotherwords,VLANsarenotpermittedtospanacrossmultipleaccessswitches.TheextentofeachVLAN,asshownbytheshadedareas,becomesaVshaperatherthanaclosedtriangularloop.

ToCoreLayer

Layer3

Distribution

Layer3Link

Layer2Links

Layer2

Access

VLANA

VLANB

KeyTopic

SwitchBlock

Figure1-14BestPracticeLoop-FreeSwitchBlockTopologyTheboundarybetweenLayers2and3remainsthesame.AllLayer2connectivityiscon-tainedwithintheaccesslayer,andthedistributionlayerhasonlyLayer3links.WithoutanypotentialLayer2loops,theswitchblockcanbecomemuchmorestableandmuchlessreliantonanymechanismstodetectandpreventloops.Also,becauseeachaccessswitchhastwodedicatedpathsintothedistributionlayer,bothlinkscanbefullyutilizedwithtrafficloadbalancedacrossthem.Inturn,eachLayer3distributionswitchcanloadbalancetrafficoveritsredundantlinksintothecorelayerusingroutingprotocols.



ItisalsopossibletopushtheLayer3boundaryfromthedistributionlayerdownintotheaccesslayer,aslongastheaccessswitchescansupportroutingfunctions.Figure1-15illustratesthisdesign.BecauseLayer3linksareusedthroughouttheswitchblock,net-workstabilityisofferedthroughthefastconvergenceofroutingprotocolsandupdates.Routingcanalsoloadbalancepacketsacrosstheredundantuplinks,makingfulluseofeveryavailablelinkbetweenthenetworklayers.

ToCoreLayer

Distribution

Layer3Link

Layer3

Layer3Links

Access

Layer2

VLANA

VLANB

SwitchBlock

Figure1-15ACompletelyRoutedSwitchBlockYoushouldbecomefamiliarwithafewbestpracticesthatcanhelpwitharedundanthier-archicalnetworkdesign:

Designeachlayerwithpairsofswitches.Connecteachswitchtothenexthigherlayerwithtwolinksforredundancy.Connecteachpairofdistributionswitcheswithalink,butdonotconnecttheaccesslayerswitchestoeachother(unlesstheaccessswitchessupportsomeothermeanstofunctionasonelogicalstackorchassis).DonotextendVLANsbeyonddistributionswitches.ThedistributionlayershouldalwaysbetheboundaryofVLANs,subnets,andbroadcasts.AlthoughLayer2switchescanextendVLANstootherswitchesandotherlayersofthehierarchy,thisactivityisdiscouraged.VLANtrafficshouldnottraversethenetworkcore.

NetworkCoreAcorelayerisrequiredtoconnecttwoormoreswitchblocksinacampusnetwork.Becausealltrafficpassingtoandfromallswitchblocksmustcrossthecore,thecore


KeyTopic


layermustbeasefficientandresilientaspossible.Thecoreisthecampusnetworksbasicfoundationandcarriesmuchmoretrafficthananyotherswitchblock.RecallthatboththedistributionandcorelayersprovideLayer3functionality.Preferably,thelinksbetweendistributionandcorelayerswitchesshouldbeLayer3routedinterfac-es.YoucanalsouseLayer2linksthatcarryasmallVLANboundedbythetwoswitches.Inthelattercase,aLayer3switchvirtualinterface(SVI)isusedtoprovideroutingwithineachsmallVLAN.Thelinksbetweenlayersshouldbedesignedtocarrytheamountoftrafficloadhandledbythedistributionswitches,ataminimum.Thelinksbetweencoreswitchesshouldbeofsufficientsizetocarrytheaggregateamountoftrafficcomingintooneofthecoreswitches.Considertheaveragelinkutilization,butallowforfuturegrowth.AnEthernetcoreallowssimpleandscalableupgradesofmagnitude;considertheprogressionfromGigabitEthernetto10-GigabitEthernet(10GE),andsoon.Acoreshouldconsistoftwomultilayerswitchesthatconnecttwoormoreswitchblocksinaredundantfashion.Aredundantcoreissometimescalledadualcorebecauseitisusuallybuiltfromtwoidenticalswitches.Figure1-16illustratesthecore.Noticethatthiscoreappearsasanindependentmoduleandisnotmergedintoanyotherblockorlayer.

Core

Distribution

Access

SwitchBlock

SwitchBlock

Figure1-16ARedundantCoreLayerRedundantlinksconnecteachswitchblocksdistributionlayerportiontoeachofthedualcoreswitches.Thetwocoreswitchesconnectbyacommonlink.Witharedundantcore,eachdistributionswitchhastwoequal-costpathsintothecore,allowingtheavailablebandwidthofbothpathstobeusedsimultaneously.Bothpaths



remainactivebecausethedistributionandcorelayersuseLayer3devicesthatcanman-ageequal-costpathsinroutingtables.Theroutingprotocolinusedeterminestheavail-abilityorlossofaneighboringLayer3device.Ifoneswitchfails,theroutingprotocolreroutestrafficusinganalternativepaththroughtheremainingredundantswitch.

.Ifthecampusnetworkcontinuestogrowtothepointthatitspanstwolargebuildingsortwolargelocations,thecorelayercanbereplicated,asshowninFigure1-17Noticehowthetwo-noderedundantcorehasbeenexpandedtoincludefourcoreswitches.Thisisknownasamultinodecore.Eachofthefourcoreswitchesisconnectedtotheothercoreswitchestoformafullymeshedcorelayer.

SwitchBlock

SwitchBlock

Access

Distribution

Multi-NodeCore

Distribution

Access

SwitchBlock

SwitchBlock

Figure1-17UsingaMulti-NodeCoreinaVeryLargeCampusNetwork



Eventhoughthemultinodecoreisfullymeshed,thecampusnetworkisstilldividedacrossthetwopairsofcoreswitches.Eachswitchblockhasredundantconnectionstoonlyonecorepairnottoallofthecoreswitches.

CollapsedCoreShouldallnetworkshaveadistinctredundantcorelayer?Perhapsnot,insmallercampusnet-works,wherethecostandscalabilityofaseparatecorelayerisnotwarranted.Acollapsedcoreblockisoneinwhichthehierarchyscorelayeriscollapsedintothedistributionlayer.Here,bothdistributionandcorefunctionsareprovidedwithinthesameswitchdevices.Figure1-18showsthebasiccollapsedcoredesign.Althoughthedistributionandcorelayerfunctionsareperformedinthesamedevice,keepingthesefunctionsdistinctandproperlydesignedisimportant.Notealsothatthecollapsedcoreisnotanindependentbuildingblockbutisintegratedintothedistributionlayeroftheindividualstandaloneswitchblocks.

SwitchBlock

Access

Distribution

CollapsedCore

Distribution

Access

SwitchBlock

Figure1-18ACollapsedCoreNetworkDesignInthecollapsedcoredesign,eachaccesslayerswitchhasaredundantlinktoeachdistribu-tionlayerswitch.AllLayer3subnetspresentintheaccesslayerterminateatthedistribution



switchesLayer3ports,asinthebasicswitchblockdesign.Thedistributionswitchescon-necttoeachotherwithredundantlinks,completingapathtouseduringafailure.

CoreSizeinaCampusNetworkThecorelayerismadeupofredundantswitchesandisboundedandisolatedbyLayer3devices.Routingprotocolsdeterminepathsandmaintainthecoresoperation.Aswithanynetwork,youmustpaysomeattentiontotheoveralldesignoftheroutersandrout-ingprotocolsinthenetwork.Becauseroutingprotocolspropagateupdatesthroughoutthenetwork,networktopologiesmightbeundergoingchange.Thenetworkssize(thenumberofrouters)thenaffectsroutingprotocolperformanceasupdatesareexchangedandnetworkconvergencetakesplace.AlthoughthenetworkshownpreviouslyinFigure1-16mightlooksmall,withonlytwoswitchblocksoftwoLayer3switches(routeprocessorswithinthedistributionlayerswitches)each,largecampusnetworkscanhavemanyswitchblocksconnectedintothecore.Ifyouthinkofeachmultilayerswitchasarouter,youwillrecallthateachrouteprocessormustcommunicatewithandkeepinformationabouteachofitsdirectlycon-nectedpeers.Mostroutingprotocolshavepracticallimitsonthenumberofpeerrout-ersthatcanbedirectlyconnectedonapoint-to-pointormultiaccesslink.Inanetworkwithalargenumberofswitchblocks,thenumberofconnectedrouterscangrowquitelarge.Shouldyoubeconcernedaboutacoreswitchpeeringwithtoomanydistributionswitches?No,becausetheactualnumberofdirectlyconnectedpeersisquitesmall,regardlessofthecampusnetworksize.AccesslayerVLANsterminateatthedistributionlayerswitches(unlesstheaccesslayerisconfiguredforLayer3operation).Theonlypeeringroutersatthatboundaryarepairsofdistributionswitches,eachprovidingroutingredundancyforeachoftheaccesslayerVLANsubnets.Atthedistributionandcoreboundary,eachdistributionswitchconnectstoonlytwocoreswitchesoverLayer3switchinterfaces.Therefore,onlypairsofrouterpeersareformed.Whenmultilayerswitchesareusedinthedistributionandcorelayers,theroutingproto-colsrunninginbothlayersregardeachpairofredundantlinksbetweenlayersasequal-costpaths.Trafficisroutedacrossbothlinksinaload-sharingfashion,utilizingtheband-widthofboth.Onefinalcorelayerdesignpointistoscalethecoreswitchestomatchtheincomingload.Ataminimum,eachcoreswitchmusthandleswitchingeachofitsincomingdistributionlinksat100percentcapacity.

CiscoProductsinaHierarchicalNetworkDesignBeforedelvingintothedesignpracticesneededtobuildahierarchicalcampusnetwork,youshouldhavesomeideaoftheactualdevicesthatyoucanplaceateachlayer.Ciscohasswitchingproductstailoredforlayerfunctionalityandforthesizeofthecampusnetwork.Forthepurposesofthisdiscussion,alargecampuscanbeconsideredtospanacrossmanybuildings.Amediumcampusmightmakeuseofoneorseveralbuildings,andasmallcampusmighthaveonlyasinglebuilding.



ChooseyourCiscoproductsbasedonthefunctionalitythatisexpectedateachlayerofasmall,medium,orlargecampus.Donotgetlostinthedetailsofthetables.Rather,trytounderstandwhichswitchfitsintowhichlayerforagivennetworksize.Intheaccesslayer,highportdensity,PoweroverEthernet(PoE),andlowcostareusu-allydesirable.TheCatalyst2960-X,3650,and3850switchesprovide48portseach.Likeswitchmodelscanbeconnectedtoformasinglelogicalswitchwhenagreaternumberofportsisneeded.TheCatalyst4500Eisasingle-switchchassisthatcanbepopulatedwithavarietyoflinecards.Italsooffersachoiceofredundantsupervisormodulesthatofferredundancyandeventheabilitytoperformsoftwareupgradeswithnoimpacttotheproductionnetwork.Table1-3describessomeCiscoswitchplatformsthatarecommonlyusedintheaccesslayer.

Table1-3CommonAccessLayerSwitchPlatforms

CatalystMaxPort

UplinksMax

Other

Model

Density

BackplaneFeatures

2960-X384(Upto848-portswitchesinastack)3650432(Upto948-portswitchesinastack)

3850432(Upto948-portswitchesinastack)

4500E384(Upto848-portmodulesperchassis)

210GEor41GigabitEthernetperswitch2GigabitEthernetor410GE

4GigabitEthernet,410GE

Upto12-port10GEpermodule

80GbpsRIP,OSPFavailableforroutedaccesslayer;PoE+160GbpsFull-featuredroutingavailable,integratedwirelesscontroller,PoE+480GbpsFull-featuredroutingavailable,integratedwirelesscontroller,PoE+,UPoE928GbpsDualsupervisors,full-featuredroutingavailable,integratedwirelesscontroller,PoE+,UPoE



Thedistributionandcorelayersareverysimilarinfunctionandswitchingfeatures.Generally,theselayersrequirehighLayer3switchingthroughputandahighdensityofhigh-bandwidthopticalmedia.CiscoofferstheCatalyst3750-X,4500-X,4500E,and6800,assummarizedinTable1-4.

Table1-4CommonDistributionandCoreLayerSwitchPlatforms

CatalystMaxPort

Max

OtherFeatures

Model

Density

Backplane

4500-X8010GE1.6TbpsDual-chassisVirtualSwitchingSystem(VSS)redundancy

4500E9610GEor384GigabitEthernet

928GbpsDualsupervisors

6807-XL4040Gbps,160GigabitEthernet,480GigabitEthernet

22.8TbpsDualsupervisor,dual-chassisVSSredundancy


KeyTopic


ExamPreparationTasks

ReviewAllKeyTopicsReviewthemostimportanttopicsinthechapter,notedwiththeKeyTopiciconintheoutermarginofthepage.Table1-5listsareferenceofthesekeytopicsandthepagenum-bersonwhicheachisfound.

Table1-5KeyTopicsforChapter1KeyTopicElementDescriptionPageNumber

ParagraphDescribestheCiscohierarchicalnetworkdesign

9

principlesParagraphDescribestheaccesslayer12ParagraphDescribesthedistributionlayer12ParagraphDescribesthecorelayer12

ParagraphExplainsmodularnetworkdesignusingswitchblocksParagraphDiscussesthepitfallsoflettingVLANsspanaccess

15

18

layerswitchesParagraphDiscussestwobestpracticedesignsforswitchblock19redundancyParagraphExplainsaredundantcoredesign21

CompleteTablesandListsfromMemoryTherearenomemorytablesinthischapter.

DefineKeyTermsDefinethefollowingkeytermsfromthischapter,andcheckyouranswersintheglossary:hierarchicalnetworkdesign,accesslayer,distributionlayer,corelayer,switchblock,collapsedcore,dualcore


ThischaptercoversthefollowingtopicsthatyouneedtomasterfortheCCNPSWITCHexam:

Layer2SwitchOperation:ThissectiondescribesthefunctionalityofaswitchthatforwardsEthernetframes.MultilayerSwitchOperation:ThissectiondescribesthemechanismsthatforwardpacketsatOSILayers3and4.TablesUsedinSwitching:Thissectionexplainshowtablesofinformationandcomputationareusedtomakeswitchingdecisions.Coveragefocusesonthecontent-addressablememorytableinvolvedinLayer2forwarding,andtheternarycontent-address-ablememoryusedinpacket-handlingdecisionsatLayers2through4.ManagingSwitchingTables:ThissectionreviewstheCatalystcommandsthatyoucanusetoconfig-ureandmonitortheswitchingtablesandmemory.Youwillfindthesecommandsusefulwhentrouble-shootingortracingthesourcesofdataorproblemsinaswitchednetwork.


CHAPTER2

SwitchOperation

TohaveagoodunderstandingofthemanyfeaturesthatyoucanconfigureonaCatalystswitch,youfirstshouldunderstandthefundamentalsoftheswitchingfunction.Thischapterservesasaprimer,describinghowanEthernetswitchworks.ItpresentsLayer2forwarding,alongwiththehardwarefunctionsthatmakeforwardingpossible.Multilayerswitchingisalsoexplained.AconsiderableportionofthechapterdealswiththememoryarchitecturethatperformsswitchingatLayers3and4bothflexiblyandeffi-ciently.Thischapteralsoprovidesabriefoverviewofusefulswitchingtablemanagementcommands.

DoIKnowThisAlready?QuizTheDoIKnowThisAlready?quizallowsyoutoassesswhetheryoushouldreadthisentirechapterthoroughlyorjumptotheExamPreparationTaskssection.Ifyouareindoubtbasedonyouranswerstothesequestionsoryourownassessmentofyourknowl-edgeofthetopics,readtheentirechapter.Table2-1outlinesthemajorheadingsinthischapterandtheDoIKnowThisAlready?quizquestionsthatgowiththem.YoucanfindtheanswersinAppendixA,AnswerstotheDoIKnowThisAlready?Quizzes.

Table2-1DoIKnowThisAlready?FoundationTopicsSection-to-QuestionMappingFoundationTopicsSectionQuestionsCoveredinThisSectionLayer2SwitchOperation15MultilayerSwitchOperation69SwitchingTables1011TroubleshootingSwitchingTables12

1.Whichofthefollowingdevicesperformstransparentbridging?a.Ethernethubb.Layer2switchc.Layer3switchd.Router



2.WhenaPCisconnectedtoaLayer2switchport,howfardoesthecollisiondomainspread?a.Nocollisiondomainexists.b.Oneswitchport.c.OneVLAN.d.Allportsontheswitch.3.WhatinformationisusedtoforwardframesinaLayer2switch?a.SourceMACaddressb.DestinationMACaddressc.Sourceswitchportd.IPaddresses4.WhatdoesaswitchdoifaMACaddresscannotbefoundintheCAMtable?a.Theframeisforwardedtothedefaultport.b.TheswitchgeneratesanARPrequestfortheaddress.c.Theswitchfloodstheframeoutallports(exceptthereceivingport).d.Theswitchdropstheframe.5.InaCatalystswitch,framescanbefilteredwithaccesslistsforsecurityandQoSpurposes.Thisfilteringoccursaccordingtowhichofthefollowing?a.BeforeaCAMtablelookupb.AfteraCAMtablelookupc.SimultaneouslywithaCAMtablelookupd.Accordingtohowtheaccesslistsareconfigured6.Accesslistcontentscanbemergedintowhichofthefollowing?a.CAMtableb.TCAMtablec.FIBtabled.ARPtable7.MultilayerswitchesusingCEFarebasedonwhichofthesetechniques?a.Routecachingb.NetFlowswitchingc.Topology-basedswitchingd.Demand-basedswitching


Chapter2:SwitchOperation31

8.WhichanswerdescribesmultilayerswitchingwithCEF?a.Thefirstpacketisroutedandthentheflowiscached.b.TheswitchsupervisorCPUforwardseachpacket.c.Theswitchinghardwarelearnsstationaddressesandbuildsaroutingdatabase.d.Asingledatabaseofroutinginformationisbuiltfortheswitchinghardware.9.Inaswitch,framesareplacedinwhichbufferafterforwardingdecisionsaremade?a.Ingressqueuesb.Egressqueuesc.CAMtabled.TCAM10.WhatsizearethemaskandpatternfieldsinaTCAMentry?a.64bitsb.128bitsc.134bitsd.168bits11.AccesslistrulesarecompiledasTCAMentries.Whenapacketismatchedagainstanaccesslist,inwhatorderaretheTCAMentriesevaluated?a.Sequentiallyintheorderoftheoriginalaccesslist.b.Numericallybytheaccesslistnumber.c.Alphabeticallybytheaccesslistname.d.Allentriesareevaluatedinparallel.12.WhichCatalystIOScommandcanyouusetodisplaytheaddressesintheCAMtable?a.showcamb.showmacaddress-tablec.showmacd.showcamaddress-table



FoundationTopics

Layer2SwitchOperationConsiderasimplenetworkthatisbuiltaroundmanyhoststhatallsharethesameavail-ablebandwidth.ThisisknownasasharedmedianetworkandwasusedinearlylegacyLANsmadeupofEthernethubs.Thecarriersensemultipleaccesscollisiondetect(CSMA/CD)schemedetermineswhenadevicecantransmitdataonthesharedLAN.

KeyTopic

Whenmorethanonehosttriestotalkatonetime,acollisionoccurs,andeveryonemustbackoffandwaittotalkagain.Thisforceseveryhosttooperateinhalf-duplexmode,byeithertalkingorlisteningatanygiventime.Inaddition,whenonehostsendsaframe,

allconnectedhostshearit.Whenonehostgeneratesaframewitherrors,everyonehearsthat,too.ThistypeofLANisacollisiondomainbecausealldevicetransmissionsaresusceptibletocollisions.AnEthernetswitchoperatesatOSILayer2,makingdecisionsaboutforwardingframesbasedonthedestinationMACaddressesfoundwithintheframes.ThismeansthattheEthernetmediaisnolongersharedamongconnecteddevices.Instead,atitsmostbasiclevel,anEthernetswitchprovidesisolationbetweenconnectedhostsinseveralways:

Thecollisiondomainsscopeisseverelylimited.Oneachswitchport,thecollisiondomainconsistsoftheswitchportitselfandthedevicesdirectlyconnectedtothatporteitherasinglehostor,ifashared-mediahubisconnected,thesetofhostsconnectedtothehub.Hostconnectionscanoperateinfull-duplexmodebecausethereisnocontentiononthemedia.Hostscantalkandlistenatthesametime.Bandwidthisnolongershared.Instead,eachswitchportoffersdedicatedbandwidthacrossaswitchingfabrictoanotherswitchport.(Theseframeforwardingpathschangedynamically.)Errorsinframesarenotpropagated.Eachframereceivedonaswitchportischeckedforerrors.Goodframesareregeneratedwhentheyareforwardedortransmitted.Thisisknownasstore-and-forwardswitchingtechnology:Packetsarereceived,storedforinspection,andthenforwarded.Youcanlimitbroadcasttraffictoavolumethreshold.Othertypesofintelligentfilteringorforwardingbecomepossible.

TransparentBridgingALayer2switchisbasicallyamultiporttransparentbridge,whereeachswitchportisitsownEthernetLANsegment,isolatedfromtheothers.Frameforwardingisbasedcom-pletelyontheMACaddressescontainedineachframe,suchthattheswitchwillnotfor-wardaframeunlessitknowsthedestinationslocation.(Whentheswitchdoesnotknow



wherethedestinationis,itmakessomesafeassumptions.)Figure2-1showstheprogres-sionfromatwo-porttoamultiporttransparentbridge,andthentoaLayer2switch.

ForwardingTable

4Multiport1

TransparentBridge

1

2

3

Bridge

1

2

34VLANX5

6

78VLANY...

2

5

6

7

8

9

10

11

1213

14

15

16

0000.1111.1111:port20000.2222.2222:port10000.3333.3333:port10000.4444.4444:port2Broadcast:allports

ForwardingTable0000.1111.1111:port40000.2222.2222:port60000.3333.3333:port10000.4444.4444:port20000.5555.5555:port80000.6666.6666:port50000.7777.7777:port30000.8888.8888:port7Broadcast:allports

ForwardingTable0000.1111.1111:port11,vlanX0000.2222.2222:port6,vlanY0000.3333.3333:port1,vlanX0000.4444.4444:port9,vlanX0000.5555.5555:port8,vlanY0000.6666.6666:port14,vlanY0000.7777.7777:port3,vlanX0000.8888.8888:port16,vlanYBroadcast:VLANX:allVLANXportsBroadcast:VLANY:allVLANYports

OtherVLANsLayer2Switch

Figure2-1AComparisonofTransparentBridgesandSwitchesTheentireprocessofforwardingEthernetframesthenbecomesfiguringoutwhatMACaddressesconnecttowhichswitchports.Forexample,theLayer2switchinFigure2-1knowsthatthedeviceusingMACaddress0000.5555.5555islocatedonswitchport8,whichisassignedtoVLANY.ItalsoknowsthatframesarrivingonVLANYanddes-tinedforthebroadcastMACaddressmustbefloodedoutallportsthatareassignedtoVLANY.Aswitcheithermustbetoldexplicitlywherehostsarelocatedormustlearnthisinforma-tionforitself.YoucanconfigureMACaddresslocationsthroughaswitchscommand-lineinterface,butthisquicklygetscumbersomewhentherearemanystationsonthenetworkorwhenstationsmovearoundfromoneswitchporttoanother.



KeyTopic

Todynamicallylearnaboutstationlocations,aswitchlistenstoincomingframesandkeepsatableofaddressinformation.InFigure2-1,thisinformationiskeptinaforward-ingtable.Asaframeisreceivedonaswitchport,theswitchinspectsthesourceMACaddress.Ifthataddressisnotintheaddresstablealready,theMACaddress,switchport,andvirtualLAN(VLAN)onwhichitarrivedarerecordedinthetable.Learningtheaddresslocationsoftheincomingpacketsiseasyandstraightforward.IncomingframesalsoincludethedestinationMACaddress.Again,theswitchlooksupthisaddressintheaddresstable,hopingtofindtheswitchportandVLANwherethedestinationaddressisattached.Ifitisfound,theframecanbeforwardedoutthecorre-spondingswitchport.Iftheaddressisnotfoundinthetable,theswitchmusttakemoredrasticaction:TheframeisforwardedinabesteffortfashionbyfloodingitoutallswitchportsassignedtothesourceVLAN.Thisisknownasunknownunicastflooding,becausethelocationoftheunicastdestinationisunknown.Figure2-2illustratesthisprocess,usingonlyasingleVLANforsimplification.Suppose,forinstance,thatapacketarrivesonswitchport3,containingdestinationMACaddress0000.aaaa.aaaa.TheswitchlooksforthatMACaddressinitsforwardingtable,butisunabletofindamatchingentry.Theswitchthenfloodscopiesofthepacketouteveryotherportthatisassignedtoport3sVLAN,toincreasethelikelihoodthat0000.aaaa.aaaawilleventuallyreceivethepacketthatisdestinedforit.IfthedestinationisthebroadcastMACaddress,theswitchknowsthattheframeshouldbefloodedoutallportsontheVLAN.

Packetto0000.aaaa.aaaa

1

2

3

5

6

7

4

0000.aaaa.aaaa?

ForwardingTable0000.1111.1111:port40000.2222.2222:port60000.3333.3333:port10000.4444.4444:port20000.5555.5555:port8

8

0000.6666.6666:port50000.7777.7777:port30000.8888.8888:port7Broadcast:allports15Packetto0000.aaaa.aaaaPacketto0000.aaaa.aaaa

4UnknownPacketto0000.aaaa.aaaa


2

3

UnicastFlooding

6

7

8




Figure2-2UnknownUnicastFloodingAswitchconstantlylistenstoincomingframesoneachofitsports,learningsourceMACaddresses.However,beawarethatthelearningprocessisallowedonlywhenthe


MACAddressEgressPortVLAN


SpanningTreeProtocol(STP)algorithmhasdecidedthataportisstablefornormaluse.STPisconcernedonlywithmaintainingaloop-freenetwork,whereframeswillnotbeforwardedrecursively.Ifaloopformed,afloodedframecouldfollowtheloopedpath,whereitwouldbefloodedagainandagain.STPiscoveredingreaterdetailinChapters6,TraditionalSpanningTreeProtocol,through9,AdvancedSpanningTreeProtocol.Inasimilarmanner,framescontainingabroadcastormulticastdestinationaddressarealsoflooded.Thesedestinationaddressesarenotunknowntheswitchknowsthemwellbecausetheyusestandardizedaddressvalues.Forexample,theEthernetbroadcastaddressisalwaysffff.ffff.ffff,IPv4multicastaddressesalwaysbeginwith01xx.xxxx.xxxx,andIPv6multicastaddressesbeginwith3333.xxxx.xxxx.Theseaddressesaredestinedformultiplelocations,sotheymustbefloodedbydefinition.Inthecaseofmulticastaddresses,floodingisperformedbydefaultunlessmorespecificrecipientloca-tionshavebeenlearned.

FollowThatFrame!YoushouldhaveabasicunderstandingoftheoperationsthataframeundergoesasitpassesthroughaLayer2switch.Thishelpsyougetafirmgrasponhowtoconfiguretheswitchforcomplexfunctions.Figure2-3showsatypicalLayer2Catalystswitchandthedecisionprocessesthattakeplacetoforwardeachframe.

SecurityACLsInboundandOutbound(TCAM)Permit,

QoSACLs

Deny,orOther

RXSwitchPorts

IngressQueues

ClassificationandPolicing(TCAM)

EgressQueues

TXSwitchPorts

L2ForwardingTable(CAM)

CAMTableFigure2-3OperationsWithinaLayer2CatalystSwitchWhenaframearrivesataswitchport,itisplacedintooneoftheportsingressqueues.Thequeueseachcancontainframestobeforwarded,witheachqueuehavingadifferentpriorityorservicelevel.Theswitchportthencanbefine-tunedsothatimportantframes



getprocessedandforwardedbeforeless-importantframes.Thiscanpreventtime-criticaldatafrombeinglostintheshuffleduringaflurryofincomingtraffic.Astheingressqueuesareservicedandaframeispulledoff,theswitchmustfigureoutnotonlywheretoforwardtheframe,butalsowhetheritshouldbeforwardedandhow.Threefundamentaldecisionsmustbemade:oneconcernedwithfindingtheegressswitchport,andtwoconcernedwithforwardingpolicies.Allthesedecisionsaremadesimultaneouslybyindependentportionsofswitchinghardwareandcanbedescribedasfollows:

L2forwardingtable:TheframesdestinationMACaddressisusedasanindex,orkey,intothecontent-addressablememory(CAM),oraddress,table.Iftheaddressisfound,theegressswitchportandtheappropriateVLANIDarereadfromthetable.(Iftheaddressisnotfound,theframeismarkedforfloodingsothatitisforwardedouteveryswitchportintheVLAN.)SecurityACLs:Accesscontrollists(ACLs)canbeusedtoidentifyframesaccordingtotheirMACaddresses,protocoltypes(fornon-IPframes),IPaddresses,protocols,andLayer4portnumbers.Theternarycontent-addressablememory(TCAM)con-tainsACLsinacompiledformsothatadecisioncanbemadeonwhethertoforwardaframeinasingletablelookup.QoSACLs:OtherACLscanclassifyincomingframesaccordingtoqualityofservice(QoS)parameters,topoliceorcontroltherateoftrafficflows,andtomarkQoSparametersinoutboundframes.TheTCAMisalsousedtomakethesedecisionsinasingletablelookup.

TheCAMandTCAMtablesarediscussedingreaterdetailintheContent-AddressableMemoryandTernaryContent-AddressableMemorysections,laterinthischapter.AftertheCAMandTCAMtablelookupshaveoccurred,theframeisplacedintotheappropriateegressqueueontheappropriateoutboundswitchport.TheegressqueueisdeterminedbyQoSvalueseithercontainedintheframeorpassedalongwiththeframe.Liketheingressqueues,theegressqueuesareservicedaccordingtoimportanceortimecriticality;higherpriorityframesaresentoutwithoutbeingdelayedbyotheroutboundtraffic.

MultilayerSwitchOperationManyCiscoCatalystswitchescanalsoforwardframesbasedonLayers3and4informa-tioncontainedinpackets.Thisisknownasmultilayerswitching(MLS).Naturally,Layer2switchingisperformedatthesametimebecauseeventhehigher-layerencapsulationsstillarecontainedinEthernetframes.

TypesofMultilayerSwitchingCatalystswitcheshavesupportedtwobasicgenerationsortypesofMLS:routecaching(first-generationMLS)andtopologybased(second-generationMLS).Thissectionpres-entsanoverviewofboth,althoughonlythesecondgenerationissupportedintheCisco


KeyTopic


IOSSoftware-basedswitchfamilies,suchastheCatalyst2960,3750,4500,and6500.Youshouldunderstandthetwotypesandthedifferencesbetweenthem:Routecaching:ThefirstgenerationofMLS,requiringarouteprocessor(RP)andaswitchengine(SE).TheRPmustprocessatrafficflowsfirstpackettodeterminethedestination.TheSElistenstothefirstpacketandtotheresultingdestination,andthensetsupashortcutentryinitsMLScache.TheSEforwardssubsequentpack-etsbelongingtothesametrafficflowbasedonshortcutentriesinitscache.ThistypeofMLSalsoisknownbythenamesNetFlowLANswitching,flow-basedordemand-basedswitching,androuteonce,switchmany.TheRPmustexamineeachnewtrafficflowandsetupshortcutentriesfortheSE.EvenifthismethodisntusedtoforwardpacketsinCiscoIOSbasedCatalystswitches,thetechniquecanstillbeusedtogeneratetrafficflowinformationandstatistics.Topologybased:ThesecondgenerationofMLS,utilizingspecializedhardware,isalsoorganizedwithdistinctRPandSEfunctions.TheRPusesLayer3routinginformationtobuildandprepopulateasingledatabaseoftheentireknownnetwork

topology.Thisdatabasebecomesanefficienttablelookupinhardware,andiscon-sultedsothatpacketscanbeforwardedathighratesbytheSE.ThelongestmatchfoundinthedatabaseisusedasthecorrectLayer3destination.Astheroutingtopologychangesovertime,thedatabasecontainedinthehardwarecanbeupdateddynamicallywithnoperformancepenalty.

ThistypeofMLSisknownasCiscoExpressForwarding(CEF).Aroutingpro-cessrunningontheswitchdownloadsthecurrentroutingtabledatabaseintotheForwardingInformationBase(FIB)areaofhardware.CEFisdiscussedingreaterdetailinChapter11,MultilayerSwitching.

TipAlthoughtheRPandSEfunctionswithinamultilayerswitchdointeract,theycanoperateindependently,asiftheyareondifferentplanes.ThecontrolplaneofaswitchincludestheRPandanyprocessthatrunstocontrolormanagetheswitch,whereasthedataplaneexistsintheSE,wheredataisforwarded.

FollowThatPacket!ThepaththataLayer3packetfollowsthroughamultilayerswitchissimilartothatofaLayer2switch.Obviously,somemeansofmakingaLayer3forwardingdecisionmustbeadded.Beyondthat,several,sometimesunexpected,thingscanhappentopacketsastheyareforwarded.Figure2-4showsatypicalmultilayerswitchandthedecisionprocessesthatmustoccur.Packetsarrivingonaswitchportareplacedintheappropriateingressqueue,justasinaLayer2switch.


IPAddressNext-HopIPAddrNext-HopMACAddrEgressPort

MACAddressEgressPortVLAN


SecurityACLsInboundandOutbound(TCAM)

QoSACLs

Permit,Deny,orOther

RXSwitchPorts

IngressQueues

ClassificationandPolicing(TCAM)

L3PacketRewrite

EgressQueues

TXSwitchPorts

L3ForwardingTable(FIB)

L2ForwardingTable(CAM)

CAMTableFIBTableFigure2-4OperationsWithinaMultilayerCatalystSwitchEachpacketispulledoffaningressqueueandinspectedforbothLayer2andLayer3destinationaddresses.Now,thedecisionofwheretoforwardthepacketisbasedontwoaddresstables,whereasthedecisionofhowtoforwardthepacketstillisbasedonaccesslistresults.Allthemultilayerswitchingdecisionsareperformedsimultaneouslyinhardware,usingthefollowingfunctions:

L2forwardingtable:ThedestinationMACaddressisusedasanindexintotheCAMtable.IftheframecontainsaLayer3packetthatneedstobeforwardedfromonesubnettoanother,thedestinationMACaddresswillcontaintheaddressofaLayer3portontheswitchitself.Inthiscase,theCAMtableresultsareusedonlytodecidethattheframeshouldbeprocessedatLayer3.L3forwardingtable:TheFIBtableisconsulted,usingthedestinationIPaddressasanindex.Thelongestmatchinthetableisfound(bothaddressandmask),andtheresultingnext-hopLayer3addressisobtained.TheFIBalsocontainseachnext-hoproutersLayer2MACaddressandtheegressswitchport(andVLANID)sothatfur-thertablelookupsarenotnecessary.



SecurityACLs:InboundandoutboundaccesslistsarecompiledintoTCAMentriessothatdecisionsofwhethertoforwardapacketcanbedeterminedasasingletablelookup.QoSACLs:Packetclassification,policing,andmarkingallcanbeperformedassingletablelookupsintheQoSTCAM.

AswithLayer2switching,thepacketfinallymustbeplacedintheappropriateegressqueueontheappropriateegressswitchport.Duringthemultilayerswitchingprocess,someportionsoftheframemustbemodifiedorrewritten,justasanyrouterwoulddo.Forexample,thedestinationMACaddressintheinboundframecontainstheaddressofthenext-hopdestination,whichistheingressLayer3interfaceonthemultilayerswitch.OncetheFIBtableisconsulted,thenext-hoprouterIPandMACaddressesarefound.Thenext-hopLayer2addressmustbeputintotheframeinplaceoftheoriginaldestina-tionaddress(themultilayerswitch).TheframesLayer2sourceaddressalsomustbecomethatofthemultilayerswitchsegressinterfacebeforetheframeissentontothenexthop.Asanygoodroutermustdo,thetime-to-live(TTL)valueintheLayer3packetmustbedecrementedbyone.BecausethecontentsoftheLayer3packet(theTTLvalue)havechanged,theLayer3headerchecksummustberecalculated.AndbecausebothLayers2and3contentshavechanged,theLayer2checksummustberecalculated.Inotherwords,theentireEthernetframemustberewrittenbeforeitgoesintotheegressqueue.Thisalsoisaccomplishedefficientlyinhardware.

MultilayerSwitchingExceptionsToforwardpacketsusingthesimultaneousdecisionprocessesdescribedintheprecedingsection,thepacketmustbeMLSreadyandmustrequirenoadditionaldecisions.Forexample,CEFcandirectlyforwardmostIPandIPv6packetsbetweenhosts.Thisoccurswhenthesourceanddestinationaddresses(bothMACandIP)arealreadyknownandnootherIPparametersmustbemanipulated.OtherpacketscannotbedirectlyforwardedbyCEFandmustbehandledinmoredetail.Thisisdonebyaquickinspectionduringtheforwardingdecisions.Ifapacketmeetscri-teriasuchasthefollowing,itisflaggedforfurtherprocessingandsentorpuntedtotheswitchCPUforprocessswitching:

ARPrequestsandrepliesIPpacketsrequiringaresponsefromarouter(TTLhasexpired,maximumtransmis-sionunit[MTU]isexceeded,fragmentationisneeded,andsoon)IPbroadcaststhatwillberelayedasunicast(DynamicHostConfigurationProtocol[DHCP]requests,IPhelper-addressfunctions)Routingprotocolupdates



KeyTopic

CiscoDiscoveryProtocol(CDP)packetsPacketsneedingencryptionPacketstriggeringNetworkAddressTranslation(NAT)Legacymultiprotocolpackets(IPX,AppleTalk,andsoon)Asyoumightexpect,packetsthatarepuntedtotheCPUcannotbeforwardedaseffi-cientlyasonesthatcanbeforwardedinhardwaredirectly.TheadditionalprocessingtakesadditionaltimeandconsumesCPUresources.Ideally,allpacketsshouldbefor-wardedinhardware,butthatisnotalwayspossible.

TablesUsedinSwitchingCatalystswitchesmaintainseveraltypesoftablestobeusedintheswitchingprocess.ThetablesaretailoredforLayer2switchingorMLSandarekeptinveryfastmemorysothatmanyfieldswithinaframeorpacketcanbecomparedinparallel.

Content-AddressableMemoryAllCatalystswitchmodelsuseaCAMtableforLayer2switching.Asframesarriveonswitchports,thesourceMACaddressesarelearnedandrecordedintheCAMtable.The

ccnp routing ands switching

Documents