Monday, August 24, 2009

Spanning Tree

Ethernet network design balances two separate imperatives. First, Ethernet has no capacity for detecting circular paths. If such paths exist, traffic loops around and accumulates until new traffic is shut out (this is called a broadcast storm). Second, having secondary paths is good preparation for inevitable link failure.

Spanning Tree is a protocol that prevents loop formation by detecting redundant links and disabling them until needed. Designers can therefore build redundant links and the protocol will allow one to pass traffic and keep the other in reserve. When the active link fails, the secondary link is enabled quickly.


Understanding the Spanning Tree Protocol

Switches either forward or filter Layer 2 frames. The way they make the forwarding/filtering decision can lead to loops in a network with redundant links. Spanning Tree is a protocol that detects potential loops and breaks them.

A Layer 2 switch is functionally the same thing as a transparent bridge. Transparent bridges:
  • Learn MAC (Media Access Control) addresses by looking at the source address of incoming frames. They build a table mapping MAC address to port number.
  • Forward broadcasts and multicasts out all ports except the one on which they came. (This is called flooding.)
  • Forward unknown unicasts out all ports except the one on which they came. An unknown unicast is a message bound for a unicast MAC address that is not in the switch’s table of addresses and ports.
  • Do not make any changes to the frames as they forward them.
Spanning Tree Protocol (STP) works by selecting a root bridge, then selecting one loop-free path from the root bridge to every other switch. (STP uses the term bridge because it was written before there were switches.) Consider the following switched network (see Figure 3-1).


Spanning Tree must select:
  • One root bridge
  • One root port per nonroot bridge
  • One designated port per network segment

Spanning Tree Election Criteria

Spanning Tree builds paths out from a central point along the fastest available links. It selects paths according to the following criteria:

1. Lowest root bridge ID (BID)
2. Lowest path cost to the root
3. Lowest sender bridge ID
4. Lowest sender port ID (PID)

When reading the path selection criteria, remember the following:
  • Bridge ID—Bridge priority: Bridge MAC address.
  • Bridge priority—2-byte value, 0–65,535 (0–0xFFFF).
  • Default priority is 32,768 (0x8000).
  • Port ID—Port priority: port number.
  • Port priority—A 6-bit value, 0–63, default is 32.
  • Path cost—This is the cumulative value of the cost of each link between the bridge and the root. Cost values were updated in 2000 and you should see only new cost values, but both are given in the following table (see Table 3-1). Old and new switches work together.

The STP Election

Spanning Tree builds paths out from a starting point, the “root” of the tree. The first step in selecting paths is to identify this root device. Then, each device selects its best path back to the root, according to the criteria laid out in the previous sections (lowest root BID, lowest cost, lowest advertising BID, lowest port).


Root Bridge Election


Looking at Figure 3-1, first select the root bridge. Assume each switch uses the default priority.
  • Switch A BID = 80-00-00-0c-11-11-00-11
  • Switch B BID = 80-00-00-0c-26-78-10-10
  • Switch C BID = 80-00-00-0c-32-1a-bc-de
  • Switch D BID = 80-00-00-0c-81-81-11-22
  • Switch E BID = 80-00-00-0c-26-79-22-22
Switch A has the lowest BID, so it is the root. Each nonroot switch must now select a root port.


Root Port Election

The root port is the port that leads back to the root. Continuing with Figure 3-1, once A is acknowledged as the root, the remaining bridges sort out their lowest cost path back to A.
  • Switch B—Uses the link to A with a cost of 19 (link speed of 100 Mbps).
  • Switch C—The connected link has a cost of 100 (Ethernet), the link through B has a path cost of 38 (two 100 Mbps links), and so B is chosen.
  • Switch D—The link through B has a path cost of 119, the path cost through C to A is 119, the path through C then B is 57, so C is chosen.
  • Switch E—The lowest path cost is the same for both ports (76 through D to C to B to A). Next check sender BID—the sender for both ports is D, so that does not break the tie. Next check sender Port ID. Assuming default port priority, the PID for 0/1 is lower than the PID for 0/2, so the port on the left is the root port.

Designated Port Election

Designated ports are ports that lead away from the root. Obviously, all ports on the root bridge are designated ports (A-B and A-C in Figure 3-1).
  • Segment B-D—B has the lowest path cost to root (19 vs 119), so it is designated for this segment.
  • Segment C-D—C has the lowest path cost to the root (100 vs 119), so it is designated for this segment.
  • Segment B-C—B has the lowest path cost to the root (19 vs 100), so it is designated for this segment.
  • Both segments D-E—D has the lowest cost to the root (57 vs 76), so it is designated for both segments.
Now the looped topology has been turned into a tree with A at the root. Notice that there are no more redundant links.
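The election just walked through, carried out in code. This is an added example and not part of the original post: it uses the five BIDs quoted above and applies the four criteria (root BID, path cost, sender BID, sender port ID) in order. The link costs are reconstructed from the path costs the text quotes (19 for 100 Mbps, 100 for 10 Mbps), and every port number other than the 0/1 and 0/2 links between D and E is an assumption. It produces the same result as the text: A is root, B, C, D and E end up at cost 19, 38, 57 and 76, and exactly three ports block (C's link to A, D's link to B, and E's second link to D).

```python
"""Spanning Tree election worked on the topology the text describes.

Added example, not from the original post. BIDs are the ones quoted for
switches A-E; link costs are reconstructed from the quoted path costs; port
numbers other than the D-E 0/1 and 0/2 links are assumptions.
"""

DEFAULT_PORT_PRIORITY = 32  # default port priority as given in the text

# Bridge ID = 2-byte priority (0x8000 default) followed by the MAC, as quoted in the text
BRIDGES = {
    "A": "80-00-00-0c-11-11-00-11",
    "B": "80-00-00-0c-26-78-10-10",
    "C": "80-00-00-0c-32-1a-bc-de",
    "D": "80-00-00-0c-81-81-11-22",
    "E": "80-00-00-0c-26-79-22-22",
}

# Constructed topology: (bridge, its port, bridge, its port, link cost)
LINKS = [
    ("A", "0/1", "B", "0/1", 19),
    ("A", "0/2", "C", "0/1", 100),
    ("B", "0/2", "C", "0/2", 19),
    ("B", "0/3", "D", "0/3", 100),
    ("C", "0/3", "D", "0/4", 19),
    ("D", "0/1", "E", "0/1", 19),
    ("D", "0/2", "E", "0/2", 19),
]


def bid_value(bid):
    """Numeric form of a dotted-hex bridge ID, so that lower compares as better."""
    return int(bid.replace("-", ""), 16)


def port_id(port, priority=DEFAULT_PORT_PRIORITY):
    """Port ID = port priority followed by the port number ('0/2' -> 2)."""
    return (priority, int(port.split("/")[-1]))


def neighbours(links, bridge):
    """Yield (neighbour, neighbour's port, own port, cost) for each link on bridge."""
    for x, px, y, py, cost in links:
        if bridge == x:
            yield y, py, px, cost
        elif bridge == y:
            yield x, px, py, cost


def elect_root(bridges):
    """Criterion 1: the bridge with the lowest BID is the root."""
    return min(bridges, key=lambda name: bid_value(bridges[name]))


def elect_root_ports(bridges, links, root):
    """Criteria 2-4 for every non-root bridge: lowest cost to the root, then lowest
    sender BID, then lowest sender port ID. Returns {bridge: (root path cost, root port)}.
    Each round a bridge re-evaluates its best path from what its neighbours advertised
    in the previous round, until nothing changes (positive costs guarantee convergence)."""
    state = {root: (0, None)}
    for _ in range(len(bridges) + 1):
        snapshot = dict(state)
        for bridge in bridges:
            if bridge == root:
                continue
            best = None
            for nbr, nbr_port, own_port, cost in neighbours(links, bridge):
                if nbr not in snapshot:
                    continue  # neighbour has not heard from the root yet
                candidate = (snapshot[nbr][0] + cost, bid_value(bridges[nbr]),
                             port_id(nbr_port), port_id(own_port))
                if best is None or candidate < best[0]:
                    best = (candidate, own_port)
            if best is not None:
                state[bridge] = (best[0][0], best[1])
        if state == snapshot:
            break
    return state


def port_roles(bridges, links, root):
    """Assign root / designated / blocking to every port. The designated port on a
    segment belongs to the end with the lowest (root path cost, BID, port ID)."""
    state = elect_root_ports(bridges, links, root)
    roles = {}
    for x, px, y, py, _cost in links:
        ends = [(state[x][0], bid_value(bridges[x]), port_id(px), x, px),
                (state[y][0], bid_value(bridges[y]), port_id(py), y, py)]
        designated = min(ends)[3:]
        for bridge, port in ((x, px), (y, py)):
            if (bridge, port) == designated:
                roles[(bridge, port)] = "designated"
            elif state[bridge][1] == port:
                roles[(bridge, port)] = "root"
            else:
                roles[(bridge, port)] = "blocking"  # redundant link held in reserve
    return state, roles


if __name__ == "__main__":
    root = elect_root(BRIDGES)
    state, roles = port_roles(BRIDGES, LINKS, root)
    print("root bridge:", root)
    for bridge, (cost, rport) in sorted(state.items()):
        print(f"{bridge}: cost {cost}, root port {rport}")
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

Changing a priority in BRIDGES or a cost in LINKS and re-running shows how a single lower BID moves the root, which is why the design section below tells you to set the root bridge priority deliberately rather than letting the lowest MAC address win.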


Bridge Protocol Data Units (BPDUs)

Switches exchange BPDUs. There are two types of BPDUs: Configuration and Topology Change (TCN).

Configuration BPDUs are sent every two seconds from the root toward the downstream switches. They:
  • Are used during an election.
  • Maintain connectivity between switches.
  • Send timer information from the root.

TCN BPDUs are sent toward the root when:
  • There is a link failure.
  • A port starts forwarding, and there is already a designated port.
  • The switch receives a TCN from a neighbor.

When a switch receives a TCN BPDU, it acknowledges it with a configuration BPDU that has the TCN Acknowledgment bit set.

When the root bridge receives a TCN, it starts sending configuration BPDUs with the TCN bit set for a period of time equal to max age plus forward delay. Switches that receive this change their MAC table aging time to the Forward Delay time, causing MAC addresses to age faster. The topology change also causes an election of the root bridge, root ports, and designated ports.


BPDU Fields

Some of the fields in the BPDU include:
  • Root bridge ID—The BID of the current root.
  • Sender’s root path cost—The cost to the root.
  • Sender’s bridge ID—Sender’s priority concatenated to MAC.
  • Sender’s port ID—The port number, transmitted as final tiebreaker.
  • Hello time—Two seconds by default.
  • Forward Delay—15 seconds by default.
  • Max Age—20 seconds by default.
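The two BPDU types and the fields listed above, at the byte level. This is an added example rather than anything from the original post: it packs and parses the IEEE 802.1D configuration BPDU (35 bytes) and TCN BPDU (4 bytes), shows the TCN Acknowledgment flag a switch sets when it answers a TCN, and shows that the timers travel in units of 1/256 second. The bridge IDs reuse the MAC addresses of switches A and B from above; the path cost and port ID values are constructed.

```python
"""Configuration and TCN BPDUs on the wire (IEEE 802.1D layout).

Added example, not from the original post. Sample bridge IDs use the MACs of
switches A and B quoted earlier; cost and port ID values are constructed.
"""
import struct

CONFIG_BPDU, TCN_BPDU = 0x00, 0x80    # BPDU Type field values
FLAG_TC, FLAG_TCA = 0x01, 0x80        # Topology Change / TC Acknowledgment flag bits
CONFIG_FMT = "!HBBB8sI8sHHHHH"        # protocol id, version, type, flags, root BID,
                                      # root path cost, sender BID, port ID, four timers
TCN_FMT = "!HBB"                      # protocol id, version, type (nothing else)


def bid_bytes(priority, mac):
    """Bridge ID on the wire: 2-byte priority followed by the 6-byte MAC address."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bid_text(raw):
    """Dotted-hex form as used in the text, e.g. 80-00-00-0c-11-11-00-11."""
    return "-".join(f"{b:02x}" for b in raw)


def build_config_bpdu(root_bid, root_path_cost, sender_bid, port_id, flags=0,
                      message_age=0.0, max_age=20.0, hello=2.0, forward_delay=15.0):
    """Defaults are the timer values given in the text; timers are sent in 1/256 s units."""
    ticks = lambda seconds: int(seconds * 256)
    return struct.pack(CONFIG_FMT, 0, 0, CONFIG_BPDU, flags, root_bid, root_path_cost,
                       sender_bid, port_id, ticks(message_age), ticks(max_age),
                       ticks(hello), ticks(forward_delay))


def build_tcn_bpdu():
    """A TCN BPDU carries no election fields, only the header with type 0x80."""
    return struct.pack(TCN_FMT, 0, 0, TCN_BPDU)


def parse_bpdu(data):
    """Decode either BPDU type into a dict; timers come back in seconds."""
    protocol_id, version, bpdu_type = struct.unpack(TCN_FMT, data[:4])
    if protocol_id != 0:
        raise ValueError("not a Spanning Tree BPDU")
    if bpdu_type == TCN_BPDU:
        return {"type": "tcn", "version": version}
    if bpdu_type != CONFIG_BPDU or len(data) < struct.calcsize(CONFIG_FMT):
        raise ValueError("unknown or truncated BPDU")
    (_, _, _, flags, root, cost, sender, port,
     msg_age, max_age, hello, fwd) = struct.unpack(CONFIG_FMT, data[:35])
    return {
        "type": "config", "version": version,
        "topology_change": bool(flags & FLAG_TC),
        "tc_ack": bool(flags & FLAG_TCA),
        "root_bid": bid_text(root), "root_path_cost": cost,
        "sender_bid": bid_text(sender), "sender_port_id": port,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }


def acknowledge_tcn(received, root_bid, my_cost, my_bid, my_port_id):
    """A switch answers a TCN with its usual configuration BPDU plus the TCA bit."""
    if parse_bpdu(received)["type"] != "tcn":
        raise ValueError("only TCN BPDUs are acknowledged this way")
    return build_config_bpdu(root_bid, my_cost, my_bid, my_port_id, flags=FLAG_TCA)


def topology_change_window(config):
    """Seconds the root keeps the TC bit set after a change: max age + forward delay."""
    return config["max_age"] + config["forward_delay"]


if __name__ == "__main__":
    root = bid_bytes(0x8000, "00-0c-11-11-00-11")      # switch A from the text
    me = bid_bytes(0x8000, "00-0c-26-78-10-10")        # switch B from the text
    cfg = parse_bpdu(build_config_bpdu(root, 19, me, port_id=1))   # cost/port constructed
    print(cfg)
    ack = parse_bpdu(acknowledge_tcn(build_tcn_bpdu(), root, 19, me, 1))
    print("TCA set:", ack["tc_ack"], "TC window:", topology_change_window(cfg), "s")
```

With the defaults above the root's topology-change window is 35 seconds (20 + 15), which is also the period during which downstream switches shorten their MAC aging time.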

Spanning Tree Port States

When a port is first activated, it transitions through the following stages shown in Table 3-2.

Designing for Spanning Tree

To optimize data flow in the network, design and configure switches for the following STP roles:
  • Primary and secondary root bridges (set priority values)
  • Designated and root ports (set port priorities/path cost)
  • Enable STP enhancements, such as Root Guard

Sunday, August 16, 2009

802.1Q Tunnels

Tunneling is a way to send 802.1Q-tagged frames across a foreign network (such as a Service Provider’s network) and still preserve the original 802.1Q tag. The SP configures their end of the trunk link as a tunnel port and assigns a VLAN to carry your traffic within their network. The SP switch then adds a second 802.1Q tag to each frame that came in the tunnel port. Other switches in the SP network see only this second tag, and do not read the original tag. When the frame exits the SP network, the extra tag is removed, leaving the original 802.1Q tag to be read by the receiving switch in your network.


Layer 2 Protocol Tunneling (GBPT)

If a Service Provider separates sections of your network, you can use Layer 2 protocol tunneling to tunnel CDP, Spanning Tree Protocol (STP), and VLAN Trunking Protocol (VTP) frames across the SP’s cloud. This is called Generic Bridge PDU Tunneling (GBPT). Frames from the above control protocols are encapsulated as they enter the SP’s network on a tunnel port, and de-encapsulated when they exit that network.


Troubleshooting Trunking


Troubleshooting trunking links happens mostly at the physical and data link layers. Start with the most basic assumptions and work your way “up” the OSI model. It is important to confirm that physical layer connectivity is present before moving on, for instance before trying to troubleshoot IP problems.
  • Are both sides of the link in the correct trunking mode?
  • Is the same trunk encapsulation on both sides?
  • If 802.1Q, is the same native VLAN on both sides?
  • Are the same VLANs permitted on both sides?

VLAN Trunking Protocol (VTP)

VTP is a protocol that runs over trunk links and synchronizes the VLAN databases of all switches in the VTP domain. A VTP domain is an administrative group—all switches within that group must have the same VTP domain name configured or they do not synchronize databases.
VTP works by using Configuration Revision numbers and VTP advertisements:
  • All switches send out VTP advertisements every five minutes, or when there is a change to the VLAN database (when a VLAN is created, deleted, or renamed).
  • VTP advertisements contain a Configuration Revision number. This number is increased by one for every VLAN change.
  • When a switch receives a VTP advertisement, it compares the Configuration Revision number against the one in its VLAN database.
  • If the new number is higher, the switch overwrites its database with the new VLAN information, and forwards the information to its neighbor switches.
  • If the number is the same, the switch ignores the advertisement.
  • If the new number is lower, the switch replies with the more up-to-date information contained in its own database.

VTP Switch Roles

A switch can be a VTP:
  • Server—The default VTP role. Servers can create, delete, and rename VLANs. They originate both periodic and triggered VTP advertisements and synchronize their databases with other switches in the domain.
  • Client—Clients cannot make VLAN changes. They originate periodic VTP advertisements and synchronize their databases with other switches in the domain.
  • Transparent—It can create, delete, and rename VLANs, but its VLANs are only local. It does not originate advertisements or synchronize its database with any other switches. It forwards VTP advertisements out its trunk links, however.

VTP Pruning

By default, switches flood broadcasts, multicasts, and unknown unicasts across trunk links. Suppose a host in VLAN 10 on Switch B sends a broadcast. Hosts in VLAN 10 on Switch C need to see that broadcast, but Switch A has no ports in VLAN 10, so it doesn’t need to receive the broadcast traffic.

Enabling VTP pruning causes the switch to keep track of VLAN port assignments in its downstream switches. The switch then sends flooded traffic only on trunks toward switches that have ports assigned to the VLAN originating the traffic. It prunes flooded traffic from all other trunks. VTP pruning increases the available bandwidth by preventing unnecessary traffic on trunk links.

There are two versions of VTP: Version 1 and Version 2. To use Version 2, all switches in the domain must be capable of using it. Configure one server for Version 2, and the information is propagated through VTP.
Version 2 has the following added features:
  • It supports Token Ring VLANs.
  • Transparent switches pass along messages from both versions of VTP.
  • Consistency checks are performed only when changes are configured through the CLI or SNMP.

Configuring VTP

VTP configuration is done at the global config mode. To configure the switch’s VTP mode:
(config)#vtp {server | client |transparent}

To configure the VTP domain name:
(config)#vtp domain name

To configure a VTP password (all switches in the domain must use the same password):
(config)#vtp password password

To configure the switch to use VTP Version 2:
(config)#vtp version 2

To enable pruning:
(config)#vtp pruning

To specify which VLANs are to be pruned:
(config-if)#switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,,,]]]


Verifying and Monitoring VTP

To get basic information about the VTP configuration, use show vtp status. The example shows the default settings:

Troubleshooting VTP

The following are some common things to check when troubleshooting problems with VTP:
  • Make sure you are trunking between the switches. VTP is sent only over trunk links.
  • Make sure the domain name matches on both switches (name is case sensitive).
  • If the switch is not updating its database, make sure it is not in transparent mode.
  • If using passwords, make sure they all match. To remove a password, use no vtp password.

Adding a New Switch to a VTP Domain

Adding a new switch in client mode does not prevent it from propagating its incorrect VLAN information. A server synchronizes to a client if the client has the higher configuration revision number. You must reset the revision number back to 0 on the new switch. The easiest way to do this is to change the domain name. Then change it back to the correct one, and attach the switch to the network.
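The revision-number rules from the VTP section and the stale-switch problem described just above, modelled in code. This is an added example, not part of the original post: a small VtpSwitch class applies the higher/same/lower revision comparison, the server/client/transparent roles, and the domain-name and password checks from the troubleshooting list, then replays two versions of the scenario above. The switch names, domain name and VLAN numbers are constructed, and the password check is a simplification (a plain field rather than the digest real VTP carries).

```python
"""VTP revision handling and the stale-switch scenario from the text.

Added example, not from the original post. Switch names, domain and VLAN
numbers are constructed; the password field is a simplification.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: dict                 # VLAN id -> name
    password: Optional[str]     # simplification: real VTP carries a digest, not the password


class VtpSwitch:
    def __init__(self, name, domain, mode="server", password=None):
        assert mode in ("server", "client", "transparent")
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = 0
        self.vlans = {1: "default"}

    def configure_vlan(self, vlan_id, name=None):
        """Create (name given) or delete (name None) a VLAN; clients cannot do either."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot change VLANs")
        if name is None:
            self.vlans.pop(vlan_id, None)
        else:
            self.vlans[vlan_id] = name
        if self.mode == "server":        # transparent changes stay local: no revision bump
            self.revision += 1

    def advertise(self):
        return VtpAdvertisement(self.domain, self.revision, dict(self.vlans), self.password)

    def receive(self, adv):
        """Apply the comparison rules from the text; returns (action, advertisement to send or None)."""
        if adv.domain != self.domain or adv.password != self.password:
            return "ignored: domain/password mismatch", None
        if self.mode == "transparent":
            return "forwarded unchanged", adv     # database untouched
        if adv.revision > self.revision:
            self.vlans, self.revision = dict(adv.vlans), adv.revision
            return "database overwritten", adv    # and forwarded to neighbours
        if adv.revision == self.revision:
            return "ignored: same revision", None
        return "replied with newer database", self.advertise()

    def set_domain(self, domain):
        """Changing the domain name resets the configuration revision to 0."""
        self.domain, self.revision = domain, 0


def stale_switch_join(reset_revision_first):
    """Return (core VLAN ids, joining switch's VLAN ids, core's action) after the join."""
    core = VtpSwitch("core", "CORP", "server")
    core.configure_vlan(10, "users")
    core.configure_vlan(20, "servers")             # core revision is now 2
    # Constructed history: a switch reused from a lab saw several VLAN edits under
    # the same domain name, so its revision is high although its database is stale.
    lab = VtpSwitch("lab", "CORP", "server")
    for _ in range(3):
        lab.configure_vlan(99, "scratch")
        lab.configure_vlan(99)                     # delete: revision climbs to 6
    lab.mode = "client"                            # client mode alone does not help
    if reset_revision_first:
        lab.set_domain("TEMP")                     # revision back to 0 ...
        lab.set_domain("CORP")                     # ... then rejoin the right domain
    action, reply = core.receive(lab.advertise())  # the lab switch's periodic advertisement
    if reply is not None:
        lab.receive(reply)                         # core's response reaches the lab switch
    return sorted(core.vlans), sorted(lab.vlans), action


if __name__ == "__main__":
    print("without reset:", stale_switch_join(reset_revision_first=False))
    print("with reset:   ", stale_switch_join(reset_revision_first=True))
```

Without the reset the core server overwrites its own database with the lab switch's stale one and VLANs 10 and 20 disappear from the domain; with the domain-name reset the core replies with its newer database and the new client synchronizes to it. Checking show vtp status for the revision number before connecting a switch is the cheap way to avoid the first outcome.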

Sunday, August 9, 2009

VLAN Trunking

A trunk is a link that carries traffic for more than one VLAN. Trunks multiplex traffic from multiple VLANs. Trunks connect switches and allow ports on multiple switches to be assigned to the same VLAN.

Two methods of identifying VLANs over trunk links are:
  • Inter-Switch Link (ISL)—A Cisco proprietary method that encapsulates the original frame in a header, which contains VLAN information. It is protocol-independent and can identify Cisco Discovery Protocol (CDP) and bridge protocol data unit (BPDU) frames.
  • 802.1Q—Standards-based, tags the frames (inserts a field into the original frame immediately after the source MAC address field), and supports Ethernet and Token Ring networks.
When a frame comes into a switch port, the frame is tagged internally within the switch with the VLAN number of the port. When it reaches the outgoing port, the internal tag is removed. If the exit port is a trunk port, then its VLAN is identified in either the ISL encapsulation or the 802.1Q tag. The switch on the other end of the trunk removes the ISL or 802.1Q information, checks the VLAN of the frame, and adds the internal tag. If the exit port is a user port, then the original frame is sent out unchanged, making the use of VLANs transparent to the user.

If a nontrunking port receives an ISL-encapsulated frame, the frame is dropped. If the ISL header and footer cause the MTU size to be exceeded, it might be counted as an error.

If a nontrunking port receives an 802.1Q frame, the source and destination MAC addresses are read, the tag field is ignored, and the frame is switched normally at Layer 2.


Configuring a Trunk Link


Ports can become trunk ports either by static configuration or dynamic negotiation using Dynamic Trunking Protocol (DTP). A switch port can be in one of five DTP modes:
  • Access—The port is a user port in a single VLAN.
  • Trunk—The port negotiates trunking with the port on the other end of the link.
  • Non-negotiate—The port is a trunk and does not do DTP negotiation with the other side of the link.
  • Dynamic Desirable—Actively negotiates trunking with the other side of the link. It becomes a trunk if the port on the other switch is set to trunk, dynamic desirable, or dynamic auto mode.
  • Dynamic Auto—Passively waits for the other side to negotiate. It becomes a trunk if the port on the other switch is set to trunk or dynamic desirable mode.
Configure a port for trunking at the interface configuration mode:

(config-if)#switchport mode {dynamic {auto | desirable} | trunk}

If dynamic mode is used, DTP negotiates the trunking state and encapsulation. If trunk mode is used, you must specify encapsulation:

(config-if)#switchport trunk encapsulation {isl | dot1q | negotiate}


Native VLAN with 802.1Q

If you are using 802.1Q, specify a native VLAN for the trunk link with the command:

(config-if)#switchport trunk native vlan vlan-no

Frames from the native VLAN are sent over the trunk link untagged. Native VLAN is the VLAN the port would be in if it were not a trunk, and it must match on both sides of the trunk link. VLAN 1 is the default native VLAN for all ports.
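The frame handling described in the VLAN Trunking section (tag inserted after the source MAC, trunk versus user port treatment, a non-trunking port ignoring the tag), the native VLAN rule just above, and the second tag an SP tunnel port pushes and pops in the 802.1Q Tunnels entry, all in one byte-level example. This is an added example, not code from the original post; the MAC addresses, VLAN numbers and payload are constructed.

```python
"""802.1Q tag handling: trunk ingress classification, a non-trunking port's view,
and the second tag an SP tunnel port pushes and pops.

Added example, not from the original post. MACs, VLAN numbers and payload
are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values
DST = bytes.fromhex("00000caabbcc")
SRC = bytes.fromhex("00000c112233")
PAYLOAD = b"constructed payload bytes, not a real IP packet"


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet II frame; each (vlan_id, pcp) tag goes right after the source MAC,
    outermost first, which is where 802.1Q inserts it."""
    frame = dst + src
    for vlan_id, pcp in tags:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into MACs, the stack of tags (outermost first), EtherType and payload."""
    offset, tags = 12, []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((tci & 0x0FFF, tci >> 13))
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def trunk_ingress_vlan(frame, native_vlan):
    """A trunk port reads the outer tag; an untagged frame belongs to the native VLAN."""
    tags = parse_frame(frame)["tags"]
    return tags[0][0] if tags else native_vlan


def access_port_view(frame):
    """A non-trunking port reads only the MAC addresses and switches on them; the tag is ignored."""
    parsed = parse_frame(frame)
    return parsed["dst"], parsed["src"]


def push_tag(frame, vlan_id, pcp=0):
    """SP tunnel port ingress: add a second tag in front of the customer's tag."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame):
    """SP tunnel port egress: strip the outermost tag and hand back the customer's frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        raise ValueError("no 802.1Q tag to remove")
    return frame[:12] + frame[16:]


def tunnel_round_trip(customer_frame, sp_vlan):
    """Customer frame -> SP core (double-tagged) -> customer side. Returns
    (VLAN the SP core sees, tag stack inside the SP, frame delivered at the far end)."""
    inside_sp = push_tag(customer_frame, sp_vlan)
    core_view = trunk_ingress_vlan(inside_sp, native_vlan=1)
    return core_view, parse_frame(inside_sp)["tags"], pop_tag(inside_sp)


if __name__ == "__main__":
    tagged = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, tags=[(10, 0)])
    print("trunk sees VLAN", trunk_ingress_vlan(tagged, native_vlan=1))
    print("access port sees", access_port_view(tagged))
    print("tunnel:", tunnel_round_trip(tagged, sp_vlan=200)[:2])
```

The native VLAN rule is the reason the text insists it match on both ends: trunk_ingress_vlan assigns an untagged frame whatever native VLAN the receiving port is configured with, so a mismatch silently moves traffic between VLANs.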


VLAN Mapping

ISL trunking recognizes only VLANs numbered 1–1001, but 802.1Q can use VLANs 0–4094. If you are using both ISL and 802.1Q in your network and have VLANs numbered above 1001, you have to map the 802.1Q VLANs to ISL numbers. Some rules about mapping VLANs include:
  • You can configure only eight mappings.
  • Mappings are local to the switch; the same mappings must be configured on all switches in the network.
  • You can map only to Ethernet ISL VLANs.
  • The 802.1Q VLANs with the same number as mapped ISL VLANs are blocked. (For example, you map 802.1Q VLAN 1500 to ISL VLAN 150, then 802.1Q VLAN 150 is blocked on that switch.)
  • You should not map the 802.1Q native VLAN.

VLANs Allowed on the Trunk

By default, a trunk carries traffic for all VLANs. You can change that behavior for a particular trunk link by giving the following command at the interface config mode:

(config-if)#switchport trunk allowed vlan vlans

Make sure that both sides of a trunk link allow the same VLANs.


Verifying a Trunk Link

Two commands you can use to verify your trunk configuration are:

#show running-config
#show interfaces [interface no.] switchport | trunk


Using the trunk keyword with the show interfaces command gives information about the trunk link: