Layer 2 Technologies
Overview
For a network designer to properly design a network, they need to know, understand, and be able to properly make design decisions with the following core Layer 2 technologies:
- Spanning Tree Protocol (STP)
- Virtual local-area networks (VLANs)
- Trunking
- Link aggregation
- Multichassis link aggregation (mLAG)
- First Hop Redundancy Protocol (FHRP)
There are more Layer 2 technologies than this core list. A number of them are covered in subsequent chapters.
Spanning Tree Protocol
As a Layer 2 network control protocol, the Spanning Tree Protocol (STP) is considered the most proven and commonly used control protocol in classical Layer 2 switched network environments, which include multiple redundant Layer 2 links that can create loops. The basic function of STP is to prevent Layer 2 bridge loops by blocking redundant Layer 2 interfaces as needed to produce a loop-free topology.
There are multiple flavors or versions of STP. The following are the most commonly deployed versions:
- 802.1D: The traditional STP implementation.
- 802.1W: Rapid STP (RSTP) supports large-scale implementations with enhanced convergence time.
- 802.1S: Multiple Spanning Tree (MST) permits very large-scale STP implementations. MST reduces the total number of spanning-tree instances needed to match the physical topology of the network by aggregating multiple VLANs into the same STP instance, which directly reduces the CPU load.
In addition, there are features and enhancements to STP that can optimize the operation and design of STP behavior in a classical Layer 2 environment. The following are the primary STP features:
- Root Guard: An interface-level feature that prevents a port from becoming a Root Port. If the port receives a superior BPDU, Root Guard places it into a root-inconsistent state so that an unauthorized switch cannot become the Root Bridge.
- Loop Guard: Prevents a Non-Designated port from becoming Designated when BPDUs stop arriving on the root port. In that sense it is the opposite of Root Guard, so the two cannot be enabled at the same time on the same port, and there is no reason to do so.
- PortFast: Transitions an access port directly to the forwarding state, bypassing the listening and learning states.
- BPDU Guard: Disables a PortFast-enabled port if a BPDU is received.
- BPDU Filter: Prevents BPDUs from being sent or received on PortFast-enabled ports. Do not confuse BPDU filtering with BPDU Guard. BPDU Guard detects inbound BPDUs on ports where none are expected and protects STP stability by preventing those BPDUs from being processed. BPDU filtering, in contrast, stops all BPDUs from being received or sent on a switch port, which effectively disables STP on that port.
Figure 1 briefly highlights the most appropriate place where these features should be applied in a Layer 2 STP-based environment.
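The following Python model is added here as an illustration and is not code from the original chapter. It runs the 802.1D root election over a few constructed bridge IDs and then shows how each protection feature above reacts when a BPDU advertising a superior root arrives on an access port, plus how Loop Guard differs by acting on the absence of BPDUs. The switch names, priorities, MAC addresses and port name are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True, order=True)
class BridgeId:
    """802.1D bridge ID: the numerically lowest (priority, MAC) pair wins the root election."""
    priority: int
    mac: str


class Guard(Enum):
    NONE = "none"            # no protection feature configured on the port
    ROOT_GUARD = "root-guard"
    BPDU_GUARD = "bpdu-guard"
    BPDU_FILTER = "bpdu-filter"


@dataclass
class Port:
    name: str
    guard: Guard = Guard.NONE
    state: str = "forwarding"


def elect_root(bridges):
    """Standard root election: the bridge with the lowest bridge ID becomes root."""
    return min(bridges)


def receive_bpdu(current_root, port, advertised_root):
    """Process one BPDU claiming `advertised_root` as root, received on `port`.

    Returns (root_after, port_state_after, event). Each branch follows the
    feature description given in the text above.
    """
    if port.guard is Guard.BPDU_FILTER:
        # BPDU Filter: the frame is dropped before STP ever processes it.
        return current_root, port.state, "bpdu dropped by filter"
    if port.guard is Guard.BPDU_GUARD:
        # BPDU Guard: any BPDU on a PortFast edge port is unexpected, so the port is disabled.
        port.state = "err-disabled"
        return current_root, port.state, "port err-disabled by bpdu guard"
    superior = advertised_root < current_root
    if superior and port.guard is Guard.ROOT_GUARD:
        # Root Guard: the superior BPDU is refused and the port blocks until they stop.
        port.state = "root-inconsistent"
        return current_root, port.state, "superior bpdu blocked by root guard"
    if superior:
        # Unprotected port: the election is lost and the whole tree re-converges.
        return advertised_root, port.state, "new root accepted"
    return current_root, port.state, "inferior bpdu ignored"


def bpdu_age_out(port, loop_guard):
    """Max-age expiry on a blocking (non-designated) port that stopped receiving BPDUs.
    Without Loop Guard the port moves to forwarding and can close a loop;
    with Loop Guard it is held in loop-inconsistent instead."""
    port.state = "loop-inconsistent" if loop_guard else "forwarding"
    return port.state


def demo():
    """Constructed scenario: DSW1 is the intended root; an unplanned switch with
    priority 0 is attached to an access port. Returns the outcome per feature."""
    dsw1 = BridgeId(4096, "00:00:0c:aa:aa:01")
    dsw2 = BridgeId(8192, "00:00:0c:aa:aa:02")
    asw1 = BridgeId(32768, "00:00:0c:aa:aa:03")
    root = elect_root([dsw1, dsw2, asw1])
    rogue = BridgeId(0, "00:11:22:33:44:55")   # constructed, lower than any planned bridge
    outcome = {}
    for guard in Guard:
        port = Port("Gi1/0/24", guard=guard)
        new_root, state, event = receive_bpdu(root, port, rogue)
        outcome[guard.value] = (new_root == root, state, event)
    return root, outcome


if __name__ == "__main__":
    root, outcome = demo()
    print("elected root:", root)
    for feature, (root_kept, state, event) in outcome.items():
        print(f"{feature:12} root kept={root_kept!s:5} port={state:18} {event}")
```

Only the unprotected port lets the unplanned bridge win the election; the other three keep the intended root, differing in whether the port stays usable (BPDU Filter), blocks until the condition clears (Root Guard), or is shut down (BPDU Guard).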
Cisco has developed enhanced versions of STP, such as Per-VLAN Spanning Tree Plus (PVST+) and Rapid PVST+, that incorporate a number of the preceding features and provide faster convergence and increased scalability.
Review Questions
1. Which mechanism transitions an access port directly to the forwarding state?
a. Root Guard
b. PortFast
c. BPDU Guard
d. BPDU Filter
b. PortFast is a feature that bypasses the listening and learning phases to transition directly to the forwarding state. STP edge port is another name for this but is less well-known.
2. Which mechanism suppresses BPDUs on ports?
a. Root Guard
b. PortFast
c. BPDU Guard
d. BPDU Filter
d. BPDU Filter is a feature that suppresses BPDUs on ports.
3. Which mechanism prevents external switches (i.e., switches not under your administrative control) from becoming the root of a Spanning Tree Protocol tree?
a. Root Guard
b. PortFast
c. BPDU Guard
d. BPDU Filter
a. Root Guard is a feature that prevents external switches — switches that are not part of your network or under your control — from becoming the root of the Spanning Tree Protocol tree.
4. Which protocol groups multiple VLANs into a single STP instance?
a. GLBP
b. STP
c. MST
d. HSRP
c. Multiple Spanning Tree (MST) is a protocol that is used to group multiple VLANs into a single STP instance. This also reduces the total number of spanning-tree instances that match the physical topology of the network, reducing the CPU load.
VLANs and Trunking
A Layer 2 virtual local-area network (VLAN) is considered a type of network virtualization technique that provides logical separation of broadcast domains and a boundary for policy control. In addition, VLANs offer a degree of fault isolation at Layer 2 that can contribute to the optimization of network performance, stability, and manageability. Trunking, in turn, refers to the protocols that enable the network to extend VLANs across Layer 2 uplinks between different nodes by carrying multiple VLANs over a single physical link.
From a design best practices perspective, VLANs should not span multiple access switches; however, this is only a general recommendation. For example, some designs dictate that VLANs must span multiple access switches to meet certain application requirements. Consequently, understanding the different Layer 2 topologies and the impact of spanning VLANs across multiple switches is a key aspect for Layer 2 design. Keep in mind that although spanning VLANs might not always be the best option from a network design perspective, that does not mean it is the incorrect decision to make, as there are numerous designs that require Layer 2 spanning to be in place. An example of this is the requirement in an architecture with multiple data centers where the network must allow for virtual machine mobility between the different data centers while maintaining the same IP address.
Link Aggregation
The concept of link aggregation refers to the industry standard IEEE 802.3ad, in which multiple physical links can be grouped together to form a single logical link. This concept offers a cost-effective solution by increasing cumulative bandwidth without requiring any hardware upgrades. The IEEE 802.3ad Link Aggregation Control Protocol (LACP) offers several other benefits, including the following:
- An industry standard protocol that enables interoperability of multivendor network devices
- The optimization of network performance in a cost-effective manner by increasing link capacity without changing any physical connections or requiring hardware upgrades
- Eliminates single points of failure and enhances link-level reliability and resiliency
Although link aggregation is a simple and reasonable mechanism to increase bandwidth capacity between network nodes, each individual flow is limited to the speed of the single member link that the load-balancing hashing algorithm assigns to that flow.
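The per-flow limit described above is easy to see with a small model. The following Python block is an added illustration, not code from the chapter or from any vendor: it hashes a flow's 5-tuple onto a constructed four-member bundle. SHA-256 stands in for the ASIC hash, and the member names, link speed and traffic are constructed sample values; real switches use their own hash functions and the configured field set (src-dst-mac, src-dst-ip, and so on), but the property shown is the same.

```python
import hashlib
from collections import Counter

MEMBERS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"]   # constructed 4-member bundle
MEMBER_SPEED_GBPS = 10                                     # constructed member link speed


def member_for_flow(src_ip, dst_ip, src_port, dst_port, proto, members=MEMBERS):
    """Select the member link for one flow from a hash of its 5-tuple.
    Every frame of the same flow produces the same hash, so the whole flow
    rides one member and can never exceed that member's speed."""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{proto}".encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return members[bucket % len(members)]


def distribute(flows, members=MEMBERS):
    """Count how many of the given flows (or frames) land on each member link."""
    return Counter(member_for_flow(*flow, members=members) for flow in flows)


def capacity_summary(members=MEMBERS, speed=MEMBER_SPEED_GBPS):
    """Aggregate bundle capacity versus the ceiling any single flow can reach."""
    return {"aggregate_gbps": speed * len(members), "per_flow_max_gbps": speed}


def demo():
    # Constructed traffic: one long-lived backup transfer (a single flow)
    # and 200 short client sessions with distinct source addresses and ports.
    backup = ("10.1.1.10", "10.2.2.20", 40000, 445, "tcp")
    sessions = [("10.1.1.%d" % (i % 250 + 1), "10.2.2.20", 50000 + i, 443, "tcp")
                for i in range(200)]
    return {
        "backup_member": member_for_flow(*backup),
        "backup_spread": distribute([backup] * 1000),   # 1000 frames of one flow
        "session_spread": distribute(sessions),         # many flows spread out
        "capacity": capacity_summary(),
    }


if __name__ == "__main__":
    result = demo()
    print("single backup flow pinned to:", result["backup_member"], result["backup_spread"])
    print("200 sessions spread as:", dict(result["session_spread"]))
    print("capacity:", result["capacity"])
```

The 1000 frames of the backup flow all land on one member, so that transfer tops out at 10 Gbps even though the bundle totals 40 Gbps; the 200 independent sessions spread across all four members. The same effect explains why a bundle with few high-volume flows can show one saturated member while the others sit idle.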
In addition to LACP (the industry standard link aggregation control protocol), Cisco has developed a proprietary link aggregation protocol called Port Aggregation Protocol (PAgP). Both protocols have different operational modes, which the network designer must be aware of.
There are two primary types of link aggregation connectivity models:
- Single-chassis link aggregation: The typical link aggregation type of connectivity that connects two network nodes in a point-to-point manner.
- Multichassis link aggregation (mLAG): This type of link aggregation connectivity is most commonly used when the upstream switches (typically two) are deployed in “switch clustering” mode. This connectivity model offers a higher level of link and path resiliency than the single-chassis link aggregation.
Figure 2 illustrates these two link aggregation connectivity models.
Cisco has created a “switch-clustering” solution called Virtual Switching System (VSS), which solves the Spanning Tree Protocol looping problem by converting the distribution switching pair into a logical single switch. From a design perspective, VSS removes the need for both STP and FHRP in the Layer 2 design.
Review Questions
6. Which protocol is defined in IEEE 802.3ad and provides a method to control the bundling of several physical ports to form a single logical channel?
a. PAgP
b. VSS
c. FHRP
d. LACP
d. Link Aggregation Control Protocol (LACP) is a protocol defined in IEEE 802.3ad that provides a method to control the bundling of several physical ports to form a single logical channel.
7. Which Cisco-proprietary technology allows certain Cisco switches to bond together as a single virtual switch?
a. PAgP
b. VSS
c. FHRP
d. LACP
b. Virtual Switching System (VSS) is a Cisco technology that allows certain Cisco switches to bond together as a single virtual switch.
First Hop Redundancy Protocol and Spanning Tree
First-hop Layer 3 routing redundancy is designed to offer transparent failover capabilities at the first-hop Layer 3 IP gateways, where two or more Layer 3 devices work together in a group to represent one virtual Layer 3 gateway. The First Hop Redundancy Protocol (FHRP) options include Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP). These are the primary and most commonly used protocols to provide a resilient default gateway service for endpoints and hosts.
Understanding what drives the need for an FHRP is critical to knowing when to leverage one. The following considerations and characteristics apply to all FHRP options:
- Where is the current default gateway? Is the location suitable for FHRP? If not, can the default gateway be moved?
- Provide routing redundancy for the access layer
- Independent of routing protocols
- Capable of providing subsecond failover
The following table (Table 1) summarizes and compares the main capabilities and functions of these different FHRP protocols.
| | HSRP | VRRP | GLBP |
|---|---|---|---|
| Standard | Cisco proprietary | IEEE | Cisco proprietary |
| IPv6 support | Yes (v2) | Yes (v3) | Yes |
| Authentication | Yes | Yes | Yes |
| Load sharing | Multiple HSRP groups per interface | Multiple VRRP groups per interface | Natively supported |
| Default hello timer (seconds) | 3 | 1 | 3 |
| Virtual IP (VIP) | Different from interface IP | Can be the same as the interface IP of the master router | Different from interface IP |
| BFD support for subsecond convergence | Yes | Yes | Yes |
One of the typical scenarios in classical hierarchical networks is when FHRP works in conjunction with STP to provide redundant Layer 3 gateway services. This is most often the first time a network designer will run into designing multiple technologies that impact each other directly. The following design model (depicted in Figure 3) is considered one of the common design models with a proven ability to provide the most resilient design when an FHRP (such as VRRP or HSRP) is applied to an STP-based Layer 2 network. This design model has the following characteristics:
- The interswitch link between the distribution switches is configured as a Layer 3 link.
- No VLAN spanning across switches.
- The STP root bridge is aligned with the active FHRP instance for each VLAN.
- Uplinks from the access layer to the distribution layer are both forwarding from an STP point of view.
In the design illustrated in Figure 3, when GLBP is used as the FHRP, it is going to be less deterministic compared to HSRP or VRRP because the distribution of Address Resolution Protocol (ARP) responses is going to be random.
If a network designer does not properly align the STP root bridge with the active FHRP instance for the corresponding VLAN, there will be a suboptimal impact to traffic traversing that VLAN. An example of this is shown in Figure 4.
While the design in Figure 4 functionally works, it is not optimal and in most cases would be called a poor design. This is because FHRP and STP have not been properly aligned from a design perspective, causing traffic sourced from the client device on VLAN 22 to traverse an extra hop through DSW1 to then get to DSW2.
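The misalignment in Figure 4 is the kind of thing a designer can check mechanically before deployment. The following Python block is an added example, not code from the chapter: given the per-VLAN STP priorities and HSRP priorities configured on a pair of distribution switches, it works out which switch wins each election, flags every VLAN whose STP root and HSRP active differ, and proposes a remedy that moves the HSRP active role onto the STP root. The switch names, MAC addresses, IP addresses, VLAN numbers and priorities are constructed sample values, and the VLAN 22 entry reproduces the Figure 4 situation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str   # used as the STP tie-breaker
    ip: str    # used as the HSRP tie-breaker


@dataclass
class VlanPolicy:
    """Per-VLAN settings on the distribution pair (constructed sample)."""
    vlan: int
    stp_priority: dict    # switch name -> configured STP bridge priority
    hsrp_priority: dict   # switch name -> configured HSRP priority


# Constructed distribution pair.
SWITCHES = {
    "DSW1": Switch("DSW1", "00:00:0c:d1:00:01", "10.0.0.2"),
    "DSW2": Switch("DSW2", "00:00:0c:d2:00:01", "10.0.0.3"),
}


def ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def stp_root(policy):
    """802.1D root election: lowest priority wins, tie broken by lowest MAC."""
    return min(policy.stp_priority,
               key=lambda n: (policy.stp_priority[n], SWITCHES[n].mac))


def hsrp_active(policy):
    """HSRP active election: highest priority wins, tie broken by highest interface IP."""
    return max(policy.hsrp_priority,
               key=lambda n: (policy.hsrp_priority[n], ip_key(SWITCHES[n].ip)))


def audit_alignment(policies):
    """Return (vlan, stp_root, hsrp_active) for every VLAN where the two differ.

    In a looped triangle the access switch forwards only on the uplink toward
    the STP root, so when the gateway is active on the other switch, traffic
    from that VLAN crosses the interswitch link for an extra hop."""
    findings = []
    for p in policies:
        root, active = stp_root(p), hsrp_active(p)
        if root != active:
            findings.append((p.vlan, root, active))
    return findings


def align_hsrp_to_root(policy):
    """Remedy: give the STP root the highest HSRP priority for this VLAN.
    Returns a new policy; in a real deployment preemption must also be enabled
    so the intended switch actually takes over the active role."""
    root = stp_root(policy)
    new_prio = dict(policy.hsrp_priority)
    new_prio[root] = max(policy.hsrp_priority.values()) + 10
    return VlanPolicy(policy.vlan, dict(policy.stp_priority), new_prio)


# Constructed sample: VLAN 20 is aligned, VLAN 22 is the Figure 4 case
# (DSW1 is root, but DSW2 holds the active gateway).
SAMPLE = [
    VlanPolicy(20, {"DSW1": 4096, "DSW2": 8192}, {"DSW1": 110, "DSW2": 100}),
    VlanPolicy(22, {"DSW1": 4096, "DSW2": 8192}, {"DSW1": 100, "DSW2": 110}),
]


if __name__ == "__main__":
    for vlan, root, active in audit_alignment(SAMPLE):
        print(f"VLAN {vlan}: STP root {root} but HSRP active {active} -> extra hop via {root}")
    fixed = [align_hsrp_to_root(p) for p in SAMPLE]
    print("after remedy:", audit_alignment(fixed) or "all VLANs aligned")
```

The same audit can be run the other way round, lowering the STP priority on the HSRP active switch instead; what matters is that both elections land on the same switch per VLAN, which is the third characteristic of the Figure 3 model.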
Review Questions
5. Which protocol is a standards-based first-hop routing protocol that provides redundancy with a virtual router elected as a master?
a. GLBP
b. VSS
c. VRRP
d. HSRP
c. Virtual Router Redundancy Protocol (VRRP) is a standards-based first-hop routing protocol that provides redundancy with a virtual router elected as the master.
Layer 2 LAN Common Design Models
Network designers have many design options for Layer 2 LANs. This section highlights the primary and most common Layer 2 LAN design models used in traditional and today’s LANs, along with the strengths and weaknesses of each design model.
STP-Based Models
In classical Layer 2 STP-based LAN networks, the connectivity from the access layer switches to the distribution layer switches can be designed in various ways and combined with Layer 2 control protocols and features to achieve certain design functional requirements. In general, there is no single best design that can fit every requirement, because each design is proposed to resolve a certain issue or requirement. However, by understanding the strengths and weaknesses of each topology and design model, network designers may select the most suitable design model that meets the requirements from different aspects, such as network convergence time, reliability, and flexibility.
Figure 5 highlights the different STP-based LAN connectivity topologies.
Table 2 contains a design comparison summary for the STP-based LAN connectivity topologies highlighted in Figure 5.
| Topology Model | Design Concern | When to Use |
|---|---|---|
| Looped Triangle Topology | STP limits the ability to utilize all the available uplinks, which makes it inefficient and not a flexible option. | Single-homed endpoints without high-bandwidth capacity and fast convergence requirements. |
| Loop-Free Inverted U Topology | Introduces a single point of failure to the design if one distribution switch or the uplink between access and distribution switch fails. | Dual-homed endpoints with NIC teaming or endpoints that do not require low MTTR. |
| Looped Square Topology | A significant amount of access layer traffic might cross the interswitch link to reach the active FHRP. In case of a distribution switch failure, the oversubscription of the second access to distribution uplink will significantly increase, making it not a very reliable or scalable option. | Noncritical single- or dual-homed endpoints without high-bandwidth capacity requirements. |
| Loop-Free U Topology | Inability to extend the same VLANs over more than a pair of access switches; otherwise, a loop could be formed between multiple access pairs carrying the same VLANs. | Single- or dual-homed endpoints with high forwarding capacity and relatively fast convergence requirements. Spanning VLANs across multiple access switches is not a requirement. |
All the Layer 2 design models in Figure 5 share common limitations: the reliance on STP to avoid loss of connectivity caused by Layer 2 loops and the dependency on Layer 3 FHRP timers, such as VRRP, to converge. These dependencies naturally lead to an increased convergence time when a node or link fails. Therefore, as a rule of thumb, tuning and aligning STP and FHRP timers is a recommended practice to overcome these limitations to some extent.
Switch Clustering Based (Virtual Switch)
The concept of switch clustering significantly changed the Layer 2 design model between the access and distribution layer switches. With this design model, a pair of upstream distribution switches can appear as one logical (virtual) switch from the access layer switch point of view. Consequently, this approach transformed the way access layer switches connect to the distribution layer switches, because there is no longer a reliance on STP and FHRP, which means the elimination of convergence delays associated with STP and FHRP. In addition, from the uplinks and link aggregation perspective, one access switch can be connected (multihomed) to the two clustered distribution switches as one logical switch using one link aggregation bundle over multichassis link aggregation (mLAG).
As Figure 6 shows, all uplinks will be in a forwarding state across both distribution switches from a Layer 2 point of view. There will be one virtual IP gateway that should permit the forwarding across both switches from the forwarding plane perspective. This design model can enhance network resiliency and convergence time, and maximize bandwidth capacity, by utilizing all uplinks. In addition, this design model supports the extension of the Layer 2 VLAN across access switches safely, without any concern about forming any Layer 2 loop. This makes the design model simple, reliable, easy to manage, and more scalable as compared to the classical STP-based design model.
Although a virtual switch adds many positive design attributes, it is not without its own limitations. There are several different virtual switching protocols today, but no matter the protocol, they all face the same potential limitation of a split brain. A split-brain situation occurs when two or more devices in the cluster each act as the primary member of the cluster at the same time. This usually happens when an outage on the cluster link(s) severs all cluster communication between the corresponding cluster members. To mitigate a split-brain scenario, network designers should incorporate what is known as Dual Active Detection mechanisms within the clustering protocol being selected. Figure 7 shows where the Dual Active Detection links would be in a Cisco VSS cluster design.
Stacking switches is another form of clustering that is similar to the virtual switch architecture. Stacking has a number of the same attributes and design elements but is achieved by joining multiple physical switches into a single logical switch. From a Cisco product implementation perspective (Cisco-proprietary StackWise), switches are interconnected by StackWise interconnect cables, and a master switch is selected. The switch stack is managed as a single object and uses a single IP management address and a single configuration file, which reduces management overhead. Furthermore, the switch stack can create an EtherChannel connection, and uplinks can form a Multichassis EtherChannel (MEC) with an upstream distribution architecture.
Daisy-Chained Access Switches
Although this design model might be a viable option to overcome some limitations, network designers commonly use it as an interim solution. This design can introduce undesirable network behaviors. For instance, the design shown in Figure 8 can introduce the following issues during a link or node failure:
- Dual active HSRP (split-brain situation)
- Possibility of 50 percent loss of the returning traffic for devices that still use the distribution switch-1 as the active Layer 3 FHRP gateway
When suggesting an alternative solution to overcome a given design issue or limitation, it is important to make sure that the suggested design option will not introduce new challenges or issues during certain failure scenarios. Otherwise, the newly introduced issues will outweigh the benefits of the suggested solution. In some situations, a network designer has no other choices available, in which case the designer may have to leverage a less than ideal solution as a short-term fix while the long-term solution is procured and deployed.
Review Questions
8. Which of the following is the primary design concern for a Looped Triangle Topology?
a. Introduces a single point of failure to the design if one distribution switch or uplink fails.
b. A significant amount of access layer traffic might cross the interswitch link to reach the active FHRP.
c. Inability to extend the same VLANs over more than a pair of access switches.
d. STP limits the ability to utilize all the available uplinks within a VLAN or STP instance.
d. The primary design concern for a Looped Triangle Topology is that STP limits the ability to utilize all the available uplinks within a VLAN or STP/MST instance.
9. Which of the following is the primary design concern for a Loop-Free Inverted U Topology?
a. Introduces a single point of failure to the design if one distribution switch or uplink fails.
b. A significant amount of access layer traffic might cross the interswitch link to reach the active FHRP.
c. Inability to extend the same VLANs over more than a pair of access switches.
d. STP limits the ability to utilize all the available uplinks within a VLAN or STP instance.
a. The primary design concern for a Loop-Free Inverted U Topology is that it introduces a single point of failure to the design if one distribution switch or uplink fails.
10. Which of the following is the primary design concern for a Looped Square Topology?
a. Introduces a single point of failure to the design if one distribution switch or uplink fails.
b. A significant amount of access layer traffic might cross the interswitch link to reach the active FHRP.
c. Inability to extend the same VLANs over more than a pair of access switches.
d. STP limits the ability to utilize all the available uplinks within a VLAN or STP instance.
b. The primary design concern for a Looped Square Topology is that a significant amount of access layer traffic might cross the interswitch link to reach the active FHRP.
11. Which of the following is the primary design concern for a Loop-Free U Topology?
a. Introduces a single point of failure to the design if one distribution switch or uplink fails.
b. A significant amount of access layer traffic might cross the interswitch link to reach the active FHRP.
c. Inability to extend the same VLANs over more than a pair of access switches.
d. STP limits the ability to utilize all the available uplinks within a VLAN or STP instance.
c. The primary design concern for a Loop-Free U Topology is the inability to extend the same VLANs over more than a pair of access switches.
Summary
This chapter focused on the Layer 2 technologies that all network designers need to know. This included STP, VLANs, trunking, link aggregation, multichassis link aggregation (mLAG), and FHRP. The most common LAN design models were then discussed and compared, including when and why to use them. As a network designer, you need to have various technologies in place that properly protect the Layer 2 domain and facilitate having redundant paths to ensure continuous connectivity to the end user and their respective application, in the event of a failure scenario. Understanding the characteristics of these core Layer 2 technologies and their respective behaviors is critical to successfully designing a reliable and highly available Layer 2 network.