Designing Campus Layer 2 Infrastructures

Campus Layer 2 Infrastructures

Designing Campus Layer 2 Infrastructures is the first step into the Network Design focus area. This article covers DTP, VTP, VLANs, STP, MST, PoE, and WoL, with design considerations and recommendations for each protocol to help you make better design decisions.

You’ll Learn

  • What is DTP and VTP?
  • The design considerations for DTP
  • The most common design issues with VTP and how to mitigate them
  • Should you leverage VTPv3 or not?
  • VTP Design considerations
  • What is VLAN Pruning and how does it function
  • VLAN Pruning Design Considerations
  • What is STP and its purpose? Why do we need it?
  • How can we mitigate the slow convergence of STP?
  • What are the three additional flavors of STP and when to use them?
  • The design considerations for STP.
  • What are the Non-Rapid STP Improvements and how to leverage them?
  • How to increase the stability of STP.
  • What problem does MST solve and how to leverage it?
  • The Design considerations for PoE.
  • Why would WoL be something you would want to do?

Campus Layer 2 Infrastructures: DTP, VTP, and VLANs

Dynamic Trunking Protocol (DTP) negotiates trunk links automatically. The design issue is what that automation allows to happen inside your Enterprise network. Suppose a user plugs a switch that speaks DTP into an access port that was left at its default (dynamic) mode: the two switches negotiate a trunk on their own, without you as the Network Engineer knowing about it. That extends your Layer 2 domain to a device you don't control and can lead to several kinds of outages, and it is not limited to real switches: any host that can send DTP frames can bring up the same trunk and then reach every VLAN carried on it. For this reason, the DTP design consideration is to disable DTP and configure your trunks manually where you need them: put user ports in "switchport mode access" and uplinks in "switchport mode trunk", and add "switchport nonegotiate" to both so the port never sends or answers DTP. Trunks are not access ports; they are not needed all over the environment. You as the Network Engineer, Network Designer, and Network Architect should be part of designing, creating, implementing, and validating every trunk link.

VLAN Trunking Protocol (VTP) propagates the VLAN database among the switches in a VTP domain. VTPv1 and VTPv2 have three modes, Server, Client, and Transparent (VTPv3 adds Off). Whichever switch advertises the highest configuration revision number wins, and every server and client in the domain overwrites its VLAN database with that one. This leads to a situation that happens often: a switch that was used in a lab or at another site, even one in client mode, is connected with the same domain name and a higher revision number, and the VLAN database of the entire VTP domain is erased. For those that have had this happen to you in a production network, the scars are visible. For those that haven't run into this yet, protect yourself and disable VTP. The VTP design considerations: If your network only supports VTPv1/v2, don't use it; manually configure all switches in transparent mode. If you want to use VTP, use version 3, where only the one primary server may change the VLAN database, so a freshly connected switch cannot take over just by carrying a higher revision number. Keep in mind that VTPv3 is not the default on most devices; you must configure it explicitly, and you should set a VTP domain password in either version. Also, VTPv3 is compatible with VTPv2 as long as you don't use private or extended VLANs.

I always get the question "What is VLAN Pruning?" VTP pruning is a feature that stops a trunk from flooding broadcast, multicast, and unknown-unicast traffic for VLANs the neighboring switch has no active ports in. When enabled this is an automatic process. The automatic process, though, does not remove the VLANs from the trunk: they stay allowed, and the switch keeps running an STP instance for each of them on that trunk. Because of this efficiency limitation, the VLAN Pruning design consideration is to prune trunk links manually, which removes the VLAN from the trunk (pruning) and with it the STP instance on that link, and also means a VLAN that is not allowed on a trunk cannot be reached across it. You can use the Cisco CLI command below, and don't forget the add/remove keywords when you modify an existing list: "switchport trunk allowed vlan 10" on its own replaces the whole list with VLAN 10 and drops every other VLAN from the trunk.

switchport trunk allowed vlan {add | remove | except | all} vlan-list
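To turn the DTP, VTP and pruning considerations above into something you can check, here is an added example (not Zigbits' code, not from any Cisco tool) that audits an IOS-style running-config for the three mistakes discussed: ports still negotiating with DTP, VTP left in server or client mode below version 3, and trunks carrying every VLAN. The config fragment, interface names and VLAN numbers are constructed for the example.

```python
"""Audit an IOS-style switch config for the DTP, VTP and trunk-pruning
issues discussed above.  Added example (not Zigbits' code); the config
fragment below is constructed, not taken from a real device."""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
vtp mode server
vtp version 2
!
interface GigabitEthernet1/0/1
 description user port left at defaults (DTP negotiates)
 switchport
!
interface GigabitEthernet1/0/2
 description user port, hardened
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink: static trunk, DTP still on, every VLAN allowed
 switchport mode trunk
!
interface GigabitEthernet1/0/25
 description uplink: hardened and manually pruned
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface lines."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_vtp(global_lines: List[str]) -> List[str]:
    """Anything but transparent/off leaves the VLAN database exposed."""
    mode, version = "server", 1          # IOS defaults when the lines are absent
    for line in global_lines:
        parts = line.split()
        if parts[:2] == ["vtp", "mode"]:
            mode = parts[2]
        elif parts[:2] == ["vtp", "version"]:
            version = int(parts[2])
    findings = []
    if mode in ("server", "client"):
        findings.append(f"vtp mode {mode}: any switch in the domain advertising a "
                        "higher configuration revision overwrites the VLAN database")
        if version < 3:
            findings.append(f"vtp version {version}: use 'vtp mode transparent', or "
                            "'vtp version 3' so only the primary server changes VLANs")
    return findings


def audit_interface(lines: List[str]) -> List[str]:
    """DTP and pruning checks for one switchport."""
    mode, nonegotiate, allowed = None, False, None
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line.split()[2]       # access | trunk | dynamic
        elif line == "switchport nonegotiate":
            nonegotiate = True
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = line.split(maxsplit=4)[4]
    findings = []
    if mode is None or mode == "dynamic":
        findings.append("DTP negotiation enabled (default/dynamic mode): a connected "
                        "device that speaks DTP can bring up a trunk on this port")
    elif not nonegotiate:
        findings.append(f"static {mode} port still sends DTP frames; add "
                        "'switchport nonegotiate'")
    if mode == "trunk" and allowed in (None, "all"):
        findings.append("trunk carries every VLAN; prune it with 'switchport trunk "
                        "allowed vlan <list>' and use add/remove for later changes")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Findings keyed by 'vtp' and by interface name; an empty list means clean."""
    global_lines, interfaces = parse_config(text)
    report = {"vtp": audit_vtp(global_lines)}
    for name, lines in interfaces.items():
        report[name] = audit_interface(lines)
    return report


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: {'clean' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against the output of "show running-config" saved to a file instead of the constructed sample and you get a per-port list of what still needs "switchport nonegotiate" or a pruned allowed-VLAN list; the VTP defaults in audit_vtp (server mode, version 1 when no line is present) are the IOS defaults, which is exactly why an unconfigured switch is dangerous in a VTP domain.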

Here is a video discussing DTP, VTP, and VLANs

Campus Layer 2 Infrastructures: STP and MST

Spanning Tree Protocol (STP, IEEE 802.1D) is meant to prevent Layer 2 loops in your network. To accomplish this, STP blocks redundant paths: the links are still up/up, but no data is forwarded across the blocked ports. I've never been a fan of STP. If I run multiple links, I want to utilize them. Just a personal preference of mine. I would rather run Layer 3 all the way to the access switch, which isolates any Layer 2 loop that does form to a single access switch. Even in that design, though, you still want to configure STP properly, in case a user connects another switch or, heaven forbid, a hub.

Natively, STP has the drawback of slow convergence. It takes a relatively long time for a switchport to move through the STP states from blocking, listening, and learning to eventually forwarding traffic. With the 802.1D default timers (20 seconds of max age, then 15 seconds each of listening and learning) this takes 30 to 50 seconds, which these days is far too slow for most companies, businesses, and users.

Here are some STP Design Considerations:

  • Do not disable STP in a Layer 2 Network! (I know I hate STP, but don’t do this)
  • Make sure you are properly Designing your Root Bridge Placements (Per VLAN)
  • For Better convergence use Rapid PVST+ or MST
  • The lower the bridge ID (priority first, then MAC address) the better; that switch becomes the root bridge. Don't leave your root bridges to chance: a switch left at the default priority of 32768 loses to any device with a lower priority, and between equal priorities the lowest MAC wins, which is often the oldest switch or one a user installed. Make proper design decisions and manually configure your root bridges, a primary and a secondary per VLAN.
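The election described in the last bullet, worked through as an added example (not from this article): bridge IDs are built the way PVST+ with the extended system ID builds them, priority plus VLAN number first and the MAC only as a tie-breaker, and the constructed topology shows why a configured priority beats a user's switch with a low MAC but not a device that deliberately advertises priority 0. Switch names, MAC addresses and VLAN numbers are made up for the example.

```python
"""Per-VLAN STP root bridge election, as an added example (not from the post).
The bridge ID is a 2-byte priority field plus the 6-byte MAC.  With the
extended system ID used by PVST+, the priority field is the configured
priority (a multiple of 4096) plus the VLAN number, so priority is compared
first and the MAC only breaks ties.  Lowest wins.  Switch names, MACs and
VLANs below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 32768


@dataclass
class Switch:
    name: str
    mac: str                                        # base MAC in Cisco dotted form
    priority: Dict[int, int] = field(default_factory=dict)   # vlan -> configured priority

    def bridge_id(self, vlan: int) -> Tuple[int, int]:
        """(priority field, MAC as int); lower compares better."""
        prio = self.priority.get(vlan, DEFAULT_PRIORITY)
        if prio % 4096 or not 0 <= prio <= 61440:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096 in 0..61440")
        return (prio + vlan, int(self.mac.replace(".", ""), 16))


def elect_root(switches: List[Switch], vlan: int) -> str:
    """Every switch sees the same BPDUs; the lowest bridge ID becomes root."""
    return min(switches, key=lambda s: s.bridge_id(vlan)).name


def scenario() -> Dict[str, str]:
    """Designed roots versus a switch a user plugged in (constructed topology)."""
    core1 = Switch("core1", "0000.0c11.1111", {10: 4096, 20: 8192})   # primary for VLAN 10
    core2 = Switch("core2", "0000.0c22.2222", {10: 8192, 20: 4096})   # primary for VLAN 20
    access1 = Switch("access1", "0000.0c33.3333")                     # default priority
    rogue = Switch("rogue", "0000.0000.0001")   # lowest MAC on the segment, default priority
    campus = [core1, core2, access1, rogue]
    results = {"vlan10": elect_root(campus, 10), "vlan20": elect_root(campus, 20)}
    # Someone configures 'spanning-tree vlan 10 priority 0' on the rogue switch:
    rogue.priority[10] = 0
    results["vlan10_rogue_priority0"] = elect_root(campus, 10)
    # Had nobody configured priorities, the lowest MAC would have won from the start:
    for sw in campus:
        sw.priority.clear()
    results["vlan10_all_defaults"] = elect_root(campus, 10)
    return results


if __name__ == "__main__":
    for case, root in scenario().items():
        print(f"{case}: root = {root}")
```

The second and third results are the point: priorities of 4096 and 8192 on the cores make the rogue's low MAC irrelevant, but nothing in the election itself stops a device that advertises priority 0, which is what Root Guard (below) is for. Prefer explicit priorities over the "spanning-tree vlan 10 root primary" macro, which picks 24576 or 4096 below whatever root it currently sees, so the value it lands on depends on what was already on the wire.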

To address STP's limitations, three other flavors of STP were created:

  1. Per VLAN Spanning Tree + (PVST+)
  2. Rapid Per VLAN Spanning Tree + (Rapid-PVST+)
  3. Multiple Spanning Tree (MST)

PVST+ runs a separate tree per VLAN, so different VLANs can forward over different uplinks, but it still converges at 802.1D speed. The Rapid variant (based on IEEE 802.1w) brings convergence down to a few seconds, and MST (IEEE 802.1s) is rapid as well while grouping VLANs into a small number of instances.

To mitigate the convergence delays of classic 802.1D, three features were added: UplinkFast, BackboneFast, and PortFast.

UplinkFast lets an access switch with redundant uplinks move to its backup uplink within seconds when the primary uplink fails. BackboneFast speeds up convergence when an indirect link failure occurs elsewhere in the tree, by skipping the max-age wait. PortFast lets a port, normally an access port with a single host on it, go straight to forwarding, skipping the listening and learning states. These features are critical in mitigating the slow convergence of 802.1D; Rapid-PVST+ and MST build the UplinkFast and BackboneFast behavior into the protocol itself, so there you only configure PortFast (the edge-port concept). Never enable PortFast on a port that might end up connected to a switch without pairing it with BPDU Guard: a port that forwards immediately can complete a loop before STP notices it.

From a network design perspective, we need to be familiar with the STP stability options: BPDU Guard, BPDU Filter, Root Guard, and Loop Guard. Below is a graphic that you can use as a reference on where these features are configured.

I always recommend to new Network Designers that they protect their root bridges. To do so, leverage Root Guard. Configured on the designated ports that face away from the root (distribution ports toward access switches, and any port toward a device you don't administer), Root Guard keeps external switches from becoming root: if a superior BPDU arrives on such a port, the port is placed in the root-inconsistent (blocking) state instead of the whole domain re-converging on the new root, and it recovers by itself once the superior BPDUs stop.

Now when there are multiple links and some sort of STP failure happens, it would be good to be able to validate that we are in fact still receiving BPDUs on our alternate links; that's what Loop Guard does. A blocked (alternate) port or a root port expects BPDUs from its neighbor; if they stop, for instance because a fiber link has gone unidirectional, classic STP assumes the neighbor is gone and moves the port to forwarding, which creates a loop. With Loop Guard, that port goes to the loop-inconsistent (blocking) state instead and stays there until BPDUs return. Configure it on root and alternate ports, not on designated ports, which send BPDUs rather than expect them.

BPDU Guard error-disables a PortFast-enabled port if a BPDU is received on it. The idea is that we should never receive a BPDU on an access port, so if we do, let's shut that port down immediately. Enable it globally with "spanning-tree portfast bpduguard default" so every PortFast port gets it, and decide up front whether the port recovers automatically ("errdisable recovery cause bpduguard") or stays down until someone looks at what was plugged in and does a shutdown / no shutdown.

The last STP stability feature I want to highlight is BPDU Filter. Configured on an interface, BPDU Filter suppresses BPDUs on that port in both directions: none are sent and any received are dropped, so STP is effectively blind on that link. (The global variant, "spanning-tree portfast bpdufilter default", behaves differently: PortFast ports stop sending BPDUs, but a received BPDU still disables PortFast and the port runs normal STP.) I get the question a lot from new network designers, "where would I use BPDU Filter?" This is a great question, and I have always seen BPDU Filter used where there is some sort of demarcation between administrative domains, for example at your POP devices on the links toward your provider's equipment. In most cases there is no reason to accept a BPDU from your provider's network, and there is usually no reason to send one to your provider either, so BPDU Filter is a great fit for keeping BPDUs from crossing between the two networks. Don't use it on user ports, where BPDU Guard is the right tool: a filtered port will happily forward into a loop that STP can no longer see.
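To make the four stability features above concrete, here is an added example (not the article's code, and a simplification of what a real switch does) that models a port's configuration and applies the rules just described when a BPDU arrives or stops arriving: BPDU Guard error-disables, BPDU Filter drops, Root Guard blocks on a superior BPDU and recovers on its own, and Loop Guard holds a blocked port when BPDUs time out. Port names, bridge IDs and the sequence of events are constructed; port-role recalculation after a topology change is deliberately left out.

```python
"""Simulate what the STP stability features above do to a port when a BPDU
arrives or stops arriving.  Added example (not the post's code); port names,
bridge IDs and events are constructed.  Bridge IDs are (priority field, MAC
as int) tuples compared lexicographically; lower is better."""
from dataclasses import dataclass
from typing import Dict, Tuple

BridgeID = Tuple[int, int]


@dataclass
class Port:
    name: str
    role: str = "designated"      # designated | root | alternate
    state: str = "forwarding"     # forwarding | blocking | err-disabled | root-inconsistent | loop-inconsistent
    portfast: bool = False
    bpduguard: bool = False
    bpdufilter: bool = False
    rootguard: bool = False
    loopguard: bool = False

    def normal_state(self) -> str:
        """Where the port settles when nothing is wrong: alternates block."""
        return "blocking" if self.role == "alternate" else "forwarding"


class Bridge:
    """A switch's view of STP, reduced to the root bridge it believes in."""

    def __init__(self, root_id: BridgeID):
        self.root_id = root_id

    def receive_bpdu(self, port: Port, advertised_root: BridgeID) -> str:
        if port.state == "err-disabled":
            return port.state                   # stays down until shut/no shut or errdisable recovery
        if port.bpdufilter:
            return "bpdu ignored"               # dropped on receipt; STP is blind on this link
        if port.bpduguard:
            port.state = "err-disabled"         # a BPDU on an edge port means a bridge was plugged in
            return port.state
        if port.portfast:
            port.portfast = False               # without guard, PortFast is lost and normal STP runs
        if port.rootguard:
            if advertised_root < self.root_id:
                port.state = "root-inconsistent"    # superior BPDU: block the port, keep our root
            else:
                port.state = port.normal_state()    # no longer superior: recovers on its own
            return port.state
        if port.state == "loop-inconsistent":
            port.state = port.normal_state()        # BPDUs are back: loop guard releases the port
            return port.state
        if advertised_root < self.root_id:
            self.root_id = advertised_root          # plain STP accepts the better root
        port.state = port.normal_state()
        return port.state

    def bpdu_timeout(self, port: Port) -> str:
        """Max age expired with no BPDU on this port (e.g. a unidirectional link)."""
        if port.role == "designated":
            return port.state                   # designated ports send BPDUs, they don't expect them
        if port.loopguard:
            port.state = "loop-inconsistent"    # keep blocking instead of assuming the neighbor left
        else:
            port.state = "forwarding"           # classic STP unblocks the alternate: loop risk
        return port.state


def scenarios() -> Dict[str, object]:
    """Constructed events on one switch that believes core1 (4096 + VLAN 10) is root."""
    sw = Bridge(root_id=(4106, 0x00000C111111))
    superior = (10, 0x000000000001)             # a device advertising priority 0
    inferior = (32778, 0x00000C333333)          # an ordinary default-priority switch
    out: Dict[str, object] = {}
    edge = Port("Gi1/0/5", portfast=True, bpduguard=True)          # user port
    out["bpduguard"] = sw.receive_bpdu(edge, inferior)
    demarc = Port("Gi1/0/48", bpdufilter=True)                      # toward the provider
    out["bpdufilter"] = sw.receive_bpdu(demarc, superior)
    down = Port("Gi1/0/24", role="designated", rootguard=True)      # toward an access switch
    out["rootguard_superior"] = sw.receive_bpdu(down, superior)
    out["rootguard_recover"] = sw.receive_bpdu(down, inferior)
    alt = Port("Gi1/0/26", role="alternate", state="blocking", loopguard=True)
    out["loopguard_timeout"] = sw.bpdu_timeout(alt)
    out["loopguard_recover"] = sw.receive_bpdu(alt, sw.root_id)
    naive = Port("Gi1/0/27", role="alternate", state="blocking")    # no loop guard
    out["no_loopguard_timeout"] = sw.bpdu_timeout(naive)
    out["root_unchanged"] = sw.root_id == (4106, 0x00000C111111)
    return out


if __name__ == "__main__":
    for event, result in scenarios().items():
        print(f"{event}: {result}")
```

The last two results are the ones to compare: the alternate port without Loop Guard ends up forwarding after the timeout, which is the loop, while the Root Guard and BPDU Filter cases leave the switch's idea of the root untouched even though a priority-0 BPDU arrived. On a real switch, "show spanning-tree inconsistentports" lists the ports sitting in the root-inconsistent or loop-inconsistent states this model produces.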

One last STP flavor to discuss is Multiple Spanning Tree (MST, IEEE 802.1s). The entire purpose of MST is to reduce the number of spanning-tree instances being run in your Layer 2 network. MST lets us as network designers map groups of VLANs that should follow the same forwarding topology into a single MST instance. Within that instance, STP is calculated once for the whole instance, whether it contains 10, 100, or 1000 VLANs. Why would this be used over the other STP options, you ask? To save resources (CPU, memory) and management overhead. One design caveat: every switch in an MST region must have the identical region name, revision number, and VLAN-to-instance mapping. A switch with even one VLAN mapped differently forms its own region and interacts with the others only through the common spanning tree, which is rarely the topology you designed.

Here is a video discussing STP and MST

Campus Layer 2 Infrastructures: PoE and WoL

Power over Ethernet (PoE) is the capability for access switches to supply power to end devices over the same cable that carries data. IEEE 802.3af provides up to 15.4 W per port (about 12.95 W at the device after cable loss), 802.3at (PoE+) up to 30 W, and 60 W per port comes from Cisco UPOE or the newer IEEE 802.3bt standard (which also defines a 90 W class), depending on what the access switch supports. This lets the switch power devices like Wireless Access Points, Voice over IP phones, security cameras, Internet of Things (IoT) devices, and many more.

What is the business reason for wanting your access switches to support and provide power to your devices? All of these devices require power; without PoE, they still need power! Think of your switch supporting 40 VoIP phones: without PoE, each phone would require its own power outlet at the cubicle. This means more wiring, more outlets, more work, money, and resources. When you design for it, remember that the per-port figure is not the whole story: each switch has a total PoE budget set by its power supply, and a fully populated 48-port switch cannot deliver 30 W on every port unless that supply was sized for it.

Wake on LAN (WoL) is a hardware and software feature that can wake up "sleeping" systems. The system is really shut down, not sleeping; it's the network interface card (NIC) that stays awake on standby power and keeps listening. With WoL there is what's called a magic packet: a frame whose payload is six bytes of 0xFF followed by the target's MAC address repeated 16 times, usually sent as a UDP broadcast (port 9 or 7 by convention, although the NIC matches the payload pattern, not the port). When the NIC sees its own MAC in that pattern, it knows to turn on the rest of the computer. The magic packet carries no authentication: anyone who can put a frame on that broadcast domain can wake the host, and the SecureOn password some NICs support is six extra bytes sent in the clear. Keep directed-broadcast forwarding disabled on your routers unless waking hosts across subnets is a deliberate part of the design.

Now you have the ability to remotely bring devices online, patch them, re-image them, install software, and then shut them down when you are done, without going anywhere to do it. That is a huge benefit from an Operations and Management perspective.

Here is a video discussing PoE and WoL
