Design – Layer 2

#DTP and VTP – What are they?

Dynamic Trunking Protocol (DTP):
Automagically negotiates trunk links

VLAN trunking protocol (VTP):
-Used to propagate VLANs among switches
-Supported Modes: Client, Server, and Transparent
-The VTP device with the highest config revision is the keep (WARNING)

#DTP and VTP – Design considerations

Set interfaces to trunk or access and disable DTP

-If your network only supports VTPv2, don’t use it
—-Configure all switches in transparent mode
-If you want to use VTP, use version 3
—-Keep in mind the default version is 2
—-VTPv3 is compatible with VTPv2 as long as you don’t use private/extended VLANs

I always set the switch to Transparent first and then configure it. This resets the config revision, so you don’t bring down the network because the new switch has a higher revision #.

#VLAN Pruning

VLAN Pruning:
Automatic: Doesn’t remove STP instances
Manual: Better option but it is manual

#VLAN Pruning Design Considerations

Manually Prune Trunk links with the “switchport trunk allow vlan” command.
If you need to add a vlan, use the “switchport trunk allow vlan add” command. (WARNING)

Be aware if you use the “switchport trunk allow vlan” command, you will wipe out all your VLANs if you do not list out all the VLANs. You need to use the “switchport trunk allow vlan add” command.

#STP – What is it?

Loop avoidance/prevention

#STP – Issues using it?

-Using STP, you have redundant links but you will not use them. Only one will be active at a time to help prevent loops.
-You can run across a lot of issues spanning VLANs across locations
-You have one broadcast storm across multiple switches or multiple places on the network

#STP – Design Considerations

-Do not Disable STP in a Layer 2 Network!
-Root Bridge Place (Per VLAN)
-For better convergence use Rapid PVST+ or MST
-The lower the root ID the better it is, that switch will be the root bridge
—-Don’t leave your Root Bridges to chance! Manually configure them!

#STP – Recommendations

-Pick two, one Primary Root and one Backup Root
-When you add a new switch, you want to make sure it does not become the root bridge! It will reconfigure your spanning domain and could reroute traffic!
-With HSRP, make sure these configs line up with the Spanning Tree design
-UDLD is a great option to use since STP won’t always catch the loop

#STP – Non Rapid STP Improved Performance

UplinkFast: Fast Uplink failover, used on access switches
BackboneFast: Fast convergence between deices when STP changes occur
PortFast: Fast access port transition, moves directly to the forwarding state

#STP – Stability

BPDU Guard: Disabled PortFast enabled ports if BPDU is received
BPDU Filter: Suppresses BPDUs on ports
Root Guard: Prevents external switches from becoming root
Loop Guard: Prevents an alternate port from becoming the designated port if no BPDUs are received

#STP – Convergence

To mitigate STP’s slow convergence issues three other flavors of STP were created:
1. Per VLAN Spanning Tree + (PVST+)
2. Rapid Per VLAN Spanning Tree + (Rapid-PVTS+)
3. Multiple Spanning-Tree (MST)

To mitigate the performance issues with STP, new features were created, UplinkFast, BackboneFast, and PortFast.

UplinkFast allows for your access switches to have a fast uplink failover when an issue is determined.
BackboneFast allows for a faster convergence time between devices with STP changes occur.
PortFast allows a port, usually an access port, to transition to the forwarding state. These features are critical in mitigating the slow convergence time of STP.



#Multiple Spanning Tree (MST)

-Reduce the number of spanning-tree instances
-Combine like traffic flows into a single MST instance
—-Now STP is ran once for the entire MST instance, even if it includes 1000 VLANs

#Closing Comments

I always tell network designers that their root bridges need to be protected. You’ll need to use Root Guard to accomplish this. External switches are protected from becoming root by Root Guard.

When there are many links and an STP failure, it would be beneficial to verify that we are receiving BPDUs on our alternate links, precisely what Loop Guard performs. If no BPDUs are received, Loop Guard prevents an alternate port from becoming the selected port.

If a BPDU is received on a PortFast enabled port, BPDU Guard disables it. The notion is that we should never receive a BPDU on an access port, and if we do, we should immediately shut that port.

The BPDU Filter is the final STP stability element I’d want to emphasize. BPDU Filter disables BPDUs on the port it’s connected to. BPDUs are suppressed in both directions. “Where would I utilize BPDU Filter?” is a question I get a lot from new network designers. This is a fantastic question, and I’ve always seen the BPDU filter utilized when there is some kind of network device demarcation. This could happen between your provider devices and your POP devices. In most circumstances, there is no reason to allow a BPDU from your provider’s network to enter your network. At the same time, there’s usually no purpose to send a BPDU to your provider; therefore, our BPDU Filter is a wonderful way to prevent BPDUs from crossing these two networks.

The Multiple Spanning Tree (MST) protocol is the final STP variant to discuss. MST’s sole function is to reduce the number of spanning-tree instances running on your Layer 2 network. As network builders, MST allows us to group similar traffic flows into a single MST instance. Whether the MST instance contains 10, 100, or 1000 VLANs, STP is calculated only once for the entire MST instance. You might wonder why this is preferred over the other STP choices. To save resources (CPU, Memory), as well as administrative costs.

#STP and FHRP Design Alignment

The goal here is like I mentioned above, when useing different technologies/features/services, you want to make sure they align in your design.


Looking at the dashed green lows for the traffic flow, traffic will flow from Access-SW1 to Dist-SW1 because the gateway mac address is ACTIVE on Dist-SW2. This is a PROBLEM and a design flaw.

Below is the preferred routing path:


#First Hop Redundancy Protocols (FHRP)

Ask yourself, why do you need FHRP and what are you solving.

FHRP Drivers:
-Where is my default gateway?
-Provide routing redundancy for access layer
-Independent of routing protocols
-Capable of providing subsecond failover
-Provides load sharing capabilities (GLBP)

Three Options:

USE BFD if you will track the links/interfaces in designs where you need to track an interface for HSRP/VRRP to bring it down. When that link goes down, you want to make sure the default gateway goes down, and everyone fails over to another path. I’m talking about the default gateway here.

#HSRP vs VRRP Comparison:


-HSRP and VRRP are very similar in design and implantation.
-You want your Preemption higher than what it takes to get your device online! If that’s 10 minutes for the router for come back online, then you want you preemption delay to be like 15 minutes.
-With STP, your root bridge is going to come back online and that primary root bridge is going to be a device. So you want your root bridge and primary HSRP to be the same or else you’re going to have an incorrect traffic flow.
-Default priority is 100 so you want to make sure the priority for the “Active” device is above 100
-Why use Preempt? The HSRP router with the highest priority can instantly become the active router by using the standby preempt command. So the device with the highest priority becomes active thanks to preempt.
-Use decrements with IP SLA and Tracking on your Primary Active route so it will lower the Priority level below the secondary device forcing a failover


-Packet load sharing among multiple routers
-Automatic true load-sharing, with a single group and no management overhead

#GLBP – Design Considerations
Polarization issues (See Below)


It’s never going to do a re-arp request again because the device is locking it in until it’s cleared again. This happens all the time because of Stateful firewalls.

#Power over Ethernet (POE)

-Access switches provide power to end devices
—-Either 15.4, 30 watts, 60 watts (new POE)
—–Devices: Wireless Access Points, VOIP Phones

What’s the reason a business would want POE? What’s the why?
-All of these devices require power, without POE, still need power.
-40 VOIP phones on a switch would require 40 more power outlets
-Simpler cabling

#Wake on LAN (WoL)

-Hardware/Software features to wake up “sleeping” systems
—-Really the system is shutdown

-Leverages a magic packet
—-The sytem’s NIC is still powered, listending for this magic packet.
—-UDP based packet
——–Enable directed broadcast if from remote network

#Graceful Restart (GR)
-Route through temporary failures
-Requires NSF
—-“A” back before hold time expires at “B”

-Two Variances
—-Require GR capabile neighbors
——–Keep teh ADJ and forwarding traffic
—-Doesn’t require GR capable neighbors
——–Not Common


Graceful Restart – Similar Features