Day Four – Enterprise Switching (Layer 2)

ENTERPRISE SWITCHING
Shared LANs

On a shared Ethernet LAN all devices share and communicate through a common medium. All devices
participating on a shared medium are part of the same collision domain. Ethernet uses the carrier-sense
multiple access with collision detection (CSMA/CD) protocol to avoid and manage frame collisions. The
sample topology on the slide shows a series of nodes connected through a hub using a copper-based
physical medium. This type of implementation only allows a single stream of data at a time. All nodes
participating in this shared Ethernet LAN listen to verify that the line is idle before transmitting. If the
line is idle, the nodes begin transmitting data frames. If multiple nodes listen and detect that the line is
idle and then begin transmitting data frames simultaneously, a collision occurs. When collisions occur a
JAM signal is sent by the transmitting devices so all devices on the segment know a collision has
occurred and that the line is in use. When node receive the JAM signal, they stop transmitting
immediately and wait for a period of time before trying to send traffic. If the nodes continue to detect
collisions, they progressively increase the time between retransmissions in an attempt to find a time
when no other data is being transmitted on the LAN. The node uses a backoff algorithm to calculate the
increasing retransmission time intervals.

When a node does successfully transmit traffic, that traffic is replicated out all ports on the hub and is
seen by all other nodes on the shared Ethernet segment. This traffic-flooding approach, coupled with
collisions, consumes network resources and can pose security risks.

Juniper Business Use Only

Ethernet LANs were originally implemented for small, simple networks. Over time, LANs have become
larger and more complex. As an Ethernet LAN grows, the likelihood of collisions on that LAN also grows.
As more users are added to a shared Ethernet segment, each participating node receives an increase of
traffic from all other participating nodes for which it is not the actual destination. This unwanted
consumption of network resources along with an increase of collisions inevitably decreases the overall
efficiency on the LAN.

Switched LANs

Although similarities exist between shared and switched LANs, switched LANs do not have the same
issues found in shared LANs and highlighted on the previous slide. Switched LANs reduce the likelihood
of collisions by breaking a single collision domain into multiple smaller collision domains. As shown in
the sample diagram, switched LANs use switches rather than hubs. A collision domain in a switched LAN
consists of the physical segment between a node and its connected switch port. Using a switch increases
network performance and minimizes some types of security risks by only forwarding traffic to its
intended destination rather than always flooding traffic to all connected devices. Switches build and
maintain a forwarding table, also known as a bridge table, to make forwarding decisions.

Bridging Mechanisms

• Bridging builds and maintains bridge table using the following mechanisms:

Defined in the IEEE 802.1D-2004 standard, bridging addresses some of the inherent problems of large
shared Ethernet LANs. Bridging uses microsegmentation to divide a single collision domain into multiple,
smaller bridged collision domains. Reducing the size of a collision domain effectively reduces the
likelihood that collisions will occur. This approach also enhances performance by allowing multiple
streams of data to flow through the switch within a common LAN or broadcast domain.

Bridging allows a mixed collection of interface types and speeds to be logically grouped within the same
bridged LAN. The ability to logically group dissimilar interfaces in a bridged LAN environment provides
design flexibility not found in a shared Ethernet LAN environment.

Bridging builds and maintains a forwarding table, known as a bridge table, for all destinations within the
bridged LAN. The switch populates the bridge table based on the source MAC address of incoming
frames received from devices participating in the bridged LAN. The switch makes an intelligent
forwarding decision by comparing the destination MAC address of incoming frames to the contents of
the bridge table. This approach reduces unnecessary traffic on the LAN. As shown on the slide, several
mechanisms contribute to the bridging process.

Juniper Business Use Only

LEARNING

When a switch is first connected to an Ethernet LAN, it has no information about the devices connected
to the network. Learning is the process a switch uses to obtain the MAC addresses of nodes on the
network. The switch stores all learned MAC address in the bridge table. To learn MAC addresses, the
switch examines the Ethernet header information of all received frames from the LAN, looking for
source MAC addresses of sending nodes. The switch places learned MAC addresses into its bridge table,
along with two other pieces of information—the interface (or port) on which the traffic was received
and the time when the MAC address was learned. The port information is used to forward traffic to its
intended destination (forwarding mechanism) while the timestamp information is used to keep the
bridge table up-to-date (aging mechanism).

FORWARDING

The forwarding mechanism is used by the switch to deliver traffic, passing it from an incoming interface
to an outgoing interface that leads to (or toward) the destination. To forward frames, the switch

Juniper Business Use Only

consults the bridge table to see whether the table contains the MAC address corresponding to the
frames’ destination. If the bridge table contains an entry for the desired destination address, the switch
sends the traffic out the interface associated with the MAC address. The switch also consults the bridge
table in the same way when transmitting frames that originate on devices connected directly to the
switch. If the switch does not have a MAC entry in its bridge table, it floods the frame out all other
interfaces belonging to the same broadcast domain (VLAN) as the interface on which the frame was
received. The frame is not sent back out the ingress interface.

To forward frames, the switch

consults the bridge table to see
whether the table contains the MAC
address corresponding to the
frames’ destination. The bridge
table is organized by VLAN to ensure
Layer 2 traffic is only forwarded out
switch ports belonging to the same
broadcast domain (VLAN) as the
interface on which the frame was
received.

FLOODING

Flooding is a transparent mechanism used to deliver packets to unknown MAC addresses. If the bridging
table has no entry for a particular destination MAC address or if the packet received is a broadcast or
multicast packet, the switch floods the traffic out all interfaces except the interface on which it was
received. (If traffic originates on the switch, the switch floods that traffic out all interfaces.) When an
unknown destination responds to traffic that has been flooded through a switch, the switch learns the
MAC address of that node and updates its bridge table with the source MAC address and ingress port.

Juniper Business Use Only

FILTERING

The filtering mechanism is used to limit traffic to its associated segment or switch port. As the number
of entries in the bridge table grows, the switch pieces together an increasingly complete picture of the
individual network segments—the picture clarifies which switch ports are used to forward traffic to a
specific node. The switch uses this information to filter traffic. The slide illustrates how a switch filters
traffic. In this example the device associated with User B sends traffic destined to the device associated
with User C (MAC address 00:26:88:02:74:88). Because the destination MAC address 00:26:88:02:74:88
is also associated with ge-0/0/7, the switch filters or discards the traffic.

AGING

Juniper Business Use Only

Finally, the switch uses aging to ensure that only active MAC address entries are in the bridge table. For
each MAC address in the bridge table, the switch records a timestamp of when the information about
the network node was learned. Each time the switch detects traffic from a MAC address, it updates the
timestamp. A timer on the switch periodically checks the timestamp; if the timestamp is older than a
user-configured value, the switch removes the node’s MAC address from the bridge table. The default
aging timer interval is 300 seconds and can be altered through manual configuration.

Enterprise hierarchical design

Switched networks are often hierarchical and consist of multiple layers. The diagram on the slide
illustrates the typical layers, which include access, aggregation (or distribution), and core. Each of these
layers performs unique responsibilities. We cover the functions of each layer on a subsequent slide in
this section. Hierarchical networks are designed in a modular fashion. This inherent modularity
facilitates change and makes this design option quite scalable. When working with a hierarchical
network, the individual elements can be replicated as the network grows. The cost and complexity of
network changes is generally confined to a specific portion (or layer) of the network rather than to the
entire network. Because functions are mapped to individual layers, faults relating to a specific function
can be isolated to that function’s corresponding layer. The ability to isolate faults to a specific layer can
greatly simplify troubleshooting efforts.

Functions of the layer

When designing a hierarchical switched network, individual layers are defined and represent specific
functions found within a network. It is often mistakenly thought that the access, aggregation (or
distribution), and core layers must exist in clear and distinct physical devices, but this is not a
requirement, nor does it make sense in some cases. The layers are defined to aid successful network
design and to represent functionality that exists in many networks.

Juniper Business Use Only

Viewing the MAC address table or Bridge table

VIRTUAL LOCAL AREA NETWORK (VLAN)

A virtual LAN is a collection of network nodes that are logically grouped together to form separate
broadcast domains. A VLAN has the same general attributes as a physical LAN, but it allows all nodes for
a particular VLAN to be grouped together, regardless of physical location. One advantage of using VLANs
is design flexibility. VLANs allow individual users to be grouped based on business needs. Connectivity
within a VLAN is established and maintained through software configuration, which makes VLANs such a
dynamic and flexible option in today’s networking environments

Juniper Business Use Only

VLANs allow network administrators to group hosts together even if the hosts are not directly
connected to the same network switch. Because VLAN membership can be configured through software,
this can greatly simplify network design and deployment. Without VLANs, grouping hosts according to
their resource needs the labor of relocating nodes or rewiring data links. VLANs allow networks and
devices that must be kept separate to share the same physical cabling without interacting, improving
simplicity, security, traffic management, or economy.

Here are the main reasons why VLANs are used:

 VLANs increase the number of broadcast domains while decreasing their size.
 VLANs reduce security risks by reducing the number of hosts that receive copies of frames that
the switches flood.
 You can keep hosts that hold sensitive data on a separate VLAN to improve security.
 You can create more flexible network designs that group users by department instead of by
physical location.
 Network changes are achieved with ease by just configuring a port into the appropriate VLAN.

IEEE 802.1Q TAG

IEEE 802.1Q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs)
on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames
and the accompanying procedures to be used by bridges and switches in handling such frames. Portions
of the network which are VLAN-aware (i.e., IEEE 802.1Q conformant) can include VLAN tags.

When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN
membership.

Frames that have been inserted with the 802.1Q tag are commonly called as Tagged traffic, when the
frame does not include this tag is called untagged traffic.

SWITCH PORT DESIGNATIONS

Layer 2 interfaces can be assigned to operate in either access or trunk mode. By default, all installed
switch ports on an EX Series switch are configured as access ports. In the factory-default configuration,
these same switch ports are associated with the default VLAN and are tagged with the VLAN ID 1.

If you intend to use VLANs in your network, you will need to configure some ports on a switch as access
ports and other as trunk ports. Here is a description each port type:

Access port

Access ports typically connect to end-user devices such as computers, IP phones, and printers. Access
ports typically belong to a single VLAN and send and receive untagged Ethernet frames.

Juniper Business Use Only

Trunk port

A trunk port typically connects to another switch or to an edge router. Interfaces configured for trunk
mode handle traffic for multiple VLANs, multiplexing the traffic for all configured VLANs over the same
physical connection, and separating the traffic by tagging it with the appropriate VLAN ID. Trunk ports
can also carry untagged traffic when configured with the native-vlan-id statement. We cover the native-
vlan-id configuration option later in this chapter

What if you need to pass layer 2 traffic through trunk ports?

The default behavior on EX Series switches for trunk ports is to only send and receive tagged traffic. So,
what can you do if you needed to pass untagged Layer 2 traffic through trunk ports? For those cases we
can use the native vlan.

NATIVE VLAN

The native-vlan-id Option As previously mentioned, a trunk port typically connects one switch to
another switch or to an edge router. Interfaces configured for trunk mode handle traffic for multiple
VLANs, multiplexing the traffic for all configured VLANs over the same physical connection, and
separating the traffic by tagging it with the appropriate VLAN ID. Trunk ports can also carry untagged
traffic when configured with the native-vlan-id configuration option. This option must be enabled on all
trunk ports expected to pass untagged traffic

VOICE VLAN

Typically, network administrators choose to treat VoIP traffic differently from user data traffic. To treat
these types of traffic differently, you must be able to separate common user data traffic from voice
traffic. The voice VLAN feature is used for this purpose. The voice VLAN enables a single access port to
accept untagged data traffic as well as tagged voice traffic and associate each type of traffic with distinct
and separate VLANs. By doing this, a network’s class-of-service (CoS) implementation can treat voice
traffic differently, generally with a higher priority than common user data traffic.

LINK LAYER DISCOVERY PROTOCOL (LLDP)

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol used by network devices
for advertising their identity, capabilities, and neighbors on a local area network based on IEEE 802
technology, principally wired Ethernet.

Juniper Business Use Only

he topology of an LLDP-enabled network can be discovered by crawling the hosts and querying this
database. Information that may be retrieved include:

 System name and description

 Port name and description
 VLAN name
 IP management address
 System capabilities (switching, routing, etc.)
 MAC/PHY information
 MDI power
 Link aggregation

Integrated routing and bridging (irb) interfaces

An integrated routing and bridging (IRB) interface is a logical Layer 3 VLAN interface used to route traffic
between VLANs. The Layer 3 VLAN interface functions as the gateway IP address for end-user devices on
the subnet associated with the corresponding VLAN. Note that proper routing information must exist on
the end-user devices, which typically comes in the form of a default gateway.

Unicast vs broadcast flooding

The bridge table (BT) is used to direct traffic to specific ports based on the VLAN number and the
destination MAC address of the frame. When there is no entry corresponding to the frame's destination
MAC address in the incoming VLAN, the (unicast) frame will be sent to all forwarding ports within the
respective VLAN, which causes flooding, otherwise known as unicast flooding.

A broadcast frame does not check the bridge table (BT), it is basically simply a method deployed by a
sender to deliver a packet to all possible recipients, by using a broadcast address.

The term unicast refers to a one-to-one transmission from one point in the network to another point.
Conventionally, unicast is considered more secure because the frame is delivered solely to the intended
recipient and not to multiple hosts. This diagram illustrates the unicast transmission of a frame from one
network host to another:

When a switch receives a unicast frame with a destination address not in the switch’s forwarding table,
the frame is treated like a broadcast frame and sent to all hosts on a network:

Juniper Business Use Only

Traffic Storms

A traffic storm is generated when certain types of traffic (broadcast, multicast, and unknown unicast) is
flooded throughout a network at a level significant enough that network resources and the end-users’
experience is negatively affected. Some traffic prompts a receiving node to respond by broadcasting its
own messages on the network. This, in turn, prompts further responses, creating a snowball effect. The
LAN is suddenly flooded with packets, creating unnecessary traffic that leads to poor network
performance or even a complete loss of network service. Broadcast, multicast, and unicast packets are
part of normal LAN operations. To recognize a traffic storm, you must be able to identify when traffic
has reached a level that is abnormal for your LAN. You should suspect a storm when operations begin
timing out and network response times slow down. As more packets flood the LAN, network users might
be unable to access servers or e-mail.

STORM CONTROL

Storm control enables the switch to monitor traffic levels and to drop broadcast, multicast, and
unknown unicast packets when a specified traffic level—called the storm control level—is exceeded. By
dropping packets that contribute to a traffic storm, a switch can prevent those packets from
proliferating and degrading the LAN.

Storm control enables you to prevent network outages caused by broadcast storms on the LAN. You can
configure storm control on Juniper switches to rate limit broadcast traffic, multicast, and unknown
unicast traffic at a specified level and to drop packets when the specified traffic level is exceeded, thus
preventing packets from proliferating and degrading the LAN The factory default configuration enables
storm control on all switch interfaces, with the storm control level set to 80 percent of the combined
broadcast, multicast, and unknown unicast streams. You can change the storm control level by creating
a customized storm control profile with a bandwidth value for the combined broadcast, multicast, and
unknown unicast traffic streams. You then must apply the custom profile to the appropriate interfaces.
You can also selectively disable storm control for broadcast, multicast, or unknown unicast streams by
deleting the storm control feature from the interface.

Changing the Default Storm Control Configuration

Broadcast, multicast, and unicast packets are part of normal LAN operation, so to recognize a storm, you
must be able to identify when traffic has reached a level that is abnormal for your LAN. Before altering
the default storm control configuration, you should monitor the level of broadcast, multicast, and
unknown unicast traffic in the LAN when it is operating normally. You should then use this data as a

Juniper Business Use Only

benchmark to determine when traffic levels are too high. Once the benchmark data has been compiled
and evaluated, you should then configure storm control and set the level at which you want to drop
broadcast traffic, multicast, unknown unicast traffic, or all three.

Storm Control Actions

By default, when the storm control level is exceeded the switch drops all offending traffic. You can alter
the default behavior so that interfaces through which a storm control level violation occurs are shut
down.

Q-IN-Q

EXPANDING A BRIDGED NETWORK:

IEEE 802.1Q VLAN tagging makes it possible for a customer’s bridged network to scale. Instead of
needing to add more bridging equipment to a growing network, VLAN tagging allows for the logical
separation of a bridged network into many broadcast domains (or VLANs). With a 12-bit length VLAN ID,
4094 VLANs are available for use on a single physical Ethernet network. Because of its simple nature,
service provider customers generally understand Ethernet. For a long time, service providers have
searched for ways to deliver Ethernet virtual connections (EVCs) to the customer premises. To a
customer, an EVC between two sites should appear as a simple Ethernet link or VLAN through the
service provider’s network. IEEE 802.1Q VLAN tagging does not provide the scalability service providers'
require to deliver that type of service. From the service provider’s point of view, the following is a list of
some of the scaling issues that might arise:

• Because only one VLAN tag field exists in an 802.1Q frame, customers and the service provider
need to coordinate the use of VLAN ID space. Considering that a service provider might have
thousands of customers, this coordination would be an overly extreme effort.
• To pass Ethernet frames between customer sites, the service provider bridges must learn
customer MAC addresses. Maintaining a bridge table for internal MAC addresses as well as the
MAC addresses of each customer can be a daunting task for some bridges and might be too
much to handle.
• To provide redundant links between customers and the service provider, running a form of the
Spanning Tree Protocol (STP), which is generally not a viable solution, might be necessary. The
STPs of today cannot scale to support all service provider and customer bridges of the world in a
single spanning-tree domain.

Q-IN-Q

Q-in-Q tunneling is defined under IEEE 802.1ad. It was developed to allow a service provider to provide a
more scalable EVC service to its customers. IEEE 802.1ad has standardized the methodology of stacking
VLAN tags. The slide shows the frame format that the standard introduced. The standard gives a new
name to the 802.1Q VLAN tag: the Customer VLAN (C-VLAN) tag (C-TAG). It also introduces a new tag

Juniper Business Use Only

named the Service VLAN (S-VLAN) tag (S-TAG). By adding the S-TAG to the frame, much less
coordination is necessary between the customer and the service provider. At the customer site, the
customer can continue to use 802.1Q tagging using C-VLAN IDs that are relevant only to their network
(not the service provider’s network). As 802.1Q-tagged frames arrive at the edge of the service
provider’s bridged network, the provider edge bridge adds an S-TAG to the frame. The S-TAG, using a
single S-VLAN ID, can carry any or all of the 4094 C-VLANs that are possibly in use by the customer.

A typical provider bridged network using Q-in-Q tunneling provides for C-VLAN tagging and forwarding
at the edge of the network using the ports that face the customer. For all ports that face the core of the
provider bridged network, the provider bridges forward based only on the S-VLAN tag. In the simplest
case, a service provider can allocate a single S-VLAN ID to represent each of its individual customers,
which allows the service provider to potentially support up to 4094 customers.

IEEE 802.1ad also allows for the translating of S-VLAN IDs at the edge of a service provider’s bridged
network, which helps in the coordination of VLAN ID usage between service providers. Although IEEE
802.1ad helps to solve the issue of the limited VLAN ID space that we discussed in relation to IEEE
802.1Q tagging, it does not solve the MAC learning problem. That is, for frames to be forwarded
between bridges in the service provider’s network, the bridges each must learn, and store MAC
addresses learned from the customer networks.

A service provider can help alleviate this problem by limiting the number of learned MAC addresses or
charging the customer more for the EVC service if they exceed the MAC address limit.

Tag FORMATS

• S-vlan tag:

• Tag protocol identifier

• Priority

• Unique vlan identifier

• C-vlan tag:

• Tag protocol identifier

• Priority

o Unique vlan identifier

Juniper Business Use Only

Key terms in a q-in-q environment

The following terms are used in a provider bridged network:

• Provider Bridged Network: A network of provider bridges that provide transparent EVC service to the
service provider’s customers.
• Provider Bridge: A bridge in the service provider’s network that performs IEEE 802.1ad VLAN tagging
and forwarding. These bridges learn and store the MAC addresses of the service provider’s customers.
• Provider Edge Bridge: Accepts and forwards IEEE 802.1Q frames to and from customers. These bridges
also encapsulate the received customer frames using the IEEE 802.1ad format to forward customer
frames across the provider bridged network.
• S-VLAN Bridge: A nonedge provider bridge that forwards frames based only on the S-VLAN tag.
• Customer Edge Port: A port on a provider edge bridge that connects to customer equipment and
receives and transmits C-VLAN tagged frames. These are access ports.
• Provider Network Port: A port on a provider edge bridge that receives and transmits S-VLAN tagged
frames. These are trunk ports

Frame Processing Example:

Juniper Business Use Only

In the example, the service provider delivers an Ethernet circuit to each of the customer premises. To
provide connectivity between Customer Bridge 1 and Customer Bridge 2, the customer must enable an
IEEE 802.1Q VLAN using VLAN ID 100 on the service provider-facing ports. The service provider has
allocated an S-VLAN tag of 200 to transparently forward the customer’s frames across its network. We
evaluate the required configuration, from the service provider’s perspective, on a subsequent slide.
Over the next several slides we look at the frame processing steps for traffic traversing a Q-in-Q tunnel.

Juniper Business Use Only

When S-VLAN-tagged frames arrive at Bridge C (an S-VLAN bridge) the interface must be able to process
the 0x8100 ether-type. Bridge C performs a MAC-table lookup based on the VLAN associated with the
customer (VLAN-ID 200). If Bridge C has previously learned the destination MAC address of the frame, it
forwards the frame to the appropriate outbound interface (ge-0/0/16.0 in this case) and the interface
sends the frame unchanged to the next bridge.

Juniper Business Use Only

When S-VLAN-tagged frames arrive at Bridge D, Bridge D pops the S-VLAN tag and performs a MAC-table
lookup based on the C-VLAN tag. If Bridge D has previously learned the destination MAC address of the
frame, it forwards the frame to the appropriate outbound interface (ge-0/0/0.0 in this case) and the
interface sends the C-tagged frame to the attached customer bridge.

The slide shows the frame format of the Ethernet frame as it arrives at Customer Bridge 2. Note that the
frame looks exactly as it did when Customer Bridge 1 transmitted it. At this point, Customer Bridge 2 will
perform its own MAC-table lookup and forward the frame on to their intended destination, if known. If
the destination MAC address is unknown, Customer Bridge 2 will flood frame out all other interfaces
associated with VLAN-ID 100.

Tunneling Layer 2 Protocols

While Q-in-Q tunneling does tunnel Layer 2 traffic across a provider bridged network, it does not, by
itself, effectively tunnel Layer 2 protocol traffic. Layer 2 protocol tunneling (L2PT) allows you to send
Layer 2 PDUs across a service provider network and between customer edge switches connected
through a service provider network. L2PT is useful when you want to run Layer 2 protocols on a network
that includes switches located at remote sites that are connected across a service provider network.
L2PT encapsulates Layer 2 PDUs, tunneling them across a service provider network, and decapsulates
them for delivery to their destination switches. L2PT encapsulates Layer 2 PDUs by enabling the ingress
provider edge bridge to rewrite the PDUs’ destination MAC addresses before forwarding them onto the
service provider network. The provider bridges treat the encapsulated PDUs as multicast Ethernet
packets. Upon receipt of the PDUs, the egress provider edge bridge decapsulates them by replacing the
destination MAC addresses with the address of the Layer 2 protocol that is being tunneled before
forwarding the PDUs to their destination customer edge switch.

Juniper Business Use Only