Switching levels L1, L2, L3. Cisco Router vs. L3 Switch Comparison

This is the first article in the "Networks for the little ones" series. Maxim aka Gluck and I thought for a long time about where to start: routing, VLANs, equipment setup. In the end we decided to start with the fundamental and, one might say, most important thing: planning. Since the series is aimed at complete beginners, we will go all the way from start to finish.

It is assumed that you have at least read about the OSI reference model and the TCP/IP protocol stack, know what kinds of VLANs exist (the port-based VLAN being the most common today), and understand IP addressing. We realise that "OSI" and "TCP/IP" sound scary to beginners, but we are not using them to scare you. These are things you will deal with every day, so throughout the series we will try to show what they mean and how they relate to reality.

Let's start by setting the task. There is a certain company that makes, say, elevators that only go up, and is therefore called Lift Me Up LLC. It is located in an old building on the Arbat, and its rotting cables, plugged into scorched 10Base-T switches from another era, are not going to cope with new servers connected through gigabit cards. So the company has a desperate need for network infrastructure and money is no object, which gives you unlimited freedom of choice. This is the dream of any engineer. You passed the interview yesterday and, after a hard fight, rightfully won the position of network administrator. You are now the first and only one of your kind there. Congratulations! What next?

Let's specify the situation a little:

  1. At the moment the company has two offices: 200 square meters on the Arbat for workstations and a server room, with several providers available; and another office on Rublyovka.
  2. There are four user groups: accounting (B), the financial and economic department (FEO), the production and technical department (PTO), and other users (D). There are also servers (C), which form a separate group. All groups are separated and have no direct access to each other.
  3. Users of groups C, B and FEO will only be in the Arbat office; PTO and D will be in both offices.

Having estimated the number of users, the required interfaces and the communication channels, you prepare a network diagram and an IP plan.

When designing a network, you should try to follow the hierarchical network model, which has many advantages over a "flat network":

  • the organization of the network is easier to understand;
  • the model is modular, so capacity can be added exactly where it is needed;
  • problems are easier to find and isolate;
  • fault tolerance improves through redundant devices and/or links;
  • functions are distributed across different devices, which keeps the network performing well.

According to this model, the network is divided into three logical layers: the core (Core layer: high-performance devices whose main purpose is fast transport), the distribution layer (Distribution layer: enforces security policy, QoS, VLAN aggregation and routing, and defines broadcast domains), and the access layer (Access layer: usually L2 switches; purpose: connecting end devices, marking traffic for QoS, loop protection (STP) and broadcast-storm control, and powering PoE devices).

On a scale like ours, the role of each device is blurred, but it is possible to logically separate the network.

Let's make an approximate diagram:


In the diagram, the core (Core) will be the 2811 router; the 2960 switch is assigned to the distribution layer (Distribution), since all VLANs are aggregated into a common trunk on it; the 2950 switches will be the access devices, to which end users, office equipment and servers connect.

We will name the devices as follows: abbreviated city name (msk) - geographical location (street, building) (arbat) - role of the device in the network + sequence number.

According to their roles and location, we select the hostnames:

  • router 2811: msk-arbat-gw1 (gw = GateWay);
  • switch 2960: msk-arbat-dsw1 (dsw = Distribution switch);
  • 2950 switches: msk-arbat-aswN, msk-rubl-asw1 (asw = Access switch).

Network Documentation

The entire network must be strictly documented: from the physical diagram down to the name of every interface.

Before proceeding with the setup, let's list the necessary documents and actions:

  • network diagrams L1, L2, L3, corresponding to the layers of the OSI model (physical, data link, network);
  • IP address plan (IP plan);
  • VLAN list;
  • interface descriptions (the description field on each port);
  • a list of devices (for each: hardware model, installed IOS version, amount of RAM/NVRAM, list of interfaces);
  • labels on cables (where from and where to), including on power and ground cables, and on the devices themselves;
  • a single policy document that defines all of the above parameters and more.

Some of these we will maintain as part of the work in the simulator. Naturally, every change to the network must be reflected in both the documentation and the configuration so that they stay current.

By labels / stickers on cables we mean something like this:

In that photo every cable is labelled, as is every circuit breaker in the rack's power panel and every device.

Let's prepare the documents we need:

VLAN List

Each group gets its own VLAN. That way we limit broadcast domains. We also introduce a dedicated VLAN for device management. VLAN numbers 4 to 100 are reserved for future use.

IP plan

The choice of subnets is largely arbitrary and only has to match the number of hosts in each network, with room for growth. In this example every subnet uses the common /24 mask (/24 = 255.255.255.0), which is typical for local networks but by no means mandatory. We recommend reading about network classes; later we will move on to classless addressing (CIDR). We know that pointing at Wikipedia is bad form, but it gives good definitions, and we in turn will try to map them onto the real world.

By a point-to-point network we mean a link between two routers in point-to-point mode. Such links are usually given a /30 mask (back to the classless-addressing topic), which contains exactly two host addresses. It will become clear later what this is for.

IP plan

IP address                  | Note                  | VLAN
172.16.0.0/16               | company address space |
172.16.0.0/24               | Server farm           | 3
172.16.0.1                  | Gateway               |
172.16.0.2                  | web                   |
172.16.0.3                  | file                  |
172.16.0.4                  | mail                  |
172.16.0.5 - 172.16.0.254   | reserved              |
172.16.1.0/24               | Management            | 2
172.16.1.1                  | Gateway               |
172.16.1.2                  | msk-arbat-dsw1        |
172.16.1.3                  | msk-arbat-asw1        |
172.16.1.4                  | msk-arbat-asw2        |
172.16.1.5                  | msk-arbat-asw3        |
172.16.1.6                  | msk-rubl-asw1         |
172.16.1.7 - 172.16.1.254   | reserved              |
172.16.2.0/24               | Point-to-point links  | (none)
172.16.2.1                  | Gateway               |
172.16.2.2 - 172.16.2.254   | reserved              |
172.16.3.0/24               | PTO                   | 101
172.16.3.1                  | Gateway               |
172.16.3.2 - 172.16.3.254   | pool for users        |
172.16.4.0/24               | FEO                   | 102
172.16.4.1                  | Gateway               |
172.16.4.2 - 172.16.4.254   | pool for users        |
172.16.5.0/24               | Accounting            | 103
172.16.5.1                  | Gateway               |
172.16.5.2 - 172.16.5.254   | pool for users        |
172.16.6.0/24               | Other users           | 104
172.16.6.1                  | Gateway               |
172.16.6.2 - 172.16.6.254   | pool for users        |
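An IP plan like the one above is easy to get subtly wrong (overlapping subnets, an address handed out twice, a host placed in a subnet it does not belong to), and those mistakes surface later as "unexplained" connectivity or as a device that quietly ends up in the wrong VLAN. The following is an added example, not part of the original article: a small checker built on Python's standard ipaddress module. The subnet and host data is a constructed copy of the table; the function names are the example's own.

```python
"""Sanity-check an IP plan with the standard library (added example, not the article's code).

The SUBNETS and HOSTS tables below are constructed copies of the IP plan above.
"""
import ipaddress
from collections import defaultdict

# (prefix, purpose, VLAN or None for the point-to-point block) as in the plan
SUBNETS = [
    ("172.16.0.0/24", "Server farm", 3),
    ("172.16.1.0/24", "Management", 2),
    ("172.16.2.0/24", "Point-to-point", None),
    ("172.16.3.0/24", "PTO", 101),
    ("172.16.4.0/24", "FEO", 102),
    ("172.16.5.0/24", "Accounting", 103),
    ("172.16.6.0/24", "Other users", 104),
]

# Fixed host assignments (address, device) copied from the plan
HOSTS = [
    ("172.16.0.1", "gateway"), ("172.16.0.2", "web"), ("172.16.0.3", "file"), ("172.16.0.4", "mail"),
    ("172.16.1.1", "gateway"), ("172.16.1.2", "msk-arbat-dsw1"), ("172.16.1.3", "msk-arbat-asw1"),
    ("172.16.1.4", "msk-arbat-asw2"), ("172.16.1.5", "msk-arbat-asw3"), ("172.16.1.6", "msk-rubl-asw1"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_subnets(subnets=SUBNETS, summary="172.16.0.0/16"):
    """Return problems: subnets outside the summary block, non-RFC1918 space, overlaps."""
    problems = []
    nets = [ipaddress.ip_network(p) for p, _, _ in subnets]
    summary_net = ipaddress.ip_network(summary)
    for i, a in enumerate(nets):
        if not a.subnet_of(summary_net):
            problems.append(f"{a} is outside {summary_net}")
        if not any(a.subnet_of(r) for r in RFC1918):
            problems.append(f"{a} is not RFC 1918 private space")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def check_hosts(hosts=HOSTS, subnets=SUBNETS):
    """Return problems: addresses in no planned subnet, network/broadcast addresses, duplicates."""
    problems = []
    nets = [ipaddress.ip_network(p) for p, _, _ in subnets]
    seen = defaultdict(list)
    for addr, name in hosts:
        ip = ipaddress.ip_address(addr)
        seen[ip].append(name)
        home = [n for n in nets if ip in n]
        if not home:
            problems.append(f"{addr} ({name}) is in no planned subnet")
            continue
        net = home[0]
        if ip in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} ({name}) is a network/broadcast address")
    for ip, names in seen.items():
        if len(names) > 1:
            problems.append(f"{ip} assigned twice: {', '.join(names)}")
    return problems


def reserved_pool(prefix, assigned):
    """First and last usable addresses left after the first `assigned` hosts are taken."""
    hosts = list(ipaddress.ip_network(prefix).hosts())
    return str(hosts[assigned]), str(hosts[-1])


def point_to_point_links(block="172.16.2.0/24", count=3):
    """Carve /30 links out of the point-to-point block; each holds exactly two host addresses."""
    links = []
    for sub in ipaddress.ip_network(block).subnets(new_prefix=30):
        a, b = sub.hosts()          # a /30 yields exactly two usable addresses
        links.append((str(sub), str(a), str(b)))
        if len(links) == count:
            break
    return links


if __name__ == "__main__":
    for p in check_subnets() + check_hosts():
        print("PROBLEM:", p)
    print("management pool:", reserved_pool("172.16.1.0/24", 6))
    print("first p2p links:", point_to_point_links())
```

Run it against the plan before the first device is configured and again after every change to the plan; the duplicate-address check in particular catches the kind of copy-paste slip that puts two switches on the same management address.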

Equipment connection plan by ports

Of course, there are now switches with plenty of 1 Gb Ethernet ports, switches with 10G, 40G on high-end carrier gear that costs many thousands of dollars, and 100G in development (rumour has it some boards have already gone into production). In the real world you choose switches and routers to suit your needs without forgetting the budget. A gigabit switch in particular can now be bought cheaply (20-30 thousand), and that is with headroom for the future (unless you are a provider, of course). A router with gigabit ports costs noticeably more than one with 100 Mbps ports, but it is worth it: FE models (100 Mbps FastEthernet) are outdated and their throughput is very low.

But in the emulator / simulator programs that we will use, unfortunately, there are only simple equipment models, so when modeling the network, we will start from what we have: cisco2811 router, cisco2960 and 2950 switches.

Device         | Port          | Connected to / name | Access VLAN | Trunk VLANs
msk-arbat-gw1  | FE0/1         | uplink              |             |
               | FE0/0         | msk-arbat-dsw1      |             | 2,3,101,102,103,104
msk-arbat-dsw1 | FE0/24        | msk-arbat-gw1       |             | 2,3,101,102,103,104
               | GE1/1         | msk-arbat-asw1      |             | 2,3
               | GE1/2         | msk-arbat-asw3      |             | 2,101,102,103,104
               | FE0/1         | msk-rubl-asw1       |             | 2,101,104
msk-arbat-asw1 | GE1/1         | msk-arbat-dsw1      |             | 2,3
               | GE1/2         | msk-arbat-asw2      |             | 2,3
               | FE0/1         | webserver           | 3           |
               | FE0/2         | fileserver          | 3           |
msk-arbat-asw2 | GE1/1         | msk-arbat-asw1      |             | 2,3
               | FE0/1         | mailserver          | 3           |
msk-arbat-asw3 | GE1/1         | msk-arbat-dsw1      |             | 2,101,102,103,104
               | FE0/1-FE0/5   | PTO                 | 101         |
               | FE0/6-FE0/10  | FEO                 | 102         |
               | FE0/11-FE0/15 | Accounting          | 103         |
               | FE0/16-FE0/24 | Other               | 104         |
msk-rubl-asw1  | FE0/24        | msk-arbat-dsw1      |             | 2,101,104
               | FE0/1-FE0/15  | PTO                 | 101         |
               | FE0/20        | administrator       | 104         |

Why VLANs are distributed in this way, we will explain in the following parts.

Network diagrams

With this data all three network diagrams can be drawn already at this stage. You can use Microsoft Visio, some free application (tied to its own format), or a plain graphics editor (freehand also works, but is hard to keep up to date :)).

Not as open-source propaganda but for variety, let's use Dia. I consider it one of the best diagramming applications for Linux. There is a Windows version too, but unfortunately it is not compatible with Visio.

L1

In the L1 diagram we show the physical devices of the network with port numbers: what is connected where.


L2

In the L2 diagram, we indicate our VLANs.


L3

In our example the layer 3 diagram turned out rather uninformative and not very visual, because there is only one routing device. Over time it will acquire detail.


As you can see, the information in the documents is redundant: VLAN numbers, for example, appear both in the diagram and in the port plan. Some people like it that way; do whatever you find comfortable. The redundancy makes updates harder when the configuration changes, since you have to fix several places at once, but on the other hand it makes the network easier to understand.

We will return to this first article more than once, just as you will always have to go back to what you originally planned. A real task for those who are just starting out and are ready to put in the effort: read a lot about VLANs and IP addressing, and get hold of Packet Tracer and GNS3. For fundamental theory we advise you to start reading Cisco Press; this is something you absolutely need to know. In the next part things get serious, with a video: we will learn how to connect to equipment, get used to the interface, and see what to do with a careless admin who has forgotten the password.


As a rule, if you need to connect all network and client devices into one network, a switch is one of the main devices suited to the purpose. As network applications grow more diverse and converged networks become more common, the Layer 3 switch is now used effectively in data centers and complex enterprise networks, in commercial deployments and in more demanding client projects.

What is a layer 2 switch?

A Layer 2 switch (L2) is designed to connect multiple devices on a local area network (LAN) or several segments of such a network. A Layer 2 switch processes and learns the MAC addresses of incoming frames, performs physical (hardware) addressing and traffic control (VLANs, multicast filtering, QoS).

The terms "Layer 2" and "Layer 3" come from the Open Systems Interconnection (OSI) reference model, one of the main models used to describe and explain how network communication works. The OSI model defines seven layers: application, presentation, session, transport, network, data link and physical. Of these, the network layer is layer 3 and the data link layer is layer 2.

Figure 1: Layer 2 and Layer 3 in the Open Systems Interconnection (OSI) model.

Layer 2 enables direct data transfer between two devices on a local network. In operation, a Layer 2 switch maintains a MAC address table: it learns the source MAC address of each incoming frame and remembers which port that device is reachable through. Forwarding is based on MAC addresses only, so traffic stays within the local network (the broadcast domain). With a Layer 2 switch you can also group specific ports into VLANs for traffic control; ports in different VLANs then belong to different Layer 3 subnets and can only reach each other through a router.

What is a layer 3 switch?

Layer 3 switches (L3) are effectively routers that implement routing (logical addressing and selection of the delivery path using routing protocols: RIP v1 and v2, OSPF, BGP, proprietary protocols, etc.) not in the device's software but in specialised hardware (ASICs).

The router is the most common Layer 3 device. These switches route packets toward the destination IP (Internet Protocol) address: they look up the destination address of each packet in the IP routing table and pick the best next hop (a router or switch). If no matching route (not even a default route) exists, the packet is dropped. Resolving the next hop takes time, so the routing process carries some delay, although on a Layer 3 switch the hardware lookup keeps it small.

Layer 3 switches (or multilayer switches) combine some of the functionality of Layer 2 switches and routers. Essentially they are three different devices designed for different uses, which depend heavily on the feature set. However, all three also share some common features.

Layer 2 Switch VS Layer 3 Switch: What's the difference?

The main difference between Layer 2 and Layer 3 switches is the routing function. A Layer 2 switch works only with MAC addresses and ignores IP addresses and anything above them. A Layer 3 switch does everything a Layer 2 switch does and, in addition, performs static and dynamic routing. This means a Layer 3 switch has both a MAC address table and an IP routing table, connects devices in multiple VLANs and routes packets between those VLANs. A switch that only performs static routing is often called Layer 2+ or Layer 3 Lite. Beyond routing, Layer 3 switches include features that need IP-level knowledge in the switch, such as assigning VLAN membership based on IP address instead of manual per-port configuration. Note that once a Layer 3 switch has an interface (SVI) in each VLAN it routes between all of them by default; if VLANs are meant to be isolated from each other, that isolation has to be enforced with ACLs on those interfaces. Layer 3 switches also consume more power and demand more attention to security.

Layer 2 Switch vs Layer 3 Switch: How to Choose?

When choosing between Layer 2 and Layer 3 switches, consider where and how the switch will be used. If you have a pure Layer 2 domain, a Layer 2 switch is enough. If you need to route between internal VLANs, you need a Layer 3 switch. A Layer 2 domain is the part of the network where hosts connect; in network topology this is usually called the access layer, and a Layer 2 switch serves it well. If you need to aggregate several access switches and route between their VLANs, you need a Layer 3 switch; in network topology this is the distribution layer.

Figure 2: Router, Layer 2 Switch, and Layer 3 Switch Use Cases

Since both a Layer 3 switch and a router can route, the difference between them needs spelling out. Neither is universally better; each has its own strengths. If what you mainly need is high-density switching plus routing between VLANs inside the LAN, and you do not need WAN/ISP-facing features (WAN interfaces, NAT, VPN termination, rich routing policy), a Layer 3 switch is the safe choice. Otherwise you need a router with the full set of Layer 3 features.

Layer 2 Switch VS Layer 3 Switch: Where to Buy?

If you are choosing a Layer 2 or Layer 3 switch for your network infrastructure, there are a few key parameters worth paying attention to: packet forwarding rate, backplane (switch fabric) bandwidth, number of VLANs, MAC address table size, latency, and so on.

The forwarding rate is the packet-forwarding capability of the switch fabric, expressed in packets per second (pps). When the switch can forward at the combined wire speed of all its ports, it is called non-blocking. The per-port figures below are the maximum rate of minimum-size (64-byte) Ethernet frames on each link speed, so the required forwarding rate of a switch is:

Forwarding rate (pps) = number of 10 Gbps ports * 14,880,950 pps + number of 1 Gbps ports * 1,488,095 pps + number of 100 Mbps ports * 148,809 pps

The next parameter is backplane bandwidth (switching capacity), which is the sum of the speeds of all ports, each counted twice: once for the Tx direction and once for Rx. It is expressed in bits per second (bps). Backplane bandwidth (bps) = number of ports * port speed * 2

Another important parameter is the number of VLANs the switch can hold. The 802.1Q VLAN ID field is 12 bits, so 4094 usable VLANs (IDs 1 to 4094) is the ceiling for any switch; datasheets quote "1K" (1024) as typical for a Layer 2 switch and "4K" (4096, of which 4094 are usable) for a Layer 3 switch. MAC address table size is the number of MAC addresses the switch can learn, usually given as 8K, 128K and so on. Latency is the delay a frame experiences passing through the switch; it should be as small as possible and is usually expressed in microseconds or nanoseconds (ns).
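The per-port packet rates in the formula above are not magic numbers: each is the link speed divided by the 672 bits a minimum-size Ethernet frame occupies on the wire (64-byte frame + 8-byte preamble/SFD + 12-byte inter-frame gap). The following is an added example, not part of the original article, that derives those figures and turns the two formulas into a non-blocking check against datasheet numbers. The example switch (48 x 1G + 4 x 10G) and the function names are the example's own assumptions; the page's 14,880,950 pps figure is a rounded form of the exact 14,880,952.

```python
"""Forwarding-rate and backplane arithmetic for switch datasheets (added example).

Derives the per-port pps figures quoted in the text from the Ethernet minimum frame
and checks whether a datasheet's numbers make a given port mix non-blocking.
"""

# 64-byte minimum frame + 8-byte preamble/SFD + 12-byte inter-frame gap, in bits
MIN_FRAME_BITS = (64 + 8 + 12) * 8  # 672

GBPS = 1_000_000_000
MBPS = 1_000_000


def max_pps(link_bps):
    """Largest number of minimum-size frames a single link can carry per second."""
    return link_bps // MIN_FRAME_BITS


def required_forwarding_rate(ports):
    """ports: {per-port speed in bit/s: number of ports}.

    Aggregate pps needed to forward at wire speed on every port simultaneously.
    """
    return sum(max_pps(speed) * count for speed, count in ports.items())


def required_backplane_bps(ports):
    """Full-duplex sum of all port speeds: each port counted once for Tx and once for Rx."""
    return sum(speed * count for speed, count in ports.items()) * 2


def is_non_blocking(ports, datasheet_pps, datasheet_backplane_bps):
    """True only if BOTH the fabric bandwidth and the pps figure cover every port at wire speed.

    A datasheet that quotes enough Gbps but too few pps still blocks under small-packet load
    (the case that matters for VoIP and for flood/DoS traffic), so both figures are checked.
    """
    return (datasheet_pps >= required_forwarding_rate(ports)
            and datasheet_backplane_bps >= required_backplane_bps(ports))


# Constructed example: a 48 x 1G access switch with 4 x 10G uplinks
EXAMPLE_PORTS = {GBPS: 48, 10 * GBPS: 4}


if __name__ == "__main__":
    print("1G port max pps:", max_pps(GBPS))
    print("required pps:", required_forwarding_rate(EXAMPLE_PORTS))
    print("required fabric bps:", required_backplane_bps(EXAMPLE_PORTS))
    # Hypothetical datasheet values for the example switch
    print("non-blocking:", is_non_blocking(EXAMPLE_PORTS, 131_000_000, 176 * GBPS))
```

The point of checking both numbers is that vendors sometimes advertise a comfortable fabric bandwidth while the pps figure only covers average-size packets; under a flood of 64-byte frames such a switch starts dropping traffic long before its Gbps rating is reached.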

Conclusion

Today we tried to understand the difference between layers 2 and 3 and the devices typically used at those layers: the Layer 2 switch, the Layer 3 switch and the router. The main conclusion I would like to stress is that a more advanced device is not always the better or more efficient choice. What matters is understanding why you are going to use the switch and what your requirements and constraints are. A clear picture of the starting conditions will help you choose the right device.


With a kind smile, now I remember how humanity anxiously expected the end of the world in 2000. Then this did not happen, but a completely different event happened, and also very significant.

Historically, that was when the world entered a real computer revolution v3.0: the start of cloud technologies for distributed storage and processing of data. If the previous "second revolution" was the mass move to client-server technology in the 80s, the first can be considered the start of simultaneous work by users on separate terminals connected to so-called "mainframes" (in the 60s of the last century). These revolutionary changes happened quietly and unnoticed by users, but they affected the whole world of business along with information technology.

When moving IT infrastructure to the cloud and to remote data centers, arranging reliable communication channels from the client side immediately becomes a key question. On the Web you often see provider offers such as "physical leased line, optical fiber", "L2 channel", "VPN" and so on. Let's try to work out what stands behind these in practice.

Communication channels - physical and virtual

1. Providing a "physical line" or a "second-layer channel, L2" usually means the service of supplying a dedicated cable (copper or fiber) or a radio link between the offices and the sites where the data center equipment is deployed. In practice, ordering this service most often gets you a leased dedicated fiber channel. The solution is attractive because the provider is responsible for reliable communication (and restores the channel itself if the cable is damaged). In real life, however, the cable is not a single solid run over its whole length: it consists of many spliced (welded) segments, which somewhat reduces reliability. Along the route the provider has to use amplifiers, splitters, and modems at the end points.

In marketing materials this solution is loosely placed at the L2 (Data Link) layer of the OSI or TCP/IP model: it lets you work, as it were, at the level of Ethernet frame switching inside the LAN, without worrying about the many packet-routing issues of the next layer, the IP network layer. For example, you can keep using so-called "private" IP addresses in the client's virtual networks instead of registered, globally unique public addresses. Because private addresses are so convenient in local networks, special ranges have been set aside for them within the original address classes:

  • 10.0.0.0 - 10.255.255.255 in class A (mask 255.0.0.0, or /8 in prefix notation);
  • 172.16.0.0 - 172.31.255.255 in class B (mask 255.240.0.0, or /12);
  • 192.168.0.0 - 192.168.255.255 in class C (mask 255.255.0.0, or /16).

A related but distinct range is 100.64.0.0 - 100.127.255.255 (mask 255.192.0.0, or /10): this is the "shared address space" defined in RFC 6598 for carrier-grade NAT between a provider and its subscribers, not RFC 1918 private space, and it should not be used inside a client network that may later sit behind a CGNAT provider.

Users pick these addresses themselves for "internal use", and the same addresses are in use simultaneously in thousands of client networks, so packets carrying private addresses in their headers are not routed on the Internet, to avoid ambiguity. To reach the Internet you have to use NAT (or another solution) on the client side.

Note: NAT - Network Address Translation (a mechanism for rewriting the network addresses of transit packets in TCP/IP networks; it lets packets from the client's local network reach other networks / the Internet, and routes the replies back inside the client's LAN to their destination).

This approach (we are talking about a dedicated channel) has an obvious drawback: if the client's office moves, connecting the new location can be seriously difficult and may even require changing provider.

The claim that such a channel is much safer and better protected from attackers and from mistakes by low-skilled technical staff turns out, on closer inspection, to be a myth. A dedicated line is not encrypted or authenticated by itself; it merely runs over the provider's infrastructure, and anyone with access to that infrastructure can see or alter the traffic. In practice, security problems most often arise (or are deliberately created by an attacker) on the client side, with the human factor involved.

2. Virtual circuits, and the VPNs (Virtual Private Networks) built on them, are widely used and solve most client tasks.

When a provider offers an "L2 VPN", there are several possible "second-layer" (L2) services to choose from:

VLAN - the client gets a virtual network between its offices and branches (in reality the client's traffic passes through the provider's active equipment, which limits the speed);

Point-to-point PWE3 connection ("pseudowire emulation edge to edge" over packet-switched networks) lets Ethernet frames pass between two nodes as if they were joined by a cable. What matters to the client is that every transmitted frame is delivered to the remote end unchanged, and the same holds in the opposite direction. This is possible because the client's frame, on arriving at the provider's router, is encapsulated in a higher-level data unit (an MPLS packet) and extracted again at the far end;

Note: PWE3 - Pseudo-Wire Emulation Edge to Edge (a mechanism that, from the user's point of view, provides a dedicated connection).

MPLS - MultiProtocol Label Switching (a data transport technology in which packets are assigned transport/service labels and the path through the network is chosen solely by label value, regardless of the transmission medium or the protocol carried. Along the path labels can be added when needed or removed once their job is done; the contents of the packets are neither parsed nor modified).

VPLS is a technology that emulates a LAN with multipoint connections. Here the provider's network looks, from the client side, like a single switch holding a MAC address table of the client's devices. This virtual "switch" forwards an Ethernet frame arriving from the client's network according to its destination; to do so the frame is encapsulated in an MPLS packet and extracted at the far end.

Note: VPLS - Virtual Private LAN Service (a mechanism by which, from the user's point of view, its geographically dispersed networks are joined by virtual L2 connections).

MAC - Media Access Control (the media access control sublayer; a MAC address is a unique 6-byte identifier of a network device (or its interface) in Ethernet networks).


3. With an "L3 VPN", the provider's network looks, from the client's point of view, like a single router with several interfaces. The client's local network therefore joins the provider's network at layer 3 of the OSI or TCP/IP model.

Public IP addresses for the junction points are agreed with the provider (they may belong to the client or be assigned by the provider). The client configures the IP addresses on its own routers on both sides (private addresses toward the local network, public ones toward the provider); onward routing of the packets is the provider's job. Technically such a solution is built on MPLS (see above) together with GRE and IPsec.

Note: GRE - Generic Routing Encapsulation (a tunneling protocol that packs network packets into other packets, creating a logical point-to-point link between two endpoints by encapsulation at the L3 network layer. GRE itself provides no confidentiality or authentication; the tunnel is only "secure" if it is carried inside IPsec).

IPsec - IP Security (a set of protocols that protect data carried over IP: authentication, encryption and integrity checking of packets).

It is important to understand that modern network infrastructure is built so that the client sees only the part of it defined by the contract. Dedicated resources (virtual servers, routers, live and backup storage), as well as the running programs and memory contents, are completely isolated from other users. Several physical servers can work together for one client, who sees them as a single powerful server pool; conversely, many virtual machines can run on one physical server, each appearing to the user as a separate computer with its own operating system. Besides standard offerings, custom solutions are available that also meet the accepted requirements for the security of processing and storing customer data.

At the same time, an "L3-level" network deployed in the cloud scales to almost unlimited size (the Internet and large data centers are built on this principle). Dynamic routing protocols such as OSPF in L3 cloud networks choose the shortest paths for packets and can spread traffic across several equal-cost paths at once (ECMP) for better load distribution and higher aggregate bandwidth.

It is also possible to deploy a virtual network at the "L2 level", which is typical for small data centers and for legacy (or highly specific) client applications. In some of these cases an "L2 over L3" technology is used to preserve network compatibility and keep the applications working.

Summing up

Today, the tasks of the user/client can in most cases be solved effectively by building virtual private networks (VPNs) with GRE for transport and IPsec for security.

It makes little sense to set L2 against L3, just as it makes no sense to treat an L2 channel offer as the best solution, a panacea, for building reliable communication. Modern channels and provider equipment carry enormous amounts of traffic, and many dedicated channels leased by users are in fact underused. It is reasonable to use L2 only in special cases where the task really requires it, keeping in mind the limits on future expansion of such a network, and after consulting a specialist. L3 VPNs, other things being equal, are more versatile and easier to operate.

This overview briefly lists the standard modern solutions used when migrating local IT infrastructure to remote data centers. Each has its own audience, advantages and disadvantages, and the right choice depends on the specific task.

In real life the two layers of the network model, L2 and L3, work together, each responsible for its own job, and providers who set them against each other in advertising are being frankly disingenuous.

Buy L2 Switch

Switches are the most important component of modern communication networks. This section of the catalog features both managed Layer 2 Gigabit Ethernet switches and unmanaged Fast Ethernet switches. Depending on the task, you choose access-layer (Layer 2) switches, aggregation or core switches, or switches with many ports and a high-performance switching fabric.

The principle of operation of these devices is to keep a table mapping each port to the MAC address of the device connected to it (a Layer 3 switch additionally keeps an IP routing table).

Networking Diagram

Gigabit Ethernet (GE) and 10 Gigabit Ethernet (10GE) switching is widely used to achieve high speeds. Moving data at high speed, especially in large networks, calls for a topology that allows flexible distribution of high-speed flows.

A multi-level approach to building the network with managed Layer 2 switches solves these problems well, since it organises the network architecture into hierarchical levels and lets you:

  • scale the network at each level without affecting the whole network;
  • add further levels;
  • extend the functionality of the network as needed;
  • minimise the resources spent on troubleshooting;
  • resolve network congestion quickly.

The main applications of the network based on the proposed equipment are Triple Play services (IPTV, VoIP, Data), VPN, implemented through the universal transport of various types of traffic - IP network.

Managed Gigabit Ethernet Layer 2 switches let you build a network architecture with three levels of hierarchy:

  1. Core Layer. Formed by core switches. Devices are linked over fiber in a "redundant ring". Core switches provide high bandwidth and carry 10 Gigabit traffic between large population centers, for example between urban districts. The transition to the next level, distribution, is made over a 10 Gigabit optical channel through XFP ports. These devices are distinguished by wide bandwidth and packet processing from L2 to L4.
  2. Distribution Layer. Formed by edge switches, again linked over fiber in a "redundant ring". This level carries 10 Gigabit streams between points of user concentration, for example between residential districts or groups of buildings. Distribution switches connect down to the access level over 1 Gigabit Ethernet optical channels through SFP ports. Features of these devices: wide bandwidth, packet processing from L2 to L4, and support for the EISA protocol, which restores communication within 10 ms when the optical ring is broken.
  3. Access Layer. Made up of managed Layer 2 switches. Links are fiber at 1 Gigabit. Access switches fall into two groups: those with electrical interfaces only, and those with optical SFP ports that can form a ring at their own level and connect to the distribution level.

We will build such a network on Cisco devices.

Network description:
VLAN1(default-IT) - 192.168.1.0/24
VLAN2(SHD) - 10.8.2.0/27
VLAN3(SERV) - 192.168.3.0/24
VLAN4(LAN) - 192.168.4.0/24
VLAN5(BUH) - 192.168.5.0/24
VLAN6(PHONE) - 192.168.6.0/24
VLAN7(CAMERS) - 192.168.7.0/24

VLAN9(WAN) - 192.168.9.2/24

Devices:
Cisco 2960 switches, L2 level - 3 pcs
Cisco 3560 switch, L2 and L3 level - 1 pc
All switches will be in VLAN1 and use the 192.168.1.0/24 network for management

Any router (I have Mikrotik RB750) - 1 pc

Server Win2008 (DHCP) - for distributing IP addresses
Each VLAN has 2 computers as end devices.

Let's start.


First, let's configure the L2 switch sw1 (Cisco 2960).
By default, all ports are in VLAN1, so we will not create it.
  1. We connect to the console: telnet 192.168.1.1
  2. Enter the password
  3. sw1>enable (go to privileged mode to enter commands)
  4. sw1# conf t (go to configuration mode)
  5. sw1(config)# vlan 2 (create VLAN2)
  6. sw1(config-vlan)# name SHD (assign a name to VLAN2)
  7. sw1(config-vlan)# end (return to privileged mode)
  8. sw1#

We define the ports for connecting computers to VLAN2.

On the first and second switch port I will have VLAN1

On the third and fourth port VLAN2

On the fifth and sixth VLAN3

  1. sw# conf t (go to configuration mode)
  2. sw(config)# int fa0/3 (to select one port)
  3. sw(config)# interface range fa0/3 - 4 (to select several ports at once; the prompt becomes sw(config-if-range)#)
  4. sw(config-if)# switchport mode access (this port will be for end devices; as in the sw2 procedure below)
  5. sw(config-if)# switchport access vlan 2 (assign VLAN2 to this port)
  6. sw(config-if)# no shutdown (enable the interface; as in the sw2 procedure below)
  7. sw(config-if)# end (return to privileged mode)
  8. sw#

To connect our switch (sw1, Cisco 2960, L2) to the switch (sw2, Cisco 3560, L2/L3)

we need to carry the created VLANs (where necessary) to the other switch; for this we configure a TRUNK port (our VLANs travel across the trunk port).

We select the fastest port (since several VLANs (subnets) will pass through it)

  1. sw# conf t (go to configuration mode)
  2. sw(config)# int gi0/1 (to select one port)
  3. sw(config)# interface range gi0/1 - 2 (to select several ports at once)
  4. sw(config-if)# switchport mode trunk (this port will carry VLANs; as in the sw2 procedure below. The 2960 supports only 802.1Q, so no encapsulation command is needed here)
  5. sw(config-if)# switchport trunk allowed vlan 2,3 (specify which VLANs will go through)
  6. sw(config-if)# no shutdown (enable the interface)
  7. sw(config-if)# exit
  8. Repeat the steps for the required ports

SUMMARY of setting up the L2 switch:

  1. Since this device is L2, it does not understand IP addresses.
  2. Computers connected to these ports can see each other only within their assigned VLAN, i.e. from VLAN1 I will not get into VLAN2 and vice versa.
  3. A gigabit port has been configured as a trunk to carry the VLANs to the switch sw2 (Cisco 3560, L2/L3).
______________________________________

We add the switch sw2 (Cisco 3560, L2/L3) to the network we have already built on the L2 switch sw1.

Let's configure our 3560 L3 device (it understands IP addresses and routes between VLANs)


1. You need to create all the VLANs that describe your network topology, since this L3 switch will route traffic between them.

Create VLANs (the VLAN commands are the same on all devices)

  1. sw# conf t (go to configuration mode)
  2. sw(config)# vlan 4 (create VLAN4)
  3. sw(config-vlan)# name LAN (assign a name to VLAN4)
  4. sw(config-vlan)# exit
  5. Repeat the steps for each VLAN you need to add
  6. sw# show vlan brief (see which VLANs have been created)
2. Determine the ports for connecting devices.

- on the first port of the switch I will have VLAN9

- on the third and fourth port VLAN7

  1. sw# conf t (go to configuration mode)
  2. sw(config)# int fa0/1 (to select one port)
  3. sw(config)# interface range fa0/3 - 7 (to select several ports at once; the prompt becomes sw(config-if-range)#)
  4. sw(config-if)# switchport mode access (this port will be for end devices)
  5. sw(config-if)# switchport access vlan 9 (assign VLAN9 to this port)
  6. sw(config-if)# no shutdown (enable the interface)
  7. sw(config-if)# exit
  8. Repeat the steps for the required ports
  9. sw# show run (see the device's running configuration)
3. Create trunk ports

We select the fastest port (since several VLANs (subnets) will pass through it)

  1. sw# conf t (go to configuration mode)
  2. sw(config)# int gi0/1 (to select one port)
  3. sw(config)# interface range gi0/1 - 2 (to select several ports at once)
  4. Since several VLANs will share this one physical link, every frame crossing it is tagged with its VLAN ID so the other side can tell the VLANs apart; on the 3560 this tagging method (encapsulation) has to be set explicitly
  5. sw(config-if)# switchport trunk encapsulation dot1q (specify 802.1Q encapsulation)
  6. sw(config-if)# switchport mode trunk (this port will carry VLANs)
  7. sw(config-if)# switchport trunk allowed vlan 1-7 (specify which VLANs will go through)
  8. sw(config-if)# no shutdown (enable the interface)
  9. sw(config-if)# exit
  10. Repeat the steps for the required ports
4. Switch the device to L3 mode (enable routing)
  1. sw# conf t (go to configuration mode)
  2. sw(config)# ip routing (enable routing between VLANs)
5. Since our switch is L3, we assign IP addresses to the VLAN interfaces so that traffic can be routed between them.
For inter-VLAN communication (so that you can get from VLAN2 to VLAN3, etc.)

We assign IP addresses to all the virtual VLAN interfaces:

  1. sw# conf t (go to configuration mode)
  2. sw(config)# int vlan 2 (the VLAN2 virtual interface)
  3. sw(config-if)# ip address 10.8.2.1 255.255.255.224 (this address will be the gateway for this subnet)
  4. sw(config-if)# no shutdown (enable the interface)
  5. sw(config-if)# exit
  6. sw(config)# int vlan 3 (the VLAN3 virtual interface)
  7. sw(config-if)# ip address 192.168.3.1 255.255.255.0 (this address will be the gateway for this subnet)
  8. sw(config-if)# no shutdown (enable the interface)
  9. sw(config-if)# exit
  10. Repeat the steps for the required interfaces
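As an added example (not part of the original article, and not Cisco's or the author's code), the Python script below takes the VLAN plan from the "Network description" above, checks it for overlapping subnets, renders the "interface vlan" blocks of step 5 on the 3560, and checks a trunk's "allowed vlan" list against the VLANs that actually have to cross it, which also covers the sw1 trunk from the L2 section. The PLAN dictionary is constructed from the page; the function names are mine. Two details it makes visible: VLAN2 is a /27, so its mask is 255.255.255.224 and the gateway 10.8.2.1 is the first usable host, and the sw1 trunk list "2,3" leaves out VLAN1, which is the management network of all the switches, so management traffic from 192.168.1.0/24 would not cross that trunk unless VLAN1 is added to the list.

```python
"""Check a VLAN/subnet plan and render Cisco IOS lines from it.

Added example: PLAN is constructed from the article's "Network description";
function and variable names are the example's own, not IOS or vendor names.
"""
import ipaddress
from itertools import combinations

# Constructed from the page: vlan id -> (name, subnet or host address).
# VLAN9 is given on the page as a host address (192.168.9.2/24); the code
# below keeps such an address as the SVI address instead of the first host.
PLAN = {
    1: ("IT", "192.168.1.0/24"),
    2: ("SHD", "10.8.2.0/27"),
    3: ("SERV", "192.168.3.0/24"),
    4: ("LAN", "192.168.4.0/24"),
    5: ("BUH", "192.168.5.0/24"),
    6: ("PHONE", "192.168.6.0/24"),
    7: ("CAMERS", "192.168.7.0/24"),
    9: ("WAN", "192.168.9.2/24"),
}


def parse_vlan_list(spec):
    """Expand an IOS 'switchport trunk allowed vlan' list such as '1-7,9' into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:            # tolerate a trailing comma like "2,3,"
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def overlapping_subnets(plan):
    """Pairs of VLAN ids whose subnets overlap; routing between them would be ambiguous."""
    nets = {vid: ipaddress.ip_interface(cidr).network
            for vid, (_, cidr) in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def svi_config(vid, cidr):
    """Render the 'interface vlan N' block of step 5.

    A plain network (10.8.2.0/27) gets the first usable host as gateway;
    a host address (192.168.9.2/24) is used as given.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    address = iface.ip if iface.ip != net.network_address else net.network_address + 1
    return [f"interface vlan {vid}",
            f" ip address {address} {net.netmask}",
            " no shutdown"]


def trunk_gaps(allowed_spec, needed):
    """VLAN ids that must cross a trunk but are absent from its allowed list."""
    return sorted(set(needed) - parse_vlan_list(allowed_spec))


def render_l3_switch(plan):
    """'ip routing' plus one SVI block per VLAN, in VLAN-id order (step 4 and step 5)."""
    lines = ["ip routing"]
    for vid in sorted(plan):
        lines.extend(svi_config(vid, plan[vid][1]))
    return lines


if __name__ == "__main__":
    print("overlapping subnets:", overlapping_subnets(PLAN))
    # sw1's trunk allows only 2,3; VLAN1 (management) lives on every switch too.
    print("missing from sw1 trunk (allowed 2,3):", trunk_gaps("2,3", [1, 2, 3]))
    print("\n".join(render_l3_switch(PLAN)))
```

Running it prints the full SVI configuration for the 3560 in the same form as step 5 and reports [1] as missing from the sw1 trunk; the overlap check is empty for this plan, but it would flag, for example, a /24 and a /25 carved out of the same range before either address was typed into a switch.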