Access Ports at Distribution Layer

Answered Question
Jul 9th, 2007

In the Cisco BCMSN Study Guide it says that Root Guard should be applied on Access Ports at the Distribution Layer. I am a little perplexed; I thought the Distribution Layer was intended as an aggregation of the Access Layer, and a translation from Layer 2 to Layer 3 traffic. So what devices, if any, are appropriate for the Distribution Layer switches?


Amit Singh Mon, 07/09/2007 - 07:38

Mark,

In a redundant configuration, your distribution layer switches are configured as primary and secondary root bridges for your access layer switches. To maintain a stable topology it is always suggested to enable root guard on all ports where the root bridge should not appear. In a way, you can configure a perimeter around the part of the network where the STP root is able to be located.

Please see the link below for more understanding:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

HTH, please rate if it does.

-amit singh

mark.j.hodge Mon, 07/09/2007 - 08:06

Amit,

I don't have a problem with Root Guard; that seems straightforward enough. What I don't get is why there would be Access Ports at the Distribution Layer. Surely Access Ports should be at the Access Layer, hence the name, at least in a perfect Cisco-modelled environment. In real life things may be different.

Correct Answer

Your access layer may consist of dumb layer 2 switches which are not capable of trunking, forcing you to use access ports in your distribution layer to put the hosts connected to those access switches in the correct VLAN. For security reasons you may also want to limit the number of trunks in a network to prevent VLAN hopping or double-tagging attacks.
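To tie both answers together, here is an added example (not from the original thread or its participants) of what a Catalyst IOS distribution switch configuration might look like when it is the primary STP root, has root guard on every downlink toward the access layer as Amit describes, and carries both a trunk to a manageable access switch and a plain access port toward a non-trunking "dumb" switch as the accepted answer describes. The hostnames, interface numbers and VLAN IDs (10, 20, 999) are assumptions; the secondary distribution switch would use a higher priority such as 8192.

```cisco
! Added example configuration for distribution switch "dist-1" (assumed name).
! dist-1 is the primary STP root for the user VLANs; root guard on every
! downlink fences the STP root into the distribution layer.
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 priority 4096
!
! Tagging the native VLAN on all 802.1Q trunks defeats the double-tagging
! (Q-in-Q) trick: a frame whose outer tag equals the native VLAN is no
! longer forwarded untagged with its inner tag exposed.
vlan dot1q tag native
!
! Downlink to a managed access switch that supports 802.1Q trunking.
! Only the VLANs that switch needs are allowed, DTP is disabled, and the
! native VLAN is an otherwise unused VLAN rather than a user VLAN.
interface GigabitEthernet1/0/1
 description to access-sw-1 (802.1Q trunk)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! Downlink to a "dumb" layer 2 switch that cannot trunk. All hosts behind
! it belong to VLAN 10, so this distribution-layer port is an access port.
! Root guard still applies: a switch plugged in behind it that advertises
! a superior BPDU is put into the root-inconsistent (blocking) state
! instead of taking over as root.
interface GigabitEthernet1/0/2
 description to unmanaged-sw-2 (access port, VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree guard root
```

After a superior BPDU arrives on a guarded port, `show spanning-tree inconsistentports` lists it as root-inconsistent, and `show spanning-tree interface GigabitEthernet1/0/2 detail` shows the guard state; the port recovers on its own once the superior BPDUs stop, so no manual `shutdown`/`no shutdown` is needed. Root guard is only a safeguard for the topology; the access port toward the dumb switch still needs the usual edge controls (port security, DHCP snooping and so on) that the thread does not cover.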
