Cisco Support Community

Access Ports at Distribution Layer

In the Cisco BCMSN Study-Guide it says that Root Guard should be applied on Access Ports at the Distribution Layer. I am a little perplexed; I thought the Distribution Layer is intended as an aggregation of the Access Layer, and a translation from Layer 2 to Layer 3 traffic. Therefore what, if any, devices are appropriate for the Distribution Layer switches?

Accepted Solutions
New Member

Re: Access Ports at Distribution Layer

Your access layer may consist of dumb layer 2 switches which are not capable of trunking, forcing you to use access ports in your distribution layer to put the hosts connected to those access switches in the correct VLAN. For security reasons you may also want to limit the number of trunks in a network to prevent VLAN hopping or double tagging attacks.

3 REPLIES
Cisco Employee

Re: Access Ports at Distribution Layer

Mark,

In a redundant configuration, your distribution layer switches are configured as Primary and secondary root bridges for your access layer switches. To maintain a stable topology, it is always suggested to enable root guard on all ports where the root bridge should not appear. In a way, you can configure a perimeter around the part of the network where the STP root is able to be located.

Please see the link below for more understanding:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

HTH, please rate if it does.

-amit singh

Re: Access Ports at Distribution Layer

Amit,

I don't have a problem with Root Guard, that seems straightforward enough. What I don't get is why there would be Access Ports at the Distribution Layer. Surely Access Ports should be at the Access Layer, hence the name, at least in a perfect Cisco modelled environment. In real life things may be different.


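The root guard perimeter described in the replies can be checked against a switch configuration. The following is an added example, not code from the thread or from Cisco: it audits a constructed distribution-switch config for Layer 2 ports that lack `spanning-tree guard root`, and for ports where the root is expected but root guard is set. The interface names, the sample config, and the `root_allowed` set (here assumed to be the link to the other distribution switch) are assumptions.

```python
import re

# Constructed running-config fragment for a distribution switch (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree guard root
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
interface Port-channel1
 switchport mode trunk
 spanning-tree guard root
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands configured under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_root_guard(config, root_allowed):
    """Flag Layer 2 ports outside the root perimeter that lack root guard,
    and ports inside it (root_allowed) where root guard would block the root."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds or "no switchport" in cmds:
            continue  # disabled or routed port: no STP role to protect
        guarded = "spanning-tree guard root" in cmds
        mode = "trunk" if "switchport mode trunk" in cmds else "access"  # assumes explicit mode
        if name in root_allowed and guarded:
            findings.append((name, "root guard set where the root is expected"))
        elif name not in root_allowed and not guarded:
            findings.append((name, f"{mode} port without root guard"))
    return findings

if __name__ == "__main__":
    for port, issue in audit_root_guard(SAMPLE_CONFIG, {"Port-channel1"}):
        print(f"{port}: {issue}")
```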