EN02 Technical Fundamentals of Data Communications Networks

• A Layer 2 switch works at the second layer (data link layer) of the OSI model and forwards data packets based on MAC addresses.
• A Layer 2 switch maintains a MAC address-to-port mapping table, known as the MAC address table, by parsing and learning the source MAC addresses of Ethernet frames. When receiving an Ethernet frame, a switch searches its MAC address table for the outbound port based on the destination MAC address of the frame.
• Ports on a Layer 2 switch send and receive data independently and belong to different collision domains. Collision domains are therefore isolated at the physical layer, preventing uneven traffic rates from causing collisions between hosts (or networks) connected through this Layer 2 switch.
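The learning and lookup behaviour described above, as an added example that is not part of the original course notes: a minimal model of a Layer 2 switch that learns source MAC addresses per ingress port, forwards known unicast to a single port, floods unknown unicast and broadcast out all other ports, and filters a frame whose destination sits on the ingress port. The port names and MAC addresses are constructed for the demonstration.

```python
# Added example (not from the original slide notes): a minimal model of how a
# Layer 2 switch builds its MAC address table from source addresses and then
# forwards, floods, or filters a frame based on the destination address.
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class Layer2Switch:
    ports: List[str]
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port

    def learn(self, frame: Frame, in_port: str) -> None:
        # Learning: record (or refresh) the source MAC against the ingress port.
        self.mac_table[frame.src_mac.lower()] = in_port

    def forward(self, frame: Frame, in_port: str) -> List[str]:
        """Return the list of egress ports for this frame."""
        self.learn(frame, in_port)
        dst = frame.dst_mac.lower()
        if dst == BROADCAST or dst not in self.mac_table:
            # Unknown unicast or broadcast: flood out every port except ingress.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        if out_port == in_port:
            # Destination is on the same port (same collision domain): filter.
            return []
        return [out_port]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: host A on port 1 talks to host B on port 2."""
    sw = Layer2Switch(ports=["GE0/0/1", "GE0/0/2", "GE0/0/3"])
    results = {}
    # A sends to B before B has been learned: the frame is flooded.
    results["a_to_b_unknown"] = sw.forward(
        Frame("00:00:00:00:00:0a", "00:00:00:00:00:0b"), "GE0/0/1")
    # B replies; B is learned on port 2 and A is already known on port 1.
    results["b_to_a"] = sw.forward(
        Frame("00:00:00:00:00:0b", "00:00:00:00:00:0a"), "GE0/0/2")
    # A to B is now a known unicast: only port 2 receives it.
    results["a_to_b_known"] = sw.forward(
        Frame("00:00:00:00:00:0a", "00:00:00:00:00:0b"), "GE0/0/1")
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: {ports}")
```

The flooding step is why unknown-destination traffic is visible on every port of the broadcast domain until the reply is learned; a real switch additionally ages entries out and bounds the table size.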
• As networks grow in scale, users require backbone networks to provide higher bandwidth and reliability. In conventional technologies, a common practice to increase the bandwidth is to use high-speed LPUs or devices that support high-speed LPUs, which is costly and inflexible.
• Unlike these conventional technologies, link aggregation bundles multiple physical interfaces into a logical interface to increase the link bandwidth without upgrading hardware. In addition, link aggregation provides link backup mechanisms, greatly improving link reliability.
• A link aggregation group (LAG), also known as an Eth-Trunk link, is a logical link that bundles multiple Ethernet links. Each LAG corresponds to a unique logical interface, known as a LAG interface or an Eth-Trunk interface.

• Link aggregation has the following advantages:
▫ Increased bandwidth: The maximum bandwidth of an Eth-Trunk interface is the sum of the bandwidth of its member interfaces.
▫ Higher reliability: When an active link fails, traffic can be switched to other available member links.
▫ Load balancing: Traffic load can be balanced among the active member links in a LAG.
• If the IP address of packets changes frequently, using load balancing based on the source IP address, destination IP address, or both can better balance traffic among physical links.
• If the MAC address of packets changes frequently but the IP address is fixed, using load balancing based on the source MAC address, destination MAC address, or both can better balance traffic among physical links.
• If a load balancing mode does not match the actual service characteristics, traffic may be unevenly load balanced. As a result, some member links may be heavily loaded while other member links are idle. For example, if the source and destination IP addresses of packets change frequently but the source and destination MAC addresses are fixed, choosing load balancing based on source and destination MAC addresses may cause all traffic to be carried over only one member link.
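The mismatch described in the last bullet, as an added example that is not part of the original course notes. It models hash-based member selection on an Eth-Trunk with a CRC32 of the chosen header fields (the real hash algorithm is vendor-specific; CRC32 is an assumption for illustration) and feeds it constructed traffic where many hosts sit behind one router, so the MAC pair is fixed while the IP pair varies. MAC-based balancing puts every flow on one member link; IP-based balancing spreads them.

```python
# Added example (not from the original slide notes): how the choice of
# load-balancing key decides whether flows spread across Eth-Trunk member links.
# The hash (CRC32) and the sample flows are constructed for illustration.
import zlib
from collections import Counter
from typing import Dict, List, Tuple

Flow = Dict[str, str]  # keys: src_mac, dst_mac, src_ip, dst_ip


def select_member(flow: Flow, keys: Tuple[str, ...], member_count: int) -> int:
    """Pick a member link index by hashing the selected header fields."""
    material = "|".join(flow[k] for k in keys).encode()
    return zlib.crc32(material) % member_count


def distribution(flows: List[Flow], keys: Tuple[str, ...], member_count: int) -> Counter:
    """Count how many flows land on each member link for a given key set."""
    return Counter(select_member(f, keys, member_count) for f in flows)


def make_flows(n: int) -> List[Flow]:
    # Constructed traffic: many hosts behind a router. The source and
    # destination MACs are the router's and the next hop's (fixed for every
    # flow); the IP addresses differ per host and per server.
    return [
        {
            "src_mac": "00:11:22:33:44:55",
            "dst_mac": "66:77:88:99:aa:bb",
            "src_ip": f"10.0.{i // 256}.{i % 256}",
            "dst_ip": f"192.168.1.{(i * 7) % 254 + 1}",
        }
        for i in range(n)
    ]


def compare(member_count: int = 4, n: int = 1000) -> Dict[str, Counter]:
    """Compare MAC-based and IP-based balancing for the constructed traffic."""
    flows = make_flows(n)
    return {
        "mac": distribution(flows, ("src_mac", "dst_mac"), member_count),
        "ip": distribution(flows, ("src_ip", "dst_ip"), member_count),
    }


if __name__ == "__main__":
    for mode, counts in compare().items():
        print(mode, dict(sorted(counts.items())))
```

Swapping the key set is all that changes between the two runs; the lesson is to pick the key whose values actually vary across the traffic the trunk carries.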
• MSTP divides a switching network into multiple regions, each of which has multiple spanning trees that are independent of each other.
• Each spanning tree is called an MSTI.
• An MSTI is a collection of VLANs.
• Binding multiple VLANs to a single MSTI reduces communication costs and resource utilization.
• The topology of each MSTI is calculated independently, and traffic can be load balanced among MSTIs.
• Multiple VLANs with the same topology can be mapped to a single MSTI. The forwarding state of VLANs on an interface is determined by the interface state in the MSTI.
• OSPF classifies networks into the following four types based on the link layer protocol type. OSPF operations vary according to interface type.
▫ Broadcast
▫ Non-broadcast multiple access (NBMA)
▫ Point-to-multipoint (P2MP)
▫ Point-to-point (P2P)
• In this example, spine and leaf nodes are connected using Ethernet interfaces, and OSPF adjacency relationships are established using VLANIF interfaces. Therefore, the network type of these interfaces is broadcast by default. During the establishment of neighbor relationships, OSPF elects a designated router (DR) in each network segment, which takes some time. However, this time-consuming DR election is unnecessary here, because these links are logically point-to-point connections. To improve OSPF efficiency and speed up the establishment of adjacency relationships, you can change the network type of the interconnection interfaces to P2P.
• The Dynamic Host Configuration Protocol (DHCP) dynamically configures and uniformly manages IP addresses of hosts. It simplifies network deployment and scale-out, even for small networks.
• DHCP dynamically assigns an IP address to each host, instead of specifying a static IP address for each host.
• DHCP also allocates other configuration parameters, such as the startup configuration file, to a client, so that the client can obtain all the required configuration information through only one message.
• DHCP is defined in RFC 2131 and uses the client/server communication model. A DHCP client requests configuration information from a DHCP server, and the server returns the configuration information allocated to the client.
• DHCP supports dynamic and static IP address allocation. Network administrators can use either mechanism to allocate IP addresses to hosts based on their network requirements.
▫ Dynamic allocation: DHCP allocates an IP address with a limited validity period (known as a lease) to a client. This mechanism applies to scenarios where hosts temporarily access the network and the number of idle IP addresses is less than the total number of hosts.
▫ Static allocation: DHCP allocates fixed IP addresses to clients as configured. Compared with manual IP address configuration, DHCP static allocation prevents manual configuration errors and enables unified maintenance and management.
• DHCP has the following benefits:
▫ Reduced client configuration and maintenance costs
▫ Centralized management
• Network Time Protocol (NTP) is an application layer protocol in the TCP/IP suite. NTP synchronizes time between distributed time servers and clients. NTP is implemented based on IP and UDP. NTP packets are transmitted over UDP using port 123.
• As network topologies become increasingly complex, clock synchronization becomes more important for all devices within a network. Manual configuration of system clocks by network administrators is both labor-intensive and error-prone, potentially affecting clock precision. To address this problem, NTP is designed to synchronize the clocks of devices within a network.
• NTP is used when the clocks of all devices on a network need to be consistent. For example:
▫ Network management: The logs and debugging information collected from different routers need to be analyzed based on time.
▫ Charging system: The clocks of all devices must be consistent.
▫ Several systems work together to process a complex event: The systems must refer to the same clock to ensure proper sequencing of operations.
▫ Incremental backup between the backup server and clients: Clocks on the backup server and clients must be synchronized.
▫ System time: Some applications need to know the user login time and file modification time.
• Switches can function as an NTP server or client.

• LLDP is a standard Layer 2 topology discovery protocol defined in IEEE 802.1AB. LLDP collects local device information, including the management IP address, device ID, and port ID, and advertises the information to neighboring devices, which then save the received information in their management information bases (MIBs). The NMS can use data in MIBs to query the link status.
• As networks grow in scale, an NMS must be capable of managing network devices with diverse functions and complex configurations. Most NMSs can detect Layer 3 network topologies, but cannot obtain detailed topology information or configuration conflicts. Therefore, a standard protocol is required to exchange Layer 2 information between network devices.
• LLDP provides a standard link-layer discovery method. Layer 2 information obtained from LLDP allows an NMS to detect the topology of neighboring devices and display paths between clients, switches, routers, application servers, and network servers. The NMS can also detect configuration conflicts between network devices and identify causes of network failures. Enterprise users can use an NMS to monitor the link status on devices running LLDP and quickly locate network faults.
• OpenFlow is a communication protocol between the control and forwarding planes in the Software Defined Networking (SDN) architecture. OpenFlow provides standard, open interfaces to separate the control and forwarding planes. OpenFlow allows iMaster NCE to directly access and operate the forwarding plane of a network device, which can be a physical or virtual switch.
• As server virtualization gains wider use in DCs, the growing number of virtual machines complicates network management and slows down service provisioning. To cope with these problems, network devices must be easy to operate, provide high scalability, and support centralized control and management of forwarding behaviors. However, traditional network devices have integrated control and forwarding planes. Therefore, these devices have poor scalability and long technology update periods. In addition, it is difficult to centrally control and manage these devices and to quickly provision services on traditional networks. SDN separates the control and forwarding planes. As the communication channel between the control and forwarding planes in the SDN architecture, OpenFlow can centrally control and manage forwarding on the entire network, enabling fast service provisioning.
• Forwarding database: iMaster NCE collects protocol data that is large in volume and changes frequently, performs the calculation, and generates the forwarding database. It then delivers the database to devices through OpenFlow. This enhances the compute capability of the devices. For example, the forwarding database generated by a controller may include IP addresses and MAC addresses. The devices store the forwarding information and generate ARP entries after calculation to direct packet forwarding.
• User policy table: iMaster NCE delivers the user policy table to devices running OpenFlow. The user policy table is manually created on iMaster NCE to direct packet forwarding. The devices match packets against the user policy table and process matching packets. Entries of the same level are matched according to their priorities. Currently, a device supports only a one-level user policy table. A user policy table can contain multiple entries.
• ACL composition:
▫ ACL number: Each ACL needs to be allocated an ACL number, which identifies the ACL. The ACL number range varies according to the ACL type, which will be described later.
▫ Rule: As mentioned above, an ACL consists of several permit or deny statements, and each statement is a rule.
▫ Rule ID: Each ACL rule has an ID that identifies the rule. Rule IDs can be manually defined or automatically allocated by the system. A rule ID ranges from 0 to 4294967294. All rules are arranged in ascending order of rule ID.
▫ Action: Each rule contains a permit or deny action. ACLs are usually used together with other technologies, and the meanings of the permit and deny actions may vary according to scenario.
▪ For example, if an ACL is used together with traffic filtering technology (that is, the ACL is invoked in a traffic filter), the permit action allows traffic to pass through and the deny action rejects traffic.
▫ Matching option: ACLs support various matching options. In the preceding example, the matching option is the source IP address. The ACL also supports other matching options, such as Layer 2 Ethernet frame header information (including source and destination MAC addresses and Ethernet frame protocol type), Layer 3 packet information (including destination IP address and protocol type), and Layer 4 packet information (including TCP/UDP port number).
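The ACL composition above, as an added example that is not part of the original course notes: a small evaluator with an ACL number, rules identified by IDs in the stated 0 to 4294967294 range and evaluated in ascending ID order, a permit or deny action per rule, and matching options on source/destination IP, protocol and destination port. The "no rule matched" outcome is passed in as a parameter, because, as the notes say, what permit and deny mean depends on where the ACL is invoked. The ACL number 3000, the subnets and the rules are constructed for the demonstration and are not from the page.

```python
# Added example (not from the original slide notes): an ACL evaluator that
# models rule IDs, ascending-ID matching order, permit/deny actions and a few
# Layer 3/4 matching options. All addresses and rules below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RULE_ID = 4294967294


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    src: Optional[str] = None          # CIDR; None means any
    dst: Optional[str] = None          # CIDR; None means any
    protocol: Optional[str] = None     # "tcp", "udp", "icmp"; None means any
    dst_port: Optional[int] = None     # Layer 4 destination port; None means any


def rule_matches(r: Rule, pkt: Dict) -> bool:
    """True if every matching option set on the rule matches the packet."""
    if r.src and ipaddress.ip_address(pkt["src_ip"]) not in ipaddress.ip_network(r.src):
        return False
    if r.dst and ipaddress.ip_address(pkt["dst_ip"]) not in ipaddress.ip_network(r.dst):
        return False
    if r.protocol and pkt.get("protocol") != r.protocol:
        return False
    if r.dst_port is not None and pkt.get("dst_port") != r.dst_port:
        return False
    return True


@dataclass
class Acl:
    number: int
    rules: List[Rule]

    def __post_init__(self) -> None:
        ids = [r.rule_id for r in self.rules]
        if len(ids) != len(set(ids)):
            raise ValueError("duplicate rule ID")
        for r in self.rules:
            if not 0 <= r.rule_id <= MAX_RULE_ID:
                raise ValueError(f"rule ID {r.rule_id} out of range")
            if r.action not in ("permit", "deny"):
                raise ValueError(f"unknown action {r.action!r}")
        # Rules are always evaluated in ascending order of rule ID, regardless
        # of the order in which they were entered.
        self.rules.sort(key=lambda r: r.rule_id)

    def evaluate(self, packet: Dict, default: str = "permit") -> str:
        """Return the action of the first matching rule, or `default`."""
        for r in self.rules:
            if rule_matches(r, packet):
                return r.action
        return default


# Constructed ACL (hypothetical number 3000): allow SSH to the management
# subnet only from inside it, deny SSH from anywhere else, permit the rest of
# the traffic to the subnet. Rules are entered out of order on purpose.
MGMT_ACL = Acl(3000, [
    Rule(15, "permit", dst="10.10.0.0/24"),
    Rule(5, "permit", src="10.10.0.0/24", dst="10.10.0.0/24", protocol="tcp", dst_port=22),
    Rule(10, "deny", dst="10.10.0.0/24", protocol="tcp", dst_port=22),
])


if __name__ == "__main__":
    pkt = {"src_ip": "192.0.2.7", "dst_ip": "10.10.0.5", "protocol": "tcp", "dst_port": 22}
    print([r.rule_id for r in MGMT_ACL.rules], MGMT_ACL.evaluate(pkt))
```

Because rule 5 sorts before rule 10, internal SSH is matched before the broader deny; entering the same two rules with their IDs swapped would silently block the internal hosts too, which is the practical reason to check the sorted order rather than the order typed.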
• VRF is a key technology in the Multiprotocol Label Switching (MPLS) VPN architecture
and is similar to a virtual device.
• A VRF instance is a logical division of a physical device. With VRF, multiple virtual
devices (or VRF instances) can be created on a physical device (such as a router,
switch, or firewall), and each virtual device works as an independent device. Each
virtual device has an independent routing table, independent route selection process,
and independent interface.
• Security zones on a firewall must have different security priorities.
• Each interface on the firewall must be added to a security zone to ensure correct data forwarding.
• Each interface of a firewall can belong to only one security zone.
• A security zone of a firewall can have multiple interfaces.
• The default security zones of the system cannot be deleted. Users can define security zones as required.
• Leveraging encryption and authentication, IPsec secures service data transmission over the Internet through:
▫ Data origin authentication: The receiver can authenticate the sender's identity.
▫ Data encryption: The sender encrypts data packets and transmits them in ciphertext over the Internet. The receiver decrypts or directly forwards the received data packets.
▫ Data integrity: The receiver verifies the received data to determine whether the packets have been tampered with during transmission.
▫ Anti-replay: The receiver rejects old or duplicate data packets to prevent malicious users from launching attacks by repeatedly sending obtained packets.
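The anti-replay service listed above, as an added example that is not part of the original course notes: the sliding-window check an IPsec receiver applies to ESP sequence numbers, in the style of the replay window described in RFC 4303. The window size of 8 used in the demonstration is deliberately small (64 is the usual minimum), and the integrity check is simulated by a boolean argument, since the window may only be updated after the packet has passed integrity verification.

```python
# Added example (not from the original slide notes): a sliding-window
# anti-replay check for IPsec-style sequence numbers. Bit i of the bitmap
# records whether sequence number (top - i) has already been accepted.
class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit 0 corresponds to `top`

    def check(self, seq: int, integrity_ok: bool = True) -> bool:
        """Return True if `seq` is accepted; False for replays, stale or
        unauthenticated packets. The window moves only on accepted packets."""
        if seq == 0:
            return False                    # 0 is never a valid ESP sequence number
        if seq > self.top:
            # Newer than anything seen: this would advance the window, so the
            # packet must first pass integrity verification.
            if not integrity_ok:
                return False
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # older than the window: stale
        if self.bitmap & (1 << offset):
            return False                    # already received: replay
        if not integrity_ok:
            return False                    # do not mark an unverified packet
        self.bitmap |= 1 << offset          # late but genuine: accept once
        return True


def demo() -> list:
    """Constructed sequence: in-order, a replay, a jump, a late arrival,
    a stale packet, and a forged packet that fails integrity."""
    w = AntiReplayWindow(size=8)
    return [w.check(s, ok) for s, ok in
            [(1, True), (2, True), (3, True), (2, True), (10, True),
             (3, True), (4, True), (1, True), (20, False), (11, True)]]


if __name__ == "__main__":
    print(demo())
```

Out-of-order delivery inside the window (sequence 4 arriving after 10) is still accepted once, which is what lets the mechanism tolerate reordering without accepting the same packet twice.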
• The static VXLAN solution does not have a control plane. VTEP discovery and learning of host information (including IP addresses, MAC addresses, VNIs, and gateway VTEP IP addresses) are performed through traffic flooding on the data plane. As a result, there is a lot of flooded traffic on VXLAN networks. To address this problem, EVPN is introduced as the control plane of VXLAN. EVPN allows VTEPs to exchange BGP EVPN routes to implement automatic VTEP discovery and host information advertisement, preventing unnecessary traffic flooding.
• Problems in configuring VXLAN in static mode:
▫ If N devices need to establish VXLAN tunnels, you need to manually configure the ingress replication list a maximum of N x (N – 1)/2 times.
▫ A static VXLAN tunnel only has the data forwarding plane.
▫ Remote MAC addresses can be learned only through broadcast ARP packets.
• Answer:
1. ACD
2. C