layer-2 connection between 2 VTP domains

Answered Question
Feb 1st, 2008

We have 2 large sites, both different VTP domains.

On both sites we have equal VLANs, like VLAN 10, 20 etc., but also different VLANs.

We want to connect both sites now through layer-2.

This presents a problem, because when you connect 2 VTP domains with equal VLANs, spanning-tree will elect only 1 root and 1 backup-root switch.


We want to connect VLAN 10, 20 and 30 through this layer-2 connection only, and not the other VLANs.

And we want to have a root-switch and a backup-root switch on both sites.

So spanning-tree should not run between the 2 sites.

This can be done by adding the bpdufilter command to the interface configuration, which connects both sites.


This works, but we find this not a very good solution.

Because, if we would introduce a 3rd site, a spanning-tree loop could occur.


Does anyone know how to connect these 2 sites in another way (MST), so that we can connect 2 VLANs?


Correct Answer by jorgenolla about 9 years 3 months ago

Here is the documentation for MST:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12244se/scg/swmstp.htm


It will provide you with a better understanding of how MST works and of the configuration parameters. I would suggest you run the new MST setup in a lab environment and perform some testing before you implement it in a production environment.


"That means 3 spanning-tree instances, isn't it? "


It depends on how you assign your VLANs per instance, but yes, that is the basic idea. MST region 1 will run bridge elections for all VLANs its region has assigned; MST region 2 will go through the same process. Afterwards the two instances will run the bridge election for the CST, for the shared VLANs.


"So we do not want to change the spanning-tree mode to MST, just now.

But what we want is a connection (Layer-2) between these 2 sites, only for the VLANs 10, 20 and 30. "


For this to work you must ensure you don't have a loop in your topology between the 2 sites. So I would ask:


Is there more than one link connecting the two sites?

If there is more than one link connecting the sites, you will in fact have a loop in your topology, thus the need for spanning tree.


With one link:

interface FastEthernet0/13
 ! single inter-site trunk: carry only the three shared VLANs and stop BPDUs on this link
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree bpdufilter enable
end



To add resilience to your network, and provide more BW between sites, I would configure an Ether-Channel port between the two sites:


interface Port-channel1
 ! the physical member links are bundled into this one logical trunk, so bpdufilter is applied once
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree bpdufilter enable
end




If you try to add multiple links between the switches on each site without the Ether-Channel, and enable bpdufilter, you will receive VLAN flapping messages. That configuration would look like this:


interface range FastEthernet0/13 - 15
 ! three parallel unbundled links with STP filtered: this is the configuration that causes the flapping
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree bpdufilter enable
end


The Ether-Channel seems to me like a good solution, given that no other switches are connecting site 1 to site 2, to avoid a bridging loop. This in fact presents the problem of each switch becoming the single point of failure for the connection between the sites.


If you add a 3rd site, and connect the 3rd site to both site 1 and site 2, you will create a bridging loop. You would have to connect site 3 to only one other site to avoid the bridging loop.


I'm not sure what the specific needs of your network are, but another solution (the least preferred in my opinion) would be to run proxy ARP between sites.


Best Regards

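The answer's warning is that bpdufilter is only safe on a single inter-site trunk or on one port-channel, and that the trunk should carry only VLANs 10, 20 and 30. As an added example (not from the thread or from Cisco), here is a small Python audit that parses an IOS-style running-config and flags both problems: bpdufilter trunks with no allowed-VLAN restriction, and more than one unbundled physical link carrying bpdufilter. The sample config and interface names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not from the thread): a port-channel
# trunk as the answer recommends, two unbundled physical trunks with
# bpdufilter (the loop-prone case), and one member port of the bundle.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface FastEthernet0/13
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface FastEthernet0/14
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface FastEthernet0/15
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree bpdufilter enable
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from an IOS-style config."""
    blocks, current = defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # "!" or any top-level line ends the block
    return dict(blocks)

def audit_bpdufilter(config):
    """Flag bpdufilter trunks that carry all VLANs, and parallel unbundled bpdufilter links."""
    findings, unbundled = [], []
    for name, cmds in parse_interfaces(config).items():
        if "spanning-tree bpdufilter enable" not in cmds:
            continue
        if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            findings.append(f"{name}: bpdufilter trunk carries every VLAN, not just 10,20,30")
        bundled = name.lower().startswith("port-channel") or any(c.startswith("channel-group") for c in cmds)
        if not bundled:
            unbundled.append(name)   # a physical link that is neither a bundle nor a member
    if len(unbundled) > 1:           # two or more such links = bridging loop with STP filtered
        findings.append("parallel unbundled bpdufilter links (bridging loop risk): " + ", ".join(unbundled))
    return findings
```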
jorgenolla Fri, 02/01/2008 - 19:12

"when you connect 2 VTP-domains with equal VLANs"


Connecting VTP domains has nothing to do with spanning-tree; spanning-tree runs independently from VTP. Meaning your VTP assignment does not affect the election of the root or secondary bridges. The broadcast domain which the switches are taking part of causes them to be part of the election for spanning-tree. In this case, when you extend the VLANs to the other group of switches, you are extending the broadcast domain, thus they become part of the spanning-tree election.




"So spanning-tree should not run between the 2 sites.

This can be done by adding the bpdufilter command to the interface configuration, which connects both sites.


This works, but we find this not a very good solution.

Because, if we would introduce a 3rd site, a spanning-tree loop could occur"



This is actually a contradiction. If you filter BPDUs (turn off spanning-tree) and have a loop in your broadcast domain, you are likely to create a bridging loop (not a spanning-tree loop).


Only one bridge acts as the root bridge in any given network per VLAN.

jorgenolla Fri, 02/01/2008 - 19:38

You can configure 2 MST Regions. Each region will run on each site, and they will share a CST for the VLANs allowed on the trunk; but election for the root and secondary bridges for the CST will take place for the VLANs you are allowing on the trunk.

pvanliere Sat, 02/02/2008 - 07:20

Jorge,


Many thanks for your reply!

We have 2 large sites, at this moment configured with standard PVST.

So we do not want to change the spanning-tree mode to MST, just now.

But what we want is a connection (Layer-2) between these 2 sites, only for the VLANs 10, 20 and 30.


So is it then a good idea to use an MST between the 2 PVSTs?

Layout is:

1. (site A with PVST - vlan 1 through 999)
2. (2 stacked 3750 switches -> cross-stack port-channel -> 2 stacked 3750 switches), which is an MST region - vlan 10, 20 and 30.
3. (site B with PVST -> vlan 1 through 999)


That means 3 spanning-tree instances, isn't it?

A root switch for all VLANs in site A and B separately.

A root switch for vlan 10, 20 and 30 in the MST region (spanning all sites).


Is that a solution?


Regards.

pvanliere Sun, 02/03/2008 - 03:50

Jorge,


your replies are very helpful.

Again, many thanks.

You are a great help.


Regards,


Peter van Liere.
