MST Configuration Help

brett.harrison
Level 1

I have two 4507 switches as the primary core and a secondary core in separate buildings. The cores will connect to 3560 distribution/access layer switches. One connection back to the primary core and a redundant connection back to the secondary core. Currently all the VLANs are configured on the 4507s. Each 3560 will have multiple VLANs associated with it, such as a workstation network, a wireless network, and an unsecured wireless network. My original plan was to use a default route back to the core from the 3560s and use GLBP or HSRP between cores to limit the amount of VLANs created on the core. However, this will not work as we purchased 3560s with the Standard Image and not the Enterprise Image.

I was told that I could use MST between the 3560 switches and the cores; however, I am having a hard time understanding how this will work. Do I need to create all the VLANs for all the networks on each switch and core? I really do not want to do that, as I wanted to limit the amount of VLANs on the core.

Example: Building 3 on the core will be represented by VLAN 3 with IP address 10.3.1.1. On the 3560 the networks will consist of 10.3.110.0/24 for workstations and 10.3.111.0/24 for wireless. These would be the only two networks at this time on the 3560, with a default-gateway to 10.3.1.1.

Essentially all the buildings will have 3560s with this exact setup, a total of 16 3560s.

How do I use MST with this type of setup?


4rmorris
Level 1

I'm surprised you can't do this with routing in your 3560. In recent releases (12.2(25)SE and up?) the standard image does static routing, EIGRP stub and (I think) RIP.

So if you're using HSRP on a VLAN interface on the 4507s and that VLAN is also configured on the 3560s with an L3 VLAN interface and IP, configure the 4507 HSRP address as the default route for the 3560 and away you go.

To do this you'll need to turn on ip routing (make sure the command "ip routing" is in the 3560 config) and use the "ip route 0.0.0.0 0.0.0.0 x.x.x.x" command, not the default-gateway command in the 3560. You need one additional VLAN interface over the 2 you described to cover the two uplinks to the 4507s. On this VLAN I would use a small subnet (like /48). You don't really need to advertise the VLAN using VTP or MST as long as the uplink port is assigned to the correct VLAN on the 4507 and the 3560.

You may need some static routes in the 4507s (or run a routing protocol with the 3560) to make sure the local building routes go where you want them.

Good luck! If you need further clarification or a sample config let me know.

Ryan Morris

CCIE #18953

Thank you for the information. My initial thoughts were that release 12.2.(25) and up should allow for IP routing. In my current environment we are using static routes on the 3560s using 12.2.(37) Advanced IP Services. I didn't think it would differ much if the switch was using the standard release for routing. However, another engineer mentioned that I would not be able to do this and mentioned the use of MST.

If this does work and I can use a default route back to the core, what will happen to the second link connecting to the redundant core if I use static routing with GLBP or HSRP running on the redundant cores? I see you stated that I should assign an additional VLAN to this connection. I am a little confused. A sample config for the 3560 would be helpful. Thank you again!

Example: On the 3560 I will have VLAN 3 as the building VLAN with an IP for the device 10.3.1.11 the default route back to the core would be 0.0.0.0 0.0.0.0 10.3.1.1 (10.3.1.1 will be the logical IP address on the HSRP configuration between the two cores and VLAN 3) Now, what happens with the second link to the backup core? I guess that's where I am getting a little confused.

Regards,

Brett Harrison

I originally thought you wanted to have the default gateway ip for the wired and wireless lans configured on a VLAN interface in the 3560. That would require an additional subnet for a routed uplink.

I think I see what you're saying now. You need the default gateway in the core switch for both the wired and wireless networks in the building, and the 3560's management IP is in the wired device subnet. Here's what I would do:

Wired vlan: 3

Wireless vlan: 4

Configure vlan 3 and 4 on the two core switches and make sure both vlans are sent on a trunk link between them (default behaviour if you have a trunk).

Configure your layer 3 VLAN interfaces with HSRP for vlan 3 and 4 on the core switches

Configure vlan 3 and 4 on the 3560.

Configure a layer 3 vlan interface on the 3560 with the management IP (interface vlan3)

Contrary to my earlier note, in this case you could turn off ip routing in the 3560 (no ip routing), and use the ip default-gateway command. If you choose to leave ip routing on, you need the ip route 0.0.0.0 0.0.0.0 10.3.1.1 command.

Configure a default-gateway (ip default-gateway 10.3.1.1 or ip route 0.0.0.0 0.0.0.0) to the HSRP IP on the core switch.

Configure the uplink to the 4507s as trunks and make sure they carry vlan 3 & 4

Optionally, all the vlan information can be distributed between the switches using VTP (this will make your life easier) and you can filter the number of vlans on the trunk using pruning.

If you don't use VTP, you can manually limit the vlans on the trunks to the 3560 using the "switchport trunk allowed vlan" interface command.

In this config your 3560 is a pretty simple switch, and you definitely don't need anything but the basic feature set. We use exactly this setup throughout our network (with VTP). It's actually very straightforward once you get it going.

Sample config (assuming port gig0/1 is a link between the two 4507s and gig0/2 is the downlink to the 3560). No VTP setup here:

4507s:

vlan 3
vlan 4
int gig 0/1
 description Link to other core
 switchport trunk encap dot1q
 switchport mode trunk
int gig0/2
 description Link to 3560
 switchport trunk encap dot1q
 switchport mode trunk
 switchport trunk allowed vlan 3,4
int vlan 3
 ip address 10.3.1.# 255.255.255.0
 standby ip 10.3.1.1
int vlan 4
 ip address 10.3.2.# 255.255.255.0
 standby ip 10.3.2.1

3560:

no ip routing
vlan 3
vlan 4
int gig0/1
 description Link to core 1
 switchport trunk encap dot1q
 switchport mode trunk
 switchport trunk allowed vlan 3,4
int gig0/2
 description Link to core 2
 switchport trunk encap dot1q
 switchport mode trunk
 switchport trunk allowed vlan 3,4
int vlan 3
 ip address 10.3.1.11 255.255.255.0
!
ip default-gateway 10.3.1.1

I think that's more what you're trying to do. You should also tweak spanning tree root parameters to make sure your primary core becomes the root of the spanning tree.

R.

Ok, I got what you are saying here. I was trying to avoid this because it would force me to create multiple VLANs for each of the buildings, plus the wired and wireless networks for the buildings, on the core, which would then have to be trunked to the 3560 switches. My original plan was to have the 10.x.x.x networks reside on the cores, then on the 3560s break down the networks even further and route back to the core.

Example: on the core I would have the VLANs for each building, so for this example I will use Building 3 and Building 4 with the matching VLANs for simplicity's sake. The IP addresses for these VLANs will be 10.3.1.1 and 10.4.1.1.

Now, I will have two links going from each core to the 3560 switches. Two connections to the Building 3 3560 and 2 connections to the Building 4 3560, and so on for the other devices.

On the 3560s I would like to have multiple VLANs such as a wireless network and a wired network and any future networks to be added in the near future.

ex: 3560 in building 3

VLAN 110 - wired network 10.3.110.0 /24

VLAN 111 - wireless network 10.3.111.0 /24

default-route 0.0.0.0 0.0.0.0 10.3.1.1 going back to the core.

VLAN xxx - TBD

ex:3560 in building 4

VLAN 110 - wired network 10.4.110.0 /24

VLAN 111 - wireless network 10.4.111.0 /24

VLAN 120 - wired network 2nd floor 10.4.120.0 /24

vlan 121 - wireless network 2nd floor 10.4.121.0 /24

default-route 0.0.0.0 0.0.0.0 10.4.1.1 going back to the core.

Core running HSRP or GLBP and VLANS

VLAN 3 - 10.3.1.1 /24 - Building 3

VLAN 4 - 10.4.1.1 /24 - Building 4

VLAN 5 - 10.5.1.1 /25 - Building 5

VLAN 128 - 10.128.1.1 /24 - server network

and so on.

This should explain things a little better.

The problem I am facing is that I have two connections for each switch. What do I do about the second connection? I need to have the fastest failover in case of the primary link failing.

Sorry for the confusion and thank you again for your assistance.

Regards,

Brett

I posted this about an hour ago but it didn't show up, hopefully it doesn't pop up twice.

Ok, I think we're back to my first recommendation. You can't meet your requirement to keep the VLANs & subnets off the core switches using layer 2 techniques, so instead you need to use routed uplinks to the 3560s. To use HSRP/GLBP for fast failover, they need to be in the same vlan. For this you'll need one extra vlan spanning the three switches and a small subnet for the uplink. Here's a sample (using vlan 333 for the uplink):

4507s:

vlan 333
!
int gig 0/1
 description Link to other core
 switchport trunk encap dot1q
 switchport mode trunk
!
int gig0/2
 description Link to 3560
 switchport mode access
 switchport access vlan 333
!
int vlan 333
 ip address 10.3.254.# 255.255.255.248
 standby ip 10.3.254.1
!
ip route 10.3.1.0 255.255.255.0 10.3.254.4
ip route 10.3.2.0 255.255.255.0 10.3.254.4
!

3560:

ip routing
!
vlan 3
vlan 4
vlan 333
!
int gig0/1
 description Link to core 1
 switchport mode access
 switchport access vlan 333
!
int gig0/2
 description Link to core 2
 switchport mode access
 switchport access vlan 333
!
int vlan 3
 ip address 10.3.1.11 255.255.255.0
!
int vlan 4
 ip address 10.3.2.11 255.255.255.0
!
int vlan 333
 ip address 10.3.254.4 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.3.254.1
!

This will give you very fast failover with HSRP. Routed uplinks have inherently faster failover than switched, although MST and Rapid STP do converge quite fast.

An even better solution than this would be to run two routed uplinks (i.e. instead of using the same vlan for the two uplinks use two different vlans or routed ports) and run a dynamic routing protocol like EIGRP across the uplinks. That would be a little more complex but it's more like the ideal routed situation shown here:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns656/net_design_guidance0900aecd804ab689.pdf

Depending on your IGP you might not be able to do this with the standard image in the 3560.

How's that sound?

R.

I think you just solved my problem. Now, for each switch I would need to create that additional VLAN to route back to the core over the alternate link? Thanks again!

Right. You'll need a different vlan and a small subnet for each set of building uplinks.

Glad I could help!

Ryan
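The per-building pattern discussed in this thread (one uplink VLAN and a small /29 per building, an HSRP address on the cores, static routes toward the 3560), sketched as an added example that is not part of the original posts. It emits only the layer 3 lines; the uplink VLAN numbering (330 + building), the core addresses .2 and .3 in place of the "#", and the SVI at the first host address of each user subnet are assumptions.

```python
import ipaddress

def building_plan(building, user_vlans):
    """Addressing for one building's routed uplink (constructed scheme)."""
    uplink = ipaddress.ip_network(f"10.{building}.254.0/29")
    h = list(uplink.hosts())                     # .1 through .6
    nets = {v: ipaddress.ip_network(n) for v, n in user_vlans.items()}
    return {"vlan": 330 + building,              # assumption: 333 for building 3
            "uplink": uplink, "vip": h[0],       # HSRP address .1, as in the sample
            "cores": {1: h[1], 2: h[2]},         # assumption: .2 and .3 fill the "#"
            "access": h[3], "nets": nets}        # 3560 at .4, as in the sample

def core_config(plan, core):
    """IOS lines one 4507 needs for this building: SVI, HSRP, static routes."""
    lines = [f"vlan {plan['vlan']}", "!",
             f"interface Vlan{plan['vlan']}",
             f" ip address {plan['cores'][core]} {plan['uplink'].netmask}",
             f" standby ip {plan['vip']}", "!"]
    return lines + [f"ip route {n.network_address} {n.netmask} {plan['access']}"
                    for n in plan["nets"].values()]

def access_config(plan):
    """IOS lines for the building's 3560: routing on, SVIs, default route."""
    lines = ["ip routing", "!"]
    for vlan, net in plan["nets"].items():
        gw = net[1]                              # assumption: SVI takes the first host
        lines += [f"interface Vlan{vlan}", f" ip address {gw} {net.netmask}", "!"]
    return lines + [f"interface Vlan{plan['vlan']}",
                    f" ip address {plan['access']} {plan['uplink'].netmask}", "!",
                    f"ip route 0.0.0.0 0.0.0.0 {plan['vip']}"]

def check_plans(plans):
    """Cores carry every uplink VLAN and route every subnet: nothing may collide."""
    vlans = [p["vlan"] for p in plans]
    if len(set(vlans)) != len(vlans):
        raise ValueError("duplicate uplink VLAN id")
    nets = [n for p in plans for n in (p["uplink"], *p["nets"].values())]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True

if __name__ == "__main__":
    # Constructed input: buildings 3 and 4, VLANs from the thread's example.
    b3 = building_plan(3, {110: "10.3.110.0/24", 111: "10.3.111.0/24"})
    b4 = building_plan(4, {110: "10.4.110.0/24", 111: "10.4.111.0/24"})
    check_plans([b3, b4])
    print("\n".join(core_config(b3, 1) + ["!", "! --- 3560 ---"] + access_config(b3)))
```

VLAN 110 can repeat in every building because it never leaves that building's 3560; only the uplink VLAN and the subnets have to be unique across the cores.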

One more quick question. Since two interfaces will be assigned to the VLAN that is routing back to the core would this create a routing loop?
