Campus LAN Access-Distribution design

Answered Question
Jul 28th, 2010

I am struggling with a couple of people on designing a new campus in regards to layer 2 and spanning tree.  We have an established distribution layer with dual 6509 chassis that are interconnected with a layer 2 trunk.  The access closets are dual connected, one to each distribution switch.  Where I am struggling is with their decision to have the voice and data vlans from each access switch trunked on the interconnect between the two distribution switches, as well as the two uplinks from the access switch.  Each vlan is unique per closet so they do not reside in other access switches in the campus.  Currently one of the two uplinks is blocking on STP at the access switch.  Their argument is that since it is Rapid PVST that this is an ok design given the recovery would be 200ms in the event the non blocking uplink fails and the blocked uplink starts to forward the VLAN traffic.  My thought process is to remove the VLANs from the distribution interconnection and thereby have no need for any blocking and STP setup as a safeguard.  I have yet to find any design guides that recommend having an active STP in the dist/access layer.  We are running IP phones in this model and my concern is how they will react in the design with Rapid PVST actively blocking.  Layer 3 routing is on both dist switches with HSRP.


Am I missing something with their design?

Reza Sharifi Wed, 07/28/2010 - 08:08

Since this is a new design and you are using 6500 in the distro, you may want to look into using VSS.  Have a look at this link for some good info:


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html


With VSS, you don't have to worry about STP in your distro layer and no need for VRRP or HSRP since the 2 6500s logically become one.


HTH

Reza

m-martynowski Wed, 07/28/2010 - 08:23

We are looking at VSS long term, unfortunately the current distribution layer is in existence with 60+ access closets on it.  We had to run a layer 2 trunk between the two distribution switches due to a small number of vlans that span multiple access switches.  The majority of vlans are unique to each access switch.  Right now they have all vlans going between the trunk on the distribution switches.  Thus all closet vlans are blocking on one uplink due to STP.  I am looking for some guidance on best practice.  I know we have to keep the layer 2 in the equation between the two disti switches, but if the vlan is unique to an access switch and not present anywhere else on the campus would not best practice dictate removing it from the trunk between the two disti switches thus creating a V design between disti and access allowing both uplinks to be forwarding on the access layer?  Thanks

Reza Sharifi Wed, 07/28/2010 - 08:50

Since you have unique vlans per access closet, then the best practice is to have a layer-3 link between your 2 distro layer switches.  This way there are no layer-2 loops and no blocked links.


HTH

Reza

Jon Marshall Wed, 07/28/2010 - 09:32

You can do this, i.e. remove the vlan from the interconnect link between the distro switches and then both access-switch uplinks will be forwarding. Bear in mind that your HSRP messages then have to go via the access-layer switch because HSRP requires L2 adjacency and you have removed the direct path between the 2 distro switches by removing that vlan from the trunk link.


I have seen this setup when the interconnect between the 2 distro switches is a L3 routed link and the uplinks are L2 to the access-layer switches. Bear in mind if the access-layer switch fails then both distro switches will go active with HSRP. If the vlan is restricted to that one switch then it really doesn't matter I guess as no traffic will be passing via HSRP in that vlan.


Personally I would use Rapid-PVST+ and if you only have one vlan per switch then you don't even need to make the uplinks trunks. If you have a management vlan as well then yes make them trunks and use the "switchport trunk allowed vlan ..." command to limit the vlans allowed on that trunk and hence the spread of STP.


If you can get to the stage where you do not need to span vlans across multiple access-layer switches I would look at a L3 routed design from the access-layer or VSS as Reza suggested.


Having said all that if you absolutely want to get rid of STP in the sense of blocking ports you could indeed do what you are proposing.


Jon
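The pruning question discussed above can be checked per VLAN before any trunk is touched. The following is an added example, not part of the original thread: it takes the allowed-VLAN list of each trunk and reports which VLANs currently form a layer 2 loop (so STP must block a port) and which are unique to one closet and can be removed from the distribution interconnect. Switch names, VLAN IDs and the `TRUNKS` layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: allowed VLANs per trunk (names and VLAN IDs are hypothetical).
TRUNKS = {
    ("dist1", "dist2"): {10, 110, 20, 120, 900},  # distribution interconnect
    ("acc1", "dist1"): {10, 110, 900},
    ("acc1", "dist2"): {10, 110, 900},
    ("acc2", "dist1"): {20, 120, 900},
    ("acc2", "dist2"): {20, 120, 900},
}
INTERCONNECT = ("dist1", "dist2")


def has_loop(links):
    """Union-find cycle check: True if the links carrying one VLAN form a loop."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in links:
        ra, rb = find(a), find(b)
        if ra == rb:
            return True  # both ends already connected: this link closes a loop
        parent[ra] = rb
    return False


def audit(trunks, interconnect):
    """Per VLAN: loop today, prunable from the interconnect, loop after pruning."""
    per_vlan = defaultdict(list)
    for link, vlans in trunks.items():
        for vlan in vlans:
            per_vlan[vlan].append(link)
    report = {}
    for vlan, links in sorted(per_vlan.items()):
        access = {n for link in links for n in link if n not in interconnect}
        # Prunable: on the interconnect but present on only one access switch.
        prunable = interconnect in links and len(access) <= 1
        remaining = [l for l in links if l != interconnect] if prunable else links
        report[vlan] = {"loop": has_loop(links), "prunable": prunable,
                        "loop_after_prune": has_loop(remaining)}
    return report
```

For a prunable VLAN the only layer 2 path left between the two distribution switches runs through the access switch, which is the HSRP adjacency point raised in the reply above.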

Mohamed Sobair Wed, 07/28/2010 - 11:37

I strongly agree with Jon's reply on this, and I suggest you look at Campus routed Access design based on your previous description.


You will ensure fast convergence with this design unless you are limited to features on the Access switches. If so, then I would remove the Routed layer at the distribution leaving layer-2 between the Access and Distribution.



HTH

Mohamed

m-martynowski Wed, 07/28/2010 - 14:33

First off, thank you for your comments, very helpful.  Unfortunately we are stuck with a layer 2 trunk between the disti switches with some vlans spanning multiple access switches.  So I must deal with spanning tree in some capacity.  Like I said earlier, we are looking at VSS moving forward but have to deal with this in the interim.   Jon, you had a statement I would like to discuss:


1.  The access closets actually have multiple vlans (i.e. one for voice, one for data, one for security, etc.) so there will be 3-4 unique VLANs per access switch on the majority of access switches so I will need to trunk them to disti.  You mentioned Rapid PVST+ as a solution.  Are you indicating that you would have the vlans on both uplinks and the trunk between disti and have Rapid PVST+ handle the blocking?  If so what would the recovery time be if the non-blocking uplink failed and the uplink that had the VLAN in blocking mode went forwarding?  Or am I misunderstanding how Rapid PVST+ works?


Given we have to deal with layer 2 in the disti connection, I am just trying to figure out the best way to support IP phones in the access layer from a recovery standpoint.  Either have STP active or use the "V" solution with STP configured but not active given no loop.  Thanks again for your comments.

Correct Answer
Jon Marshall Wed, 07/28/2010 - 15:01

Okay so the links are trunk links.


Yes I was suggesting running Rapid-PVST+ and having one of the uplinks blocked by STP. Failover time for a major failure with Rapid-PVST+ is about 1 - 2 seconds but I would suggest testing.  If these times are not good enough for your VOIP setup then yes the only other way would be to remove the vlan from the distro interconnect and have both uplinks forwarding.


Quicker failover than Rapid-PVST+ can be achieved with EIGRP/OSPF but as we have already discussed this cannot be done within your network at present.


Jon

m-martynowski Wed, 07/28/2010 - 18:59

Thanks for your input Jon and others.  Looks like it is time to create in the lab and test the overall effect of both scenarios.
