Point-to-Point Requirement 802.1q trunking

Unanswered Question
May 26th, 2012

Cisco documentation says that trunks (802.1q as well as ISL) are point-to-point connections and I already found a discussion about that:

https://supportforums.cisco.com/message/161538#161538

We have a similar request by our customer who wants to use layer-2 crypto boxes in a so-called point-to-multipoint mode in order to connect 2 sites redundantly and cryptographically secured.

Each of our switches will have a (p2p) connection to one crypto box and all of the boxes together act like a single switch, in other words: we have something like a single LAN connecting our switches.

Actually we're still in the planning phase and discussing the use of tagged frames to be more flexible in case of changing demands.

I can't think of a reason why this shouldn't work. Of course we will run full duplex mode and fixed configuration (no DTP).

Am I overlooking something?


Thanks,

Rolf

Sergey Fer Sat, 05/26/2012 - 07:02

It is much like a situation when you are connecting a number of switches to a hub using trunk ports. 802.1Q itself will work. Why not? But, of course, you need to consider a number of additional things:

- CDP, probably, will start crowding

- VTP may be also...

- DTP will not work (and you are right - it must be off)

- STP... probably you will get a nightmare with it

- LACP/PAGP - I do not know, it depends...


There exist a number of technologies that allow spanning VLANs through a tunnel (OTV for example). Your crypto box, I think, implements one of such technologies.

Rolf Fischer Sun, 05/27/2012 - 02:03

Sergey,

thanks for the answer.

That's what I think too, just while discussing possible solutions a colleague had doubts whether trunks would work in that "multipoint" environment.

Btw: STP won't be that bad - we'll allow only the VLAN we need for routing protocol communication and that one will be loop-free.

Sergey Fer Sun, 05/27/2012 - 02:30

Good luck

You need to consider that, for example, RSTP automatically assigns the P2P type to any port that is in full duplex state. This means that in a multipoint environment it will be confused... It doesn't matter how many VLANs you allow in the trunks. So you are to turn STP off altogether.

Rolf Fischer Sun, 05/27/2012 - 08:29

Indeed, until now I didn't consider this.

And setting the interfaces to STP link type "shared" means eliminating fast transition.

So we'll have to think about that too.


I don't like the idea of disabling STP and I'm sure my colleagues don't either.


Another option discussed was the use of routed ports. SVIs just seemed to be a more flexible solution at first.


In any case I now have some new stuff for a decision memo...


Thanks once again,

Rolf

Sergey Fer Sun, 05/27/2012 - 09:18

Routed ports are in fact untagged, so there you will not have any troubles, of course. Using STP here may be tricky also in some other cases. You need to consider that RPVST is in fact not RSTP in every VLAN. It is a special protocol that uses special L2 multicast addresses and that is compatible with RSTP. For a spanning tree to be built in any VLAN you need to properly send traffic in VLAN 1. I do not know, of course, how your crypto box works and whether it will send L2 MCast properly...
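The two Sergey Fer answers above (the list of link-local protocols that behave differently behind a multipoint crypto cloud, and the remark that RPVST+ uses its own L2 multicast address rather than plain RSTP per VLAN) can be checked concretely on a capture. The following is an added example, not code from this thread or from Cisco: it parses 802.1Q tagged and untagged frames, recognises the IEEE BPDU address, the Cisco SNAP-based protocols (CDP, VTP, DTP, PAgP, PVST+/RPVST+ BPDUs) and LACP by their well-known destination MACs and SNAP protocol ids, and then flags any control protocol for which a single port hears more than one neighbour, which is exactly the "multipoint" condition that confuses RSTP's full-duplex-means-P2P assumption. The sample frames are constructed here; the switch MACs and BPDU payload stub are made up.

```python
import struct
from collections import defaultdict

DOT1Q_TPID = 0x8100
ETH_SLOW_PROTOCOLS = 0x8809                      # IEEE 802.3ad slow protocols (LACP)

# Well-known link-local destination MACs of the protocols discussed in the thread
IEEE_BPDU_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D/802.1w BPDUs (always untagged)
IEEE_SLOW_MAC = bytes.fromhex("0180c2000002")   # LACP
CISCO_CTRL_MAC = bytes.fromhex("01000ccccccc")  # CDP, VTP, DTP, PAgP (SNAP PID tells them apart)
CISCO_PVST_MAC = bytes.fromhex("01000ccccccd")  # PVST+/RPVST+ per-VLAN BPDUs (tagged per VLAN)
CISCO_OUI = bytes.fromhex("00000c")
CISCO_SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
                   0x0104: "PAgP", 0x010B: "PVST+ BPDU"}


def ieee_llc(body: bytes) -> bytes:
    """LLC header used by IEEE BPDUs: DSAP/SSAP 0x42, UI control field."""
    return b"\x42\x42\x03" + body


def cisco_snap(pid: int, body: bytes) -> bytes:
    """LLC/SNAP header with the Cisco OUI, as used by CDP/VTP/DTP/PAgP/PVST+."""
    return b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + body


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan=None, ethertype=None, pcp=0) -> bytes:
    """Ethernet frame with optional 802.1Q tag; 802.3 length field when no EtherType is given."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", DOT1Q_TPID, (pcp << 13) | (vlan & 0x0FFF))
    type_or_len = ethertype if ethertype is not None else len(payload)
    return header + struct.pack("!H", type_or_len) + payload


def parse_frame(frame: bytes) -> dict:
    """Return destination, source, VLAN id (None if untagged) and the control protocol carried."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if etype == DOT1Q_TPID:                          # 802.1Q tag: TCI = PCP(3) | DEI(1) | VID(12)
        tci = struct.unpack_from("!H", frame, 14)[0]
        vlan = tci & 0x0FFF
        etype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    protocol = "data"
    if etype <= 1500:                                # 802.3 length field: an LLC header follows
        llc = frame[offset:offset + 3]
        if llc == b"\x42\x42\x03" and dst == IEEE_BPDU_MAC:
            protocol = "IEEE STP/RSTP BPDU"
        elif llc == b"\xaa\xaa\x03" and frame[offset + 3:offset + 6] == CISCO_OUI:
            pid = struct.unpack_from("!H", frame, offset + 6)[0]
            protocol = CISCO_SNAP_PIDS.get(pid, "Cisco SNAP 0x%04x" % pid)
        else:
            protocol = "LLC"
    elif etype == ETH_SLOW_PROTOCOLS and dst == IEEE_SLOW_MAC:
        protocol = "LACP"
    return {"dst": dst.hex(), "src": src.hex(), "vlan": vlan, "protocol": protocol}


def multipoint_protocols(frames) -> list:
    """Control protocols for which this one port hears more than one neighbour.
    On a true point-to-point trunk every link-local protocol has exactly one peer;
    several source MACs behind one port is the multipoint situation the thread warns about."""
    sources = defaultdict(set)
    for f in frames:
        p = parse_frame(f)
        if p["protocol"] != "data":
            sources[(p["protocol"], p["vlan"])].add(p["src"])
    return sorted({proto for (proto, _vlan), s in sources.items() if len(s) > 1})


# Constructed sample: one trunk port toward the crypto cloud, three peer switches behind it.
SW_A, SW_B, SW_C = (bytes.fromhex("00112233440%d" % i) for i in (1, 2, 3))
BPDU_STUB = b"\x00\x00\x02\x02" + b"\x00" * 32         # protocol id 0, version 2, RSTP BPDU type


def sample_frames() -> list:
    return [
        build_frame(IEEE_BPDU_MAC, SW_A, ieee_llc(BPDU_STUB)),                      # untagged IEEE BPDU
        build_frame(CISCO_PVST_MAC, SW_A, cisco_snap(0x010B, BPDU_STUB), vlan=10),  # RPVST+ BPDUs, VLAN 10,
        build_frame(CISCO_PVST_MAC, SW_B, cisco_snap(0x010B, BPDU_STUB), vlan=10),  # from three different peers
        build_frame(CISCO_PVST_MAC, SW_C, cisco_snap(0x010B, BPDU_STUB), vlan=10),
        build_frame(CISCO_CTRL_MAC, SW_B, cisco_snap(0x2000, b"\x02\xb4\x00\x00")),  # CDP from two peers
        build_frame(CISCO_CTRL_MAC, SW_C, cisco_snap(0x2000, b"\x02\xb4\x00\x00")),
        build_frame(IEEE_SLOW_MAC, SW_A, b"\x01\x01\x14" + b"\x00" * 20, ethertype=ETH_SLOW_PROTOCOLS),  # LACP
        build_frame(b"\xff" * 6, SW_B, b"\x45" + b"\x00" * 19, vlan=20, ethertype=0x0800),               # tagged data
    ]


if __name__ == "__main__":
    for f in sample_frames():
        print(parse_frame(f))
    print("protocols with more than one neighbour on this port:", multipoint_protocols(sample_frames()))
```

Run it as is and it reports CDP and the RPVST+ BPDUs on VLAN 10 as arriving from several neighbours, while the IEEE BPDU and LACP still look point-to-point; fed with a real capture from the trunk port (for instance via a SPAN session) the same function shows which of the protocols listed above actually see the crypto cloud as a shared segment, which is the input needed for the link-type and STP decision discussed in the thread.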
