How to manage a "standalone" group of 3550 switches

jason.bailey
Level 1

Hey all,

I have a problem with managing a network of stacked 3550 switches. This network needs to be separated from the rest of the Campus, for application requirements. So I have created a separate backbone across closets with 3550 switches connected together via redundant GBICs.

Although this network is physically separate, I still need to monitor the devices for faults using CiscoWorks or minimally Syslog, SNMP traps, etc. I have considered connecting one or each switch to my main campus with a port and only allowing my management VLAN 1 on the link. However, even though I am using a separate VTP domain for the network, is there any possibility of spanning-tree loops or other STP/VTP issues causing instability of this separate network when I connect it? Also, will VLAN 1 on the different VTP domains talk to each other?

Thanks in advance!

Cheers,

-Jason

1 Reply 1

konigl
Level 7

If you have two separate VTP domains, one for the main campus and the other for this unique application, then creation and deletion of VLANs in one VTP domain will not propagate to the other.

If you connect a patch cable between the two networks, and that patch cable connects to a VLAN access port at each end, then traffic will be bridged between the two VTP domains for those connected VLANs only. If you make it VLAN 1, your management VLAN, on both sides, then you can assign IP addresses on that VLAN and monitor those switches as though they were a part of your network. (Which they will be, for switch management purposes only.)

If you connect a patch cable between the two networks, and that patch cable connects to a VLAN trunk port at each end, then traffic will be bridged between the two VTP domains for those VLANs whose tag numbers exist on both ends of the connection. (Also, if you use 802.1Q tagging, the untagged or native VLANs on the two connected ports will also be bridged together. It's a really good idea to make them both the same VLAN number; or, less common, create a "dummy" VLAN in each VTP domain, and assign no access ports to it, just use that VLAN as the native VLAN at each end of the inter-VTP-domain VLAN trunk. The VLAN numbers wouldn't even have to match, because it's not going to be used for actual transport of anything.)

Spanning Tree loops will only come into play if you have two or more connections from your campus network to this special application network. Normal STP rules apply, that is, per-VLAN; STP is ignorant of VTP domains, so whatever VLANs you connect between domains will be involved in the STP calculations.

If you want to make sure none of the switches in the special application VTP domain ever become the root bridge or switch for any VLAN of your campus network, a simple solution is to run Spanning-Tree UplinkFast on each of the "special" switches. This will give each one of them a bridge priority of 49152 (default is 32768; the lower the number, the more likely it is to be elected root bridge or switch per-VLAN). NOTE: This will not preclude them from being elected root bridge or switch for VLANs which exist exclusively in the "special application" VTP domain; in fact, you would want a switch in the "special" network to be the root bridge for that network's VLANs.

VLAN 1 in two different VTP domains will talk to one another if connected. Also, if you have a VLAN trunk making the connection, VLAN 1 is the only VLAN you CANNOT prune off the link. This is the VLAN that the switches use to communicate VTP information across VLAN trunks. (VLAN access ports do not communicate VTP information.)

Hope this helps.
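The root-bridge behaviour described in the reply above can be checked with a small model. This is an added example, not part of the original thread and not Cisco code: the `Switch` class, the switch names, the MAC addresses and the VLAN numbers 10 and 100 are constructed, and the model assumes every switch in a VLAN's STP instance is reachable, so only the bridge ID (priority, then MAC) decides the root.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768      # default bridge priority, per the reply
UPLINKFAST_PRIORITY = 49152   # priority the reply gives for UplinkFast switches

@dataclass(frozen=True)
class Switch:                 # hypothetical model, not a Cisco API
    name: str
    domain: str               # VTP domain; the election below never reads it
    mac: str                  # tie-breaker half of the bridge ID
    vlans: frozenset
    uplinkfast: bool = False

    @property
    def bridge_id(self):
        prio = UPLINKFAST_PRIORITY if self.uplinkfast else DEFAULT_PRIORITY
        return (prio, self.mac.lower())   # lowest tuple wins the election

def roots(switches, bridged_vlans):
    """Map (scope, vlan) -> root name. A bridged VLAN is one STP instance
    spanning both domains ("shared"); any other VLAN stays inside its domain."""
    instances = {}
    for sw in switches:
        for vlan in sw.vlans:
            scope = "shared" if vlan in bridged_vlans else sw.domain
            instances.setdefault((scope, vlan), []).append(sw)
    return {k: min(m, key=lambda s: s.bridge_id).name for k, m in instances.items()}

def foreign_roots(switches, bridged_vlans, special_domain):
    """Bridged VLANs whose root bridge ended up in the special domain."""
    domain_of = {s.name: s.domain for s in switches}
    return sorted(vlan for (scope, vlan), root in roots(switches, bridged_vlans).items()
                  if scope == "shared" and domain_of[root] == special_domain)

def build(uplinkfast):
    """Constructed sample: two campus and two special switches (made-up MACs)."""
    return [
        Switch("campus-1", "CAMPUS", "00:0a:00:00:00:10", frozenset({1, 10})),
        Switch("campus-2", "CAMPUS", "00:0a:00:00:00:20", frozenset({1, 10})),
        Switch("special-1", "SPECIAL", "00:01:00:00:00:10", frozenset({1, 100}), uplinkfast),
        Switch("special-2", "SPECIAL", "00:01:00:00:00:20", frozenset({1, 100}), uplinkfast),
    ]

if __name__ == "__main__":
    for uf in (False, True):
        sw = build(uf)
        print("uplinkfast =", uf, roots(sw, {1}), "foreign roots:", foreign_roots(sw, {1}, "SPECIAL"))
```

With default priorities the special switch with the lowest MAC takes the root role for the bridged VLAN 1; with the raised priority the campus keeps it, while VLAN 100, which exists only in the special domain, still elects a special switch.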