We currently have 3 sites connected by a VPLS network, 1 HQ and 2 remote offices. All sites are connected by a single link into the VPLS using a dedicated SVI on the terminating switch for the VPLS network - VLAN 10 - 192.168.10.x. OSPF is running on the VPLS interfaces in area 0.
We are planning to add a second VPLS link to our HQ office for redundancy and I need to work out the best way to configure the switches. If I add the second switch with a trunk to the first, create a new SVI in VLAN 10 on the new switch and connect to the VPLS, I assume a loop will form and block one of the VLAN 10 interfaces, see attached (I can manipulate STP to block the second VPLS link instead of VLAN 10 on the trunk). If the primary link fails then the second VPLS will start forwarding.
Is this an acceptable design for VPLS and has anyone had any experiences with this type of setup?
I did consider changing the VPLS interfaces to routed interfaces or disabling VLAN 10 on the trunk to prevent STP but remembered that we have firewalls attached to the HQ switch in the VPLS network providing a default route for all sites. Is it recommended to have firewalls in area 0 or should these be moved to a separate subnet in a separate area?
When you bring up your second link let your SP know about the setup. Your SP should run STP on their u-PEs, then it shouldn't be a problem as STP will look after the loop problem. This is a common setup that you have where the customer has a backdoor trunk between the switches at a particular site.
You can place the FWs in the same area, that shouldn't be a problem.
If you will run OSPF, why not use it to provide backup? You can have trunk links between switches and STP will take care of loops (make sure the management VLAN is the same on both switches), then create a static route pointing to the backup path you want to have and change the AD (greater than the OSPF AD) for the static route. OSPF will use the main link and if it goes down then the static route will be added to the routing table.
I will configure the new switch with a VLAN 10 SVI and a trunk between the switches. I will let the ISP know this and hopefully STP will block the secondary link.
I will still be using OSPF to provide redundancy in the event that one of the switches fails. I assume that even though one of the VPLS links is blocked, both HQ switches will still appear in VLAN 10 and will maintain an active OSPF adjacency with all of the VPLS switches.
One other question: as the remote offices only have a single link into the VPLS, is it recommended to filter BPDUs on the remote switch VPLS interfaces?
The ports facing the VPLS will just be access ports configured in VLAN 10. If I configure BPDU guard on these ports, won't they go into error disable when they receive BPDUs over the VPLS from the HQ switches, which have to participate in STP?
An access port should not receive BPDUs, and BPDU guard protects that switch from going into trunking mode if it receives a BPDU (usually if you have RSTP running a port changes from access to trunking if it receives a BPDU).
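An added Cisco IOS configuration sketch (not from the thread's posters) for the second HQ switch described above: the VLAN 10 SVI, the backdoor trunk, the STP cost bump that makes the secondary VPLS port rather than the trunk the blocked port, and the floating static route from the OSPF reply. Hostname, interface numbers, the SVI address and the backup next hop are assumed placeholders; VLAN 10 and 192.168.10.x come from the thread.

```cisco
! --- HQ switch 2 (hostname and interface numbers are assumptions) ---
hostname HQ-SW2
!
vlan 10
 name VPLS
!
! SVI in the VPLS subnet so this switch forms its own OSPF adjacencies
! (192.168.10.3 is a constructed address in the thread's 192.168.10.x range)
interface Vlan10
 ip address 192.168.10.3 255.255.255.0
!
! Secondary VPLS link: access port in VLAN 10. Raising the STP port cost well
! above the trunk's cost makes STP block this port, not the VLAN 10 trunk,
! when the loop HQ-SW1 <-> VPLS <-> HQ-SW2 <-> trunk appears.
interface GigabitEthernet1/0/1
 description Secondary VPLS link (assumed port)
 switchport mode access
 switchport access vlan 10
 spanning-tree cost 1000
!
! Backdoor trunk to HQ-SW1; VLAN 10 must stay allowed on it so both HQ
! switches keep their adjacencies even while the secondary VPLS port is blocked
interface GigabitEthernet1/0/24
 description Trunk to HQ-SW1 (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
!
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
!
! Floating static from the OSPF reply: AD 120 is higher than OSPF's 110, so it
! stays out of the routing table until the OSPF-learned default disappears.
! 192.168.10.254 is a placeholder for whatever backup next hop you choose.
ip route 0.0.0.0 0.0.0.0 192.168.10.254 120
!
! Checks after cut-over (no expected output shown; verify on your own gear):
!   show spanning-tree vlan 10      -> Gi1/0/1 should be Altn/BLK, trunk FWD
!   show ip ospf neighbor           -> all VPLS peers FULL via Vlan10
!   show ip route 0.0.0.0           -> OSPF default present, static only on failure
```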