Solved: Why the port of the vlan 20

vd123_cisco · ‎10-07-2014

Hello Everyone,

I would like to get some clarification on the following scenario.

We have two sites which are connected point to point. The switches which connect these sites are managed by our service provider.

Our core switch will be directly connected to service provider switch with an access port (10GB) but there is no redundancy from our core switch to service provider's switch. They would like us to connect another link (2 x 1GB port-channel) to their switches until we get the second 10Gb link which will port-channeld with the 10GB link (2 x10GB). Please see the attached diagram for more details.

On our core switch, we have vlan10 configured which has a SVI 192.168.10.1. The 10GB port connected to the service provider switch is an access port in vlan 10. The service provide switch has vlan 20 configured with SVI 192.168.10.2 and the ports connected to our core switch is an access port.

My question is would there a loop if I connect the second port (2GB link) to their switch? or if the service provider switch with vlan 20 has lower priority than ours then it will become the root our vlan10?

I am guessing if we enable BPDU filter on our core switches then it will create a loop? is that right?

is it better to have only layer 3 connection and disable BPDUs on the ports connected to the service provider switch.

Really appreciate you help.

Thanks

Jay

milan.kulik · ‎10-08-2014

Hi,

IMHO:

As it's impossible to include 1 GB and 10 GB lines into a single Ethernhannel, the new line will work as a backup connection only anyway.

So if you want to add a second L2 connection (2 x 1GB port-channel) to your provider, you need STP running to break the loop.

At the moment you you enable STP on the links (both sides), either the IPS switch will become a root within your VLAN 10 STP or your switch will become a root within the ISP's VLAN20.

It possibly happened already? (If not, the ISP might be blocking BPDUs on his side?)

If you want to keep your STP separated, you could wait for the second 10GB line

and create an Etherchannel of 2x10GB with BPDUs blocked.

That should also work if configured correctly on both sides.

But in the meantime you will have no backup line.

Another possibility would be creating two pure L3 connections to the ISP and configuring some load-balanciong over them (using OSPF, e.g.).

But that would require a total redesign of your connection, I'm afraid?

BR,

Milan

View solution in original post

milan.kulik · ‎10-09-2014

Hi Jay,

I'd say Yes, you are correct in your understanding.

Only regarding the BPDU system ID:

If extended system ID is used, then the VLAN number is also used for the calculation also on access ports.

Read a nice explanation here:

https://learningnetwork.cisco.com/thread/21718

Best regards,

Milan

View solution in original post

Walter Astori · ‎10-08-2014

Why the port of the vlan 20 (switch ISP) and the port of the vlan 10 are in access mode ?

The STP between two switch is active when there are more than one connession between it. In the diagram i see that there is only one connession.

vd123_cisco · ‎10-08-2014

Hi Walter,

Apologies, I should have been more specific. I have updated the original post.

The 10Gb link shown in the diagram is not connected yet. It is just we have realised that there is no redundancy for the 10GB link. we have been advised to have another 2GB link from our core to their switch which they say will be blocked by spanning tree. I would like to understand how is spanning tree going to block that.

will there be chance that the SP switch can become the root bridge for vlan 10 even though the vlan is not configured SP switch? vLAN 20 can become the root for vlan 10?

Regards,

Jay

Walter Astori · ‎10-08-2014

I think that you must configure root vlan 10 primary in one switch and root vlan 10 secondary in another switch.

milan.kulik · ‎10-08-2014

Hi,

if you connect your switch access port assigned to VLAN 10 to an access port on ISP switch assigned to VLAN 20 (your case, I guess) you are creating a common VLAN10_20 in fact.

Remember: Data frames are not tagged with any VLAN IDs when sent out from access ports and also STP BPDUs are not!

So there will be one common STP tree spread over both VLANs in such a case with a single root switch!

Am I clear here?

BR,

Milan

vd123_cisco · ‎10-08-2014

Hi Milan,

Thank you for your reply.

Really appreciate your assistance.

so when the BPDUs are sent from our core switch, it wont have any vLAN id attached to it? is that right?

This means that when the SP switch receives the BPDU it will put the packet in its vLAN 20 and if the root bridge priority on SP switch is lower than our core switch then it will become the root and our core switch would see SP switch as a root for vLAN 10. is that right?

Another question, when the BPDUs are sent from our core to the SP switch, what system ID would it have? system ID would be priority + vLAN and since the port is not tagging the vLAN id, would it just have the priority and mac address and the vLAN id would be 0.

Correct me if I am wrong here, usually you wouldn't send the STP information from your environment to the SP and vice versa.

I guess if we go ahead with this design it will only affect one vLAN 10. The root would be either SP switch or our core switch. It would not affect any other vLANs as it is only a access port, for e.g I can vlan 20(root) in my environment and this would not affect SP switch? is that right?

Thank you,

Jay

milan.kulik · ‎10-09-2014

Hi Jay,

I'd say Yes, you are correct in your understanding.

Only regarding the BPDU system ID:

If extended system ID is used, then the VLAN number is also used for the calculation also on access ports.

Read a nice explanation here:

https://learningnetwork.cisco.com/thread/21718

Best regards,

Milan

vd123_cisco · ‎10-20-2014

Hi Milan,

Apologies for the late reply.

yes, you are correct and thank you for the information.

Regards,

Jay

milan.kulik · ‎10-08-2014

Hi,

IMHO:

As it's impossible to include 1 GB and 10 GB lines into a single Ethernhannel, the new line will work as a backup connection only anyway.

So if you want to add a second L2 connection (2 x 1GB port-channel) to your provider, you need STP running to break the loop.

At the moment you you enable STP on the links (both sides), either the IPS switch will become a root within your VLAN 10 STP or your switch will become a root within the ISP's VLAN20.

It possibly happened already? (If not, the ISP might be blocking BPDUs on his side?)

If you want to keep your STP separated, you could wait for the second 10GB line

and create an Etherchannel of 2x10GB with BPDUs blocked.

That should also work if configured correctly on both sides.

But in the meantime you will have no backup line.

Another possibility would be creating two pure L3 connections to the ISP and configuring some load-balanciong over them (using OSPF, e.g.).

But that would require a total redesign of your connection, I'm afraid?

BR,

Milan

Spanning-tree question