LAN to LAN peering and spanning-tree

dazni (Level 1)

Hello,

We would like to create a "LAN to LAN peering" between our infrastructure (Site A) and our partner's infrastructure (Site B).
The link between us will be an optical fiber connection between both switches (SW-A and SW-B) and will carry a VLAN (ID 99) to the firewalls, where a Layer 3 interface will be created to handle the traffic between the two sites.

[Diagram: lan-to-lan.png]
We want to prevent any spanning tree issue when connecting both LANs to each other (spanning tree topology recalculation, root bridge changing...).

What would be the recommendations for this kind of architecture, please?

Disabling spanning tree on the Gi1/1 ports with a BPDU filter?
Using BPDU Guard/Root Guard? (But with this feature I suppose each interface will be in an error-disabled state, as the BPDU frames will be detected on both sides.)

Thank you.
Regards,
Dazni

20 Replies

It could be a solution, yes, but I don't have many interfaces on the firewall. For now we'll only be connected to this partner, so I could connect his infrastructure directly to the firewall, but in the near future we'll need to add another peering with another partner; that's why I'm thinking about this diagram with a switch before the firewall.

A switch will be used as a dedicated switch for this kind of peering. With this config, I'll only need one physical interface on the firewall (or two if I want to create an LACP bundle) and I'll just have to create subinterfaces on the firewall for each partner's VLAN:

[Diagram: lan-to-lan2.png]

Again, forgive my little info about the InterConnect DC, but I try to help you with the best design.
Are all Sites within the same geographic location? If yes,
then the FW will separate the L2 traffic, inspect it for security, then resend it to the other Site.
For example, NAS1 and NAS2 send L2 frames to each other:
the SW has a port in VLAN X (used by the NAS) pointing to the ASA; the ASA will inspect the traffic and re-write the VLAN to VLAN 99 (this interconnects the DC sites), then the traffic goes to the ASA of the other DC site,
where the ASA inspects the traffic and re-writes the VLAN back to VLAN X.
Here both NAS see it as if they are both connected to the same subnet.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.html

Please read this doc. It mentions which frames can pass through the ASA ("allowed by default").

The traffic between the two NAS has to go directly from NAS A to NAS B, without going through the firewall, because it is not sized to handle that much traffic. That's why we are adding this interconnect between the sites.
Site A and Site B are in the same datacenter but not the same data hall.

Please find below the diagram updated with the 2 NAS (VLAN 98). The traffic will go from NAS A to NAS B via switch A to switch B:

[Diagram: lan-to-lan3.png]

Hello
The link does not have to be a trunk if it's only carrying a single VLAN; however, if you want to carry multiple VLANs eventually then it has to be a trunk, but just allow specific VLANs to traverse it. You could in fact just make up a couple of new VLAN IDs for that connection, as such STP won't loop, since they won't be carried anywhere else within the STP environments.
If you have VTP active, I would recommend manually pruning the new VLANs off any other trunks where they are not required.

As for STP, are the switches running the same STP mode?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
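Paul's recommendations put into an interface configuration for the SW-A side of the peering port, as an added example rather than configuration from this thread. Gi1/1 and VLANs 98/99 come from the diagrams; the Cisco IOS syntax, the VLAN names and the unused native VLAN 999 are assumptions. The trailing comments contrast this with the BPDU filter / BPDU guard options raised in the original question.

```cisco
! Constructed example for SW-A (mirror it on SW-B with the matching description).
! Assumes Cisco IOS and that VLANs 98/99 exist on both sides only for this peering
! and are carried on no other trunk, so the partner's STP domain stays isolated.
vlan 98
 name PEERING-NAS
vlan 99
 name PEERING-FW-L3
!
! VTP is disabled in this thread; transparent mode keeps it that way, so partner
! VLANs can never be learned or propagated through this switch.
vtp mode transparent
!
interface GigabitEthernet1/1
 description Peering link to partner SW-B
 ! Static trunk, no DTP negotiation toward a switch we do not administer.
 switchport mode trunk
 switchport nonegotiate
 ! Assumed unused VLAN as native, so nothing untagged can leak across the link.
 switchport trunk native vlan 999
 ! Only the peering VLANs cross the link; everything else is pruned here.
 switchport trunk allowed vlan 98,99
 ! Root guard: if the partner switch ever sends a superior BPDU, this port goes
 ! root-inconsistent (blocked) and recovers on its own when the BPDUs stop.
 ! Our root bridge cannot move to the partner side, and STP still sees the link.
 spanning-tree guard root
!
! Not used on this link, for comparison with the original question:
!  spanning-tree bpdufilter enable  -> drops BPDUs, removes STP loop protection
!  spanning-tree bpduguard enable   -> err-disables the port on the first
!                                      BPDU the partner switch sends
```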

Hello,
Yes, both switches are running RSTP mode. VTP isn't enabled.
