05-26-2012 05:47 AM - edited 03-07-2019 06:55 AM
Cisco documentation says that trunks (802.1q as well as ISL) are point-to-point connections and I already found a discussion about that:
https://supportforums.cisco.com/message/161538#161538
We have a similar request by our customer which want to use layer-2 crypto boxes in a so called point-to-multipoint mode in order to connect 2 sites redundantly and cryptographically secured.
Each of our switches will have a (p2p) connection to one crypto box and all of the boxes together act like a single switch, in other words: We have something like a single LAN connecting our Switches.
Actually we're still in the planning phase and discussing the use of tagged frames to be more flexible in case of changing demands.
I can't think of a reason why this shouldn't work. Of course we will run full duplex mode and fixed configuration (no DTP).
Am I overlooking something?
Thanks,
Rolf
05-26-2012 07:02 AM
It is much like a situation when you are connecting a number of switches to a hub using trunk ports. 802.1Q itself will work. Why not? But, of course, you need to consider a number of additional things:
- CDP, probably, will start crowding
- VTP may be also...
- DTP will not work (and you are right - it must be off)
- STP... probably you will get a nightmare with it
- LACP/PAGP - I do not know, it depends...
There exist a number of technologies that allow spanning VLANs through a tunnel (OTV for example). Your crypto box, I think, implements one of such technologies.
05-27-2012 02:03 AM
Sergey,
thanks for the answer.
That's what I think too, just while discussing possible solutions a colleague had doubts if trunks would work in that "multipoint" environment.
Btw: STP won't be that bad - we'll allow only the VLAN we need for routing protocol communication and that one will be loop-free.
05-27-2012 02:30 AM
Good luck
You need to consider that, for example, RSTP automatically assigns the P2P type to any port that is in full duplex state. This means that in a multipoint environment it will be confused... It doesn't matter how many VLANs you will allow in the trunks. So you are to turn STP off altogether.
05-27-2012 08:29 AM
Indeed, until now I didn't consider this.
And setting the interfaces to STP link type "shared" means eliminating fast transition.
So we'll have to think about that too.
I don't like the idea of disabling STP and I'm sure my colleagues won't either.
Another option discussed was the use of routed ports. SVIs just seemed to be a more flexible solution at first.
In any case I now have some new stuff for a decision memo...
Thanks once again,
Rolf
05-27-2012 09:18 AM
Routed ports are in fact untagged, so there you will not have any troubles, of course. Using STP here may be tricky also in some other cases. You need to consider that RPVST in fact is not RSTP in every VLAN. It is a special protocol that uses special L2 multicast addresses and that is compatible with RSTP. For spanning-tree to be built in any VLAN you need to properly send traffic in VLAN 1. I do not know, of course, how your crypto box works and whether it will send L2 MCast properly...
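As an added illustration of the points raised in this thread (not configuration from the original posters or from Cisco documentation), the following IOS snippet shows a switch-facing port toward the crypto box in its default state beside a version that applies what was discussed: DTP off, RSTP link type forced to shared so the port does not assume a point-to-point peer, CDP and VTP kept off the multipoint segment, and only the routing VLAN allowed. The interface name, VLAN ID and IP addressing are assumptions chosen for the example; the routed-port alternative at the end corresponds to the untagged option mentioned above.

```cisco
! --- Default state (what you get after "switchport mode trunk" alone) ---
! DTP still negotiates, every VLAN is allowed, CDP and VTP run on the link,
! and RSTP auto-detects "point-to-point" from full duplex, which is wrong
! when several switches sit behind one multipoint crypto segment.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! --- Hardened variant for a crypto-box port that is really multipoint ---
! (assumed interface name and VLAN 10 as the single routing VLAN)
vtp mode transparent
spanning-tree mode rapid-pvst
!
interface GigabitEthernet0/1
 description to L2 crypto box (multipoint segment)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! fixed trunk configuration: no DTP frames on the segment
 switchport nonegotiate
 ! carry only the VLAN needed for routing-protocol adjacency
 switchport trunk allowed vlan 10
 ! tell RSTP this is a shared medium; proposal/agreement is not used,
 ! so forwarding falls back to the classic timers (no fast transition)
 spanning-tree link-type shared
 ! do not advertise switch details to every box on the segment
 no cdp enable
 duplex full
 speed 1000
!
! --- Routed-port alternative (untagged, no trunk, no STP port role) ---
! (assumed addressing; the routing protocol runs directly on the interface)
interface GigabitEthernet0/2
 description to L2 crypto box (routed)
 no switchport
 ip address 192.0.2.1 255.255.255.0
 no cdp enable
!
! Verification: link type must show "Shr" (shared), not "P2p"
! show spanning-tree interface GigabitEthernet0/1 detail
! show interfaces GigabitEthernet0/1 switchport
```

The trade-off the thread describes is visible in the second block: with `link-type shared` the port is safe on a multipoint segment but loses rapid transition, so a topology change on VLAN 10 takes the forward-delay path instead of the proposal/agreement handshake. The routed-port form avoids STP on that link entirely, at the cost of the per-VLAN flexibility an SVI would have given.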