Two ports on one switch connected to each other

rickpastor
Level 1

Hello,

I'd like to rephrase a submission I made week, for which there were no replies... Does anyone know the STP ramifications when two ports on the same switch are connected to each other?

Thanks for any input.

18 Replies

Rick,

Looking over that document, I can see how traffic might not be shaped the way you want it to be.

So it seems that your IPS is acting as a VLAN "router", I guess is a simple way to describe it. It takes a packet destined for the server, but the workstations and servers are on separate VLANs, so it merely routes the traffic to the other VLAN for the PC.

Personally, I feel a router would be a better option in this case, or a L3 switch.

Given what I know about how the device is working now, running a routing protocol is the only thing I can think of that would be that dynamic. STP is a great redundancy protocol, but using it like that I don't think you will get the results you are looking for.

The way you have it set up right now, STP has no way to detect a problem with the IPS and reconverge the network. I think your best option to ensure the packets are both routed properly and have the ability to fail over is to use a router.

Have the IPS connected to the router which is connected to the switch, trunk the interface from the switch to the router and then the interface to the IPS is also trunked; if the IPS link fails the router still knows how to get to VLAN 33. You will have to adjust the route paths a little bit manually, but ultimately I think it would work much better than the STP option.

There is no conceivable way to have STP manipulate ports 33 and 34 in the way you are looking to do. Since the ports are access ports, no VLAN information is passed, so the switch does not see them as independent VLANs; it just sees the BPDU information and sees it as a loop. Putting them into trunked interfaces also does not help your situation because as a packet leaves port 34 on VLAN 34, it has no way to get to VLAN 33.

HTH

Craig

Thanks Craig,

Having looked now into the agreed-upon implementation here, it looks as though they're interested in keeping the failover ports both forwarding, which seems to me will cause MAC addresses flapping between ports, meaning half the packets won't be inspected by the IPS. I don't yet know how they justify this reasoning, and plan on reading up on some published deployment scenarios.

If it comes to where routing is necessary, then that's what we'll do. I appreciate your suggestions on this. Assuming I reach a resolution at some point, I'll publish it in this thread. Thanks to you, Jon, and Rick for your contributions.

Happy new year

Rick P.

I talked to one of the guys I work with today about it to see if it made sense to him. It didn't; we both agreed that you will see duplicate traffic, and most likely the IPS will not even be used after the switch establishes the path it wants to use. Or by some stroke of luck you will actually have all your traffic going through the IPS; it will be determined by which interface receives the returning frame last.

He did however mention that he had heard something when he went through his CISSP course about the IPS having an ability to shunt different ports open and closed, essentially letting the IPS control the ports in a way, but I couldn't find anything about that specifically.

Good luck with your setup.

Craig

Interesting. I'll let you know. Thanks, man.

Rick
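A toy model of the two mechanisms discussed in this thread, added here as an illustration (not from any poster and not Cisco's code): how 802.1D STP breaks the tie between two ports of the same switch cabled to each other, and the MAC-table flapping that follows if both ports are instead kept forwarding. The bridge ID, port numbers and server MAC are constructed values.

```python
# Constructed model of a self-looped switch. Not an implementation of IOS;
# it only reproduces the tie-break rule and the MAC-learning behaviour.

def stp_self_loop_roles(bridge_id, port_a, port_b, root_id=None):
    """Both ports send BPDUs carrying the same root ID, path cost and
    bridge ID, so the only remaining tie-breaker is the sender's port ID.
    The port that hears the lower (superior) port ID becomes non-designated
    and is put into blocking; the other stays forwarding."""
    root_id = bridge_id if root_id is None else root_id
    roles = {}
    for me, peer in ((port_a, port_b), (port_b, port_a)):
        # BPDU vectors compare lexicographically: (root, cost, bridge, port).
        received = (root_id, 0, bridge_id, peer)   # sent by the other port
        own = (root_id, 0, bridge_id, me)          # what this port would send
        roles[me] = "blocking" if received < own else "forwarding"
    return roles


def learn_macs(frames):
    """Simplified source-MAC learning: every frame rewrites the table entry
    for its source MAC to the ingress port. Returns (table, flap_count),
    where a flap is an entry moving from one port to another."""
    table, flaps = {}, 0
    for ingress_port, src_mac in frames:
        prev = table.get(src_mac)
        if prev is not None and prev != ingress_port:
            flaps += 1
        table[src_mac] = ingress_port
    return table, flaps


def simulate_dual_forwarding(server_mac, ports, n_frames):
    """With both IPS-facing ports left forwarding, the same server MAC is
    seen alternately on each port, so the learned port oscillates and the
    switch's forwarding decision for that MAC changes frame by frame."""
    frames = [(ports[i % 2], server_mac) for i in range(n_frames)]
    return learn_macs(frames)


if __name__ == "__main__":
    # Constructed values: default bridge priority, ports 33 and 34 as in the thread.
    print(stp_self_loop_roles(32768, 33, 34))
    table, flaps = simulate_dual_forwarding("00:11:22:33:44:55", (33, 34), 10)
    print(table, "flaps:", flaps)
```

The first function shows why the higher-numbered port of the pair ends up blocking; the second shows that once STP is not allowed to block one port, the MAC entry flaps on nearly every frame, which is the symptom a switch reports as a MAC-flapping notification.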
