09-02-2011 06:09 PM - edited 03-07-2019 02:02 AM
Hi,
I "manage" a network quite a bit more complex than I could design and implement. Despite having managed to pick up a thing or two here and there, I can't quite get my head around the following:
Two sites, a 6509 at each site.
The 6509s are in 2 separate VTP domains - LANE and DO.
On one end, we have:
router ospf 1
log-adjacency-changes
redistribute static subnets route-map red-static
passive-interface default
no passive-interface Vlan7
no passive-interface Vlan200
no passive-interface Vlan202
network 10.10.0.0 0.0.255.255 area 0
interface Vlan202
description DOv0202_District_Laney_Vlan
ip address 10.10.202.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip route-cache flow
ipx input-sap-filter 1000
ipx network A0ACA00
ipx output-sap-filter 1000
standby 202 ip 10.10.202.1
standby 202 priority 200
standby 202 preempt
end
interface GigabitEthernet3/7
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
end
On the other end (apologies, this one is still running CatOS...):
router ospf 1
log-adjacency-changes
network 10.10.202.0 0.0.0.255 area 0
network 10.30.0.0 0.0.255.255 area 0
network 10.38.0.0 0.0.255.255 area 0
interface Vlan202
description LAv0202_Laney_District_Vlan
ip address 10.10.202.5 255.255.255.0
no ip redirects
no ip proxy-arp
ipx input-sap-filter 1000
ipx network A0ACA00
ipx output-sap-filter 1000
end
set port broadcast 2/1 50.00% violation drop-packets multicast disable unicast disable
clear trunk 2/1 1-201,203-1005,1025-4094
set trunk 2/1 nonegotiate dot1q 202
set port qos 2/1-16 trust trust-dscp
set port channel 2/1-16 mode off
The connection between the two is fiber port 3/7 on the first side, port 2/1 on the other.
I think I get it that at either end we have an interface in the same subnet, just like if you had physical router interfaces at each end.
What I don't get is why the VTP domains don't try to duke it out... But my "knowledge" is very sketchy in that area, pretty much amounts to once upon a time, when we had a real engineer on site doing some work, I answered Yes to a question for which the true answer was No, and the whole network came down (5 sites) because he connected something in the LANE VTP domain to something in the DO VTP domain. By the time I'd learned enough to wonder what exactly he did, I couldn't remember enough to figure it out...
Any further knowledge that comes my way will be most definitely appreciated...
09-02-2011 11:17 PM
You are routing over vlan 202 as this is the only vlan allowed from the CatOS side.
For consistency, and probably also security-wise, it is advisable to configure the other side identically:
interface GigabitEthernet3/7
switchport trunk allowed vlan 202
The reason why the VTP domains do not bite each other is simple:
Updates are only exchanged when the vtp domain name is identical.
Hence this is a legal way to make the interconnection.
My personal preference is to never link trunks over a WAN if there is no very specific requirement to do so.
It is always better to make a clean separation between vtp domains, by separating them via layer3 links.
Especially because of the inherent risk of stp and/or vtp-related issues.
So in your case I would consider making the ports access-ports and route untagged packets.
This is probably something you want to save until you have someone on site to support you in the change.
regards,
Leo
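The asymmetry Leo points out, one end pruned to VLAN 202 and the other admitting every VLAN, is easy to miss by eye because IOS and CatOS express the allowed list differently (an explicit allowed-vlan statement on IOS, a "clear trunk" of everything else on CatOS). The script below is an added example and not code or configuration from the thread's participants: it parses the trunk lines quoted above (reproduced as constructed sample input), computes the VLAN set each end will actually forward, and reports whether the two ends agree, once for the Gi3/7 block as posted and once with the suggested "switchport trunk allowed vlan 202" added. The IOS default of 1-4094 and the CatOS default of 1-1005,1025-4094 are assumptions about platform defaults, not taken from the thread.

```python
"""Compare the VLANs a dot1q trunk admits on each end of an inter-switch link.

Added example for the thread above, not the posters' own code. It parses the
IOS-style and CatOS-style trunk lines quoted in the thread (embedded below as
constructed sample input) and reports the effective allowed-VLAN set per end.
"""
import re

IOS_ALL_VLANS = set(range(1, 4095))                     # IOS trunk default: 1-4094 (assumed)
# CatOS trunk default (assumed): 1-1005 and 1025-4094; 1006-1024 are reserved.
CATOS_ALL_VLANS = set(range(1, 1006)) | set(range(1025, 4095))
CATOS_TRUNK_MODES = {"on", "desirable", "auto", "nonegotiate"}
VLAN_RANGE_RE = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")


def parse_vlan_list(text):
    """Expand a list such as '1-201,203-1005,1025-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def ios_trunk_vlans(interface_block):
    """Effective allowed VLANs for one IOS 'interface' block (list of config lines)."""
    allowed = set(IOS_ALL_VLANS)
    is_trunk = False
    for raw in interface_block:
        line = raw.strip()
        if line == "switchport mode trunk":
            is_trunk = True
        m = re.match(r"switchport trunk allowed vlan (add |remove |except )?(.+)$", line)
        if not m:
            continue
        op, vlist = m.group(1), m.group(2)
        if op is None:
            allowed = (set(IOS_ALL_VLANS) if vlist == "all"
                       else set() if vlist == "none" else parse_vlan_list(vlist))
        elif op == "add ":
            allowed |= parse_vlan_list(vlist)
        elif op == "remove ":
            allowed -= parse_vlan_list(vlist)
        else:                                            # "except"
            allowed = IOS_ALL_VLANS - parse_vlan_list(vlist)
    return allowed if is_trunk else set()


def catos_trunk_vlans(config_lines, port):
    """Effective allowed VLANs for a CatOS trunk port such as '2/1'."""
    allowed = set(CATOS_ALL_VLANS)
    is_trunk = False
    for raw in config_lines:
        tokens = raw.split()
        if tokens[:3] == ["clear", "trunk", port] and len(tokens) == 4:
            allowed -= parse_vlan_list(tokens[3])        # 'clear trunk' prunes VLANs
        elif tokens[:3] == ["set", "trunk", port]:
            for tok in tokens[3:]:                       # mode, encapsulation, VLAN ranges
                if tok in CATOS_TRUNK_MODES:
                    is_trunk = True
                elif tok == "off":
                    is_trunk = False
                elif VLAN_RANGE_RE.match(tok):
                    allowed |= parse_vlan_list(tok)      # 'set trunk ... <range>' re-adds VLANs
    return allowed if is_trunk else set()


# Constructed sample input: the trunk configuration quoted in the thread.
IOS_GI3_7_AS_POSTED = [
    "interface GigabitEthernet3/7",
    " switchport",
    " switchport trunk encapsulation dot1q",
    " switchport mode trunk",
    " no ip address",
]
IOS_GI3_7_PRUNED = IOS_GI3_7_AS_POSTED + [" switchport trunk allowed vlan 202"]
CATOS_PORT_2_1 = [
    "clear trunk 2/1 1-201,203-1005,1025-4094",
    "set trunk 2/1 nonegotiate dot1q 202",
    "set port channel 2/1-16 mode off",
]


def compare_trunk_ends(ios_block, catos_lines, catos_port):
    """Return (ios_vlans, catos_vlans, mismatch) for the two ends of one trunk."""
    ios = ios_trunk_vlans(ios_block)
    catos = catos_trunk_vlans(catos_lines, catos_port)
    return ios, catos, ios != catos


def summarize(vlans):
    """Compact rendering of a VLAN set for the report."""
    if len(vlans) > 20:
        return f"{len(vlans)} VLANs ({min(vlans)}-{max(vlans)})"
    return ",".join(str(v) for v in sorted(vlans))


if __name__ == "__main__":
    for label, block in (("as posted", IOS_GI3_7_AS_POSTED), ("pruned", IOS_GI3_7_PRUNED)):
        ios, catos, mismatch = compare_trunk_ends(block, CATOS_PORT_2_1, "2/1")
        print(f"IOS Gi3/7 ({label}): {summarize(ios)}")
        print(f"CatOS 2/1          : {summarize(catos)}")
        print("  allowed-VLAN lists differ" if mismatch else "  both ends agree")
```

Run against the configuration as posted, the IOS end admits all 4094 VLANs while the CatOS end admits only 202; with the allowed-vlan line added, both ends agree on {202}. Only VLANs allowed on both ends are forwarded, so the mismatch is not itself an outage, but it is exactly the kind of one-sided trunk that lets an unintended VLAN leak across the link when the pruned side is later changed.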
09-06-2011 02:50 PM
As it happens, it's expected that I can do stuff like this for myself... Fortunately, I'm exceptionally risk averse, am not inclined to bash on just because off the top of my head I can't think of what could go wrong, and make SURE that I know how to back out quickly, so it usually works out...
Your information is very helpful - I see now that what went wrong the last time was because each site has the same VLANs, but has different subnets for those same VLANs, so routing was getting different subnets on the "same" interface.
Funny how you can read stuff, learn all the details, but not really get how it works till you do something wrong!
thanks again!