VLAN interfaces, physical interfaces, VTP domains, routing

linnea.wren
Level 1

Hi,

I "manage" a network quite a bit more complex than I could design and implement.  Despite having managed to pick up a thing or two here and there, I can't quite get my head around the following:

Two sites, a 6509 at each site.

The 6509s are in 2 separate VTP domains - LANE and DO.

On one end, we have:

router ospf 1
 log-adjacency-changes
 redistribute static subnets route-map red-static
 passive-interface default
 no passive-interface Vlan7
 no passive-interface Vlan200
 no passive-interface Vlan202
 network 10.10.0.0 0.0.255.255 area 0

interface Vlan202
 description DOv0202_District_Laney_Vlan
 ip address 10.10.202.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip route-cache flow
 ipx input-sap-filter 1000
 ipx network A0ACA00
 ipx output-sap-filter 1000
 standby 202 ip 10.10.202.1
 standby 202 priority 200
 standby 202 preempt
end

interface GigabitEthernet3/7
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
end

On the other end (apologies, this one is still running CatOS...):

router ospf 1
 log-adjacency-changes
 network 10.10.202.0 0.0.0.255 area 0
 network 10.30.0.0 0.0.255.255 area 0
 network 10.38.0.0 0.0.255.255 area 0

interface Vlan202
 description LAv0202_Laney_District_Vlan
 ip address 10.10.202.5 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ipx input-sap-filter 1000
 ipx network A0ACA00
 ipx output-sap-filter 1000
end

set port broadcast 2/1 50.00% violation drop-packets multicast disable unicast disable
clear trunk 2/1 1-201,203-1005,1025-4094
set trunk 2/1 nonegotiate dot1q 202
set port qos 2/1-16 trust trust-dscp
set port channel 2/1-16 mode off

The connection between the two is fiber port 3/7 on the first side, port 2/1 on the other.

I think I get it that at either end we have an interface in the same subnet, just like if you had physical router interfaces at each end.

What I don't get is why the VTP domains don't try to duke it out...  But my "knowledge" is very sketchy in that area, pretty much amounts to once upon a time, when we had a real engineer on site doing some work, I answered Yes to a question for which the true answer was No, and the whole network came down (5 sites) because he connected something in the LANE VTP domain to something in the DO VTP domain.  By the time I'd learned enough to wonder what exactly he did, I couldn't remember enough to figure it out...

Any further knowledge that comes my way will be most definitely appreciated...

Accepted Solution

lgijssel
Level 9

You are routing over VLAN 202, as this is the only VLAN allowed from the CatOS side.

For consistency, and probably also security-wise, it is advisable to configure the other side identically:

interface GigabitEthernet3/7
 switchport trunk allowed vlan 202

The reason why the VTP domains do not bite each other is simple:

Updates are only exchanged when the VTP domain name is identical.

Hence this is a legal way to make the interconnection.

My personal preference is to never link trunks over a WAN if there is no very specific requirement to do so.

It is always better to make a clean separation between VTP domains, by separating them via layer 3 links.

Especially because of the inherent risk of STP and/or VTP-related issues.

So in your case I would consider making the ports access ports and routing untagged packets.

This is probably something you want to save until you have someone on site to support you in the change.

regards,

Leo
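The answer's point is that the link only "works" because the CatOS side has pruned the trunk down to VLAN 202, while the IOS side still allows every VLAN; the two ends should agree. The script below is an added example (not part of the thread, and not Cisco's tooling) that computes the effective allowed-VLAN set on each end from the configuration text and reports the mismatch. It parses the IOS `switchport trunk allowed vlan` forms and the CatOS `clear trunk` / `set trunk` forms, and it assumes the CatOS default allowed range is 1-1005,1025-4094 (VLANs 1006-1024 are reserved), which is what the `clear trunk` line in the post itself implies. The sample configs are constructed from the ones posted above; the "hardened" IOS block adds the `switchport trunk allowed vlan 202` line the answer recommends.

```python
"""Audit the VLANs actually carried on each end of a trunk link.

Added example, not from the original thread. It reads the posted
IOS and CatOS fragments, works out the effective allowed-VLAN list
on each side, and reports whether the two ends agree.
"""
from __future__ import annotations

import re

ALL_VLANS = frozenset(range(1, 4095))  # IOS default: allowed vlan 1-4094
# Assumption: CatOS default allowed range is 1-1005,1025-4094 (1006-1024 reserved),
# consistent with the "clear trunk 2/1 1-201,203-1005,1025-4094" line in the post.
CATOS_DEFAULT = frozenset(range(1, 1006)) | frozenset(range(1025, 4095))


def parse_vlan_list(spec: str) -> set[int]:
    """Turn '1-201,203-1005,1025-4094' into a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def ios_trunk_allowed(interface_config: str) -> set[int]:
    """Effective allowed VLANs for one IOS 'interface ...' block.

    Handles the plain, 'add', 'remove', 'except', 'all' and 'none' forms.
    With no 'allowed vlan' line at all, IOS carries every VLAN (1-4094).
    """
    allowed = set(ALL_VLANS)
    for line in interface_config.splitlines():
        m = re.match(r"\s*switchport trunk allowed vlan\s+(add|remove|except|)\s*(\S+)", line)
        if not m:
            continue
        keyword, spec = m.group(1), m.group(2)
        if keyword == "add":
            allowed |= parse_vlan_list(spec)
        elif keyword == "remove":
            allowed -= parse_vlan_list(spec)
        elif keyword == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(spec)
        elif spec == "all":
            allowed = set(ALL_VLANS)
        elif spec == "none":
            allowed = set()
        else:
            allowed = parse_vlan_list(spec)
    return allowed


def catos_trunk_allowed(port: str, catos_config: str) -> set[int]:
    """Effective allowed VLANs for one CatOS trunk port.

    'clear trunk <port> <ranges>' removes VLANs from the allowed list;
    'set trunk <port> ... <ranges>' adds them back.
    """
    allowed = set(CATOS_DEFAULT)
    for line in catos_config.splitlines():
        line = line.strip()
        m = re.match(rf"clear trunk {re.escape(port)}\s+(\S+)$", line)
        if m:
            allowed -= parse_vlan_list(m.group(1))
            continue
        m = re.match(rf"set trunk {re.escape(port)}\s+(?:\S+\s+)*?(\d[\d,-]*)$", line)
        if m:
            allowed |= parse_vlan_list(m.group(1))
    return allowed


def audit_link(side_a: set[int], side_b: set[int]) -> dict:
    """Compare the two ends of a trunk and list what is carried versus stranded."""
    return {
        "consistent": side_a == side_b,
        "carried": sorted(side_a & side_b),   # VLANs both ends will forward
        "only_a": sorted(side_a - side_b),    # allowed on A, dropped by B
        "only_b": sorted(side_b - side_a),    # allowed on B, dropped by A
    }


# Constructed sample input, taken from the fragments posted in the thread.
IOS_AS_POSTED = """\
interface GigabitEthernet3/7
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
"""
IOS_HARDENED = IOS_AS_POSTED + " switchport trunk allowed vlan 202\n"

CATOS_AS_POSTED = """\
set port broadcast 2/1 50.00% violation drop-packets multicast disable unicast disable
clear trunk 2/1 1-201,203-1005,1025-4094
set trunk 2/1 nonegotiate dot1q 202
set port qos 2/1-16 trust trust-dscp
set port channel 2/1-16 mode off
"""


def audit_as_posted() -> dict:
    return audit_link(ios_trunk_allowed(IOS_AS_POSTED), catos_trunk_allowed("2/1", CATOS_AS_POSTED))


def audit_hardened() -> dict:
    return audit_link(ios_trunk_allowed(IOS_HARDENED), catos_trunk_allowed("2/1", CATOS_AS_POSTED))


if __name__ == "__main__":
    for name, result in (("as posted", audit_as_posted()), ("hardened", audit_hardened())):
        state = "consistent" if result["consistent"] else "MISMATCH"
        print(f"{name}: {state}; carried={result['carried']}; "
              f"allowed only on IOS side={len(result['only_a'])} VLANs")
```

Run as posted, the IOS end allows 4094 VLANs and the CatOS end one, so only VLAN 202 is carried and 4093 VLANs are allowed on Gi3/7 but silently dropped at the far end; with the `switchport trunk allowed vlan 202` line added, both ends agree. The CatOS side also has `nonegotiate` set, while `switchport mode trunk` on IOS still sends DTP; `switchport nonegotiate` on Gi3/7 would mirror that, but the answer above does not ask for it.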


As it happens, it's expected that I can do stuff like this for myself... Fortunately, I'm exceptionally risk averse, am not inclined to bash on just because off the top of my head I can't think of what could go wrong, and make SURE that I know how to back out quickly, so it usually works out...

Your information is very helpful - I see now that what went wrong the last time was because each site has the same VLANs, but has different subnets for those same VLANs, so routing was getting different subnets on the "same" interface.

Funny how you can read stuff, learn all the details, but not really get how it works till you do something wrong!

thanks again!
