
Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

 
SOLVED
parnassus
Honored Contributor

Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

Hello, I inherited a simple LAN (basically two identical HPE OfficeConnect 1920-48G Switches) where, topologically speaking, one Switch acts as Access for Clients (all Clients are connected to it) and the other acts as Core for Appliances (Servers, NAS and Firewall are connected to it).

The key point here is that Switches are actually connected with just one port Uplink.

That's the general picture.

Actually I'm not in the position to change the LAN topology as I want but I'm able to use at least more uplink cables to enhance overall traffic throughput (since there are many Clients connecting to various Servers) and connection resiliency (against cable/port failure) between those Switches.

I'm going to redefine the actual inter-connection between those Switches by moving from a single port Uplink scenario (with involved interfaces actually set both with port link-type hybrid, port hybrid vlan 5 tagged and port hybrid vlan 1 untagged) to a new 4 ports LAG scenario that will use LACP (Dynamic).

What are the best practices to follow in doing such type of change?

VLANs have already been defined on both Switches (VLAN 1 as default VLAN and VLAN 5 used for WiFi Guests traffic only), VLAN 5 has IP Address assigned; a specific physical Firewall port connected to the "Core" HPE 1920 Switch is dedicated to VLAN 5 traffic. Another physical Firewall port manages VLAN 1 (Default Gateway for the entire VLAN 1 Subnet).

AFAIK the STP is enabled in RSTP mode (stp mode rstp and stp enable).

For both new LAGs I'm going to use 4 ports (let me say from port 1/0/45 to port 1/0/48) on each Switch.

AFAIK I'm going to (please correct me if I'm wrong):

  1. Initially NOT connect the 4 dedicated ports (of the new LAG)
  2. Define the LAG (Trunk): members and protocol (LACP Dynamic) on each side
  3. Set the VLAN tagged/untagged on the new Trunk on each side
  4. Disconnect the actual single cable/port Uplink between Switches
  5. Connect the designated 4 ports of the LAG on each side
  6. Check the VLAN traffic passes through the new formed 4 aggregated ports' Trunk
  7. If all traffic (tagged/untagged) is flowing flawlessly reset the link-port type and VLANs settings set on ports initially used for the Uplink.

Is the above procedure sufficiently correct?

Are above steps summarized in the right order?

What about STP over the new Trunk and, in general, globally on the Switches (is it recommended to use MSTP or is there a way to define the "Core" Switch as the primary?)?

What about BPDU/Loop Protection on all (Edge) ports but Trunk ones?

Would a reboot of both Switches be helpful once the new setup is operational (STP recalculation)?

What I actually see is that all ports - Uplink ports included (marked with port link-type hybrid) - were set with stp edged-port enabled and port auto-power-down.

No other port/interface specific settings are defined.

Thanks in advance.


I'm not an HPE Employee
16again
Respected Contributor
Solution

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

Make sure to use trunk instead of hybrid mode.  I've got no clue why they used hybrid, other than the GUI which somehow has steered your predecessor in that direction.

Action plan seems OK.
For making core switch STP master, lower its root priority.
Indeed MSTP is preferable, but harder to set up. With only 2 VLANs, it's also not that important.

No need for a reboot, STP will handle changes automatically, that's what it's designed for.

parnassus
Honored Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.


@16again wrote:

Make sure to use trunk instead of hybrid mode.  I've got no clue why they used hybrid, other than the GUI which somehow has steered your predecessor in that direction.


Thanks 16again!

I agree with you about Trunk type (type trunk versus type hybrid)!

Speaking about point (3), I did a configuration test on a spare HPE 1920-8G (JG920A) - without connecting it - and, at first sight, I realized I didn't fully understand whether I need to set VLAN 5 Tagged Membership to both BAGG1 and GE1/0/1-GE1/0/4 (BAGG member ports) or whether I need to set VLAN 5 Tagged Membership only to BAGG1, leaving its member ports VLAN 5 Untagged Members:

Here relevant parts of the config (with some screenshots) with - I hope - only BAGG1 set as Tagged Member of VLAN 5 while each GE1/0/1-GE1/0/4 port was left as Untagged Member of VLAN 5:

...
...
#
vlan 1
#
vlan 5
description VLAN 0005 WiFi Guest
#
...
...
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 5
link-aggregation mode dynamic
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 5
port trunk pvid vlan 5
port auto-power-down
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 1 5
port trunk pvid vlan 5
port auto-power-down
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan 1 5
port trunk pvid vlan 5
port auto-power-down
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 1 5
port trunk pvid vlan 5
port auto-power-down
stp edged-port enable
port link-aggregation group 1
#
...
...

 So I'm in serious doubt about its correctness...

I'm trying to simulate BAGG and VLAN configurations in a 1920-8G <--> 1920-8G scenario because I'm going to have a very short time window in which to do the whole re-configuration (for the sake of completeness I'm going to change the actual HPE 1920-24G that acts like a core with a brand new HPE 1920-48G so the action plan will involve re-patching, re-ordering cables, updating existing Switch's Firmware to latest release and then optimizing discussed ports settings).

The requirement of transporting VLAN over the Trunk (as happens now on the single Uplink) is due to the fact there is a third HPE Switch (PoE) which is used only for Wireless APs access (they manage VLAN1 and VLAN 5), this third switch is connected with another single port uplink to the actual 48 ports "edge" Switch.

I'll post a PDF of the target topology (it's quite simple) just to be sure to do things correctly without relying on what was left.

 

Edit:

Forgot to say I also found IPv4 routing related to VLAN 5 defined on all three involved switches...hope to ask a not totally dumb question: is that (defining an IPv4 route for that VLAN other than assigning an IP Address on each Switch for that VLAN if then a dedicated Firewall port is used to manage traffic/DHCP for that specific VLAN) mandatory?

I see now that for VLAN 5 the Destination/Mask and NextHop are:

============================================================
  ===============display ip routing-table===============
============================================================
Routing Tables: Public
	Destinations : 8	Routes : 8

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

10.0.0.0/24         Direct 0    0            10.0.0.102      Vlan1
10.0.0.102/32       Direct 0    0            127.0.0.1       InLoop0
10.10.10.0/24       Direct 0    0            10.10.10.6      Vlan5
10.10.10.6/32       Direct 0    0            127.0.0.1       InLoop0
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

And the NextHop IP Address is equal to the VLAN assigned IP Address (10.10.10.6) in this particular Switch.

The IP Address 10.0.0.102 is the actual Default VLAN (VLAN 1) IP Address assigned to Switch.

There is no reference (as NextHop?) about the Firewall IP Addresses used on LAN1 (for all Default VLAN 1 traffic) and LAN2 (only for VLAN 5 traffic) ports: neither for VLAN 1 (understandable) nor for the VLAN 5...is the above routing table somewhat correct?


16again
Respected Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

To be on the safe side, just assign VLANs to the BAGG as well as all its members.
On some brands, assigning an extra VLAN to the BAGG will auto-assign it to its member ports.

The routing table looks like you only assigned 2 VLAN interfaces an IP address.  This also enables routing between those VLANs, but attached clients must be aware of the correct gateway.

If you just need L2 functionality (no dhcp relay, no routing), you only have to assign an IP address to a single VLAN.

parnassus
Honored Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

Thanks 16again for answering!


@16again wrote:

To be on safe side, just assign VLANs to BAGG as well as all its members.
Some brands, assigning extra VLAN to BAGG will auto-assign it to its member ports,

Yep, that's what I noticed too...on the HPE 1920-8g I used for test I assigned VLAN 5 tagged and VLAN 1 untagged to the BAGG1 only and I noticed that automatically these settings were reported down on member ports (GE1/0/1, 1/0/2, 1/0/3 and 1/0/4) as you can see below.

Through CLI I can see:

<HP 1920G Switch>display port trunk 
Interface                PVID  VLAN passing
BAGG1                    1     1, 5, 
GE1/0/1                  5     1, 5, 
GE1/0/2                  5     1, 5, 
GE1/0/3                  5     1, 5, 
GE1/0/4                  5     1, 5, 

<HP 1920G Switch>display vlan all
 VLAN ID: 1
 VLAN Type: static
 Route Interface: configured
 IPv4 address: 192.168.0.250
 IPv4 subnet mask: 255.255.255.0
 Description: VLAN 0001
 Name: VLAN 0001
 Tagged   Ports:
    GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3
    GigabitEthernet1/0/4
 Untagged Ports:
    Bridge-Aggregation1
    GigabitEthernet1/0/5     GigabitEthernet1/0/6     GigabitEthernet1/0/7
    GigabitEthernet1/0/8     GigabitEthernet1/0/9     GigabitEthernet1/0/10

 VLAN ID: 5
 VLAN Type: static
 Route Interface: configured
 IPv4 address: 10.0.0.254
 IPv4 subnet mask: 255.255.255.0
 Description: VLAN 0005 WiFi Guest
 Name: VLAN 0005
 Tagged   Ports:
    Bridge-Aggregation1
 Untagged Ports:
    GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3
    GigabitEthernet1/0/4

So it seems what I did was correct, at least in theory. Isn't it?

The routing table looks like you only assigned 2 VLAN interfaces a IP address.  This also enables routing between those VLANs, but attached clients must be aware of correct gateway.

If you just need L2 functionality  (no dhcp relay, no routing) , you have to assign only IP address to single VLAN


AFAIK VLAN 5 Clients (that are Wireless Clients only) will receive their IP Addressing through DHCP Server on the Firewall's DMZ1 port (see below) so I doubt the actual configuration was made to do routing between the two VLANs. If so, I can't understand why since the topology is telling me that their goal was to keep VLAN 5 and VLAN 1 clients logically separated up to the Firewall's DMZ1 port...no matter how many Switches VLAN 5 tagged packets would traverse in flowing from the Ubiquiti Wireless AP to the Firewall's DMZ1 port.

The Routing Table that is actually defined on each running Switch wasn't configured by me and so I'm just reporting what I'm discovering, step by step.

Note: a strange/funny thing I noticed is that on the actual 48 ports Switch's Routing Table there is no reference for the same defined VLAN 5 as instead happens on the others two (the PoE and the 24 ports "Core")...this because in that Switch the VLAN 5 has not an IP Address assigned at all. That's very strange.

On two remaining Switches the same VLAN 5 was set with different IP Addresses (let's say VLAN 5 on the PoE Switch has 10.10.10.7, on the 24 port "Core" Switch it has 10.10.10.6; on both Routing Table the next hop IP Addresses for related VLAN Subnets - 10.10.10.0/24 - are equal to the VLAN 5 IP Addresses assigned).

I admit I didn't try to see if, currently, the actual setup does what I think it should do *correctly* (I mean: no routing between VLANs, which is not required): the goal is - and IMHO was - to separately transport VLAN 5 tagged packets from the PoE Switch tagged port (Ubiquiti Wireless AP) up to the dedicated physical port (DMZ1) on the Fortinet FortiGate Firewall by traversing two Switches (on that DMZ1 port the Default Gateway is 10.10.10.1/24, there is DHCP Server running and it has a DNS Resolver defined on the DHCP pools so  Wireless Clients are autonomous).

I attach an image of the final topology I'm going to deploy: actually the only difference (BAGG and VLAN Settings apart, as discussed above) is that the Switch on the top right (the one I called "Core") is just a 24 ports and is going to be replaced by another 48 ports (JG927A).


16again
Respected Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

Better set PVID on BAG port and its member identical. Now they aren't.
Looking at your setup, better keep VLAN 5 isolated, by not using L3 interface on the switches

parnassus
Honored Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

Hi 16again!

Do you mean I should set PVID = 1 on any port involved in the BAGG1 exactly as it is set now on BAGG1?

Is the PVID of the BAGG really so important since flowing packets that are traversing the LAG/Uplink are yet eventually tagged on the relevant egress port on the Switch they were coming from (the PoE one which has the Wireless AP)?

Yep, VLAN 5: isolated is a good idea and it's what it was thought for.

Is it sufficient on each Switch to remove any IPv4 Routing Table entry related to VLAN 5 and just to keep the VLAN 5 assigned IP Addresses on each Switch or, better, remove both entries from all Switches?


16again
Respected Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

The BAGG and its members should have equal VLAN config, PVID determines which vlan is untagged.
I can only guess what will go wrong when you break this rule (VLAN5 packets ending up in VLAN1 or vice-versa, breaking VLAN1 protocols like STP....)
I'd just stay on the safe side and not break the rule.

Just remove the VLAN5 IP address from the switch, its associated routes will disappear automatically.
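
The rule stated in the reply above (a BAGG and its member ports should carry the same PVID and the same tagged/untagged VLANs) can be checked offline against a saved configuration before the change window. This is an added example, not part of the original thread: the function names and the sample configuration are constructed, and settings absent from an interface block are assumed to be access / PVID 1.

```python
import re

# Constructed sample in the thread's config syntax: GE1/0/1 mirrors the first
# test config (member PVID 5, BAGG1 PVID 1), GE1/0/2 mirrors the final config.
SAMPLE = """\
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1 5
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 5
 port trunk pvid vlan 5
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 5 tagged
 port hybrid vlan 1 untagged
 port link-aggregation group 1
"""

def vlan_ids(tokens):
    """Expand ['1', '5', 'to', '8'] into {1, 5, 6, 7, 8}; 'all' means 1-4094."""
    text = " ".join(tokens).replace("all", "1 to 4094")
    ids = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", text):
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_interfaces(config):
    """Map interface name -> settings; unset values assumed access / PVID 1."""
    ports, cur = {}, None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "#":
            cur = None                      # '#' closes the current block
        elif w[0] == "interface":
            cur = ports[w[1]] = {"type": "access", "pvid": 1, "group": None,
                                 "permit": set(), "tagged": set(), "untagged": set()}
        elif cur is None:
            continue                        # global line outside any interface
        elif w[:2] == ["port", "link-type"]:
            cur["type"] = w[2]
        elif w[:3] == ["port", "link-aggregation", "group"]:
            cur["group"] = int(w[3])
        elif w[1:4] == ["trunk", "permit", "vlan"]:
            cur["permit"] |= vlan_ids(w[4:])
        elif w[2:4] == ["pvid", "vlan"] or w[:3] == ["port", "access", "vlan"]:
            cur["pvid"] = int(w[-1])
        elif w[1:3] == ["hybrid", "vlan"] and w[-1] in ("tagged", "untagged"):
            cur[w[-1]] |= vlan_ids(w[3:-1])
    return ports

def effective(p):
    """Reduce a port to (pvid, tagged VLANs, untagged VLANs), whatever its link type."""
    if p["type"] == "hybrid":
        return p["pvid"], sorted(p["tagged"]), sorted(p["untagged"])
    permit = p["permit"] if p["type"] == "trunk" else {p["pvid"]}
    return p["pvid"], sorted(permit - {p["pvid"]}), sorted(permit & {p["pvid"]})

def check_lag_consistency(config):
    """List (member, field, member value, aggregate value) for each mismatch."""
    ports, findings = parse_interfaces(config), []
    for name, p in ports.items():
        agg = ports.get(f"Bridge-Aggregation{p['group']}")
        if agg is not None:                 # only ports that joined a defined BAGG
            pairs = zip(("pvid", "tagged", "untagged"), effective(p), effective(agg))
            findings += [(name, f, mine, theirs) for f, mine, theirs in pairs if mine != theirs]
    return findings
```

On the sample, the trunk member with PVID 5 is reported three times (PVID, tagged set, untagged set), while the hybrid member produces no finding because its effective tagging equals that of BAGG1.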

 

parnassus
Honored Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

Hello 16again,

I should change the Post's Title to "How to configure a BAGG?" since I found myself lost at best.

I reset the HP 1920-8G used for testing.

I started with these steps:

  1. Step 1 --> Created VLAN 5 (without its Interface, so no IP/Routing for it), added VLAN 5 tagged to GE1/0/1 - GE1/0/4 (future members of the BAGG), consequently Port Type changed from "Access" to "Hybrid".
  2. Step 2 --> Created BAGG1 with members ports GE1/0/1-GE1/0/4, set LACP Dynamic (not relevant here but I did so).
  3. Step 3 --> Change BAGG1 from Port Type "Hybrid" (automatically assigned) to "Trunk". Port BAGG1 yet not assigned as Tagged member of VLAN 5.
  4. Step 4 --> Change BAGG1 VLAN tagging assignment to VLAN 5 tagged.

Results:

After Step 1 all ports GE1/0/1-GE1/0/4 correctly changed their settings from (below I always represented GE1/0/1 settings only as reference):

#
interface GigabitEthernet1/0/1
 port auto-power-down
 stp edged-port enable
#

to:

#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid vlan 5 tagged
port hybrid vlan 1 untagged
port auto-power-down
stp edged-port enable
#

After Step 2 the BAGG1 definition appeared on configuration file and ports GE1/0/1-GE1/0/4 settings were updated accordingly:

#
interface Bridge-Aggregation1
 link-aggregation mode dynamic
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 5 tagged
 port hybrid vlan 1 untagged
 port auto-power-down
 stp edged-port enable
 port link-aggregation group 1
#

A quick CLI check testifies that BAGG1, since its Port Type is still "Hybrid" as per default, doesn't appear when display port trunk was run:

<HP 1920G Switch>display port hybrid 
Interface                PVID  VLAN passing
GE1/0/1                  1     Tagged:  5,Untagged:1, 
GE1/0/2                  1     Tagged:  5,Untagged:1, 
GE1/0/3                  1     Tagged:  5,Untagged:1, 
GE1/0/4                  1     Tagged:  5,Untagged:1, 

<HP 1920G Switch>display vlan all
 VLAN ID: 1
 VLAN Type: static
 Route Interface: configured
 IPv4 address: 192.168.0.250
 IPv4 subnet mask: 255.255.255.0
 Description: VLAN 0001
 Name: VLAN 0001
 Tagged   Ports: none
 Untagged Ports:
    Bridge-Aggregation1
    GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3
    GigabitEthernet1/0/4     GigabitEthernet1/0/5     GigabitEthernet1/0/6
    GigabitEthernet1/0/7     GigabitEthernet1/0/8     GigabitEthernet1/0/9
    GigabitEthernet1/0/10

 VLAN ID: 5
 VLAN Type: static
 Route Interface: not configured
 Description: Wireless Clients Guest
 Name: VLAN 0005
 Tagged   Ports:
    GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3
    GigabitEthernet1/0/4
 Untagged Ports: none

<HP 1920G Switch>display port trunk
<HP 1920G Switch>

After Step 3 the BAGG1 Link Type was changed from "Hybrid" to "Trunk" so, before this change, it seemed the BAGG1 was in a limbo state (neither Hybrid nor Trunk) but, at least, port trunk permit vlan 1 appeared:

#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1
 link-aggregation mode dynamic
#

Via CLI the Link Type change finally modified the response of display port trunk command:

<HP 1920G Switch>display port trunk
Interface                PVID  VLAN passing
BAGG1                    1     1, 

After Step 4 VLAN 5 tagging finally steps in at BAGG level (notice nothing changed at member ports level):

#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1 5
 link-aggregation mode dynamic
#

And via CLI it's possible to see that display port trunk result changed (while display port hybrid not):

<HP 1920G Switch>display port trunk  
Interface                PVID  VLAN passing
BAGG1                    1     1, 5, 
<HP 1920G Switch>display port hybrid 
Interface                PVID  VLAN passing
GE1/0/1                  1     Tagged:  5,Untagged:1, 
GE1/0/2                  1     Tagged:  5,Untagged:1, 
GE1/0/3                  1     Tagged:  5,Untagged:1, 
GE1/0/4                  1     Tagged:  5,Untagged:1,

Note here that the above result about display port trunk looks different from the one posted few days ago:

<HP 1920G Switch>display port trunk 
Interface                PVID  VLAN passing
BAGG1                    1     1, 5, 
GE1/0/1                  5     1, 5, 
GE1/0/2                  5     1, 5, 
GE1/0/3                  5     1, 5, 
GE1/0/4                  5     1, 5,

and, IMHO, this happens simply because the GE1/0/1-GE1/0/4 ports Link Type was automatically set to "Hybrid" and not "Trunk" after Step 1.

This procedure apparently removed the inconsistency about different PVIDs between BAGG1 and its member ports because now PVID is equal to 1 for all involved ports (BAGG1 and GE1/0/1-GE1/0/4).

Question: is that configuration procedure correct or should I have avoided the initial sub-task "added VLAN 5 tagged to GE1/0/1 - GE1/0/4 (future members of the BAGG), consequently Port Type changed from "Access" to "Hybrid"." on Step 1 leaving future members ports of the BAGG as "Access" without any GE port VLAN 5 tagging?

As soon as possible I'm going to re-start and test the whole procedure without that above initial sub-task to see how the Switch configuration will change (if any).

The final configuration is:

#
 version 5.20.99, Release 1112
#
 sysname HP 1920G Switch
#
 clock timezone Amsterdam add 01:00:00 
 clock summer-time summer-time repeating 02:00:00 2016 March last Sunday 03:00:00 2016 October last Sunday  01:00:00
#
 domain default enable system 
#
 ipv6
#
 telnet server enable 
#
 password-recovery enable
#
vlan 1
#
vlan 5
 description Wireless Clients Guest
#
domain system 
 access-limit disable 
 state active 
 idle-cut disable 
 self-service-url disable 
#
user-group system
 group-attribute allow-guest
#
local-user admin
 authorization-attribute level 3
 service-type telnet terminal
 service-type web
#
 stp mode rstp
 stp enable
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1 5
 link-aggregation mode dynamic
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.250 255.255.255.0 
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 5 tagged
 port hybrid vlan 1 untagged
 port auto-power-down
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 5 tagged
 port hybrid vlan 1 untagged
 port auto-power-down
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 5 tagged
 port hybrid vlan 1 untagged
 port auto-power-down
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/4
 port link-type hybrid
 port hybrid vlan 5 tagged
 port hybrid vlan 1 untagged
 port auto-power-down
 stp edged-port enable
 port link-aggregation group 1
#
interface GigabitEthernet1/0/5
 port auto-power-down
 stp edged-port enable
#
interface GigabitEthernet1/0/6
 port auto-power-down
 stp edged-port enable
#
interface GigabitEthernet1/0/7
 port auto-power-down
 stp edged-port enable
#
interface GigabitEthernet1/0/8
 port auto-power-down
 stp edged-port enable
#
interface GigabitEthernet1/0/9
 stp edged-port enable
#
interface GigabitEthernet1/0/10
 stp edged-port enable
#
 dhcp-snooping
#
 ntp-service unicast-server 193.234.225.237
 ntp-service unicast-server 94.23.66.89
#
 load xml-configuration 
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 15
 authentication-mode scheme
#
return

Edit: forgot to mention that I didn't set an Access port to be VLAN 5 tagged; that's just a configuration to see how BAGG and VLAN work between switches.


16again
Respected Contributor

Re: Trunking (LAG) two HPE 1920-48G: Best practices with VLAN and STP.

The end result of the config steps is OK.

On step 1, I'd start by turning ge1/0/1-4 into trunk ports first, then assign extra tagged vlans.
This way, these ports never turn into hybrid mode.