Magnus Tengmo
Advisor

GVRP - Best Practice?

Hi! I have read this PDF:
http://www.hp.com/rnd/support/config_examples/gvrp_use.pdf

But I don't understand if GVRP is a recommended solution to use?
We got 2 x 5406 with about 15 VLANs routed in 5406, and 5 VLANs for different DMZs only located in our datacenter.
As edge switches we got a mix with 2626 (15) and 2810-48g (6).
In the future we will probably setup 802.1x for dynamic VLANs for different users and unauth users.

Any advice on how to use or not use GVRP?
I have got MSTP and VRRP up and running.

Best Regards, Magnus

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. - HP Forum Moderator

Matt Hobbs
Honored Contributor

Re: GVRP - Best Practice?

With GVRP one of its limitations is that all GVRP learned VLANs will always be in the IST of your MSTP which limits the load balancing capability that you could potentially achieve with your VRRP configuration.

The advantage of GVRP is that you only need to configure the VLAN on one switch (probably your core switch), the edge switches will then learn it automatically.

Not many people use it though and generally prefer to use static VLANs.

I just noticed another limitation with GVRP: while GVRP is enabled on the switch, you cannot apply any ACLs to VLANs configured on the same switch.

If you are using 802.1x though, you could work around this by applying RADIUS-assigned port-based ACLs on the edge ports, which is more efficient than ACLs in the core anyway. The Identity Driven Manager (IDM) software makes configuring these a lot easier if you are interested, although that is another large project in itself.

So really you need to weigh up the benefits of GVRP against the disadvantages:

1. GVRP makes adding a new VLAN to all your switches very easy and also reduces the chance that you misconfigure a static VLAN.
2. GVRP is not good for MSTP load balancing.
3. GVRP prevents ACLs being applied on VLAN interfaces.
Andrew_291
Frequent Advisor

Re: GVRP - Best Practice?

Matt, one question to you.
In a switch with GVRP enabled, must I manually assign ports to VLANs, or do the workstations connected to such ports do it?
Matt Hobbs
Honored Contributor

Re: GVRP - Best Practice?

Generally you would manually configure the ports of the end nodes. First you would need to convert the VLAN to be static on that switch with the 'static-vlan' command, and then assign the port to this recently converted VLAN.

One security risk with GVRP is that unless you disable it on your edge ports, someone could come in and plug in another switch which is also GVRP enabled, and then put themselves into any VLAN they wish. Just something to keep in mind anyway when considering GVRP.
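As an added illustration of the edge-port hardening described in the reply above (constructed here, not configuration from the thread or from HP), a ProCurve CLI fragment showing the weak default beside the hardened form: GVRP stays enabled globally and on the trusted uplink, while the ports facing end stations ignore GVRP so a switch plugged into them cannot advertise itself into a VLAN. The switch prompt, port names and VLAN ID are assumed; the `gvrp`, `unknown-vlans` and `static-vlan` commands are taken from the ProCurve ProVision CLI as recalled from memory, so check them against your software release's manual.

```text
; Constructed example for a 5400-series switch; prompt, port names and VLAN 30 are assumed.

; Weak setting: GVRP enabled and every port left in the default "learn" mode.
; Any GVRP-capable switch plugged into an edge port can then join any advertised VLAN.
ProCurve(config)# gvrp

; Hardened: keep GVRP learning only on the uplink toward the core, and make the
; end-station ports ignore GVRP advertisements entirely.
ProCurve(config)# gvrp
ProCurve(config)# interface A1 unknown-vlans learn
ProCurve(config)# interface A2-A24 unknown-vlans disable

; Before placing an edge port in a GVRP-learned VLAN, convert that VLAN to static
; (as the reply says), then assign the port as usual.
ProCurve(config)# static-vlan 30
ProCurve(config)# vlan 30 untagged A5

; Confirm the per-port GVRP mode after the change.
ProCurve(config)# show gvrp
```

The `block` mode is the middle ground for ports that should forward GVRP advertisements without joining the VLANs themselves, for example a link to another switch you do not want to auto-provision.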
Magnus Tengmo
Advisor

Re: GVRP - Best Practice?

Thanks for the input, I will not use GVRP :)

/Magnus
Holger Hasenaug
Trusted Contributor

Re: GVRP - Best Practice?

I believe the manual is not specific enough regarding the following ACL statement:
"While GVRP is enabled on the switch, you cannot apply any ACLs to VLANs configured on the same switch." I tried it on a 5400 switch and I can still assign ACLs to statically configured VLANs. I believe they forgot to mention that it is for automatically learned VLANs only.

The full advantage of GVRP comes when using dynamically assigned VLANs with 802.1X or MAC authentication. Then you do not need to configure the VLANs on the ports.
Andrew_291
Frequent Advisor

Re: GVRP - Best Practice?

Holger, you are right - ACLs will not apply only to dynamically learned VLANs. But it works for static VLANs with GVRP enabled - I checked it on a 5308 and a 4104.