Switches, Hubs, and Modems

MSTP question again, vlan best practice

Hi!

I will set up a redundant core network with two 5406s and a mix of 2626 and 2810-48G/2900-24 switches. We will use VRRP and MSTP with about 30 VLANs (DMZ VLANs, server VLANs and edge VLANs).

What is the best practice for how to define VLANs?
All VLANs need to be added to all switches to get MSTP to work, but I don't want to have DMZ VLANs trunked to all edge switches.
Should I only define all VLANs on all switches, but not tag trunk ports for specific VLANs?
Is GVRP a good solution for VLAN registration?

/Magnus

13 REPLIES
cenk sasmaztin
Honored Contributor

Re: MSTP question again, vlan best practice

hi Magnus
Very good configuration, two core 5400s for redundancy.

You create server VLANs and define user groups.
I say define user groups because you create access control lists on the user VLANs and you make the basic security feature (ACLs) on the 5400 switch; therefore think about the users' state and create the VLANs accordingly.


You say trunk port; this is the Cisco term for a port carrying VLAN information, but in ProCurve "trunk" means the link aggregation protocol, and ProCurve calls a port carrying VLAN information a tagged port.

On the two 5400 core switches you create all VLANs, and
on the link between the two 5400s you tag all VLANs,
for redundancy, because if one 5400 goes down the other 5400 keeps the network live (and VRRP configured for a redundant default gateway for the whole network). Edge switches, where possible, carry only the VLANs belonging to them, with the two 5400 uplink ports tagged for those VLANs.

GVRP, the dynamic VLAN registration protocol; very good, because once you successfully complete this function you can use VLAN-aware NICs.

good luck...

cenk

Case Van Horsen
Frequent Advisor

Re: MSTP question again, vlan best practice

Magnus,

I've always statically defined on a switch all the VLANs that might use that switch as part of a redundant path. And, of course, those VLANs need to be tagged on the links between the switches.

If your DMZ vlans would never need to transit an edge, I would not create them on the edge switches.

But how does this reconcile with the requirement that all VLANs be defined on all switches in a single MST region?

I looked at the MST digest (show spanning-tree mst-config) on the 5406 switches in my lab. All switches in a single region must have the same digest. Switches could have different VLANs defined on them but would generate the same digest as long as the mapping of VLANs to instances was consistent. I could create a new VLAN on only one switch and the digest would not change as long as that VLAN was not assigned to another instance.

So I think the precise statement is that all VLANs that are assigned to the non-default instance must be consistently defined on all switches. If a VLAN will not be defined on all switches, it must reside in the default instance.

Note: this is based on testing and some (possibly) incorrect logic.

casevh
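The observation above, that two switches can define different VLANs yet advertise the same MST digest as long as their VLAN-to-instance mapping agrees, can be checked directly, because the configuration digest is defined by IEEE 802.1s/802.1Q-2005 as an HMAC-MD5 (with a published, fixed key) over the 4096-entry table that maps each VLAN ID to an MSTI. The following Python script is an added example written for this thread; it is not code from the original post or from HP. Its VLAN IDs and instance assignments are constructed sample values, and it treats any VLAN not explicitly assigned to a non-default instance as belonging to the CIST (instance 0), which is exactly why merely creating a VLAN leaves the digest unchanged.

```python
import hashlib
import hmac

# Key fixed by IEEE 802.1Q-2005 clause 13.7 for the MST configuration digest.
# It is a published protocol constant, not a secret.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_instance):
    """Return the hex MST configuration digest for a VLAN-to-MSTI mapping.

    vlan_to_instance maps VLAN ID -> MSTI number. Any VLAN ID in 0..4095 that
    is absent from the mapping is in the CIST (instance 0). The digest is
    HMAC-MD5 over 4096 two-octet, big-endian MSTID values indexed by VLAN ID.
    """
    table = bytearray()
    for vid in range(4096):
        table += vlan_to_instance.get(vid, 0).to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


def instance_mapping(defined_vlans, non_default_instances):
    """Build the mapping a switch would advertise.

    defined_vlans: VLAN IDs created on the switch (constructed sample).
    non_default_instances: {instance number: set of VLAN IDs assigned to it}.
    A VLAN that is created but never assigned to an instance stays in the
    CIST, so it does not appear in the returned mapping at all.
    """
    mapping = {}
    for inst, vids in non_default_instances.items():
        for vid in vids:
            if vid not in defined_vlans:
                raise ValueError(f"VLAN {vid} assigned to instance {inst} but not defined")
            mapping[vid] = inst
    return mapping


def region_digests(switch_configs):
    """Return {switch name: digest} for {name: (defined_vlans, instances)}."""
    return {
        name: mst_config_digest(instance_mapping(defined, instances))
        for name, (defined, instances) in switch_configs.items()
    }


def same_region(switch_configs):
    """True if every switch computes the same digest (one consistent region)."""
    return len(set(region_digests(switch_configs).values())) == 1


# Constructed sample: EDGE instance 1 carries VLANs 10 and 20 everywhere;
# VLANs 30 and 100 exist only on the cores and stay in the default instance.
EDGE = {1: {10, 20}}
CONSISTENT = {
    "core1": ({10, 20, 30, 100}, EDGE),
    "core2": ({10, 20, 30, 100}, EDGE),
    "edge1": ({10, 20}, EDGE),          # fewer VLANs defined, same mapping
}
# Same switches, but edge2 also puts VLAN 30 into instance 1: digest differs.
INCONSISTENT = dict(CONSISTENT, edge2=({10, 20, 30}, {1: {10, 20, 30}}))

if __name__ == "__main__":
    for name, digest in region_digests(INCONSISTENT).items():
        print(f"{name:6} {digest}")
    print("consistent region:", same_region(CONSISTENT))
    print("with edge2 added: ", same_region(INCONSISTENT))
```

With an empty mapping the function returns the well-known default digest that switches display when every VLAN is in the CIST, which is a quick sanity check that the table layout is right. The practical use is to compute the expected digest from a planned VLAN-to-instance table before rollout and compare it against `show spanning-tree mst-config` on each switch, so a switch that silently forms its own region is caught before a failover test rather than during one.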

Re: MSTP question again, vlan best practice

Thanks for input.
I think I have 3 solutions to set this up:

a) one mst region with all vlans and using gvrp to get all vlans to all switches

b) one mst region, and not using gvrp, simple setup, manually add all vlans on all switches.

c) using two mst regions one for datacenter and one for edge switches, no gvrp. More complex setup.


Is GVRP together with MSTP a good solution?
Any disadvantage?
Is it possible to connect switches with no GVRP and no MSTP region to this setup? (When I don't have redundant links.)


Best Regards, Magnus
Case Van Horsen
Frequent Advisor

Re: MSTP question again, vlan best practice

Magnus,

I would go with option b but only create the VLANs where they are needed. MSTP should be fine even if you don't create all VLANs on all switches.

I think MSTP only requires that the VLANs assigned to a non-default instance are uniformly defined. If all the VLANs are in the default instance, MSTP behaves just like RSTP. If you create a second instance for a subset of VLANs, those VLANs and that instance should be defined on all switches. This is the behavior I see between 5406 switches.

If you don't need to load balance traffic across the redundant uplinks, you could force all the switches to RSTP.

casevh
Matt Hobbs
Honored Contributor

Re: MSTP question again, vlan best practice

You really should tag all VLANs on all uplinks to ensure that your traffic always has a valid path through your spanning-tree topology.

If you do not tag all VLANs and have redundant paths, it is possible that you can unintentionally isolate VLANs during a failure of a link or switch.

This is one of the key things that is taught in the ProCurve BPRAN course - http://www.hp.com/rnd/training/technical/BPRAN.htm

Re: MSTP question again, vlan best practice

I'm still not sure how to build my network.
I don't want to have all VLANs assigned to all trunk ports.
Should I build two different spanning-tree regions, one for the datacenter and one for the edge switches? Or is it possible to have two or more instances in the same region?
Some VLANs should be trunked on both datacenter and edge switches.
I have tried to get in contact with an HP preferred partner, but that is not the easiest now; everyone has too much to do.

/Magnus
Case Van Horsen
Frequent Advisor

Re: MSTP question again, vlan best practice

Magnus,

You need to guarantee that all VLANs always have a complete path through any possible set of active links. The easiest (and best) way is to configure all VLANs on all switches and tag them on all uplinks. But if you don't want to configure all VLANs on all switches, this is what I would do.

I'm assuming you want to load balance traffic over the uplinks to the edge switches. (If you don't, you could force RSTP as the spanning tree protocol. MSTP gives you the load balancing.)

0) All VLANs are created manually.

1) Create all VLANs on the two 5406 switches. Create a redundant link between those two switches. For example, a trunk using at least two interfaces from two different cards. Tag all VLANs on this link.

2) Create a separate instance for the VLANs that will be present on ALL switches. Let's refer to this as the EDGE instance. All other VLANs will be part of the DEFAULT instance.

3) For 5406#1, set the spanning tree priority on the DEFAULT instance to 0 and the EDGE instance to 1. For 5406#2, set the spanning tree priority on the DEFAULT instance to 1 and EDGE instance to 0.

4) Configure VRRP so that the active IP address is on the switch that is the active root for that particular VLAN.

5) Verify that the two 5406 switches can still communicate even if a link or a card fails.

6) Configure the data center switches with all VLANs and all VLANs tagged on the uplink. Set the spanning tree priority to 2 for both EDGE and DEFAULT.

7) Test.

8) Configure the end-user edge switches with only the edge VLANs. Assign them to the EDGE instance. Let the priority stay the default.

9) Test again.

This should work. As long as the VLANs that DON'T go everywhere are left in the default instance, MSTP should be stable.

Having the redundant link directly between the two 5406 switches should ensure that all VLANs can flow between those switches. Specifying a priority of 2 on the data center switches (that have all the VLANs) will provide an alternate path even if the redundant link between the two 5406 switches were to fail.

Comments/Risks:

1) Someone plugging in a rogue or mis-configured switch.

2) If an end-user edge switch becomes the root of the topology, it will fail.

3) If the 5406 switches ever think a path through an end-user switch is best.

4) All uplinks should have consistent costs/speeds.

Disclaimer: Although I'm describing what I do, pay special attention to the testing.

casevh
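The risk named by Matt Hobbs above (a VLAN that is not tagged on every uplink can be isolated when a link or switch fails) and the design casevh describes in this post (a redundant core link plus a data centre switch carrying all VLANs as an alternate path) both come down to one property: for every VLAN, the switches that define it must stay connected over links tagged for it after any single failure. The Python script below is an added example written for this thread, not code from the original post or from HP; it models a constructed four-switch topology in the shape casevh describes (two 5406 cores, one data centre switch, one edge switch) with constructed VLAN IDs, and exhaustively removes each link and each switch in turn. It goes beyond the single case in the post in that it checks every VLAN against every single-element failure, not just the core-to-core link.

```python
EDGE_VLANS = frozenset({10, 20})        # one VLAN per floor (EDGE instance)
DC_VLANS = frozenset({100, 110, 120})   # DMZ and server VLANs (DEFAULT instance)
ALL_VLANS = EDGE_VLANS | DC_VLANS


def build_topology(dc_switch_has_all_vlans):
    """Constructed sample topology, not a real site.

    switches: name -> VLAN IDs defined on that switch
    links:    (a, b) -> VLAN IDs tagged on the link between a and b
    With dc_switch_has_all_vlans=True, dc1 defines and carries every VLAN and
    so gives the two cores an alternate path for the DMZ/server VLANs. With
    False, dc1 carries only edge VLANs and the sole path for DC VLANs is the
    direct core1-core2 link.
    """
    dc_vlans = ALL_VLANS if dc_switch_has_all_vlans else EDGE_VLANS
    switches = {
        "core1": set(ALL_VLANS),
        "core2": set(ALL_VLANS),
        "dc1": set(dc_vlans),
        "edge1": set(EDGE_VLANS),
    }
    links = {
        ("core1", "core2"): set(ALL_VLANS),   # bonded core link, all VLANs tagged
        ("core1", "dc1"): set(dc_vlans),
        ("core2", "dc1"): set(dc_vlans),
        ("core1", "edge1"): set(EDGE_VLANS),  # DMZ/server VLANs not tagged to the edge
        ("core2", "edge1"): set(EDGE_VLANS),
    }
    return switches, links


def vlan_connected(vlan, switches, links, failed=frozenset()):
    """True if every surviving switch that defines `vlan` can reach every
    other such switch over surviving links tagged for `vlan`.

    `failed` may contain link tuples and/or switch names.
    """
    members = {s for s, vids in switches.items() if vlan in vids and s not in failed}
    if len(members) <= 1:
        return True
    adj = {s: set() for s in members}
    for (a, b), vids in links.items():
        if (a, b) in failed or a in failed or b in failed or vlan not in vids:
            continue
        if a in members and b in members:
            adj[a].add(b)
            adj[b].add(a)
    start = next(iter(members))          # depth-first search from any member
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen == members


def single_failure_gaps(switches, links):
    """List (failed element, VLAN) pairs where one link or switch failure
    leaves that VLAN partitioned. Empty list means the design survives any
    single failure for every VLAN."""
    vlans = sorted(set().union(*switches.values()))
    gaps = []
    for failure in list(links) + list(switches):
        for vlan in vlans:
            if not vlan_connected(vlan, switches, links, frozenset({failure})):
                gaps.append((failure, vlan))
    return gaps


if __name__ == "__main__":
    for label, flag in (("dc1 carries all VLANs", True), ("dc1 edge-only", False)):
        gaps = single_failure_gaps(*build_topology(flag))
        print(f"{label}: {'OK' if not gaps else gaps}")
```

Run as-is, the variant with a data centre switch carrying all VLANs reports no gaps, while the variant without it reports that losing the core1-core2 link partitions VLANs 100, 110 and 120, which is the failure mode the post's step 6 (priority 2 on the all-VLAN data centre switches) is meant to cover. Feeding the script a real VLAN/tagging inventory instead of the constructed one turns it into a pre-change check for the "unintentionally isolate VLANs" risk.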

Re: MSTP question again, vlan best practice

Hi again :)

I have read this guide, and in this guide they don't tag all VLANs on all trunk ports, only those VLANs needed per edge switch. Is that wrong? It seems easy to set up, but will it work well?

http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf

Best Regards, Magnus
Case Van Horsen
Frequent Advisor

Re: MSTP question again, vlan best practice

Hi Magnus,

You do not need to create each VLAN on each switch. But there are some requirements you must follow:

1) If you are using multiple instances (other than the default), you must use consistent VLAN-to-instance assignments everywhere. Technically, you only need to create the VLANs and associate them with their instance. You could skip the tagging but MSTP assumes that all VLANs are tagged on all links. The challenge is making sure that MSTP doesn't choose a path that all VLANs can't traverse.

2) You must guarantee that every VLAN can reach both 5406 switches regardless of a failure. A 2-way or 4-way bonded link using ports from 2 different cards is probably sufficient. Or a preferred path through another switch that can pass all VLANs. Or both, if you are really paranoid. ;-)

How many distinct groupings of VLANs do you plan to use?

Do you have a diagram of the proposed network?

casevh

Re: MSTP question again, vlan best practice

I want to have two "groups" of VLANs: VLANs belonging to the datacenter (all servers) and VLANs for edge switches for workstations. In the datacenter we have DMZs and different server networks as VLANs; for workstations, we have one VLAN per floor.

But will it be a problem if I only tag trunk ports connected to edge switches (workstations) with the workstation VLANs, and all switches in the DC with all VLANs belonging to them?

But I still need to add all VLANs to all switches to have spanning tree OK. It's not possible to add VLANs to instances if they don't exist on the switch (2810, 2626; it works only with the 5406).

/Magnus

Re: MSTP question again, vlan best practice

Sorry for the last message, too messy.

I want to have two "groups" of VLANs.
Group 1 (DCs) = DMZs, server networks, education networks, ~20 VLANs
Group 2 (Workstations) = one VLAN per floor, in the future dynamic VLANs with 802.1X, ~10 VLANs

If I setup this with one region and two instances, (odd vlans in instance 1, and even vlans in instance 2),
and tag all trunk ports to "group 1" switches with all group 1 vlans, and tag "group 2" switches with group 2 vlans.
Will I be pretty safe with this design?

Or would it work to use two regions in core, and use one region for group 1 switches, and one region for group 2 switches? And still have odd/even vlans / instance / region?

Best Regards, Magnus

Re: MSTP question again, vlan best practice

I have read the manual again; now I understand that it's not possible to have multiple regions on one switch.

/Magnus
Case Van Horsen
Frequent Advisor

Re: MSTP question again, vlan best practice

Hi Magnus,

Based on your description, I would define all the VLANs on all switches so you can create your instances as you'd like.

You can skip tagging the DMZ & server VLANs on the links to the edge switches as long as the link between the two 5406 switches never fails or one of the data center switches that has all VLANs is the preferred alternate path between the two 5406 switches.

casevh