Switches, Hubs, and Modems
12-19-2010 08:35 AM
Re: Spanning Tree Query
So taking this a potential step further...
These switches are in a triangular layout for a dedicated physically isolated iSCSI LAN.
Of course, it would be nice to be able to access the switches from the main LAN.
I could put the management interface on the iSCSI VLAN and access it via a firewall/router.
But, if I have a single management port on each switch that is on VLAN1 (our primary LAN doesn't use specific VLANs yet), what are the implications of connecting each switch to the main network?
I'm in two minds whether it's worth the hassle vs. being able to manage the switches on the odd occasion that I may want to.
12-19-2010 09:34 AM
Re: Spanning Tree Query
Being able to manage that iSCSI network would be a good thing imho...
Instead of connecting each of those 3 switches to the main net, I would:
1) simply connect a single connection, and then block BPDUs on each side of that link, so the STP stays isolated.
2) create a separate VLAN on those 3 strictly for mgmt from the "production" network. The mgmt VLAN could be "tagged" across the 3 switches' interlinks, then the single port out would be "untagged" to match the other end of the prod net.
If you connect each of those 3 or even 2 of the switches, you then deal with STP...that can be a hassle.
So, with a single link, if that switch of the 3 dies, you would know there is an "issue" since you are managing that special network, and that means you should go investigate what happened, even though the iSCSI net is still operating due to its resilient design you now have.
hope this makes sense :-)
Cheers...Jeff
12-19-2010 10:33 AM
Re: Spanning Tree Query
Creating a management VLAN tagged across those three switches makes sense, the BPDU thing I'm a little unclear on though?
Right now the MSTP config on the iSCSI switches is as simple as "it's on" and Switch A is root, Switch B is backup.
For managing the iSCSI network, my inclination right now is to hook one of the ports on the iSCSI VLAN on one of the switches to an L3 interface on our main firewall - that way the iSCSI kit has connectivity to our LAN for stuff like DNS/NTP, and we have connectivity to it.
Day to day I'm envisaging we'd use an admin VM that would have dual NICs (prod and iSCSI).
Right now that seems to make more sense and be simpler than introducing "ip routing" and ACLs on the ProCurve kit for very limited access.
12-20-2010 02:48 AM
Re: Spanning Tree Query
If you were connecting the iSCSI network to the production in switch-to-switch configuration, you can enable some STP protection, so both networks would be isolated from each other's STP config. Look at these features in the Advanced Security Guide set of manuals:
These features prevent your switch from malicious attacks or configuration errors:
- BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
- STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.
If instead you connect thru the f/w, that isolates at L3 and STP won't traverse, so you are safe there.
hth...Jeff
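
Added example (not part of the original posts or of HPE's documentation): a simplified Python model of how a port reacts to a received BPDU under each of the three features named in the post above. The guard strings mirror the feature names; the bridge IDs, MAC addresses and BPDUs are constructed, and "superior" is reduced to comparing root bridge IDs only.

```python
import struct

DROP, DISABLE, BLOCK, PROCESS = "drop-bpdu", "disable-port", "block-port", "process-bpdu"

def parse_bpdu(payload: bytes) -> dict:
    """Parse an 802.1D BPDU (the bytes that follow the LLC header)."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU header")
    proto, _version, bpdu_type = struct.unpack_from("!HBB", payload, 0)
    if proto != 0:
        raise ValueError("not a spanning-tree BPDU")
    if bpdu_type == 0x80:                 # topology change notification: header only
        return {"type": "tcn"}
    if len(payload) < 35:
        raise ValueError("truncated configuration BPDU")
    _flags, r_prio, r_mac, cost, b_prio, b_mac = struct.unpack_from("!BH6sIH6s", payload, 4)
    return {"type": "config", "root": (r_prio, r_mac), "cost": cost, "sender": (b_prio, b_mac)}

def port_action(payload: bytes, guard, current_root) -> str:
    """Decide what a port does with a received BPDU under the given guard."""
    bpdu = parse_bpdu(payload)
    if guard == "bpdu-filter":            # BPDUs are discarded, the port keeps forwarding
        return DROP
    if guard == "bpdu-protection":        # any BPDU at all takes the port down
        return DISABLE
    if guard == "root-guard" and bpdu["type"] == "config" and bpdu["root"] < current_root:
        return BLOCK                      # lower bridge ID means a better root claim
    return PROCESS

def make_config_bpdu(root, sender, cost=0) -> bytes:
    """Build a constructed 35-byte configuration BPDU for the demo below."""
    return struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, 0, 0, root[0], root[1], cost,
                       sender[0], sender[1], 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)

# Constructed bridge IDs: (priority, MAC). Switch A is the iSCSI root, as in the thread.
ISCSI_ROOT = (4096, bytes.fromhex("020000000a01"))
PROD_BETTER = (0, bytes.fromhex("020000000b01"))      # production switch claiming root
PROD_WORSE = (32768, bytes.fromhex("020000000b02"))   # production switch, default priority

if __name__ == "__main__":
    for name, bridge in (("better", PROD_BETTER), ("worse", PROD_WORSE)):
        frame = make_config_bpdu(bridge, bridge)
        for guard in ("bpdu-filter", "bpdu-protection", "root-guard", None):
            print(f"{name:6} root claim, {guard}: {port_action(frame, guard, ISCSI_ROOT)}")
```

Filtering keeps the two STP domains separate, but it also means spanning tree cannot detect a loop through that port, which is why it fits the single-link design suggested earlier in the thread.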