Switches, Hubs, and Modems

Re: Spanning Tree Query

 
SOLVED
Go to solution
Paul Hutchings
Super Advisor

Re: Spanning Tree Query

So taking this a potential step further...

These switches are in a triangular layout for a dedicated physically isolated iSCSI LAN.

Of course, it would be nice to be able to access the switches from the main LAN.

I could put the management interface on the iSCSI VLAN and access it via a firewall/router.

But, if I have a single management port on each switch that is on VLAN 1 (our primary LAN doesn't use specific VLANs yet), what are the implications of connecting each switch to the main network?

I'm in two minds whether it's worth the hassle vs. being able to manage the switches on the odd occasion that I may want to.
Jeff Carrell
Honored Contributor

Re: Spanning Tree Query

Being able to manage that iSCSI network would be a good thing imho...

Instead of connecting each of those 3 switches to the main net, I would:

1) simply connect a single link, and then block BPDUs on each side of that link, so the STP stays isolated.

2) create a separate VLAN on those 3 strictly for mgmt from the "production" network. The mgmt vlan could be "tagged" across the 3 switches interlinks, then the single port out be "untagged" to match the other end of the prod net.


If you connect each of those 3 or even 2 of the switches, you then deal with STP...that can be a hassle.

So, with a single link, if that switch of the 3 dies, you would know there is an "issue" since you are managing that special network, and that means you should go investigate what happened, even though the iSCSI net is still operating due to its resilient design you now have.

hope this makes sense :-)

Cheers...Jeff
Paul Hutchings
Super Advisor

Re: Spanning Tree Query

Creating a management VLAN tagged across those three switches makes sense, the BPDU thing I'm a little unclear on though?

Right now the MSTP config on the iSCSI switches is as simple as "it's on" and Switch A is root, Switch B is backup.

For managing the iSCSI network, my inclination right now is to hook one of the ports on the iSCSI VLAN on one of the switches to an L3 interface on our main firewall - that way the iSCSI kit has connectivity to our LAN for stuff like DNS/NTP, and we have connectivity to it.

Day to day I'm envisaging we'd use an admin VM that would have dual NICs (prod and iSCSI).

Right now that seems to make more sense and be simpler than introducing "ip routing" and ACLs on the ProCurve kit for very limited access.
Jeff Carrell
Honored Contributor

Re: Spanning Tree Query

If you were connecting the iSCSI network to the production network in a switch-to-switch configuration, you can enable some STP protection, so both networks would be isolated from each other's STP config. Look at these features in the Advanced Security Guide set of manuals:

These features protect your switch from malicious attacks or configuration errors:
• BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofed BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
• STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.


If instead you connect through the f/w, that isolates at L3 and STP won't traverse, so you are safe there.

hth...Jeff
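Putting Jeff's two replies above (the single uplink with a tagged management VLAN, and the STP protection features) into one concrete switch configuration, as an added example that is not from the thread, from HP, or from either poster. It is ProCurve CLI for the one iSCSI switch that carries the management uplink. Everything specific is assumed for illustration: VLAN 100 as the management VLAN, ports 1-2 as the two inter-switch links of the triangle, port 24 as the uplink to the production LAN, the 192.168.100.0/24 management subnet and the 10.0.0.0/24 admin subnet.

```procurve
; Added example (hypothetical values), not configuration from the thread.
; Switch role: one of the three iSCSI switches, the only one uplinked to prod.
hostname "iscsi-sw-a"

; Management VLAN: tagged on the two triangle interlinks so the other two
; switches are reachable, untagged on the uplink so the production side
; (which is still flat, untagged VLAN 1) sees ordinary frames.
vlan 100
   name "iSCSI-MGMT"
   tagged 1-2
   untagged 24
   ip address 192.168.100.2 255.255.255.0
   exit

; Keep the two MSTP domains apart on the uplink.
; bpdu-protection: if any BPDU arrives on port 24 the port is disabled, so a
; mistake on the production side shows up as a down port instead of the two
; spanning trees silently merging. The timeout re-enables the port later so a
; transient event does not need a manual clear.
spanning-tree 24 bpdu-protection
spanning-tree bpdu-protection-timeout 300
spanning-tree trap errant-bpdu

; Alternatives Jeff mentioned, shown here disabled (pick one per port):
;   spanning-tree 24 bpdu-filter   ; drops BPDUs in AND out; port stays up even
;                                  ; if someone cables a second link, so a loop
;                                  ; would go unnoticed by STP on both sides
;   spanning-tree 24 root-guard    ; port stays up but is blocked if a superior
;                                  ; BPDU arrives, protecting Switch A as root

; The uplink exposes the management plane to everyone on the flat prod VLAN 1,
; so restrict who may log in, and use SSH rather than telnet.
ip authorized-managers 10.0.0.0 255.255.255.0 access manager
ip ssh
no telnet-server
```

The production-side port of that uplink needs the matching treatment on its own switch: untagged in the same VLAN the admin hosts sit in, and BPDU protection or filtering of its own, since protection on one end only stops BPDUs flowing in one direction. If the uplink is instead terminated on the firewall's L3 interface, as Paul proposes, the spanning-tree lines are unnecessary because no BPDUs cross a routed hop; the `ip authorized-managers` restriction is still worth keeping.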