
Spanning Tree Query

SOLVED
Paul Hutchings
Super Advisor


Let's say I have two VLANs each using a dedicated IP subnet laid out as per the attached image.

I have a piece of kit in Site C whose job is to monitor that kit in Site A or Site B is up, and to act as a "tie-breaker" vote when either of Site A or Site B is unavailable (think quorum in a cluster).

I'm using a single subnet so Site C won't reach Site A or Site B through L3 routing.

Am I right in thinking that if I have STP/RSTP/MSTP enabled on all three switches that:

1) Traffic between Site A and Site B will always use the 10gbps link if it's up.

2) Traffic between Site C and Site A and B will use the direct 1gbps connection to each site (single hop).

3) If the 10gbps link is down, traffic from Site A to Site B, or Site B to Site A, will go via Site C

4) If either of the 1gbps links are down traffic from Site C to Site A or Site B will take 2 hops over the remaining 1gbps link + the 10gbps link

Or am I dead wrong?
13 REPLIES
Olaf Borowski
Respected Contributor
Solution

Re: Spanning Tree Query

Paul, you are correct. Just make sure that the switch in site C is not the root. Either A is root and B is backup, or B is root and A is backup. You can "tune" the switches via the priority. If you make C the root, the 10G link will be blocked. If A is your root bridge and B is the backup, switch C's link to B will be blocked. That means you will communicate with a node behind B via A (so C->A->B).
Hope this helps,

Olaf
Richard Brodie_1
Honored Contributor

Re: Spanning Tree Query

You can't have 1) and 2) with spanning tree. It's always going to block one of the links.

Pieter 't Hart
Honored Contributor

Re: Spanning Tree Query

Like Olaf and Richard said,
2) with a single VLAN/subnet won't go as you describe.
STP is not "shortest path"; it will select one port in the loop to be "blocked" for all traffic.
This blocked port will only open when another link fails.

1) with A being STP root, STP will block C-B
and traffic from C to B will go C-A-B
2) with B being STP root, STP will block C-A
and traffic from C to A will go C-B-A

3) when C is STP root then the 10G link will not be used, but only the direct links C-A and C-B.

4) when using MST and different VLANs you can create one MST instance (vlan-x/root=B) that has C-A blocked and another MST instance (vlan-y/root=A) that has C-B blocked.
Paul Hutchings
Super Advisor

Re: Spanning Tree Query

Thanks all.

My mistake on the wording.

I don't mind how C goes to A or to B when all the links are up.

So long as if a link between A and B is down (but one or both of A and B are up), C will use the routes that are still up to reach one or both sites.
Paul Hutchings
Super Advisor

Re: Spanning Tree Query

OK so all three switches linked.

A and B are linked by 10gbps fibre.
A and C are linked by 1gbps copper (testing).
B and C are linked by 1gbps copper (testing).

MSTP is enabled, I've used:

spanning-tree priority 0 on A
spanning-tree priority 8 on B

So I have the attached forwarding/blocking status when I do "show spanning-tree".

It's a very hasty sketch but does it look as you would expect?

Thanks very much.
Richard Brodie_1
Honored Contributor

Re: Spanning Tree Query

The diagram is a little misleading, because traffic from B will be discarded at C.

Otherwise, yes, fine.
Pieter 't Hart
Honored Contributor

Re: Spanning Tree Query

Yes it is as expected.

As the port on switch C that connects to B is blocking, no (user) data will flow on the C-B link.
Data will go C-A-B or B-A-C.

If either link A-C or A-B goes down, then C-B will be opened until the failing link is fixed.
Jeff Carrell
Honored Contributor

Re: Spanning Tree Query

Paul said: "spanning-tree priority 8 on B"

fyi, this is the default setting when spanning tree is enabled.

So if another switch comes online with a lower MAC addr, it could take over the root status (backup, etc) of switch B.

I would suggest you set B to something a little lower just to make sure this would never occur.

hth...Jeff
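As an added illustration (not from any poster in this thread), the following Python model computes the RSTP root election and port roles for Paul's triangle using the IEEE 802.1D-2004 default path costs. Switch names and priorities are taken from the thread; the MAC addresses are constructed so that C's is lower than B's. It shows where the blocked port lands for each root choice (Olaf's and Pieter's point), that C-B starts forwarding when the 10G link fails, and that with B left at the default priority 8 a lower MAC, not B, wins the backup-root tie-break (Jeff's point).

```python
import heapq

PATH_COST_BY_GBPS = {1: 20_000, 10: 2_000}  # IEEE 802.1D-2004 default port path costs

def bridge_id(priority_step, mac):
    # ProCurve "spanning-tree priority N" means N * 4096; lowest (priority, MAC) is root.
    return (priority_step * 4096, mac)

def spanning_tree(bridges, links):
    """bridges: {name: bridge_id}; links: {frozenset({a, b}): gbps}, assumed connected.
    Returns (root, root path cost per bridge, (bridge, neighbour) ends left discarding)."""
    adj = {n: [] for n in bridges}
    for ends, gbps in links.items():
        a, b = tuple(ends)
        adj[a].append((b, PATH_COST_BY_GBPS[gbps]))
        adj[b].append((a, PATH_COST_BY_GBPS[gbps]))
    root = min(bridges, key=bridges.get)
    # Dijkstra from the root; cost ties are broken by the upstream (designated) bridge ID,
    # mirroring the RSTP priority-vector comparison.
    best, parent = {root: (0, bridges[root])}, {root: None}
    heap = [(0, bridges[root], root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        for v, link_cost in adj[u]:
            cand = (cost + link_cost, bridges[u])
            if v not in best or cand < best[v]:
                best[v], parent[v] = cand, u
                heapq.heappush(heap, (cand[0], bridges[v], v))
    rpc = {n: best[n][0] for n in bridges}
    blocked = set()
    for ends in links:
        a, b = tuple(ends)
        if parent[a] != b and parent[b] != a:  # not a root port: a redundant link
            # The end with the lower (root path cost, bridge ID) is designated; the
            # other end becomes an alternate port and discards user traffic.
            designated = min((a, b), key=lambda n: (rpc[n], bridges[n]))
            blocked.add((b if designated == a else a, designated))
    return root, rpc, blocked

def triangle(a_prio=0, b_prio=8, c_prio=8, ab_up=True, a_up=True):
    """Paul's layout: A-B 10G fibre, A-C and B-C 1G copper. Constructed MACs give C
    a lower MAC than B, which is the tie-break situation Jeff warns about."""
    bridges = {"A": bridge_id(a_prio, 0x1), "B": bridge_id(b_prio, 0x3),
               "C": bridge_id(c_prio, 0x2)}
    links = {frozenset("AB"): 10, frozenset("AC"): 1, frozenset("BC"): 1}
    if not ab_up:
        del links[frozenset("AB")]
    if not a_up:  # switch A has died: which of B and C takes over as root?
        del bridges["A"]
        links = {e: g for e, g in links.items() if "A" not in e}
    return spanning_tree(bridges, links)
```

`triangle()` reproduces Paul's config (root A, C's port towards B discarding), `triangle(a_prio=8, c_prio=0)` makes C root and blocks the 10G link, `triangle(ab_up=False)` shows C-B forwarding after the 10G link fails, and `triangle(a_up=False)` versus `triangle(b_prio=4, a_up=False)` shows why Jeff suggests lowering B's priority.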
Paul Hutchings
Super Advisor

Re: Spanning Tree Query

Thanks Jeff. Things seem to work nicely. I can pull power, pull links, and barring a second or so and (at most) a lost ping things are back and routing over the remaining links, just a little slower.

Amazing how a third switch/triangle makes you sleep much easier :)
Paul Hutchings
Super Advisor

Re: Spanning Tree Query

So taking this a potential step further...

These switches are in a triangular layout for a dedicated physically isolated iSCSI LAN.

Of course, it would be nice to be able to access the switches from the main LAN.

I could put the management interface on the iSCSI VLAN and access it via a firewall/router.

But, if I have a single management port on each switch that is on VLAN1 (our primary LAN doesn't use specific VLANs yet), what are the implications of connecting each switch to the main network?

I'm in two minds whether it's worth the hassle vs. being able to manage the switches on the odd occasion that I may want to.
Jeff Carrell
Honored Contributor

Re: Spanning Tree Query

Being able to manage that iSCSI network would be a good thing imho...

Instead of connecting each of those 3 switches to the main net, I would:

1) simply connect a single connection, and then block BPDUs on each side of that link, so the STP stays isolated.

2) create a separate VLAN on those 3 strictly for mgmt from the "production" network. The mgmt VLAN could be "tagged" across the 3 switches' interlinks, then the single port out be "untagged" to match the other end of the prod net.

If you connect each of those 3 or even 2 of the switches, you then deal with STP...that can be a hassle.

So, with a single link, if that switch of the 3 dies, you would know there is an "issue" since you are managing that special network, and that means you should go investigate what happened, even though the iSCSI net is still operating due to its resilient design you now have.

hope this makes sense :-)

Cheers...Jeff
Paul Hutchings
Super Advisor

Re: Spanning Tree Query

Creating a management VLAN tagged across those three switches makes sense, the BPDU thing I'm a little unclear on though?

Right now the MSTP config on the iSCSI switches is as simple as "it's on" and Switch A is root, Switch B is backup.

For managing the iSCSI network, my inclination right now is to hook one of the ports on the iSCSI VLAN on one of the switches to an L3 interface on our main firewall - that way the iSCSI kit has connectivity to our LAN for stuff like DNS/NTP, and we have connectivity to it.

Day to day I'm envisaging we'd use an admin VM that would have dual NICs (prod and iSCSI).

Right now that seems to make more sense and be simpler than introducing "ip routing" and ACLs on the ProCurve kit for very limited access.
Jeff Carrell
Honored Contributor

Re: Spanning Tree Query

If you were connecting the iSCSI network to the production network in a switch-to-switch configuration, you can enable some STP protection, so both networks would be isolated from each other's STP config. Look at these features in the Advanced Security Guide set of manuals:

These features prevent your switch from malicious attacks or configuration errors:
• BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
• STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.

If instead you connect through the f/w, that isolates at L3 and STP won't traverse, so you are safe there.

hth...Jeff