Layer2 switch questions. Shop talk, looking for good advice

Posted on 2009-02-13
Last Modified: 2012-05-06
2008 AD native
250 users
One domain One site

We have a mishmash of switches all chained together to accommodate 250 users and 25 servers.

We have an hp pro curve, users on old 10/100 switches, and we are integrating several layer2 power connect switches. They run spanning tree and I was wondering how capable these switches are.

If I VLAN out, I would need a router to route traffic. Is this correct? Example: switch1 has a VLAN of 172.x.x.x, would switch 4 know about this VLAN? I am told this will not work, but wanted to be sure. Heck, if the switches can talk to each other, why can't they let other switches know?

Question2: If I run 2 uplink cables between switches, without using LAG aggregation, will the switches pass traffic on both uplinks? This is the way we have it now, but I suspect one link is being used, and spanning tree is blocking the other line via spanning tree. The concept I guess is like a server, you can only have one ethernet in each subnet (unless you nic team). I would hope it sees both routes, and uses them. But it was told to me this would cause a routing loop, and spanning tree would block the extra line to prevent this.

We have initially planned to link each 10/100 user switch to the procurve AND have them link to each user switch. But as it is told to me, this will fail, cause loops and cause ports to be blocked.

The solution would be a layer3 switch. The difference in price is $450 for L2 and $1500 for L3. I want to be sure before I spend the $$$$
Question by:pkwillis

    Accepted Solution

    pkwillis -

    not a lot of experience with ProCurves but the underlying layer 2 and 3 concepts you are going to need to use are the same.

    VLANs and trunking are pretty straightforward.  VLANs are used to segregate larger networks into smaller, more manageable networks.  More directly, they help by reducing the size of broadcast domains, reducing collisions on the wire.  A broadcast domain, also known as a collision domain is a logical area on a network wherein all devices are able to identify and send traffic directly to a peer (layer 2) without the need for transferring across a network boundary (layer 3 or routing).  It's a little more in depth than this but it will serve for the purpose.  The entire goal of your vlan is to reduce the size of your broadcast domain, usually to increase performance, stabilize communications or to logically bound/segregate traffic for management/security reasons.

    Trunking allows you to stack multiple switches with vlan traffic passing between each, however, it does not allow individual vlans to communicate amongst each other - for this you will need a router to connect each.

    Here's how it goes.  On your switches you will configure each of the ports to belong to a vlan.  As traffic is initiated on any of these ports, each frame is tagged with a vlan tag.  These tags identify traffic's originating/assigned vlan as it traverses the switch.  The devices that are connected to the ports configured to the same vlan will be tagged as residing on the same vlan and thus able to talk to each other.  Any devices connected to ports configured on differing vlans will be tagged as being on differing vlans and not be able to talk to each other.

    Trunks carry vlan tagged traffic between two switches.  Same scenario as above but the traffic originates on one switch and needs to carry to a second to complete its transmission.  Trunking allows for this to happen.

    Your second question is directed more toward packet storming caused by bridging loops.  Bridging loops occur when one or more switches are interconnected in a way that allows broadcast traffic to originate, multiply and continue ad infinitum, ultimately bringing the network down.  Yes, if you connect two switches to each other with two or more cables and they are not 1.) virtually combined through some type of port aggregation or 2.) Spanning Tree Protocol (STP) is not utilized/enforced, you will create a bridging loop.

    Port aggregation allows for the link to be configured in a way where multiple ports on either side appear as one or as a hot-standby set.  STP is used to dynamically manage potential loop sources, placing those sources into a standby, inactive/listening or shutdown state.  If you want to use both of the lines for your uplink/trunk, you will need to configure them as aggregates with the appropriate technology (Cisco uses EtherChannel).

    My suggestion on your two proposed solutions.  First, definitely identify and interconnect your switches through a core switch.  Second, don't take up time trying to interconnect your access switches to each other.  One, it defeats the purpose of building a core switch and two, doing so will create a bridge loop that either will bring your network down or, STP will shunt, leaving you with only one active path anyway - the second would be a waste.  Incidentally, STP will elect a root bridge logically, be sure to "fix" the election so that your core always gets this role, otherwise, you may end up with it acting as little more than a bottle-neck that looks really well designed.

    Second, if you implement multiple vlans and want them to be able to talk to each other at all, you can either implement a layer 3 switch or a router (assuming it will support router-on-a-stick with your procurves).

    Hope I covered it all for you.
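
The root election and link blocking described in the answer above, as an added example that is not part of the original post. It uses a simplified spanning tree with equal link costs; the switch names, MAC addresses and the 4096 priority are constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # 802.1D default bridge priority

@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    @property
    def bridge_id(self):
        # Priority first, then MAC as tie-breaker; the lowest value wins.
        return (self.priority, int(self.mac.replace(":", ""), 16))

def elect_root(bridges):
    return min(bridges, key=lambda b: b.bridge_id)

def blocked_links(bridges, links):
    """Simplified STP (equal link costs): a breadth-first walk from the root
    keeps one loop-free path per switch; all other links are blocked."""
    root = elect_root(bridges).name
    reached, frontier, forwarding = {root}, [root], set()
    while frontier:
        nxt = []
        for sw in frontier:
            for i, (a, b) in enumerate(links):
                peer = b if a == sw else a if b == sw else None
                if peer is not None and peer not in reached:
                    reached.add(peer)
                    forwarding.add(i)
                    nxt.append(peer)
        frontier = nxt
    return [links[i] for i in range(len(links)) if i not in forwarding]

# Constructed topology: a core, two access switches, a doubled uplink
# without LAG, and one access-to-access cross link.
DEFAULTS = [Bridge("core", "02:00:00:00:0a:10"),
            Bridge("access1", "02:00:00:00:00:01"),    # lowest MAC
            Bridge("access2", "02:00:00:00:0b:20")]
PINNED = [Bridge("core", "02:00:00:00:0a:10", priority=4096)] + DEFAULTS[1:]
LINKS = [("core", "access1"), ("core", "access1"),     # two parallel uplinks
         ("core", "access2"), ("access1", "access2")]  # cross link

if __name__ == "__main__":
    for label, bridges in (("defaults", DEFAULTS), ("core pinned", PINNED)):
        print(label, "-> root:", elect_root(bridges).name,
              "| blocked:", blocked_links(bridges, LINKS))
```

With every switch at the default priority, access1 wins on its MAC address and the core's own link to access2 ends up blocked; with the core's priority lowered, only the redundant uplink and the cross link are blocked.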


    Assisted Solution

    Besides what Atlas has written, I would suggest that before you start adding switches, be it HP, Cisco or D-LINK or whatever, you make a security policy/network requirements for your network. It doesn't have to be a grand plan, it could be just a few simple things like whether or not you want to make sure no one can attach a switch to the network without you knowing about it or no one can set up a DHCP server on the network without your knowledge.

    Cisco has some really nice features to combat these problems on their Catalyst series. I am not sure that HP ProCurve has similar features.

    Also I think the best approach would be to use a Layer 3 switch as core switch to route between your vlans and use layer2 switches as access switches and then let a router/firewall connect to your layer3 switch to provide internet access.

    If interested you can read about the features here and you should probably look at the 2969 series as layer 2 and 3560 series as layer3.
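
Both answers say that a trunk carries VLANs between switches while separate VLANs stay isolated without a layer 3 device. The following added example (not from either poster) builds the 802.1Q tag and shows which access ports on a second switch receive a frame; the switch objects, port names and VLAN IDs are constructed, and native-VLAN (untagged trunk) handling is left out.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vid  # 3-bit priority, DEI bit left 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vid, untagged frame); vid is None if no tag is present."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

class Switch:
    def __init__(self, access_ports, trunk_allowed):
        self.access_ports = access_ports    # port name -> VLAN ID
        self.trunk_allowed = trunk_allowed  # VLAN IDs carried on the uplink

    def to_trunk(self, in_port, frame):
        """Frame arrives untagged on an access port, leaves tagged on the trunk."""
        vid = self.access_ports[in_port]
        return tag_frame(frame, vid) if vid in self.trunk_allowed else None

    def from_trunk(self, tagged):
        """Deliver a trunk frame only to access ports in the tagged VLAN."""
        if tagged is None:
            return {}
        vid, frame = untag_frame(tagged)
        if vid not in self.trunk_allowed:  # also drops untagged frames
            return {}
        return {p: frame for p, v in self.access_ports.items() if v == vid}

# Constructed sample: a 60-byte broadcast frame and two switches.
BROADCAST = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 46
sw1 = Switch({"p1": 10, "p2": 20}, trunk_allowed={10, 20})
sw4 = Switch({"p1": 10, "p2": 20, "p3": 10}, trunk_allowed={10})

def receivers(src, in_port, dst):
    """Access ports on dst that see a broadcast entering src on in_port."""
    return sorted(dst.from_trunk(src.to_trunk(in_port, BROADCAST)))
```

A VLAN 10 broadcast from sw1 reaches only the VLAN 10 ports on sw4, and a VLAN 20 broadcast reaches nothing there because sw4's trunk does not carry VLAN 20, even though sw4 has a port in that VLAN.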

