Solved

Connecting L2 Switches to Distribution L3 Switches

Posted on 2016-08-22
59 Views
Last Modified: 2016-08-24
I am trying to understand how you connect Access Switches (L2) to Distribution Switches (L3) and create redundancy.
As shown in the screenshot below, each Access Switch has 2 Trunks, one Trunk to a separate L3 Switch.
Well, if I am understanding, L2 will have VLANs configured and VLANs will be Trunked to L3 Switches.
The Distribution (L3) Switches can be connected to each other with 2 Links (though on the picture it shows one link), and for the 2 Links I am not sure if they can be configured as L2 or L3 Etherchannel bundle? Also probably the L3 switches can be configured with HSRP and one Virtual IP address.

Assuming my statement above is correct.

- how do you make all VLANs on L2 switches talk to each other? Are you going to configure SVIs on each L3 Switch? Then on L2 you configure the Default Gateway for each VLAN to be the SVI IP address created on L3 Switches?

OR
you will configure VLANs on L2 switches to have as the default gateway the unique HSRP Virtual IP?


- in this scenario, assuming L3 (Distribution switches) are connected to each other through L3 Etherchannel, will it be necessary to have STP running on Access Switches / Distribution Switches?

Thank you
Question by:jskfan
12 Comments
 
LVL 5

Expert Comment

by:foochar
ID: 41765238
First off, based on the provided diagram you're going to want STP, as otherwise you're going to end up with a switching loop.

To provide the maximum fault tolerance you're going to want to use HSRP, so that in the event that one of the distribution switches fails the other one can take over in a way that is transparent to the clients. Each distribution switch will need an SVI for each VLAN, and then the HSRP virtual IP will need to be set up as well for each VLAN. I normally prefer to use the first address of the subnet (x.y.z.1 for a /24) as the HSRP virtual IP, and then use .2 and .3 for the individual SVIs.
0
 

Author Comment

by:jskfan
ID: 41765282
I do not see how the Loop will go around, since the Distribution Switches are Layer 3
0
 

Author Comment

by:jskfan
ID: 41765630
Since there is only one Link to Distribution Switch from each Access Switch then I do not see how the Loop can occur, assuming that Distribution Switches are linked by L3 Etherchannel
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41765741
Foochar is right; if you are not using VSS between switches, you surely need STP between Access and Distribution switches.
Here is your loop:
(image: STP.JPG) L3 starts above the green line.
If you are using VSS with MEC then no loop can occur, although I read that STP even with MEC can be configured for the case of etherchannel misconfiguration.
- how do you make all VLANs on L2 switches talk to each other ?
Topology is on the picture below
are you going to configure SVIs on each L3 Switch ?
Yes.
then on L2 you configure Default Gateway for each VLAN to be the SVI ip address created on L3 Switches.?
Yes.
you will configure VLANs on L2 switches  to have as the default gateway the unique  HSRP Virtual IP. ?
Not OR, you should configure both, again - if you are not using VSS.
Actually your topology will look similar to this when STP does its job, if one switch is root bridge for all VLANs:
(image: STP) You can manipulate the Root Bridge for VLANs per switch to load balance traffic and achieve better link utilization. Example:
The switch that is marked as primary root bridge can be primary root bridge for VLANs 10, 20, 30 and secondary root bridge for VLANs 40, 50, 60; also, the switch that is marked as secondary root bridge can be primary root bridge for VLANs 40, 50, 60 and secondary root bridge for VLANs 10, 20, 30. And sure, HSRP should reflect that: the active HSRP interface should be on the root bridge for that VLAN.
0
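The SVI-plus-HSRP layout foochar describes (.1 virtual, .2 and .3 on the two distribution switches) and the per-VLAN root bridge split Predrag describes above, written out as a Cisco IOS configuration. This is an added example, not configuration from the thread; hostnames DSW1/DSW2, VLAN IDs 10-60, the 10.1.x.0/24 ranges, interface numbers and HSRP group numbers are all assumptions. Only VLANs 10 and 40 are shown in full; the remaining VLANs follow the same pattern.

```cisco
! ===== DSW1 (constructed example; names, VLANs and addresses are assumptions) =====
hostname DSW1
ip routing
!
spanning-tree mode rapid-pvst
! DSW1 is primary root for VLANs 10,20,30 and secondary root for VLANs 40,50,60.
! Lower priority wins; 4096 / 8192 are the values the "root primary/secondary"
! macros would pick on a small network.
spanning-tree vlan 10,20,30 priority 4096
spanning-tree vlan 40,50,60 priority 8192
!
vlan 10
 name USERS
vlan 40
 name PRINTERS
!
! One SVI per VLAN on each distribution switch. Hosts use the HSRP virtual IP
! (.1) as their default gateway; the per-switch addresses (.2 / .3) still exist,
! which is why the answer is "both", not "or".
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
!
! VLAN 40: DSW2 is root for this VLAN, so DSW2 must also be HSRP active.
! A lower priority here keeps DSW1 in standby for VLAN 40.
interface Vlan40
 ip address 10.1.40.2 255.255.255.0
 standby version 2
 standby 40 ip 10.1.40.1
 standby 40 priority 90
 standby 40 preempt
!
! Trunk down to an access switch carrying the user VLANs
interface TenGigabitEthernet1/1/1
 description to ASW1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60
!
! ===== DSW2 (mirror image: roots and HSRP priorities swapped) =====
hostname DSW2
ip routing
!
spanning-tree mode rapid-pvst
spanning-tree vlan 40,50,60 priority 4096
spanning-tree vlan 10,20,30 priority 8192
!
interface Vlan10
 ip address 10.1.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 90
 standby 10 preempt
!
interface Vlan40
 ip address 10.1.40.3 255.255.255.0
 standby version 2
 standby 40 ip 10.1.40.1
 standby 40 priority 110
 standby 40 preempt delay minimum 60
```

The point of aligning HSRP priority with the STP root is that a host in VLAN 10 on ASW1 forwards toward its root port, which leads to DSW1; if DSW2 were HSRP active for VLAN 10, every packet leaving the VLAN would cross the access switch's uplink to DSW1 and then the inter-switch link before being routed. `preempt delay minimum 60` keeps a rebooting switch from taking the active role back before its routing has converged. On older platforms (3560/3750) the trunk ports also need `switchport trunk encapsulation dot1q` before `switchport mode trunk`. To verify, use `show standby brief` and `show spanning-tree root` on both switches and confirm the active HSRP switch and the root bridge match for each VLAN.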
 

Author Comment

by:jskfan
ID: 41765902
So Cisco STP Toolkit will be implemented wherever it should go on the diagram ?

PortFast
UplinkFast
BackboneFast
Loop guard
Root guard
BPDU guard
Unidirectional Link Detection (UDLD)
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41766336
UplinkFast and BackboneFast have similar built-in mechanisms already implemented in RSTP, and if I remember properly you are already using RSTP, so ignore those two.
You know where to place portfast and BPDU guard: on ports to end hosts.
Loop guard and UDLD are similar, so typically you should use one of them, if you prefer, on links between switches. If BPDUs are not received on a port, the port transitions to err-disabled state (for UDLD this is only in aggressive mode).
Root guard can be configured on all access ports, but there is no need if you configure access ports with portfast and BPDU guard (ports will be disabled if a BPDU is received). The other placement of Root guard would be on designated ports; if a better BPDU comes, the link will become root-inconsistent until the switch that advertises the better BPDU is removed (so this should be done after the network is converged if you want to protect your topology with Root guard).
0
 

Author Comment

by:jskfan
ID: 41767307
Predrag Jovic

The same Guards you apply at the distribution Switches you will apply them at the Core Switches, or there is no need ?
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41767493
Properly configured links in the core (between distribution and core switches) must not be blocked by STP. The easiest way to reach this is to convert links to the core to L3 links. It is harder to do it with L2 links, but it can be done.
So, you should just properly configure links and not use any STP enhancements.

Also, properly configured routing between core and distribution switches should load balance traffic between core switches.
Basically you should have something like this:
(image: Topology for all locations) Also I added some IP address range examples; each location should have its own IP address range (so you can easily summarize the whole location into one IP address range).
0
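The routed core design Predrag outlines above, and the L3 EtherChannel between the distribution switches that the question asks about, as an added Cisco IOS example (not configuration from the thread). It assumes DSW1 with two routed uplinks to CORE1 and CORE2, a /30 per link out of 10.1.255.0/24, the whole location in 10.1.0.0/16, EIGRP AS 1 and the interface numbers shown; all of these are constructed values.

```cisco
! ===== DSW1: L3 EtherChannel to DSW2 plus routed uplinks to both core switches =====
! Constructed example; interface numbers, addresses and EIGRP AS number are assumptions.
hostname DSW1
ip routing
!
! L3 EtherChannel between the two distribution switches.
! "no switchport" on the bundle and on both members makes it a routed link:
! no VLAN is trunked across it, so STP never sees it and cannot block it.
interface Port-channel1
 description L3 EtherChannel to DSW2
 no switchport
 ip address 10.1.255.1 255.255.255.252
!
interface range TenGigabitEthernet1/1/3 - 4
 no switchport
 channel-group 1 mode active
!
! Routed point-to-point uplinks to the core. Same idea: no L2, so no STP blocking.
interface TenGigabitEthernet1/1/5
 description to CORE1
 no switchport
 ip address 10.1.255.5 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0
!
interface TenGigabitEthernet1/1/6
 description to CORE2
 no switchport
 ip address 10.1.255.9 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0
!
! Routing: neighbours only on the routed links, never on the user-VLAN SVIs.
! With equal metrics to CORE1 and CORE2, EIGRP installs both routes and
! load-balances across them (maximum-paths defaults to 4).
router eigrp 1
 eigrp router-id 10.1.255.1
 network 10.1.0.0 0.0.255.255
 passive-interface default
 no passive-interface Port-channel1
 no passive-interface TenGigabitEthernet1/1/5
 no passive-interface TenGigabitEthernet1/1/6
```

The `ip summary-address` lines on the two uplinks are what makes the per-location address plan pay off: the core learns one 10.1.0.0/16 route for this site instead of one route per VLAN, and a VLAN flapping inside the site never causes a routing update in the core. `show ip route` on CORE1 should show the single summary, and `show ip route 10.1.10.0` on DSW1 should list two next hops (one per core switch) for traffic heading out of the site. Whether L3 or L2 EtherChannel between the distribution switches is "right" depends on whether any VLAN must span both of them; the routed bundle above is the choice that lets every link stay forwarding.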
 

Author Comment

by:jskfan
ID: 41769205
I found this diagram below on Cisco website :
http://www.cisco.com/c/dam/en_us/solutions/industries/docs/gov/turniton_stpt.pdf

(image: stp)
however:

Root Guard: I do not think it is necessary if you hard code the Root Switch and the secondary Root Switch with lower priorities. (In our case both Distribution Switches)

LoopGuard: I am not sure if it goes on Forwarding ports between Distribution Switches as well as on Forwarding (Root Ports) and Blocking ports on Access switches ?
0
 
LVL 26

Accepted Solution

by:Predrag Jovic (earned 500 total points)
ID: 41769229
Root Guard: I do not think it is necessary if you hard code the Root Switch and the secondary Root Switch with lower priorities. (In our case both Distribution Switches)
It is not necessary to configure root guard. But have in mind that an attacker can have priority 0 and a lower MAC address than your root bridge, so in that case the attacker's device will become root bridge. But again, that can happen only if the attacker can access ports that are not configured with portfast and BPDU guard (since those ports will be err-disabled when a BPDU is received).
LoopGuard: I am not sure if it goes on Forwarding ports between Distribution Switches as well as on Forwarding (Root Ports) and Blocking ports on Access switches ?
That is a topology that has an L2 link between distribution switches. In that case Loop guard should be configured on any port between switches, including the link between the distribution switches.
0
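The STP toolkit placement from Predrag's two answers (PortFast and BPDU guard on host ports, Loop guard or UDLD on switch-to-switch links, Root guard on designated ports only after convergence), as an added Cisco IOS example rather than configuration from the thread. Hostnames ASW1/DSW1, port numbers and VLAN IDs are assumptions. The BPDU guard part is the control that answers the accepted solution's point: a device sending BPDUs with priority 0 and a low MAC address would win the root election against any configurable priority, so the defence is that such a BPDU on an edge port shuts the port instead.

```cisco
! ===== ASW1 (access switch); constructed example, port numbers are assumptions =====
hostname ASW1
spanning-tree mode rapid-pvst
!
! Edge ports: PortFast plus BPDU guard. Any BPDU received on one of these ports
! err-disables the port, so a rogue bridge on a host port never joins the tree,
! whatever priority or MAC address it advertises.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Loop guard on every non-edge port: a root or alternate port that stops hearing
! BPDUs goes loop-inconsistent instead of transitioning to forwarding.
spanning-tree loopguard default
!
! UDLD aggressive is the alternative for fibre uplinks; pick one of the two per link.
udld aggressive
!
! Let BPDU-guard-disabled ports recover on their own after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 44
 description end hosts
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks: one becomes root port, the other alternate (blocking). Both get loop guard.
interface range TenGigabitEthernet1/1/1 - 2
 description uplinks to DSW1 / DSW2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60
 spanning-tree guard loop
 udld port aggressive
!
! ===== DSW1 (distribution): Root guard on designated ports facing the access layer =====
! A superior BPDU arriving here puts the port root-inconsistent rather than moving
! the root. Configure it only after DSW1/DSW2 have converged as the intended roots,
! and not on a port that already carries loop guard (the two are mutually exclusive).
hostname DSW1
interface range TenGigabitEthernet1/1/1 - 2
 description to ASW1 / ASW2
 switchport mode trunk
 spanning-tree guard root
```

Two checks show whether these guards have fired: `show interfaces status err-disabled` lists ports shut by BPDU guard, and `show spanning-tree inconsistentports` lists ports held by root guard or loop guard together with the reason. On the distribution switches, the L2 link between them (if one exists, as in the Cisco diagram the question links to) is a switch-to-switch link and takes loop guard like the uplinks; if that link is routed instead, STP does not run over it and neither guard applies there.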
 

Author Closing Comment

by:jskfan
ID: 41769334
Thank you very much Predrag Jovic.
I'll try to take notes of this thread.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41769466
You are welcome.
0
