Re: [Skunkworks] [EANOG] STP convergence & MST

Well all my VTP stories end in tears. Most STP stories tend to end there too. Sigh... oh well, if it works it works, right? :-)

Sent from my iPad

On 27 Feb 2012, at 12:46, jim ndegwa <ndegwajim@yahoo.com> wrote:
My experience with VTP on a large govt deployment was excellent (lots of access switches and two 6509 Core). Proper documentation does help of course. Challenge is that we techies dislike write-ups after project completion.
From: Mark Tinka <mtinka@globaltransit.net>
To: eanog@lists.my.co.ke
Cc: John Gitau <jgitau@gmail.com>; jim ndegwa <ndegwajim@yahoo.com>; Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Sent: Monday, February 27, 2012 11:34 AM
Subject: Re: [EANOG] [Skunkworks] STP convergence & MST
On Monday, February 27, 2012 03:51:15 PM John Gitau wrote:
- Disable VTP. Prune manually. 60 is not a large number. Just for comparison, for one segment of our network we have well over 7000 VLANs and yes, STP/VTP are disabled. We planned it that way.
Sage advice.
VTP is evil.
- Even if you choose to go L3 end to end, I wouldn't advocate for a total STP shutdown, as has been advised, unless you are very sure no one can attach a random switch or other BPDU-generating device. You can start planning the transition though.
If STP is mainly used core-facing, I'd suggest disabling it there, for those who are running an IP/MPLS Access and Aggregation network.
Of course, continuing to have STP and/or BPDU filtering on customer-facing ports is highly advised.
We block edge ports that receive BPDUs, and we've been happy. Pain of one customer is better than pain of many :-).
Mark.

Hi Mburu,

Looks like you have plenty to go with, but I may add a thing or two which you may already know.

- STP is not necessarily evil if the network is well designed and managed. I concur with Gitau on the 'balancing' act on HSRP, but if your 6513 supervisor engines have VSS then forget the HSRP.
- 60 VLANs are not many, and you will most likely never revisit when you complete the project. For the hardware you are running you will not feel 1 microsecond at the user end. Use the STP commands like bpduguard, root guard, portfast at the appropriate locations, but true, VTP can end up in tears, and not from users but network admins themselves.
- Aki advises to segment the network. Please do this in the beginning rather than later, using L3 or L2/L3 devices. The 6513 can help do this for you based on the modules you have [is there a datacentre LAN involved?]
- I'm not sure what business the said corporate is in, but how you design and implement will determine how easily you will implement other solutions, general security features/policies/solutions and QoS, like DHCP Snooping and ARP inspection, to comply with some international standards like PCI-DSS.
- For good input into your process, requirements/architectures would help if you will not be breaching any confidentiality. Otherwise feel free to contact us off the list.

Cheers,
Stan Ngure

On Mon, Feb 27, 2012 at 1:50 PM, John Gitau <jgitau@gmail.com> wrote:
--
Kind Regards,
Stan Ngure
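The thread's advice (PortFast and BPDU Guard on edge ports, Root Guard on downstream trunks, VTP kept out of server/client mode, and blocking edge ports that receive BPDUs) is easy to state and easy to miss on one port out of hundreds. The script below is an added example, not code from any poster on this list: it parses a constructed Cisco IOS-style running-config and reports ports that lack the hardening discussed above. The sample config, the interface names and the ROOT_FACING set (the operator's list of uplinks toward the root bridge, which legitimately carry no Root Guard) are all assumptions for the illustration.

```python
"""Audit a Cisco IOS-style running-config for the STP/VTP hardening
recommended in the thread: PortFast + BPDU Guard on access (edge) ports,
Root Guard on downstream trunks, and VTP not left in server/client mode.

Added example; the config below is constructed, not from a real device.
"""
import re

# Constructed sample running-config (assumption, not a real device).
SAMPLE_CONFIG = """\
vtp mode server
vtp domain CORP
!
interface GigabitEthernet1/0/1
 description user access
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description printer
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description downstream access-switch uplink
 switchport mode trunk
 spanning-tree guard root
!
interface GigabitEthernet1/0/4
 description spare trunk
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 description core uplink (towards root bridge)
 switchport mode trunk
 spanning-tree portfast trunk
!
"""

# Assumption: the operator supplies the trunks that face the root bridge;
# Root Guard would wrongly block the real root on those.
ROOT_FACING = {"TenGigabitEthernet1/1/1"}


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per 'interface' block."""
    blocks = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the block
    return blocks


def parse_vtp_mode(config):
    """VTP mode from the global config; IOS defaults to server when unset."""
    m = re.search(r"^vtp mode (\S+)", config, re.MULTILINE)
    return m.group(1) if m else "server"


def audit(config, root_facing=ROOT_FACING):
    """Return a list of (scope, finding) tuples; empty list means clean."""
    findings = []
    vtp_mode = parse_vtp_mode(config)
    if vtp_mode in ("server", "client"):
        findings.append(("global", f"vtp mode {vtp_mode}: a switch joining the domain with a "
                         "higher revision can overwrite the VLAN database; "
                         "use 'vtp mode transparent' (or 'vtp mode off')"))
    for name, lines in parse_interfaces(config).items():
        present = set(lines)
        if "switchport mode access" in present:
            if "spanning-tree portfast" not in present:
                findings.append((name, "access port without 'spanning-tree portfast'"))
            if "spanning-tree bpduguard enable" not in present:
                findings.append((name, "access port without 'spanning-tree bpduguard enable': "
                                 "a switch plugged in here can disturb the tree"))
        elif "switchport mode trunk" in present:
            if "spanning-tree portfast trunk" in present:
                findings.append((name, "'spanning-tree portfast trunk' skips listening/learning; "
                                 "confirm this trunk faces a host, not another switch"))
            if name not in root_facing and "spanning-tree guard root" not in present:
                findings.append((name, "downstream trunk without 'spanning-tree guard root'"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against the sample, the audit flags the VTP server mode, the printer port missing both PortFast and BPDU Guard, the spare trunk without Root Guard, and the `portfast trunk` on the core uplink; the two correctly configured ports produce nothing. Feeding it `show running-config` output from real switches lets you check Stan's "at the appropriate locations" across a whole estate rather than port by port.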