
nanog mailing list archives

vlan translation and stp
From: Srg <srgqwerty () gmail com>
Date: Thu, 14 Jan 2010 23:14:45 +0100

Hello:

We are going to have the following (simplified) scenario:

- vlans 101,102 are going to have servers.
- vlan 101 uses 10.101.101.0/24 addressing and vlan 102 uses
10.102.102.0/24 addressing.
- vlans 101 and 102 don't have level 3.
- vlans 201,202 are going to have the level3 interfaces corresponding to
vlans 101 and 102 respectively, so vlan201 will have the "interface vlan
201" defined as 10.101.101.1/24 and vlan202 will have the "interface
vlan 202" defined as 10.102.102.1/24

At this point, if we do not do anything more, servers from vlan101 or
vlan102 will not be able to reach their default gateway because the
default gateway is in another vlan.

OK, then we get two devices (IPS1 & IPS2), each of them having two
interfaces.
IPS1,interface 1 is connected to switch1 port 1/1.
IPS1,interface 2 is connected to switch2 port 2/1.
IPS2,interface 1 is connected to switch1 port 1/2.
IPS2,interface 2 is connected to switch2 port 2/2.

switch1,port 1/1 is a trunk with allowed vlans 101,102.
switch1,port 1/2 is a trunk with allowed vlans 101,102.
switch2,port 2/1 is a trunk with allowed vlans 201,202.
switch2,port 2/2 is a trunk with allowed vlans 201,202.

IPS1 will have the following config:
Traffic entering interface 1 must be forwarded to interface 2 with the
following vlan translations:
original_vlan 101 is translated_to_vlan 201
original_vlan 102 is translated_to_vlan 202
Traffic entering interface 2 must be forwarded to interface 1 with the
following vlan translations:
original_vlan 201 is translated_to_vlan 101
original_vlan 202 is translated_to_vlan 102

Exactly the same config for IPS2.

My question is whether this is a valid configuration from the spanning-tree
point of view. I ask this because we translate the vlan tags and we are
thinking that this can affect the correct operation of stp.
In other words... with this config, will we have a loop, or will stp
operate OK and put one port (1/1, 1/2, 2/1 or 2/2) as blocking?

Keep in mind that doing an etherchannel between 1/1 and 2/1 and another
etherchannel between 2/1 and 2/2 is not an option in this case (remember
the explanation is a "simplified scenario" :-) the real one is a lot
bigger and it is not possible for us to make the etherchannels).

Thanks a lot and best regards


