Layer 2 Loop-Free Design

Hello Community,

I'm trying to wrap my head around layer 2 loop free design, where the distribution switches have a Layer 3 link between them. I found lot of writings where it's says, if you use this design, you can not have vlans span your access switch blocks. I'd like to understand why that is, because I have tried to lab this scenario up where the below is true

Distribution 1 connects to Distribution 2 via L3 link (11.11.11.0/24 network)
Both Distribution switches have VLAN 10 and 20
Distribution 1 has spanning tree vlan 10,  20 priority 0
Distribution 2 has spanning tree vlan 10,20 prioity 4096
Distribution 1 is HSRP Active

Access Switch 1 and Acccess Switch 2
both have VLAN 10, 20
Both have a trunk link to Distribution 1 and Distribution 2
Both have a south bound interface to a hosts in vlan 10 and 20

Connectivity is not an issue, so this is the main reason why I don't understand the comment that you "must" use local vlans if the link betwen distirbution is L3. I'm not trying to argue the design, I just want to understand the "why".

CC

Comments

  • Hi cestelle,

    this is a good question indeed.

    i would say this:

    D1 is the root bridge for vlan 10,20.

    By doing this all of your traffic will flow from access switches towards the distribution switch D1 before to reach the respective destinations, right?

    Now i don't see this as a particular issue if you have two switches connected but try to add a couple of switches to both D1 and D2.

    The final result is that, since D2 has no direct link to the root bridge it will elect as root port one of the port towards any of its access switch.

    Which port ? Well, it depends...STP calculations will occur.

    What this will imply?

    Of course a suboptimal path for the traffic, since all the traffic going to D2, will be directed to one of the access switch rather than to the root bridge!

    I would strongly discourage this design because simply the network cannot scale well.

    Additionally distribution traffic will traverses access switches which are devices not designed for this purpose, they represent only the door of your network and they should not be in charge of handle distribution traffic. They may have not enough resources to manage it.

     

    The only scenario where i could see this appliable in order to make possible span multiple vlans across L2 devices is to encapsulate L2 traffic into a pseudowire. However this is still not desirable choice for distribution switches. I would rather see this solution to connect remote bridged vlans across a provider network.

    Does it makes sense?

  • Indeed the traffic will transit through the access.

    Also if you daisy chain multiple access switches between the distribution switches and one of the links between those access switches will fail traffic will get blackholed for 50% chance. Because both distribution down links will forward the traffic, but there is a disconnect in the layer 2 path. 

     

     

  • Very helpful response. I understand now. I guess my new question is, if you want to span vlans in local site, you need to have L2 link between dist switches. 


    What happens if you now are out of capacity on your Dist switches, and need to add another dist switch? Is that okay, or should you only have 2 dist switches, and if you need more, then don't put the same vlans on those new switches. Make it completely new switch block with new vlans?

     

    thank you also Marten

  • It is quite normal that your L2 distribution network increases as the access layer increases so, as a general rule, it's not problem to extend L2 distribution layer by adding other dist. switches. The reason why normally a pair of dist switches are chosen is mainly for redundancy purposes. Nowadays in almost every network single point of failure is basically avoided, so redundant switches and VSS-vpc tecnologies are widely used to address this need. But of course if you want to add only another switch you can do it. However keep in mind that a too big L2 network has its own set of problems too when start to scale seriously. So you could setup for example two distinct distribution blocks and use L3 to interconnect the two domains between them. Anyway all these choices should be meditated deeply in function of your scenario.

  • This is my 2 cents, I'd say it depends on budget mostly. If you have 2 distribution switches serving, let's just say like 46 access switches
    in the building and you still need more capacity. Then to keep the
    design simple I'd probaby end up havesting the initial distribution
    switches back into stock & replacing them with a stackable
    distribution switch like a the 3650 or 3850's. That way you can keep
    your network scaling as well as simplify the layer 2 switch path (i.e.
    load share the VLANs between the two distribution switches, but keep one
    distribution switch primary for half the vlans and backup for the other
    vlans & vice versa). Alternatively I'd just use two high density
    switches such as two 6509s, where I could just add more line cards if I
    need more access switches & keep a high bandwidth backplane.

    The point is that if you start adding more than 2 lots of distribution switches for that particular building, it starts to be a more unclear on the layer 2 path being chosen. Let's say you expanded the network to start using 5 distribution switches, and then tried to load share the VLANs between 5 distro switches, and then incorporate redundancy between those 5 switches so that 1/5 of the VLANs failed over to switch1, and then 1/5 failed over to switch 2 etc. It just becomes unclear. More on this: how do you do predictive maintenance on one of the 5 distro switches now? It becomes more unclear how/what services will be affected since it's more unclear where the layer 2 path spans through.

    I found the document: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns431/c649/ccmigration_09186a008093b876.pdf

    It talks about these points in terms of having 3 links of redundancy making the failover/maintenance being unclear instead though.

  • thanks for the reply. It makes sense. In my mind, I was trying to consider wireless with all this. If you have wireless access points all over your building, I would think you would need to use 1 vlan for all of them, that way as people walk around, they don't lose their connection

Sign In or Register to comment.