OSPF using Layer3 Switch to connect antoher Layer3 switch in the same segment

whistleblower
Building a reputation

Hi guys,

 

Since you can't use routed (no switchport) interfaces with the MS switches, but only SVIs, I'd be interested in your opinion on the attached setup!

OSPF-Design.JPG

 

What do you think of using the MS switch's Layer 3 function and, at the same time, connecting the 2nd MS switch physically in the same VLAN? I'd like to achieve ECMP routing, which should be possible with that - correct?!

7 Replies
KarstenI
Kind of a big deal

I would try to add a second link from the firewall to the right switch. But apart from that, it should work, at least if the firewall is capable of doing ECMP. That device has to support it; the switches both send similar LSAs.

Here is some more info on the OSPF implementation on the MS:

https://documentation.meraki.com/MS/Layer_3_Switching/MS_OSPF_Overview

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
whistleblower
Building a reputation

Hi @KarstenI … not sure if you led a course on Cisco FTD that I joined online last year?! 🙂

 

Maybe you can also give me some advice about disabling STP on the ports that will connect the two MS switches, so that only a routed connection exists and allows a separation of the Layer 2 VLAN domains?

KarstenI
Kind of a big deal


@whistleblower wrote:

Hi @KarstenI … not sure if you led a course on Cisco FTD that I joined online last year?! 🙂

If it was a Cisco SSNGFW or SSFIPS delivered by one of the major German CLPs, then yes, it could be that I was your instructor ... 😉

 

Maybe you can also give me some advice about disabling STP on the ports that will connect the two MS switches, so that only a routed connection exists and allows a separation of the Layer 2 VLAN domains?


There will be no separation. With "only" RSTP running and no "per VLAN" STP, the main trunk has to transport the whole traffic, or you will run into STP problems.

whistleblower
Building a reputation


@KarstenI wrote:

 

There will be no separation. With "only" RSTP running and no "per VLAN" STP, the main trunk has to transport the whole traffic, or you will run into STP problems.

Regarding this, I have to add another sketch; I'm concerned here with the respective yellow markings! The goal I'd like to achieve is a separation of the VLAN database on Site A and Site B, so that the same VLAN IDs can be used on each of the sites without affecting each other!

 

OSPF-Design-ext.JPG

KarstenI
Kind of a big deal

With the yellow interfaces as access ports in a dedicated transfer VLAN and routing over the link, I would disable STP there to break the STP topology.

whistleblower
Building a reputation

OK, when disabling RSTP on the ports, would it make sense to use BPDU Guard and/or port security to get some rough Layer 2 security and avoid potential issues?

KarstenI
Kind of a big deal

These could be added as additional security layers. But IMO BPDU Guard will not kick in while RSTP is disabled. And if the connecting switch ports are properly locked down, I would not go for port security. It makes things more complex and increases troubleshooting time when something needs to be changed.

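An offline audit of the two link ports in the transfer-VLAN design discussed in this thread, as an added example that is not part of the original posts. The port records are constructed test data; their keys (type, vlan, rstpEnabled, stpGuard, accessPolicyType) are modelled on Meraki dashboard switch-port attributes, which is an assumption of this example.

```python
# Added example, not from the thread: check that both ends of the routed transfer
# link are access ports in the dedicated transfer VLAN with RSTP disabled, and
# flag settings that give no benefit or add complexity in that position.
# Port dict keys are modelled on Meraki dashboard switch-port attributes (assumption).

TRANSFER_VLAN = 999  # constructed value for the dedicated transfer VLAN


def audit_transfer_port(port):
    """Return a list of findings for one port that should carry only the routed link."""
    findings = []
    if port["type"] != "access" or port["vlan"] != TRANSFER_VLAN:
        findings.append("port is not an access port in the transfer VLAN")
    if port["rstpEnabled"]:
        findings.append("RSTP enabled: STP topology still spans both sites")
    elif port["stpGuard"] == "bpdu guard":
        # A port with RSTP disabled does not process BPDUs, so BPDU guard
        # configured on it never triggers.
        findings.append("BPDU guard set but RSTP disabled: guard will not act")
    if port["accessPolicyType"] != "Open":
        findings.append("port security on a switch-to-switch link adds complexity")
    return findings


def audit_link(port_a, port_b):
    """Audit both ends of the link and flag a transfer-VLAN mismatch between them."""
    report = {
        port_a["name"]: audit_transfer_port(port_a),
        port_b["name"]: audit_transfer_port(port_b),
    }
    if port_a["vlan"] != port_b["vlan"]:
        report["link"] = ["transfer VLAN differs between the two ends"]
    return report


# Constructed sample: site A is configured as intended, site B still has RSTP
# enabled and relies on BPDU guard.
SITE_A_PORT = {"name": "MS-A/24", "type": "access", "vlan": TRANSFER_VLAN,
               "rstpEnabled": False, "stpGuard": "disabled", "accessPolicyType": "Open"}
SITE_B_PORT = {"name": "MS-B/24", "type": "access", "vlan": TRANSFER_VLAN,
               "rstpEnabled": True, "stpGuard": "bpdu guard", "accessPolicyType": "Open"}

if __name__ == "__main__":
    for name, findings in audit_link(SITE_A_PORT, SITE_B_PORT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```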