Comware

 View Only
last person joined: 23 hours ago 

Expand all | Collapse all

Connect customers over layer 2

This thread has been viewed 44 times
  • 1.  Connect customers over layer 2

    Posted Mar 08, 2022 09:11 AM
    Hi!
    We have a datacenter with it's own little STP sphere and we want to keep it that way. How can and should we protect it from customer human errors, if we bring them in over dark fiber, each customer on their own VLAN? We don't want their STP to mess up ours, and we don't want to mess up theirs either :) 
    Our receiving switch is a 5920AF 24XG.


  • 2.  RE: Connect customers over layer 2

    EMPLOYEE
    Posted Mar 08, 2022 09:30 AM
    Hello hookproto,

    There are few approaches. If you can connect using layer 3 ports.
    If you have to use L2 connections you may exclude the ports which you do not need to mess from STP and use the BPDU guard feature.
    Hope this helps!

    PS: There are different BPDU guards and filters you may use also and it depends on the STP protocol version you use and your clients are using but the one I mentioned earlier is very common.
    ------------------------------
    -Alex-
    ------------------------------



  • 3.  RE: Connect customers over layer 2

    Posted Mar 08, 2022 10:54 AM
    Currently running RSTP. Will bpdu-protection protect against loops, root-takeover and all other strange things that might happen at remote customer? What about the actual switch they connect to our end? As I understands it ,bpdu-protection will shutdown that port.





  • 4.  RE: Connect customers over layer 2

    EMPLOYEE
    Posted Mar 08, 2022 02:45 PM
    Hello hookproto,

    You may also check the following option in 5920 as the port could be shut down by the guard.

    Command:
    bpdu-drop any

    Use bpdu-drop any to enable BPDU drop on a port.
    Use undo bpdu-drop any to disable BPDU drop on a port.

    Syntax
    bpdu-drop any
    undo bpdu-drop any

    Default
    BPDU drop is disabled on a port.

    Views
    Layer 2 Ethernet interface view

    Predefined user roles
    network-admin

    Examples
    # Enable BPDU drop on port Ten-GigabitEthernet 1/0/1.
    <Sysname> system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] bpdu-drop any

    Hope this helps!

    ------------------------------
    -Alex-
    ------------------------------



  • 5.  RE: Connect customers over layer 2

    Posted Mar 09, 2022 05:32 AM
    Thanks Alex, I really appreciate your help

    So if I understand this BPDU drop correctly; as long as I just connect their network with well over 100 switches to our network with around 20 switches, with just one cable (or even a BAGG), we will be totally isolated in terms of STP?


    Would it be better to put our STP in it's own MSTP domain?



  • 6.  RE: Connect customers over layer 2

    EMPLOYEE
    Posted Mar 09, 2022 06:07 AM
    Hello hookproto,

    It is always complicated when merging two L2 domains. There are a lot of variables. Test should be done as these are big networks which you mentioned. There are the aformentioned priniciples as edge ports and guards or drops or ACLs which should be considered on both sides.
    But without testing and all the details I would say that L3 connection is better for such connetions. L2 connection between the domains is kept when there is specific need for it. There are technologies for using L2 overlay and L3 underlay like VPNs, VXLANs.
    But in any case before connecting using L2 for such networks tests should be performed even with the options and the guards and filters available.
    You may even use L2 port and L3 port on the different sides of the link.
    In regards to MSTP it is still STP protocol and the same should be set up for it.

    Hope this helps!

    ------------------------------
    -Alex-
    ------------------------------