I have an interesting problem. I have a client with an MX480 switch. Their firewalls and servers are plugged into the same switch. They want to implement an IDS that is only in line with the servers. They had the same setup under Cisco and it worked fine.
Two VLANs are created, VLAN 101 and 102. The L3 interface resides on VLAN 101. The outside of both IPS units plugs into VLAN 101, and the inside interfaces on the IPS plug into VLAN 102. The servers sit in VLAN 102 and have a default gateway of the L3 interface on VLAN 101. With one IPS unit connected, everything works, but I’m having spanning tree problems when I plug in the second IPS.
I’ve tried MSTP, both creating a single instance with both 101 and 102 in it, and creating separate instances with VLAN 101 in the first one and VLAN 102 in the second. One end of each link goes into FWD mode, and the other end goes to BLK. So no traffic can pass.
I also tried VSTP. I turned it on for both VLANs. All ports go into FWD mode and cause a loop.
After reading some documentation, it appears that BPDUs may be hashed with the VLAN ID. If this is the case, this will not work, will it?
What are my alternatives?
Would this scenario work:
1. Create VLAN 101 on the switch with an L3 interface
2. Create a virtual switch with VLAN 101 that the servers reside on (so the BPDUs are hashed with the same VLAN)
3. Put the servers on VLAN 101 in the virtual switch
4. Connect the IPSs between ports on the main VLAN 101 and ports on the virtual switch instance
What’s the best way to configure MSTP? Should I have separate instances for each VLAN? Does it make sense to have one instance for odd VLANs and one for even VLANs for L2 load distribution to switches that are dual connected up to the MX480?
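As an added illustration that is not part of the post, here is a constructed Python model of the three STP arrangements described: MSTP with both VLANs in one instance, VSTP with one instance per VLAN, and the virtual-switch idea. The STP rules, bridge IDs and port numbers are simplifying assumptions; the last case shows that, under plain STP, two parallel paths between the main switch and a virtual switch leave one of the IPS links blocked.

```python
from collections import defaultdict
# Constructed, simplified STP model of the post's topology: the MX480 is bridge
# "sw", each IPS is a transparent wire between two switch ports, the virtual-
# switch idea adds bridge "vs"; a port is (bridge, port_no, vlan). Assumed rules:
# lowest bridge id is root; a BPDU landing in a port of another STP instance is
# ignored (both ends stay FWD); on a self-loop the higher port number blocks;
# a non-root bridge keeps one root port per instance, the rest block.

def stp_states(bridges, links, instances):
    inst = {v: n for n, vlans in instances.items() for v in vlans}
    state = {p: "FWD" for a, b in links for p in (a, b)}
    same = [(a, b) for a, b in links if inst[a[2]] == inst[b[2]]]
    for a, b in same:
        if a[0] == b[0]:                                  # self-loop on one bridge
            state[max(a, b, key=lambda p: p[1])] = "BLK"  # backup port blocks
    for br in bridges:                                    # root-port election
        uplinks = defaultdict(list)
        for a, b in same:
            for me, peer in ((a, b), (b, a)):
                if me[0] == br and bridges[peer[0]] < bridges[br]:
                    uplinks[inst[me[2]]].append((bridges[peer[0]], peer[1], me[1], me))
        for cands in uplinks.values():
            for *_, port in sorted(cands)[1:]:            # all but the best: alternate
                state[port] = "BLK"
    return state

def analyse(bridges, links, instances, gateway_dom, server_dom):
    state = stp_states(bridges, links, instances)
    g = defaultdict(list)                                 # broadcast domains (bridge, vlan)
    for a, b in links:
        if state[a] == state[b] == "FWD":
            g[(a[0], a[2])].append((b[0], b[2])); g[(b[0], b[2])].append((a[0], a[2]))
    seen, stack, edges = {gateway_dom}, [gateway_dom], 0
    while stack:                                          # walk the gateway's component
        n = stack.pop(); edges += len(g[n])
        for m in g[n]:
            if m not in seen: seen.add(m); stack.append(m)
    return state, edges // 2 >= len(seen), server_dom in seen   # (states, loop?, reachable?)

SW = {"sw": 4096}
P = {n: ("sw", n, 101 if n % 2 else 102) for n in (1, 2, 3, 4)}   # odd ports in VLAN 101
IPS = [(P[1], P[2]), (P[3], P[4])]                                # IPS-1, IPS-2 as wires
SCENARIOS = {  # name: (bridges, links, STP instances, gateway domain, server domain)
    "mstp_single_instance": (SW, IPS, {"msti1": {101, 102}}, ("sw", 101), ("sw", 102)),
    "vstp_per_vlan": (SW, IPS, {"v101": {101}, "v102": {102}}, ("sw", 101), ("sw", 102)),
    "virtual_switch_proposal": ({"sw": 4096, "vs": 8192},          # servers behind "vs"
        [(("sw", 1, 101), ("vs", 2, 101)), (("sw", 3, 101), ("vs", 4, 101))],
        {"v101": {101}}, ("sw", 101), ("vs", 101)),
}

print({n: analyse(*s)[1:] for n, s in SCENARIOS.items()})   # (loop?, reachable?) per case
```

The first two cases reproduce what the post reports (one end of each IPS link blocked, or a loop); the third converges but keeps only one IPS link forwarding.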