Thursday, January 30, 2020

Best way to configure customer uplink in our datacenter infrastructure

Hello r/networking,

I'm trying to figure out the best way to make this scenario work.

Our design is as follows: we are running L2 equipment in our datacenter (a mix of Juniper and Arista switches, in transition toward Arista now). Among other things, our equipment connects our VMware infrastructure, which is shared across customers.

To allow our customers to join this VMware infrastructure from their office, some of them have direct connections coming to our datacenter (some are L3 with MPLS or other flaw, some are L2, which we are trying to avoid and remove, but some are still there).

Historically (before I arrived), the way to protect ourselves from spanning-tree on the customer side was to disable spanning-tree on those interfaces. I don't feel comfortable with this, so I would like to find a better way.

What I have done so far during the transition is configure bpduguard on the interfaces that are known L3 devices (so typically routers). This works fine except for some equipment (to which we have no access at all).

For that equipment, if I enable bpduguard, the connection is shut down immediately. So I have to leave it enabled on them.

The problem is that some customers have equipment with a lower priority than our equipment, so they become the root bridge. This is exactly what I want to avoid. I tried to put bpdu guard root, but this has the same effect as bpduguard, in the sense that the port is discarded immediately.

What are my best options here? I thought about lowering the priority to 4096 on our equipment, but again it doesn't feel like the ideal solution (if their equipment is set to 4096 as well, and their MAC address is lower, they will win the battle).

I guess I could also move their VLAN to a separate MSTP instance, and just let them be the root on their VLANs if they want, but it doesn't sound cleaner either.

Thanks for reading :-)
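As an added illustration (not part of the original post), a small Python model of the root-bridge election and of the two guard behaviours the post compares: BPDU guard errdisables the port on any BPDU, while root guard only blocks while a superior BPDU is being received. Bridge names and MAC addresses below are constructed.

```python
"""Toy STP root election and port-guard model (added example, not from the post).

Shows why a customer bridge with priority 4096 and a lower MAC still wins the
election, and how bpduguard and root guard react on a customer-facing port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # 802.1D/802.1s priority, a multiple of 4096
    mac: str       # 48-bit MAC; lower value breaks priority ties

    @property
    def bridge_id(self) -> int:
        # 64-bit bridge ID: 16-bit priority field followed by the 48-bit MAC
        return (self.priority << 48) | int(self.mac.replace(":", ""), 16)


def elect_root(bridges):
    """Lowest bridge ID wins: priority first, then MAC address."""
    return min(bridges, key=lambda b: b.bridge_id)


def port_state(guard, local_root, bpdu_root_id):
    """Resulting state of a customer-facing port after a BPDU arrives.

    guard is 'none', 'bpduguard' or 'rootguard'; local_root is the bridge we
    currently consider root; bpdu_root_id is the root ID claimed in the BPDU.
    """
    if guard == "bpduguard":
        # any BPDU at all errdisables the port (manual or errdisable-recovery)
        return "errdisabled"
    if guard == "rootguard":
        # a superior BPDU (lower root ID than ours) puts the port in
        # root-inconsistent; it recovers by itself once such BPDUs stop
        if bpdu_root_id < local_root.bridge_id:
            return "root-inconsistent"
        return "forwarding"
    # no guard: the customer bridge is free to take over as root
    return "forwarding"


# constructed sample bridges: both at priority 4096, customer MAC is lower
DC_CORE = Bridge("dc-core", 4096, "00:1c:73:aa:bb:cc")
CUSTOMER = Bridge("customer-sw", 4096, "00:00:5e:00:01:01")
```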
