Fading Coder

One Final Commit for the Last Sprint


Configuring Dual-Aggregation Dual-Core Network with MSTP and VRRP

Tech, May 9

Network Topology Overview

Requirements

An enterprise campus is physically divided into several buildings, including the Administrative Building, Comprehensive Building, and Laboratory Building. The network follows a three-layer access-aggregation-core architecture. To improve reliability, the aggregation and core layers are each deployed as a pair of switches with dual-homed links, so that the design offers both link-level and device-level redundancy together with load sharing.

Network planning requirements include:

  1. Between the access and aggregation layers, MSTP (Multiple Spanning Tree Protocol) is combined with VRRP (Virtual Router Redundancy Protocol). Besides redundant backup, this also provides load sharing: several MST instances are created so that different VLANs are forwarded along different paths, and several VRRP backup groups are created with a different master and backup router in each group, so that the virtual routers share the load as well. For each VLAN the MST root bridge and the VRRP master must be the same aggregation switch; otherwise frames reach one switch at layer 2 and are routed by the other.

  2. OSPF runs between the aggregation and core layers. The root bridge and secondary root bridge of the default instance (MSTI 0, the CIST) are set explicitly, with Core-1 as root and Core-2 as secondary root, mainly so that instance 0 does not block the Eth-Trunk link between the two core switches.

  3. Each core switch has two default static routes toward the egress firewall. The second one carries a lower preference and acts as a floating static route; it must use a different next hop than the primary (here the peer core, reached over the Eth-Trunk) so that it takes over automatically when the directly connected link to the firewall fails. Both cores inject the default route into their OSPF process.

  4. On the egress firewall, two equal-cost static routes point at the two core switches in the trust zone so that return traffic is load-shared. A separate NSM management zone is created. Security policies permit traffic from trust and from NSM to untrust, and only specific services from trust to DMZ. A NAT policy uses easy-ip for outbound internet access, and external users reach an internal server through a NAT-server mapping on external port 8080.

Note: this configuration was validated in the eNSP simulator. Because of local performance limits, firewall redundancy is not configured; in production, firewall redundancy should use dual-device hot standby together with server load balancing. This article focuses on reliability between the access, aggregation and core layers.

In real deployments, MSTP+VRRP involves a lot of configuration. If all network elements come from the same vendor (here Huawei), it is preferable to use iStack, CSS, or SVF to virtualize each of the access, aggregation, and core layers into a single logical device and let Eth-Trunk links provide the load sharing. The eNSP simulator does not support these features.

Configuration Strategy

Part 1: Access Layer Switch Configuration

The administrative building access switches need an MSTP configuration whose MST region name and instance-to-VLAN mappings match those of the administrative building aggregation switches. On GE0/0/1 of every administrative building access switch, the instance 3 cost is raised so that VLAN10 and VLAN20 traffic (instances 1 and 2) leaves through GE0/0/1 toward the aggregation switch. On GE0/0/2, the instance 1 and instance 2 costs are raised so that VLAN30 traffic (instance 3) leaves through GE0/0/2. Note that the VRP default path cost of a GE link under the 802.1t method is 20000, so the raised value has to be higher than that (the configurations below use 30000). Finally, set the GE uplinks as trunk ports that pass the required VLANs, assign the Ethernet access ports to their VLANs, and keep those access ports out of the spanning tree calculation. Prefer `stp edged-port enable` on the access ports together with `stp bpdu-protection` in system view over `stp disable`: an edge port is shut down if it ever receives a BPDU, which keeps a user-connected switch from joining or manipulating the spanning tree, whereas a port with STP disabled neither detects a loop through that port nor reacts to BPDUs. Configure a management IP address and gateway on each switch for remote management; Vlanif1 is used for this in the simulator, but in production a dedicated management VLAN that user VLANs cannot reach is the safer choice.

The comprehensive building access switches need an MSTP configuration whose MST region name and instance-to-VLAN mappings match those of the comprehensive building aggregation switches (a different MST region from the administrative building). On GE0/0/1 of every comprehensive building access switch, the instance 11 cost is raised so that VLAN40 traffic (instance 10) leaves through GE0/0/1 toward the aggregation switch. On GE0/0/2, the instance 10 cost is raised so that VLAN50 traffic (instance 11) leaves through GE0/0/2. As in the administrative building, set the GE uplinks as trunks, assign the Ethernet access ports to their VLANs as edge ports with BPDU protection, and configure a management IP address and gateway for remote management.

Because of the different per-instance costs, the two uplinks of each access switch take different roles in different instances: root port (ROOT, forwarding) in some instances and alternate port (ALTE, discarding) in others. When an uplink or an aggregation switch fails, the alternate port becomes the root port for the affected instances and moves to the forwarding state, so traffic switches over automatically. From the MSTP side this gives both per-VLAN load sharing and redundancy.

Part 2: Aggregation Layer Switch Configuration

The administrative building aggregation switches use the same MST region name and instance mappings as their downstream access switches. Matching the access-side cost settings, AGG-1 is root bridge for instances 1 and 2 and secondary root for instance 3; AGG-2 is root bridge for instance 3 and secondary root for instances 1 and 2. Both switches get IP addresses on their VLANIF interfaces and run VRRP with a virtual gateway address per VLANIF. In step with MSTP, each has three VRRP backup groups: AGG-1 is master for vrid 1 (VLANIF10) and vrid 2 (VLANIF20) and backup for vrid 3 (VLANIF30); AGG-2 is master for vrid 3 (VLANIF30) and backup for vrid 1 and vrid 2. The master is selected by raising the priority to 150 on that switch (the default is 100); without an explicit priority both sides tie and the higher interface address wins, which is easy to get wrong. Both switches run OSPF, advertise their connected networks, and set `ospf dr-priority 0` on the VLANIF facing the core so that they are excluded from DR/BDR election and the core switches take those roles. For production, enable VRRP authentication and OSPF authentication on these segments so that a rogue host in a user VLAN cannot claim the gateway role or inject routes.

The comprehensive building aggregation switches likewise share their MST region name and instance mappings with the downstream access switches. AGG-3 is root bridge for instance 10 and secondary root for instance 11; AGG-4 is root bridge for instance 11 and secondary root for instance 10. Both configure VLANIF addresses and VRRP virtual gateways. Matching MSTP, each has two VRRP backup groups: AGG-3 is master for vrid 4 (VLANIF40) and backup for vrid 5 (VLANIF50); AGG-4 is master for vrid 5 (VLANIF50) and backup for vrid 4 (VLANIF40). Both run OSPF, advertise their networks, and set the DR priority to 0.
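The three settings described above (MST root per instance on the aggregation switches, uplink cost per instance on the access switches, VRRP priority per VLAN) have to agree for every VLAN, and nothing on the switches warns you when they drift apart. The following Python script is an added example, not part of the original article or of any Huawei tool. It parses trimmed copies of the page's AGG-1, AGG-2 and ACC-1 configurations (constructed inline, instances 1 and 3 only, IP addresses dropped) and reports any VLAN whose MST root, access root port and VRRP master are not the same aggregation switch. It assumes the VRP defaults of 20000 for a GE path cost and 100 for VRRP priority, and that ACC-1's GE0/0/1 connects to AGG-1 and GE0/0/2 to AGG-2, which the page implies but does not state.

```python
import re

DEFAULT_GE_COST = 20000       # assumption: 802.1t path cost of one GE link, the VRP default
DEFAULT_VRRP_PRIORITY = 100   # VRRP default when no 'priority' line is configured

# Constructed, trimmed copies of the page's AGG-1, AGG-2 and ACC-1 configurations.
AGG1 = """stp region-configuration
 region-name campus-a
 instance 1 vlan 10
 instance 3 vlan 30
stp instance 1 root primary
stp instance 3 root secondary
interface Vlanif10
 vrrp vrid 1 virtual-ip 192.168.10.254
 vrrp vrid 1 priority 150
interface Vlanif30
 vrrp vrid 3 virtual-ip 192.168.30.254
"""
AGG2 = """stp region-configuration
 region-name campus-a
 instance 1 vlan 10
 instance 3 vlan 30
stp instance 1 root secondary
stp instance 3 root primary
interface Vlanif10
 vrrp vrid 1 virtual-ip 192.168.10.254
interface Vlanif30
 vrrp vrid 3 virtual-ip 192.168.30.254
 vrrp vrid 3 priority 150
"""
ACC1 = """interface GigabitEthernet0/0/1
 stp instance 3 cost 30000
interface GigabitEthernet0/0/2
 stp instance 1 cost 30000
"""
# Assumed cabling, not stated on the page: GE0/0/1 -> AGG-1, GE0/0/2 -> AGG-2.
ACC1_UPLINKS = {"GigabitEthernet0/0/1": "AGG-1", "GigabitEthernet0/0/2": "AGG-2"}

def parse_vlan_list(text):
    """VRP 'instance N vlan 10 20 to 30' VLAN list -> set of VLAN ids."""
    vlans, tok = set(), text.split()
    for i, t in enumerate(tok):
        if t == "to":
            vlans.update(range(int(tok[i - 1]), int(tok[i + 1]) + 1))
        elif t.isdigit():
            vlans.add(int(t))
    return vlans

def parse_switch(cfg):
    """MST region, per-instance root role, per-VLAN VRRP priority, per-interface costs."""
    m = re.search(r"region-name (\S+)", cfg)
    p = {"region": m.group(1) if m else None, "vrrp": {}, "costs": {},
         "inst_vlans": {int(i): parse_vlan_list(v) for i, v in
                        re.findall(r"^ instance (\d+) vlan (.+)$", cfg, re.M)},
         "roots": {int(i): r for i, r in
                   re.findall(r"^stp instance (\d+) root (primary|secondary)$", cfg, re.M)}}
    # An interface block is the 'interface X' line plus the indented lines that follow it.
    for ifname, body in re.findall(r"^interface (\S+)\n((?:[ \t].*\n?)*)", cfg, re.M):
        if ifname.startswith("Vlanif") and "vrrp vrid" in body:
            pm = re.search(r"vrrp vrid \d+ priority (\d+)", body)
            p["vrrp"][int(ifname[6:])] = int(pm.group(1)) if pm else DEFAULT_VRRP_PRIORITY
        p["costs"][ifname] = {int(i): int(c) for i, c in
                              re.findall(r"stp instance (\d+) cost (\d+)", body)}
    return p

def audit(aggregation, access):
    """aggregation: {name: cfg}; access: {name: (cfg, {uplink interface: aggregation name})}.
    Returns findings; an empty list means L2 root, access root port and L3 master agree."""
    agg = {n: parse_switch(c) for n, c in aggregation.items()}
    acc = {n: (parse_switch(c)["costs"], up) for n, (c, up) in access.items()}
    ref, out = next(iter(agg.values())), []
    # Region name and mapping must be identical, or the switches form separate MST
    # regions and the per-instance load sharing silently collapses onto the CIST.
    out += [f"{n}: MST region/instance mapping differs" for n, p in agg.items()
            if (p["region"], p["inst_vlans"]) != (ref["region"], ref["inst_vlans"])]
    for inst, vlans in ref["inst_vlans"].items():
        roots = [n for n, p in agg.items() if p["roots"].get(inst) == "primary"]
        if len(roots) != 1:
            out.append(f"instance {inst}: expected exactly one 'root primary', got {roots}")
            continue
        root = roots[0]
        # The VRRP master of every VLAN in the instance must be the MST root, otherwise
        # frames reach one aggregation switch at layer 2 and are routed by the other.
        for vlan in sorted(vlans):
            prio = {n: p["vrrp"][vlan] for n, p in agg.items() if vlan in p["vrrp"]}
            if len(prio) < len(agg):
                out.append(f"vlan {vlan}: VRRP is not configured on every gateway")
                continue
            master = max(prio, key=prio.get)
            if list(prio.values()).count(prio[master]) > 1:
                out.append(f"vlan {vlan}: VRRP priority tie, master falls back to highest IP")
            elif master != root:
                out.append(f"vlan {vlan}: MST root is {root} but VRRP master is {master}")
        # On each access switch the uplink toward the root must be strictly cheaper than
        # the other uplinks for this instance, so the root port choice is deterministic.
        for name, (costs, uplinks) in acc.items():
            cost = {i: costs.get(i, {}).get(inst, DEFAULT_GE_COST) for i in uplinks}
            toward = min((cost[i] for i, a in uplinks.items() if a == root), default=None)
            away = [cost[i] for i, a in uplinks.items() if a != root]
            if toward is None or (away and toward >= min(away)):
                out.append(f"{name}: instance {inst} uplink toward {root} is not the cheapest")
    return out
```

Run it against the real `display current-configuration` output of each switch after every change; a region mismatch (name, revision level or VLAN mapping) is the classic failure, since the switches then fall into separate regions and every VLAN collapses onto the CIST path.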

Part 3: Core Layer Switch Configuration

The two core switches in the main computer room carry the traffic from the aggregation switches. OSPF runs between the cores and all aggregation switches for automatic route selection; since the aggregation switches sit in areas 1 and 2 while the core interconnect is in area 0, each core is an ABR and must place the aggregation-facing networks in the matching area. Both cores configure a primary default static route toward the firewall and a floating one with a lower preference whose next hop is the peer core over the Eth-Trunk (a second route with the same next hop would fail together with the first), and both inject the default route into OSPF. CORE-1 uses an OSPF DR priority of 10 and CORE-2 of 8 (`ospf dr-priority` in interface view), so CORE-1 becomes DR and CORE-2 BDR. CORE-1 is the root bridge and CORE-2 the secondary root bridge of MSTI 0, so that MSTP does not block the Eth-Trunk between them. For production, enable OSPF authentication on the aggregation-facing interfaces so that a compromised host on one of those segments cannot inject routes or hijack the default route.

Part 4: Firewall Configuration

The firewall at the enterprise egress connects to the internet through its untrust interface (GigabitEthernet0/0/2 in the configuration below; the internal trust zone is on GigabitEthernet0/0/0). Enterprise servers are placed in the DMZ zone, and a separate NSM management zone is created. Security policies permit traffic from trust and from NSM to untrust, and only specific services (HTTP, HTTPS, FTP) from trust to DMZ. A NAT policy applies easy-ip to internal segments going to the internet. Two equal-cost static routes for 192.168.0.0/16 point at the two core switches, and one default static route points at the internet gateway (3.3.3.3). External users reach an internal server through a NAT-server mapping on external port 8080. Two points to check before relying on this: a NAT-server entry only translates addresses, so an inbound security policy from untrust to the server's zone that permits TCP port 80 to that host is still required, because interzone traffic is denied by default; and with the routes shown, 192.168.100.100 is reached through the trust interface toward the cores rather than through the DMZ interface, so the server's zone and its route must be aligned. The permit-all trust-to-untrust and NSM-to-untrust rules are acceptable in the lab but should be narrowed in production.

Configuration Implementation

Access Switches

ACC-1 (Access Switch 1)

#
vlan batch 10 20 30
#
stp region-configuration
 region-name campus-a
 instance 1 vlan 10
 instance 2 vlan 20
 instance 3 vlan 30
 active region-configuration
#
interface Vlanif1
 ip address 10.10.10.115 255.255.255.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
 stp disable
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
 stp disable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 stp instance 3 cost 30000
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 stp instance 1 cost 30000
 stp instance 2 cost 30000
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.3
ip route-static 0.0.0.0 0.0.0.0 10.10.10.4 preference 80

ACC-2 (Access Switch 2)

#
vlan batch 10 20 30
#
stp region-configuration
 region-name campus-a
 instance 1 vlan 10
 instance 2 vlan 20
 instance 3 vlan 30
 active region-configuration
#
interface Vlanif1
 ip address 10.10.10.125 255.255.255.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 20
 stp disable
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 30
 stp disable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 stp instance 3 cost 30000
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 stp instance 1 cost 30000
 stp instance 2 cost 30000
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.3
ip route-static 0.0.0.0 0.0.0.0 10.10.10.4 preference 80

ACC-3 (Access Switch 3)

#
vlan batch 10 40 50
#
stp region-configuration
 region-name campus-b
 instance 10 vlan 40
 instance 11 vlan 50
 active region-configuration
#
ip route-static 0.0.0.0 0.0.0.0 10.10.11.3
ip route-static 0.0.0.0 0.0.0.0 10.10.11.4 preference 80

ACC-4 (Access Switch 4)

#
vlan batch 20 40 50
#
stp region-configuration
 region-name campus-b
 instance 10 vlan 40
 instance 11 vlan 50
 active region-configuration
#
ip route-static 0.0.0.0 0.0.0.0 10.10.11.3
ip route-static 0.0.0.0 0.0.0.0 10.10.11.4 preference 80

Aggregation Switches

AGG-1 (Aggregation Switch 1)

#
vlan batch 10 20 30 100
#
stp region-configuration
 region-name campus-a
 instance 1 vlan 10
 instance 2 vlan 20
 instance 3 vlan 30
 active region-configuration
#
stp instance 1 root primary
stp instance 2 root primary
stp instance 3 root secondary
#
interface Vlanif100
 ip address 10.10.100.1 255.255.255.0
 ospf dr-priority 0
#
interface Vlanif10
 ip address 192.168.10.252 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254
 vrrp vrid 1 priority 150
#
interface Vlanif20
 ip address 192.168.20.252 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.20.254
 vrrp vrid 2 priority 150
#
interface Vlanif30
 ip address 192.168.30.252 255.255.255.0
 vrrp vrid 3 virtual-ip 192.168.30.254
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1 router-id 10.10.100.12
 area 0.0.0.1
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 10.10.100.0 0.0.0.255
  peer 10.10.100.11
  peer 10.10.100.22

AGG-2 (Aggregation Switch 2)

#
vlan batch 10 20 30 100
#
stp region-configuration
 region-name campus-a
 instance 1 vlan 10
 instance 2 vlan 20
 instance 3 vlan 30
 active region-configuration
#
stp instance 1 root secondary
stp instance 2 root secondary
stp instance 3 root primary
#
interface Vlanif100
 ip address 10.10.100.2 255.255.255.0
 ospf dr-priority 0
#
interface Vlanif10
 ip address 192.168.10.253 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254
#
interface Vlanif20
 ip address 192.168.20.253 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.20.254
#
interface Vlanif30
 ip address 192.168.30.253 255.255.255.0
 vrrp vrid 3 virtual-ip 192.168.30.254
 vrrp vrid 3 priority 150
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1 router-id 10.10.100.22
 area 0.0.0.1
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 10.10.100.0 0.0.0.255
  peer 10.10.100.11
  peer 10.10.100.22

AGG-3 (Aggregation Switch 3)

#
vlan batch 40 50 101
#
stp region-configuration
 region-name campus-b
 instance 10 vlan 40
 instance 11 vlan 50
 active region-configuration
#
stp instance 10 root primary
stp instance 11 root secondary
#
interface Vlanif101
 ip address 10.10.101.1 255.255.255.0
 ospf dr-priority 0
#
interface Vlanif40
 ip address 192.168.40.252 255.255.255.0
 vrrp vrid 4 virtual-ip 192.168.40.254
 vrrp vrid 4 priority 150
#
interface Vlanif50
 ip address 192.168.50.252 255.255.255.0
 vrrp vrid 5 virtual-ip 192.168.50.254
#
ospf 1 router-id 10.10.101.11
 area 0.0.0.2
  network 192.168.40.0 0.0.0.255
  network 192.168.50.0 0.0.0.255
  network 10.10.101.0 0.0.0.255

AGG-4 (Aggregation Switch 4)

#
vlan batch 40 50 101
#
stp region-configuration
 region-name campus-b
 instance 10 vlan 40
 instance 11 vlan 50
 active region-configuration
#
stp instance 10 root secondary
stp instance 11 root primary
#
interface Vlanif101
 ip address 10.10.101.2 255.255.255.0
 ospf dr-priority 0
#
interface Vlanif40
 ip address 192.168.40.253 255.255.255.0
 vrrp vrid 4 virtual-ip 192.168.40.254
#
interface Vlanif50
 ip address 192.168.50.253 255.255.255.0
 vrrp vrid 5 virtual-ip 192.168.50.254
 vrrp vrid 5 priority 150
#
ospf 1 router-id 10.10.101.22
 area 0.0.0.2
  network 192.168.40.0 0.0.0.255
  network 192.168.50.0 0.0.0.255
  network 10.10.101.0 0.0.0.255

Core Switches

CORE-1 (Core Switch 1)

#
vlan batch 100 to 101 200
#
stp region-configuration
 region-name core-region
 active region-configuration
#
stp instance 0 root primary
#
interface Vlanif200
 ip address 10.10.200.1 255.255.255.0
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.200.254
ip route-static 0.0.0.0 0.0.0.0 10.10.200.2 preference 80
#
ospf 1 router-id 10.10.200.11
 default-route-advertise
 area 0.0.0.0
  network 10.10.200.0 0.0.0.255
 area 0.0.0.1
  network 10.10.100.0 0.0.0.255
 area 0.0.0.2
  network 10.10.101.0 0.0.0.255

CORE-2 (Core Switch 2)

#
vlan batch 100 to 101 200
#
stp region-configuration
 region-name core-region
 active region-configuration
#
stp instance 0 root secondary
#
interface Vlanif200
 ip address 10.10.200.2 255.255.255.0
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.200.254
ip route-static 0.0.0.0 0.0.0.0 10.10.200.1 preference 80
#
ospf 1 router-id 10.10.200.22
 default-route-advertise
 area 0.0.0.0
  network 10.10.200.0 0.0.0.255
 area 0.0.0.1
  network 10.10.100.0 0.0.0.255
 area 0.0.0.2
  network 10.10.101.0 0.0.0.255

Firewall Configuration

#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
firewall zone name nsm
 set priority 90
 add interface GigabitEthernet0/0/3
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.3
ip route-static 192.168.0.0 255.255.0.0 10.10.200.1
ip route-static 192.168.0.0 255.255.0.0 10.10.200.2
#
policy interzone trust untrust outbound
 policy 0
  action permit
#
policy interzone nsm untrust outbound
 policy 0
  action permit
#
policy interzone trust dmz outbound
 policy 0
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set ftp
#
nat-policy interzone trust untrust outbound
 rule name nat-outbound
  action source-nat easy-ip
#
nat-server protocol tcp global 202.96.128.86 8080 inside 192.168.100.100 80
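As an added check that is not part of the original article: the Python script below parses a constructed copy of the firewall configuration above and flags the two things a reviewer would look for first, interzone permit rules with no service or destination restriction, and NAT-server mappings for which no inbound policy from untrust exists (USG firewalls deny interzone traffic by default, so the mapping alone admits nothing). The `INBOUND_FIX` text is an assumed correction in the same old USG policy syntax; it places the published server in the dmz zone as the text says, although the routes shown would actually deliver 192.168.100.100 through the trust interface, which the script does not check.

```python
import re

# Constructed copy of the page's firewall configuration (zones, interzone policies,
# NAT-server); the nat-policy block is left out because it is not a security policy.
FW_CFG = """firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
firewall zone name nsm
 set priority 90
 add interface GigabitEthernet0/0/3
policy interzone trust untrust outbound
 policy 0
  action permit
policy interzone nsm untrust outbound
 policy 0
  action permit
policy interzone trust dmz outbound
 policy 0
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set ftp
nat-server protocol tcp global 202.96.128.86 8080 inside 192.168.100.100 80
"""
# Assumed fix (same old USG syntax): an inbound policy from untrust that admits only
# TCP/80 to the published server; the zone holding 192.168.100.100 is taken to be dmz.
INBOUND_FIX = """policy interzone untrust dmz inbound
 policy 0
  policy destination 192.168.100.100 0
  policy service service-set http
  action permit
"""

def parse_zones(cfg):
    """'firewall zone [name] X' blocks -> {zone: priority}."""
    zones, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"firewall zone (?:name )?(\S+)$", line):
            cur = m.group(1)
        elif cur and (m := re.match(r"set priority (\d+)", line)):
            zones[cur] = int(m.group(1))
        elif not raw.startswith(" "):
            cur = None          # any other top-level command ends the zone block
    return zones

def parse_policies(cfg):
    """'policy interzone A B direction' rules -> list of dicts (zones, action, services, dst)."""
    rules, ctx, cur = [], None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"policy interzone (\S+) (\S+) (inbound|outbound)$", line):
            ctx = m.groups()
        elif ctx and re.match(r"policy \d+$", line):
            cur = {"zones": ctx, "action": None, "services": set(), "dst": set()}
            rules.append(cur)
        elif cur and (m := re.match(r"action (permit|deny)$", line)):
            cur["action"] = m.group(1)
        elif cur and (m := re.match(r"policy service service-set (\S+)", line)):
            cur["services"].add(m.group(1))
        elif cur and (m := re.match(r"policy destination (\S+) \S+", line)):
            cur["dst"].add(m.group(1))
    return rules

def flow(rule, zones):
    """(source zone, destination zone): 'outbound' runs from the higher-priority zone
    to the lower one, 'inbound' the other way round."""
    a, b, direction = rule["zones"]
    hi, lo = sorted((a, b), key=zones.get, reverse=True)
    return (hi, lo) if direction == "outbound" else (lo, hi)

def audit_firewall(cfg):
    """Flag permit-anything interzone rules and NAT-server mappings that no inbound
    permit from untrust admits (interzone traffic is denied unless a policy allows it)."""
    zones, rules, out = parse_zones(cfg), parse_policies(cfg), []
    for r in rules:
        src, dst = flow(r, zones)
        if r["action"] == "permit" and not r["services"] and not r["dst"]:
            out.append(f"{src}->{dst}: permits any service to any host")
    nat = r"nat-server protocol (\S+) global (\S+) (\d+) inside (\S+) (\d+)"
    for proto, gip, gport, iip, iport in re.findall(nat, cfg):
        # Coarse match: a permit sourced from untrust whose destination is either
        # unrestricted or names the inside host; service sets are not matched to ports.
        admitted = any(flow(r, zones)[0] == "untrust" and r["action"] == "permit"
                       and (not r["dst"] or iip in r["dst"]) for r in rules)
        if not admitted:
            out.append(f"nat-server {gip}:{gport} -> {iip}:{iport}/{proto}: "
                       "no inbound permit from untrust")
    return out
```

On the page's configuration the script reports the two permit-all rules and the unreachable NAT-server; appending `INBOUND_FIX` clears the NAT-server finding while the permit-all rules remain, which is the order in which a reviewer would want to see them fixed.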

Tags: MSTP

