Spanning Tree in a particular NW architecture
Today I went back to working on the architecture of the infrastructure I want to build in my homelab, and I was discussing the configuration in the Homelab Discord to understand whether I was doing something wrong, since it’s not a super standard setup.
Someone told me that I should run STP directly on the firewalls as well, so everything would be in order and I wouldn’t risk loops.
However, since I wasn’t planning to aggregate links from the firewalls to the switches, and I wasn’t planning to bridge ports, I told him that in theory I shouldn’t have any loop issues.
He replied that yes, that’s correct, but at the same time he dismissed the reason why I arranged the interfaces in a “butterfly” layout, adding:
"it's generally there for protecting yourself against link failures purely at L2
I'd prefer not having my STP reconverge on top of a firewall failover
Losing an entire firewall from a switch failure is not ideal either, but at least it's cleaner
Also if you're doing interface checks and you lose a switch that's going to be interesting"
The part where he talks about “losing a firewall from a switch failure” refers to an older message where he said that, in his opinion, it’s less complicated to have
FW1 <-> SW1 and FW2 <-> SW2
without the butterfly links.
But to me that’s kind of nonsense and a secondary concern: I don’t think I should have any issues not doing bridging in the architecture I had in mind.
Maybe there’s something I’m missing, but I don’t know, I think that without bridges I avoid loops, and in theory I don’t lose redundancy since I already have LAGs with Spanning Tree between the switches (so with one of the two firewall links I can still reach everything).
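To check the reasoning in the post (no L2 loop as long as the firewalls do not bridge their switch-facing ports, and redundancy kept through the switch-to-switch LAG), here is an added example that is not part of the original post or the thread: a small Python model of the "butterfly" layout. The names FW1, FW2, SW1 and SW2 are placeholders for the firewalls and switches described above, the LAG between the switches is counted as a single logical link, and the STP part is a simplification (equal path cost on every link, no port priorities) that only shows which links would end up discarding once a loop exists.

```python
from collections import defaultdict, deque

# Constructed topology matching the "butterfly" description in the post:
# each firewall has one port to each switch, and the two switches share a
# (static) LAG that is modelled as one logical link.
BUTTERFLY_LINKS = [
    ("FW1", "SW1"), ("FW1", "SW2"),
    ("FW2", "SW1"), ("FW2", "SW2"),
    ("SW1", "SW2"),
]
# The simpler layout the other person argued for: one firewall per switch.
PLAIN_LINKS = [("FW1", "SW1"), ("FW2", "SW2"), ("SW1", "SW2")]
SWITCHES = {"SW1", "SW2"}


def _vertex(node, peer, bridging):
    # A bridging node forwards frames between all its ports, so it is one vertex.
    # A routed node's ports are isolated at L2, so each port is its own vertex.
    return node if node in bridging else f"{node}@{peer}"


def build_l2_graph(links, bridging):
    """Adjacency sets of the layer-2 forwarding graph for the given bridging nodes."""
    adj = defaultdict(set)
    for a, b in links:
        va, vb = _vertex(a, b, bridging), _vertex(b, a, bridging)
        adj[va].add(vb)
        adj[vb].add(va)
    return dict(adj)


def components(adj):
    """Connected components of the L2 graph (each one is a broadcast domain)."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v in comp:
                continue
            comp.add(v)
            stack.extend(adj.get(v, ()))
        seen |= comp
        comps.append(comp)
    return comps


def has_l2_loop(links, bridging):
    """A simple undirected graph contains a cycle iff edges > vertices - components."""
    adj = build_l2_graph(links, bridging)
    edges = sum(len(n) for n in adj.values()) // 2
    return edges > len(adj) - len(components(adj))


def stp_blocked_links(links, bridging, root):
    """Links a spanning tree rooted at `root` would leave discarding.
    Simplification: BFS hop count stands in for RSTP path cost."""
    adj = build_l2_graph(links, bridging)
    tree, visited, queue = set(), {root}, deque([root])
    while queue:
        v = queue.popleft()
        for nb in sorted(adj.get(v, ())):
            if nb not in visited:
                visited.add(nb)
                tree.add(frozenset((v, nb)))
                queue.append(nb)
    return [(a, b) for a, b in links
            if frozenset((_vertex(a, b, bridging), _vertex(b, a, bridging))) not in tree]


def links_touching(links, node):
    """All links that go down together when `node` itself fails."""
    return {l for l in links if node in l}


def firewall_reaches_switch(links, bridging, fw, sw, failed=()):
    """True if some port of `fw` still shares a broadcast domain with `sw`
    after the links in `failed` are down."""
    dead = {frozenset(l) for l in failed}
    live = [l for l in links if frozenset(l) not in dead]
    for comp in components(build_l2_graph(live, bridging)):
        if sw in comp and any(v == fw or v.startswith(fw + "@") for v in comp):
            return True
    return False


if __name__ == "__main__":
    print("loop, firewalls routed only:", has_l2_loop(BUTTERFLY_LINKS, SWITCHES))
    print("loop, FW1 bridges its ports:", has_l2_loop(BUTTERFLY_LINKS, SWITCHES | {"FW1"}))
    print("blocked when both FWs bridge:",
          stp_blocked_links(BUTTERFLY_LINKS, SWITCHES | {"FW1", "FW2"}, "SW1"))
    print("FW1 -> SW1 after FW1-SW1 link loss:",
          firewall_reaches_switch(BUTTERFLY_LINKS, SWITCHES, "FW1", "SW1", {("FW1", "SW1")}))
    print("plain layout, FW1 after SW1 dies:",
          firewall_reaches_switch(PLAIN_LINKS, SWITCHES, "FW1", "SW2",
                                  links_touching(PLAIN_LINKS, "SW1")))
```

With the firewalls as pure routed hops the butterfly graph is a tree, so there is nothing for STP to block; the moment one firewall is configured to bridge its two switch-facing ports the graph gains a cycle and one of that firewall's links goes discarding. The last two calls show the trade-off the two replies were arguing about: in the butterfly layout FW1 survives the loss of SW1 through its SW2 port, while in the one-firewall-per-switch layout the same switch failure takes FW1 off the network.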

38 Replies
gptthonk
for reference this would be my next network architecture and we have :
- two old 3100&3200 checkpoints with sophos XG in it
- two crs112-8p-4s-in
- one old HP switch that also supports PoE
i need to do static link aggregation coz CRS 1XX do not support MLAG
https://help.mikrotik.com/docs/spaces/ROS/pages/67633179/Multi-chassis+Link+Aggregation+Group
what do you think about it?
holy yap
give me a sec
no worries, i tried to put all the info and context needed so everyone has full context
what the balls is this network diagram
lastly if you're wondering why sophos, its because of its free license for all the IPS, IDS and next gen stuff for free
:ssrwtf:
oh is that lines from individual ports on the individual devices?
yeah
it's physical
logical diagram pls :plsnu:
ethernet and SFP with fiber
that's not gonna change anything here
i know but i also need to keep track of where to put stuff since i'm configuring everything before racking it up
ok so wait
which physical devices are you looking at
when it comes to overall design, it helps a lot more to work with logical diagrams first
get the logical design first, then you work out the physical wiring
how many switches is this? 3? 2?
in total 3
one HP in the bottom
2 mikrotik in the middle
does the aggregation/access layer have two switches side to side?
ok
2 checkpoints in the upper part
yes
two mikrotik crs112-8p-4s-in
i really don't care about the exact model lol
what do your zones look like?
which interfaces of your firewall are on which zone?
and what are you actually trying to do with your homelab?
i wanted to first think of the redundant links and access to management, i still need to then manage zones and the other vlans
ok okokokokokokokkok
let me start with this
what end devices are you working with? think servers and computers
various purposes:
malware analysis
services (private and public)
public are in a separate vlan than private
i also distinguish sandbox private/public services from production private/public services
i will also have devices in a LAN with no internet access at all and for sure a NO LAN with no access to anything
ok let's take this one step at a time
i will have servers (virtual, containerized and a few physical in specific lans)
how many end devices are you planning on having, and what will they do? will you have a computer hosting your dns server? active directory server? http server? will they be doing the same thing?
will they be on the same computer? or same server?
in total it's difficult since with time, once the network is finished i'm gonna put there some services, some of them that need to stay H24
we have monitoring, CVE, patching, configuration management, media streaming, storage for files
with CVE i mean tools like open CVE
no i understand
in general for you id just say start small
like you can definitely buy all the hardware at first, especially if you get a bulk discount
but just get one device working at a time
i already have this stuff
with regards to STP up to/not including the firewall, generally speaking you won't
ok good
before it was configured differently
oh also
generally you just want to prioritize STP to have roots closer to your uplink
but other than that it really doesn't matter much
i need to also configure a site 2 site from my FW to my edge node on a VPS so i can have 17TB/s of network scrubbing
...have you considered nvme
what?
nvme for what sorry?
with scrubbing i mean network scrubbing from people from the internet scanning or attacking things i expose to the internet
so instead of exposing them directly i use an edge node that will clean traffic
and also be in first line instead of putting my ISPs IP
btw sorry for all the info dump 🥲
no it's fine
but im more confused than when you started
it's not in the diagram, i was thinking about reconsidering its config later
whats the confusion about?
is it about the link aggregation triangle?
no
ok
i feel like i need to hop in a vc about this lmao
if you can i can too
in the meantime another friend suggested to keep it simpler on the FW and actually lose a FW x Switch instead of having to wait for stp recalibration
yea id say keep it simple silly to start with
just use one firewall and one switch first
nothing will really break, just the recovery from a fault would be different
FW would switch each other uselessly but it's sort of simpler