Spanning Tree design considerations: MSTP and regions


Let's take a look at the network topology below.

[network topology diagram]

It shows two datacenters (DC 1 & 2) as well as two offices A & B (example).

Each office uses mainly two VLANs (PCs & printers), as well as a few more for special services like time accounting devices or cameras. The firewalling is done at the DC.

Routing is done at two levels:

  • from office VLAN to DC transit VLAN (at the respective office)
  • from DC transit to firewall/servers (at the DC)

There are also quite a few VLANs used for firewalling special servers.

Which brings me closer and closer to the question:

We see that most VLANs are indeed only needed on the DC switches since they have complete physical redundancy independent of the "ring" across the offices.

There is no real need to have all the VLANs at the offices, except for the exceptions noted above.

For those which are not needed near the edge it may be (?) advantageous not to define them at all. This would create two (M)STP regions: one for the DC switches, one for the rest of the world, maybe even one for each office because they would need their redundant connections of their "private" VLANs protected too?

What would be the correct way to do this?

(If you don't plan to distribute VLANs across different redundant links, would you need MSTP at all? If yes, would it hurt to simply use MSTI0 for all VLANs inside the region then?)


Answering your questions:

  • Where are your routed / switched boundaries on the diagram (maybe use a different color for routed links?)

I found that drawing this can be difficult without overloading the diagram.

In essence, routing is between sites (the diagram shows four sites: offices A&B, DCs 1&2).

However, some VLANs need to be firewalled AND present at the edge, meaning you would have to carry them from the DC up to the edge (like the camera VLAN example I gave).

  • Where are your spanning-tree roots

I feel that's part of the question. Obviously, the CIST root is at the Prod-DC. Depending on the presence of regions the CIST regional roots probably would be the distribution switches at the respective site.

  • What is your routing protocol? Where are the area boundaries (if link-state)

Static routing only.

  • Informational, but still useful: what kind of distances for each of those links? If you uniquely numbered the links, it would help those who are answering.

Distance can be up to 20 km for the DC/office and office/office links respectively. On the local site they are no more than 50 m.


(This is Enterasys gear.)

  • Is it really necessary to have a "transit" vlan connecting all your sites? It would seem that you could break it up into layer 3 segments.

In principle yes. But that would be a major undertaking. I'd like to get the best out of the current situation and at least do the L2 stuff properly.

But remember the exceptions I pointed out, like needing a separate (e.g. camera) (V)LAN at the edge that is protected by the DC-firewall.

  • Do the data centers need VLANs between them, or is it possible to use L3 links?

That's a philosophical question that we may tackle in chat 😉

  • link aggregation for the links between the data centers?

If you have switches A, B, C and D and connect A to C and B to D, I believe link aggregation is not possible. You would then have to connect e.g. A to C via two links, and if either A or C fails, you have a problem.

  • Generally speaking, it is better to limit vlans to a single location. Having them spread across locations greatly increases the chance of an "event" causing network-wide problems

Yeah that's a part of my question too. As I understand it, even separating STP into regions will still have network-wide impact in case of recomputations.

Best Answer

Change the L2 links to L3 for the offices. (Get help if needed.)

  • This will prevent one of the uplinks to the offices from blocking and provide double the bandwidth. (Assuming that there is a link from each DC of the same size.)

  • There is no chance of a spanning-tree loop at a branch affecting the DCs.

  • Broadcasts from any device on any site do not travel to all the ports on all the sites using the same VLAN.

  • Traceroute will actually show the path packets are taking through your network.

  • If you do have problems with a spanning-tree loop, it will be localized to a single site.

Problem: Branch camera VLAN protected by firewall

As VLANs will end at the branch, a new solution needs to be implemented for the camera VLAN. Here are a couple of options:

  1. Small FW at each branch
  2. ACL on the camera VLAN allowing only camera IPs to talk to the FW and the subnet behind the FW
  3. More exotic options: GRE, MPLS, VRF-lite
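Option 2 above, worked through as an added example (not code from the original question or answer): a small model of the ACL pair on the branch camera VLAN interface, with first-match semantics and the implicit deny that real ACLs apply. All addresses, ports and flow names are constructed assumptions. The outbound ACL is the part people tend to forget: once the office uplinks are routed, the branch router forwards PC VLAN to camera VLAN traffic locally without ever touching the DC firewall, so filtering only what the cameras originate leaves the cameras reachable from every other branch VLAN.

```python
"""
Added example for option 2 in the answer: an ACL on the branch camera VLAN that
lets cameras reach only the DC firewall and the subnet behind it, and lets only
those two sources reach the cameras. Not code from the original post; all
addresses, ports and flows are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing (assumption, not from the page).
CAM_VLAN = ip_network("10.20.30.0/24")    # branch camera VLAN
FW_INSIDE = ip_network("192.0.2.1/32")    # DC firewall address the cameras see
BEHIND_FW = ip_network("192.0.2.128/25")  # recorders protected by that firewall
PC_VLAN = ip_network("10.20.10.0/24")     # office PC VLAN at the same branch
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Applied inbound on the camera VLAN interface: traffic the cameras originate.
CAM_IN = [
    Rule("permit", CAM_VLAN, FW_INSIDE),              # e.g. management via the FW
    Rule("permit", CAM_VLAN, BEHIND_FW, "tcp", 554),  # RTSP streams to the recorders
    Rule("deny", CAM_VLAN, ANY),                      # everything else (log this in practice)
]

# Applied outbound on the camera VLAN interface: traffic heading to the cameras.
# Needed because the branch router forwards PC VLAN -> camera VLAN locally and
# never passes the DC firewall once the office uplinks are routed. The ACL is
# stateless, so recorder -> camera return packets must be permitted here too.
CAM_OUT = [
    Rule("permit", FW_INSIDE, CAM_VLAN),
    Rule("permit", BEHIND_FW, CAM_VLAN),
    Rule("deny", ANY, CAM_VLAN),
]


def verdicts() -> Dict[str, str]:
    """Constructed flows a practitioner would verify after applying the ACLs."""
    flows = {
        "cam_rtsp_to_recorder": (CAM_IN, Packet("10.20.30.11", "192.0.2.130", "tcp", 554)),
        "recorder_return_to_cam": (CAM_OUT, Packet("192.0.2.130", "10.20.30.11", "tcp", 49152)),
        "cam_to_branch_pc": (CAM_IN, Packet("10.20.30.11", "10.20.10.5", "tcp", 445)),
        "cam_http_to_recorder": (CAM_IN, Packet("10.20.30.11", "192.0.2.130", "tcp", 80)),
        "branch_pc_to_cam": (CAM_OUT, Packet("10.20.10.5", "10.20.30.11", "tcp", 80)),
        "fw_to_cam": (CAM_OUT, Packet("192.0.2.1", "10.20.30.11", "tcp", 443)),
    }
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in flows.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26s} {verdict}")
```

The two lines that carry the security value are the final explicit denies: without them the platform's implicit deny still applies, but an explicit, logged deny gives you the hit counters that tell you whether a camera or a PC is probing where it should not. Because the model is stateless, `CAM_OUT` permits any traffic from the recorder subnet back to the cameras rather than only established connections; on gear with reflexive or stateful ACLs that second rule can be tightened accordingly.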