325 Views, 0 Helpful, 8 Replies

2960X STP Instances

jduty
Beginner

I work at a retirement community and we are working with re-designing our wireless network infrastructure in a way that will segment each resident network on their own. This essentially results in several hundred VLANs that are being tagged on an AP level. 

Topology:

AP -> Trunk port to switch -> Switch  (The trunk port is required since the AP will be tagging different wireless networks via a DPSK solution). 


The issue is we need to have all VLANs (about 900 in all) created on every switch in order for wireless roaming to work successfully. That being said, Rapid PVST+ only supports 128 STP Instances. I have several questions regarding this.

Are the instances dynamic? In other words, does the switch look at active traffic on the VLAN, create an STP instance on the fly, and then remove it after no traffic has been seen for a period of time?

How does the switch choose which VLANs are given an STP instance? (It appears to be random when doing a test on two different switches that have the same VLANs created, since they ended up picking different VLANs to create instances for.)

I am sure I will have some follow-up questions, but thanks for any help you guys can provide in advance!

8 Replies

Reza Sharifi
Hall of Fame Master

The issue is we need to have all VLANs (about 900 in all) created on every switch in order for wireless roaming to work successfully.

Usually, the goal of segmentation is not to extend VLANs across multiple switches. If you are planning to have 900 VLANs and extend every VLAN to every switch, it is just easier to have one VLAN everywhere. By deploying one VLAN, the management becomes so much easier, the roaming works just fine without disconnecting because you are not going from one VLAN to another when users move around, and finally, it will be so much easier to troubleshoot when something goes wrong.

HTH

Yep.. I get that type of segmentation, but unfortunately, that would not work with the scenario we are trying to use it for. Each VLAN needs to perform like all our other VLANs, simply segmented to only allow them to reach the internet and talk with devices only on the same VLAN, accomplished via ACLs on our cores. 

That being said, do you know how Rapid PVST+ works in regards to the 128 VLAN limit? 

David Ruess
VIP Rising star

Hello,


As far as RSTP and the VLAN limit, it's not dynamic. I believe it won't let you create any more VLANs on the switch (error message). If you need 900 VLANs you could try MST (Multiple STP). You can create all your VLANs and put them into an MST region. This basically allows "1 instance of spanning-tree" while housing all the VLANs in the instance.

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html


Hope that helps

-David
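As an added example (not code from this thread or from Cisco), the following Python script builds the kind of MST instance-to-VLAN mapping David describes, checks it for the two mistakes that are easy to make with 900 VLANs (a VLAN mapped to two instances, or an id outside 1-4094), and renders the IOS `spanning-tree mst configuration` block. The region name, revision number and VLAN ranges are constructed for illustration.

```python
# Added example (not code from the thread or from Cisco): build an MST
# instance-to-VLAN mapping for a large VLAN set, validate it, and render the
# IOS "spanning-tree mst configuration" block. Region name, revision and the
# VLAN ranges in EXAMPLE_INSTANCES are constructed for illustration.


def compress_ranges(vlans):
    """Collapse VLAN ids into IOS range syntax: [1,2,3,10,12,13] -> '1-3,10,12-13'."""
    ids = sorted(set(vlans))
    if not ids:
        return ""
    parts = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        parts.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


def build_mst_mapping(instances):
    """instances: {instance_id: iterable of VLAN ids}.

    Returns {instance_id: sorted VLAN list}. Raises ValueError when a VLAN id is
    outside 1-4094 or is listed under two instances, since a VLAN can belong to
    only one MST instance and a double mapping is a configuration error.
    """
    seen = {}
    mapping = {}
    for inst in sorted(instances):
        vlans = sorted(set(instances[inst]))
        for v in vlans:
            if not 1 <= v <= 4094:
                raise ValueError(f"VLAN {v} is outside 1-4094")
            if v in seen:
                raise ValueError(f"VLAN {v} mapped to both instance {seen[v]} and {inst}")
            seen[v] = inst
        mapping[inst] = vlans
    return mapping


def render_mst_config(region_name, revision, mapping):
    """Render the IOS configuration lines for the mapping. VLANs that are not
    listed remain in instance 0 (the IST), which the switch creates implicitly."""
    lines = [
        "spanning-tree mode mst",
        "spanning-tree mst configuration",
        f" name {region_name}",
        f" revision {revision}",
    ]
    for inst, vlans in sorted(mapping.items()):
        lines.append(f" instance {inst} vlan {compress_ranges(vlans)}")
    return lines


# Constructed layout: a few infrastructure VLANs in instance 1 and the ~900
# resident VLANs split across instances 2 and 3, so each group gets its own
# independent spanning-tree topology.
EXAMPLE_INSTANCES = {
    1: [10, 20, 30],
    2: range(1000, 1450),
    3: range(1450, 1900),
}

if __name__ == "__main__":
    mapping = build_mst_mapping(EXAMPLE_INSTANCES)
    print("\n".join(render_mst_config("RESIDENT-REGION", 1, mapping)))
```

Every switch that should share the region must carry the identical name, revision and instance mapping; a switch whose mapping differs forms its own region, which is why generating the block from one source of truth rather than typing 900 VLAN ids per switch is worthwhile.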

Certainly does help.... oddly enough though, the switches do allow the creation of the VLANs on the switch, despite it being over the STP instance limit. Do you know, if there is no instance of STP for a VLAN that is trying to be used, whether the switch will just drop traffic, or whether there would simply be no loop detection for that specific VLAN?

I was reading some about MST. Seems like that would be the way to go if we need STP for all the VLANs (which is a good idea anyway). 

I am not able to test in a lab at the moment but looks like you would get this error:


If you exceed the number of VLANs then you'll get an error like this:
SPANTREE_VLAN_SW-2-MAX_INSTANCE: Platform limit of 64 STP instances exceeded. No instance created for VLANxxx

Or something similar.

You should be able to create a bulk list of VLANs. Make 128 of them and then create the 129th one and see what it gets you.

-David

I did test it and didn't receive the error stating that the number of STP instances has been exceeded; however, I know that it has been, since the STP instance counter (shown after running sh spanning-tree summary) is at 128 (the limit for Rapid PVST+) and there are definitely more VLANs physically present on the switch.


The other thing I was thinking through is I could simply shut down spanning tree for these new vlans since there are no physical loops in our network. (In other words, we don't have redundant connections between any switches, minus at our cores, but they are running vPC, so they don't really rely on STP.) 

Check the port states of the STP instances that are not running STP (over the 128 allowed). Are ports in forwarding or blocking state? Even though it allowed you to create it, it may not have allowed actual traffic to pass.

I'm sure no one would recommend shutting down spanning tree even if you have no physical loops. It just takes one accidental plug-in to take down your network, from an inexperienced engineer or even a user at their desk. I would still say the safest bet is running MST so you can meet your needs and have that safeguard.

Since there is no STP instance running for the VLANs not included in the 128, they would display as blocked or forwarding state. I think I am thinking of that correctly. Is there a specific command to view that info you are thinking of, other than the spanning-tree ones? Of all the VLANs that are included in the 128, none are listed as being blocked. They are all forwarding.

I'm not overly keen on shutting down STP, but the benefit in this scenario is if a loop is introduced, only those vlans (primarily resident wifi) would have the loop. STP would still be in play for the other VLANs. (Although, come to think of it, the loops could actually bring the switch down due to over usage of resources, so that probably isn't the best idea...) 
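The check jduty describes (comparing the VLANs present on the switch against the instances listed by sh spanning-tree summary) and David's request to look at port states can be done in one pass over the two command outputs. The following Python script is an added example, not code from this thread or from Cisco: it parses `show vlan brief` and `show spanning-tree summary`, lists the VLANs that exist without any STP instance (and therefore without loop protection), flags when the instance count has reached the platform limit the thread mentions, and reports instances that have a port in blocking state. The two outputs embedded below are constructed and abridged for illustration, following the IOS column layout.

```python
# Added example (not code from the thread or from Cisco): audit which defined
# VLANs actually have a Rapid PVST+ instance, using "show vlan brief" and
# "show spanning-tree summary" output. Both captures below are constructed and
# abridged samples, not output from the poster's switches.
import re

RAPID_PVST_INSTANCE_LIMIT = 128   # per-switch limit discussed in the thread

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   Staff                            active    Gi1/0/3
100  Resident-100                     active
101  Resident-101                     active
102  Resident-102                     active
"""

SHOW_STP_SUMMARY = """\
Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0010, VLAN0100

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          2          2
VLAN0010                     0         0        0          1          1
VLAN0100                     0         0        0          1          1
VLAN0101                     1         0        0          0          1
---------------------- -------- --------- -------- ---------- ----------
4 vlans                      1         0        0          4          5
"""

# A data row in "show vlan brief" starts with the numeric VLAN id.
VLAN_LINE = re.compile(r"^(\d{1,4})\s+\S")
# An instance row in the summary: VLANnnnn followed by five port-state counters.
STP_LINE = re.compile(r"^VLAN(\d{4})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
COUNTERS = ("blocking", "listening", "learning", "forwarding", "active")


def parse_vlan_brief(text):
    """Return the set of VLAN ids listed by 'show vlan brief'."""
    ids = set()
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if m:
            ids.add(int(m.group(1)))
    return ids


def parse_stp_summary(text):
    """Return {vlan_id: {counter: value}} for each STP instance in the summary."""
    instances = {}
    for line in text.splitlines():
        m = STP_LINE.match(line)
        if m:
            instances[int(m.group(1))] = dict(zip(COUNTERS, map(int, m.groups()[1:])))
    return instances


def audit_stp_coverage(vlan_text, stp_text, limit=RAPID_PVST_INSTANCE_LIMIT):
    """Compare defined VLANs with running STP instances and summarise the gaps."""
    defined = parse_vlan_brief(vlan_text)
    instances = parse_stp_summary(stp_text)
    return {
        "defined": len(defined),
        "instances": len(instances),
        "at_limit": len(instances) >= limit,
        # VLANs that exist on the switch but have no STP instance at all.
        "unprotected": sorted(defined - instances.keys()),
        # Instances with at least one port in blocking state.
        "blocking": sorted(v for v, c in instances.items() if c["blocking"]),
    }


if __name__ == "__main__":
    report = audit_stp_coverage(SHOW_VLAN_BRIEF, SHOW_STP_SUMMARY)
    print(f"VLANs defined: {report['defined']}, STP instances: {report['instances']}"
          f" (at limit: {report['at_limit']})")
    print("VLANs without an STP instance:", report["unprotected"])
    print("Instances with a blocking port:", report["blocking"])
```

Run against real captures, a non-empty "unprotected" list is the set of VLANs where a loop would go undetected; once the instance count reaches the limit the list only grows as more VLANs are added, which is the condition MST is meant to resolve.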
