01-13-2012 08:39 PM - edited 03-07-2019 04:20 AM
The network in my building consists of several 2950s connected back to 3550s using redundant fiber links and MST. Recently one tenant decided they wanted to run their own switch and use the existing building network for VoIP only, which is on a dedicated VLAN. I was thinking about creating an access port on the 2950 and setting it to the VoIP VLAN, as I do not want to give them a trunk port. The client can take this link and connect to their switch. So far this does not seem to be an issue. Now what happens if the client configures spanning-tree on their switch? I have no control over their device and cannot manage it. Is there a way I can protect my edge switch and access port to allow them to run their own spanning tree without it interfering with my existing MST instances? I was thinking BPDU guard, but if they turn on STP and my switch sees a BPDU then the port is disabled and they lose VoIP access. At the same time I don't want them to be able to create a loop on their switch and have it affect mine. But since there is only a single cable from my device to theirs I don't think that would be possible...or could it? Would BPDU filtering or root guard come into play here?
01-13-2012 09:43 PM
As long as you give them a single link (no redundancy) you should be fine. In this case, there would be no physical loop.
HTH
01-14-2012 06:39 AM
I didn't think there would be, but just making sure. So if the client messes up their switch on the VoIP ports would it just take theirs down or mine as well? Let's say they aren't running spanning tree and they connect two ports, could that kill my entire VoIP vlan or just their switch? Also what about preventing their switch from taking STP root?
01-14-2012 08:27 PM
If that happens, it will kill the entire VoIP switch and not yours. To protect anything happening to your switch, you can deploy storm control on the interface connected to that switch.
HTH
01-15-2012 03:39 PM
An access port should be fine between your existing network and the new switch. BPDU guard will not work, as you said, because the port would be disabled. You'll definitely want root guard to protect your spanning tree from theirs.
Sent from Cisco Technical Support iPad App
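The port-level protections suggested in the replies above (access port, root guard, storm control), put together as an added example that is not part of the original thread. The interface name, VLAN 100 and the 5% thresholds are assumptions to adapt and tune for the actual VoIP load.

```cisco
! Added example: tenant-facing port on the building's 2950.
! Assumed values: FastEthernet0/24, VoIP VLAN 100, 5.00 percent thresholds.
interface FastEthernet0/24
 description Tenant-managed switch (VoIP VLAN only)
 ! Static access port: the tenant only ever sees the VoIP VLAN, no trunk.
 switchport mode access
 switchport access vlan 100
 ! Root guard: the tenant switch may run its own STP and send BPDUs, but if
 ! it advertises a superior bridge ID this port goes root-inconsistent
 ! (blocking) and recovers on its own once the superior BPDUs stop.
 spanning-tree guard root
 ! No "spanning-tree bpduguard enable": any tenant BPDU would err-disable
 ! the port and cut their VoIP, as noted in the question.
 ! No "spanning-tree bpdufilter enable": it stops BPDUs from being sent or
 ! processed on the port, so a second tenant uplink added later would loop
 ! without STP seeing it.
 ! Storm control: rate-limit flooded traffic from a loop inside the tenant
 ! switch so it cannot saturate the VoIP VLAN on the building side.
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
 ! Default action drops the excess traffic; "trap" also raises an SNMP trap
 ! instead of shutting the port down.
 storm-control action trap
!
! Verification from privileged EXEC:
!   show spanning-tree inconsistentports
!   show storm-control FastEthernet0/24
```

If the tenant's switch does claim root, root guard blocks this port until they raise their bridge priority value, so they lose VoIP during that time but the building's MST topology is unaffected.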