
Spanning-tree Convergence Issue

gregokada
Level 1

I have dual 6509's with SUP2MSFC2's running version 12.2(18)SXF14 IPServices WAN IOS, in my core. Today someone plugged a DLINK switch and caused problems with spanning-tree. How can I prevent this from happening again when someone plugs in a DLINK switch? Any suggestions?


iyde
Level 4

You will have to look into commands like 'spanning-tree guard root' and 'spanning-tree bpdu-filter' in order to secure your Cat6500.

Also, make sure that you have set 'spanning-tree vlan xxx root primary' on one Cat6500 and 'spanning-tree vlan xxx root secondary' on the other. Then you are in control of where your Spanning Tree root is supposed to be and you are minimizing the chances (risk) of having another switch taking over the Spanning Tree.

HTH

Hello,

The right tools should be:

spanning-tree guard root

spanning-tree bpduguard enable

The second command puts the port in errordisable if an STP BPDU is heard on the port.

I don't recommend spanning-tree bpdu-filter in an enterprise environment: it doesn't provide protection from someone connecting together two ports with a cable.

It is a good tool for L2 SPs to avoid taking part in customers' STPs.

edit:

I agree on the need of setting root primary and secondary for all VLANs.

Hope to help

Giuseppe

Should these commands only be used on normal access points and not uplink ports?

Hello Carl,

Your understanding is correct.

STP bpduguard is the ideal companion of portfast.

For uplinks we use spanning-tree loop guard + storm-control broad 1%

Hope to help

Giuseppe

Do we still need to use loopguard when using RSTP?

Hello Carl,

Yes, loop guard is effective with RSTP; UDLD is too slow in reaction in comparison to RSTP fast convergence time.

We use loop guard with RSTP.

Hope to help

Giuseppe
