
Spanning-tree instance isolation



In a classic (old school) 3-tier network architecture (access, distribution, core), how would you avoid a client's VLAN creating a loop that impacts other clients' VLANs?
Clients have their network connected to an access switch (interface in access mode with spanning-tree bpdufilter and bpduguard enabled). But if a customer has half of its infrastructure on one access switch and the other half on another access switch, he can create a loop which will bring the full spanning-tree instance down on the distribution switch.
Access switches are Catalyst 2960-X and distribution switches are Nexus 9508. The spanning-tree configuration is MSTP with 2 instances (instance 1 with VLAN 100-999 *used VLANs* and instance 0 with the others).

Thanks for your comment.
If you want/need more information (maybe a scheme), just let me know.





spanning-tree bpdufilter <<- this makes the switch disable STP on the port, i.e. it does not send any BPDUs; this is very harmful in your case if you connect to a client network switch. This command is used only to connect to hosts, not to other switches.
Why do you use this command?


Sorry, I meant disabled...



Sorry, I don't get your reply?

spanning-tree bpdufilter is disabled (not enabled ;-))

Wow, I get your question now.
You use MST with two instances; if one VLAN in instance 1 has a loop, then all VLANs in instance 1 will be blocked.
Can I see the topology?



Could you elaborate a bit more with a diagram? You shouldn't have to make any changes, as the purpose of spanning tree is to prevent loops. You can tune it with cost/metric as well as other settings. But from your statement it sounds like you think a customer's network connected to several access layer devices could cause a loop. It could if you disable STP or its features, but it works out of the box.



The two MST instances will be prioritised so that you have a load-balancing STP topology and are able to utilise dual aggregated links.

! port-priority must be a multiple of 16 (0-240); 128 is the default and a lower value is preferred
Core switch1 stp root
spanning-tree mst 1 priority 0 <—- root for mst 1
spanning-tree mst 2 priority 4096

int x/x
description link to core2 port1
spanning-tree mst 1 port-priority 0
spanning-tree mst 2 port-priority 128

int x/y
description link to core2 port2
spanning-tree mst 1 port-priority 128
spanning-tree mst 2 port-priority 0

Core switch2 stp root
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0 <—- root for mst 2

int x/x
description link to core1 port1
spanning-tree mst 1 port-priority 0
spanning-tree mst 2 port-priority 128

int x/y
description link to core1 port2
spanning-tree mst 1 port-priority 128
spanning-tree mst 2 port-priority 0

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards

Hi Guys,

Sorry for my late answer.

Just attached a basic diagram of the layer 2 topology.

Each access switch has a Port-Channel connected to a "vPC Port-Channel" on the distribution switches. From 2 access switches, we provide connectivity to a customer with an access VLAN. The issue is that when CustomerA, who has half of its infrastructure connected to s51-01/s52-01 and the other half connected to s21-01/s22-01, is doing nasty things (like a layer 2 loop), the distribution switches see MAC address flapping. At some point, the distribution switches stop learning new MACs to protect themselves.

The thing is that, while I understand the behaviour of the distribution switch, I was expecting the MSTP protocol to have isolated instances, meaning that if a VLAN of an instance is flapping, only this instance might be "shut down". What I can see is that both instances stop when MAC address flapping happens.
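As an added example (not from this thread), a small Python parser over constructed syslog lines in the shape of the NX-OS L2FM MAC-flap message, mapping each flapping VLAN onto the MST layout described above (instance 1 = VLAN 100-999, instance 0 = the rest) so you can see which instances and which uplink pairs a loop actually touches. The exact message wording, the switch name and the port-channel numbers are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (assumed format, modelled on the NX-OS
# L2FM-4-L2FM_MAC_FLAP_DISABLE_LEARN message; not taken from the thread).
SAMPLE_LOG = """\
2024 Jan 10 10:00:01 s9508-01 %L2FM-4-L2FM_MAC_FLAP_DISABLE_LEARN: Loops detected in the network for mac 0011.2233.4455 among ports Po51 and Po21 vlan 120 - Disabling dynamic learn notifications for 180 seconds
2024 Jan 10 10:00:02 s9508-01 %L2FM-4-L2FM_MAC_FLAP_DISABLE_LEARN: Loops detected in the network for mac 0011.2233.4466 among ports Po21 and Po51 vlan 120 - Disabling dynamic learn notifications for 180 seconds
2024 Jan 10 10:00:05 s9508-01 %L2FM-4-L2FM_MAC_FLAP_DISABLE_LEARN: Loops detected in the network for mac 00aa.bbcc.dd01 among ports Po51 and Po21 vlan 20 - Disabling dynamic learn notifications for 180 seconds
"""

FLAP_RE = re.compile(
    r"for mac (?P<mac>[0-9a-f.]+) among ports (?P<p1>\S+) and (?P<p2>\S+) vlan (?P<vlan>\d+)"
)


def mst_instance(vlan):
    """MST mapping as stated in the thread: instance 1 = VLAN 100-999, instance 0 = others."""
    return 1 if 100 <= vlan <= 999 else 0


def parse_flaps(log):
    """Extract (mac, unordered port pair, vlan) from each MAC-flap line.
    The message carries a VLAN, not an MST instance; the instance is derived below."""
    events = []
    for line in log.splitlines():
        m = FLAP_RE.search(line)
        if m:
            ports = tuple(sorted((m["p1"], m["p2"])))  # Po21/Po51 == Po51/Po21
            events.append({"mac": m["mac"], "ports": ports, "vlan": int(m["vlan"])})
    return events


def summarize(events):
    """Count flaps per (instance, vlan, uplink pair) so the operator sees which
    MST instance and which pair of customer-facing port-channels carries the loop."""
    counts = Counter((mst_instance(e["vlan"]), e["vlan"], e["ports"]) for e in events)
    return [{"instance": i, "vlan": v, "ports": p, "flaps": n}
            for (i, v, p), n in sorted(counts.items())]


def instances_affected(summary):
    """Distinct MST instances that contain at least one flapping VLAN."""
    return sorted({row["instance"] for row in summary})


if __name__ == "__main__":
    rows = summarize(parse_flaps(SAMPLE_LOG))
    for row in rows:
        print(row)
    print("instances affected:", instances_affected(rows))
```

If every flapping VLAN maps to a single instance, learning suppression seen on VLANs of the other instance is a per-switch protection effect rather than an STP topology change, which is the distinction the thread is circling.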

I use as a reference: the STP feature is applied on each port according to the switch connected to it and the role of the switch.
[Attachment: spt (1).JPG]

Check this link, and then if you have questions you are free to ask.
