STP config on Port-channel Best Practice

nir.fisher
Level 1

Hi

I have 2 Cisco 6500s in a VSS configuration. All of my LAN access switches are stack switches and every stack is connected to the VSS in a Port-channel, so basically this is a loop-free environment with no blocked ports.

As a best practice I left STP in the background (MSTP). My question is this: which enhanced Cisco features to STP should I configure on the Aggregator (6500-VSS) and on the Access switches?

Because of my topology I don't see the need in configuring most features like UplinkFast and BackboneFast, but I have configured Loop Guard in addition to UDLD on the 6500 Aggregation Switches (on the port-channels).

On the access ports I have configured portfast, bpduguard and guard root (seems a little pointless to configure the two...).

1. Should I leave UDLD on and get rid of Loop Guard and configure Guard Root instead, since Loop Guard cannot be configured with Guard Root?

2. Should I configure Guard Root on access ports if I already have BPDU Guard on them?

3. Is there anything I need to configure on the physical interface, or is everything configured on the port-channel since STP regards a port-channel as a single interface?

I am looking for validated best practices.

I will be happy to provide more information if needed.

Thanks

4 Replies

Peter Paluch
Cisco Employee

Hello Nir,

As a best practice I left STP in the background (MSTP)

Very good!

My question is this: which enhanced Cisco features to STP should I configure on the Aggregator (6500-VSS) and on the Access switches?

Well, both UplinkFast and BackboneFast are Cisco's proprietary extensions to legacy STP (and PVST/PVST+) only. RSTP and MSTP internally incorporate mechanisms identical to UplinkFast and BackboneFast. There is therefore no point in trying to activate the UplinkFast/BackboneFast if you are running MSTP. The commands would be ignored anyway.

Using the Loop Guard and UDLD (in Aggressive mode if running on copper ports) is generally a good idea and I agree with deploying them.

On the access ports I have configured portfast, bpduguard and guard root (seems a little pointless to configure the two...)

Having the edge ports configured as PortFast is a must in RSTP/MSTP to allow for fast transition to the Forwarding state and to prevent them from being influenced by topological changes inside your switched network (the Proposal/Agreement mechanism that blocks all non-edge Designated ports as a part of the process). I assume here that your "access ports", as you call them, are connected to end devices and not to other switches. PortFast should correctly be used only on access ports to end devices, and never on access ports to other switches.

Using BPDU Guard along with PortFast is a best practice. However, having both Root Guard and BPDU Guard on the same port seems to me pointless as well - I would personally not use the Root Guard here.

1. Should I leave UDLD on and get rid of Loop Guard and configure Guard Root instead, since Loop Guard cannot be configured with Guard Root?

No, Loop Guard and Root Guard are totally different mechanisms, and in fact, they are mutually exclusive. A port can be either protected by Root or Loop Guard but not by both.

In addition, it is recommended to run both UDLD and Loop Guard simultaneously. They are complementary - UDLD protects against Layer 1 physical errors resulting in unidirectional links, Loop Guard protects against possible problems in the STP implementation and BPDU delivery.

2. Should I configure Guard Root on access ports if I already have BPDU Guard on them?

No, that would be useless. The Root Guard by itself moves a port into Discarding (Root Inconsistent) state if it receives a superior BPDU that would otherwise make the port the new root port. However, if at the same time, the BPDU Guard was configured on this port, an arrival of a BPDU, be it inferior or superior, would trip the BPDU Guard protection and cause the port to be immediately err-disabled. So the BPDU Guard reacts more sensitively than the Root Guard, and it is not necessary to have Root Guard on a port once you are protecting it with BPDU Guard.

3. Is there anything I need to configure on the physical interface, or is everything configured on the port-channel since STP regards a port-channel as a single interface?

All STP-related protections (BPDU Guard, Root Guard, Loop Guard, BPDU Filter) are to be configured on the Port-channel interfaces and not on the physical ports. The notable exception is UDLD - UDLD is always configured on physical ports only.

Best regards,

Peter

I thank you for your professional and detailed answer.

I have 2 questions:

1. Should I configure root guard on the port-channels of the 6500 leading to the access switches?

2. I have copied this from the Cisco website and it states that root guard cannot be enabled on loop guard enabled ports.

I was hoping you could clarify your previous answer.

Interoperability of Loop Guard with Other STP Features

Root Guard

The root guard is mutually exclusive with the loop guard. The root guard is used on designated ports, and it does not allow the port to become non-designated. The loop guard works on non-designated ports and does not allow the port to become designated through the expiration of max_age. The root guard cannot be enabled on the same port as the loop guard. When the loop guard is configured on the port, it disables the root guard configured on the same port.

Thanks

Hello Nir,

You are welcome!

1. Should I configure root guard on the port-channels of the 6500 leading to the access switches?

Basically, yes, configuring the root guard on the 6500 towards the access switches should not cause any issues in a stable network where the 6500 is the root for all STP instances, and should protect you from unpleasant effects if someone tries to make the access switches the STP root, or if the 6500 VSL link is broken and they start backing up their connectivity via the access switches. I believe that configuring the root guard as you suggest is a sensible precaution.

2. I have copied this from the Cisco website and it states that root guard cannot be enabled on loop guard enabled ports.

Yes, that is correct. I believe I have stated exactly the same in my previous post when I wrote:

No, Loop Guard and Root Guard are totally different mechanisms, and in fact, they are mutually exclusive. A port can be either protected by Root or Loop Guard but not by both.

Best regards,

Peter
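The following is an added example, not configuration from anyone in this thread, that puts Peter's two answers into IOS syntax: STP protections on the Port-channel, UDLD on the physical members, PortFast plus BPDU Guard on edge ports, and, since Root Guard and Loop Guard cannot share a port, Root Guard on the 6500's Designated side of each uplink with Loop Guard on the access stack's non-Designated side. Interface names, the MST region name, VLAN numbers and channel-group numbers are assumed placeholders.

```cisco
! Added example (not from the thread). Interface names, region name,
! VLANs and channel-group numbers are assumed placeholders.

! ===== Aggregation: Catalyst 6500 VSS, intended root for every MST instance =====
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS
 revision 1
 instance 1 vlan 10-20
spanning-tree mst 0-1 priority 4096
!
! UDLD lives on the physical members only, never on the Port-channel.
! Aggressive mode is used because these uplinks are assumed to be copper.
interface range TenGigabitEthernet1/1/1 , TenGigabitEthernet2/1/1
 udld port aggressive
 channel-group 10 mode active
!
! STP protections go on the Port-channel, which STP treats as one interface.
! The 6500 is Designated on this link, so Root Guard (not Loop Guard) belongs here.
interface Port-channel10
 switchport
 switchport mode trunk
 spanning-tree guard root

! ===== Access stack (non-root): uplink towards the VSS =====
interface range GigabitEthernet1/0/49 , GigabitEthernet2/0/49
 udld port aggressive
 channel-group 1 mode active
!
! The access-stack end of the uplink is non-Designated, so Loop Guard applies here.
interface Port-channel1
 switchport mode trunk
 spanning-tree guard loop
!
! Edge ports to end hosts: PortFast plus BPDU Guard. BPDU Guard already
! err-disables the port on any BPDU, so Root Guard adds nothing here.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

`show spanning-tree inconsistentports` and `show udld neighbors` are the two checks worth running after applying this, to confirm no Port-channel sits in a Root- or Loop-inconsistent state and that every member link has a bidirectional UDLD neighbor.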

Thank you

You have been very helpful.