STP guard setup - best practices

LFA-CMK
Community Member

Curious what the consensus is on STP guard settings for ports on Meraki switches. We've turned on BPDU guard for all access ports. However, I was wondering under what circumstances Root or Loop guard would be used. We have a few 3rd party switches uplinked to some of our Meraki switches (trunk ports). Would Root or Loop guard be worthwhile to activate?

The same question goes for fiber uplinks - from Meraki switches to a core. Is there a best practice on what STP guard settings should be? Or is "disabled" the norm?

Thanks for your input. Happy to provide more topology details if need be.

redsector
Level 8

- We use bpdu-guard for client ports to prevent spanning-tree problems, e.g. when users connect switches to the ports.

- We use loop-guard on switches with multiple uplink-ports to prevent loops in case of spanning-tree or aggregation problems.

- We don't use the root-guard option because our core-switch is the rootguard with the best bridge ID priority value. So it's not necessary.

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/RSTP_on_the_MS_Switch

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10596-84.html

https://documentation.meraki.com/MS/Other_Topics/Switch_Settings

Thanks for this redsector. A follow-up question, and to quote the Cisco STP article link you sent...

"The biggest issue with STP is that some hardware failures can cause it to fail"

With that said, is there any benefit (or drawback / issue) to enabling Loop guard on a single uplink port? I'm not certain on what type of hardware failure on a Meraki switch that would cause an overall STP failure. However, if Loop guard has inherent protections against something weird, it sounds like a good idea.

Thanks again for your input.

LoopGuard is to protect against uni-directional links. So yes, even if there's only one uplink it can be useful.

However, my personal preference is to use UDLD over LoopGuard.

Can we use loop guard and UDLD on the same ports which are in the same port channel?

So long as the configurations of the two ports are the same you should be able to aggregate them. You can certainly use Loop Guard and UDLD together, and the Meraki documentation recommends it.


Philip D'Ath
Meraki Community All-Star

I don't ever use root guard. I have had it bite me in the past when various failures happened, and it made those failures more severe.

Philip D'Ath
Meraki Community All-Star

I'm not really a fan of loop guard unless there are redundant paths. Otherwise, if you have a single link and it triggers, it'll take out the downstream network.

adriano
Visitor

Follow normal recommendations for STP.

In our case, we are using MS devices as L2 only at the access layer. Our core L3 devices are Cisco 4500.

We use the following settings, which work perfectly:
* Root guard: Configure at core on all ports to access switches and on access switches to APs
* BPDU guard: Configure on all access ports
* Loop guard: Configure on uplinks to core
* UDLD enforce on uplinks to core
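An added example (not posted by anyone in this thread and not Meraki's own code) that audits a switch's port list against the policy above and the accepted answer: BPDU guard on access ports, loop guard plus UDLD enforce on uplinks, and no root guard pointing at the core. The input shape assumes the field names of the Dashboard API switch-ports endpoint (portId, type, stpGuard, udld, tags); the sample ports are constructed, and the "uplink" tag is an assumed convention for marking uplink ports.

```python
"""Audit Meraki MS switch-port STP guard settings against the thread's policy.

Assumed input: a list of port dicts shaped like the Dashboard API's
GET /devices/{serial}/switch/ports response (portId, type, stpGuard, udld, tags).
Ports tagged "uplink" are treated as uplinks to the core (assumed convention).
"""
from typing import Iterable

# Constructed sample data, not taken from any real switch.
SAMPLE_PORTS = [
    {"portId": "1", "type": "access", "stpGuard": "bpdu guard", "udld": "Alert only", "tags": []},
    {"portId": "2", "type": "access", "stpGuard": "disabled", "udld": "Alert only", "tags": []},
    {"portId": "49", "type": "trunk", "stpGuard": "loop guard", "udld": "Enforce", "tags": ["uplink"]},
    {"portId": "50", "type": "trunk", "stpGuard": "root guard", "udld": "Alert only", "tags": ["uplink"]},
]


def audit_ports(ports: Iterable[dict]) -> list[str]:
    """Return one human-readable finding per policy deviation, in port order."""
    findings = []
    for p in ports:
        pid, ptype = p["portId"], p["type"]
        guard = (p.get("stpGuard") or "disabled").lower()
        udld = (p.get("udld") or "Alert only").lower()
        is_uplink = "uplink" in [t.lower() for t in p.get("tags", [])]

        # Access ports: BPDU guard so a rogue switch shuts the port, not the topology.
        if ptype == "access" and guard != "bpdu guard":
            findings.append(f"port {pid}: access port without BPDU guard (stpGuard={guard})")

        if is_uplink:
            # Root guard on the uplink would block the real root's BPDUs and cut the core off;
            # loop guard guards against a unidirectional link silently unblocking the port.
            if guard == "root guard":
                findings.append(f"port {pid}: root guard on an uplink would block the core's BPDUs")
            elif guard != "loop guard":
                findings.append(f"port {pid}: uplink without loop guard (stpGuard={guard})")
            # UDLD enforce pairs with loop guard, as the accepted answer's Meraki docs recommend.
            if udld != "enforce":
                findings.append(f"port {pid}: uplink UDLD is '{udld}', expected 'Enforce'")
    return findings


if __name__ == "__main__":
    for line in audit_ports(SAMPLE_PORTS):
        print(line)
```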

JOverby
Community Member

On AP's do you mean Access Ports or Access Points?

LFA-CMK
Community Member

I would think AP's meaning Wireless Access Points.

As a follow-up, we now activate BPDU guard (with enforcement) on all access ports and any trunk ports connected to a switch not under our control (a reality in a campus + residential environment). It has worked as advertised and saved our keisters on at least a dozen occasions since.

JOverby
Community Member

Thank you LFA. I just don't understand why you need Root Guard for Wireless APs... Looking for clarification. Didn't see any immediate help from Googling "Root Guard Wireless Access points".

We also use BPDU guard on access ports. Our keister also saved after one of our less than intelligent admins decided to bring a switch from home and attempt to plug into our network.

AP = Access Points indeed. Wireless Access Points

Conversationalist

On AP's do you mean Access Ports or Access Points?

---------------------

Access points.