110921 Views | 34 Helpful | 36 Replies

STP guard setup - best practices

LFA-CMK
Community Member

Curious what the consensus is on STP guard settings for ports on Meraki switches. We've turned on BPDU guard for all access ports. However, I was wondering under what circumstances Root or Loop guard would be used. We have a few 3rd party switches uplinked to some of our Meraki switches (trunk ports). Would Root or Loop guard be worthwhile to activate?

The same question goes for fiber uplinks - from Meraki switches to a core. Is there a best practice on what STP guard settings should be? Or is "disabled" the norm?

Thanks for your input. Happy to provide more topology details if need be.

36 Replies

collijon
Cisco Employee

Thanks for bringing this question forward! We have published new documentation on STP guard configuration that incorporates STP guard recommendations. Check it out and let us know what you think!

JOverby
Community Member
Very helpful. Still curious why one of the comments in this thread mentioned good practice to configure Access point ports for Root Bridge.

JOverby
Community Member
Sorry, I meant root guard.

Autonomous Access Points (APs) can send out BPDUs and participate in STP. There is the potential that the AP BPDU may have a better BID than the current Root Bridge. In that case, applying Root Guard to the port connecting to the AP would protect your network from electing the AP as the new Root Bridge.

LFA-CMK
Community Member

CJones - Thank you for posting this. It is very helpful.

Brons2
Level 2

Redsector had a great answer.

However that said, I don't use any of these settings because the Meraki already has RSTP on by default. I definitely don't configure them on Meraki-Meraki links because the expectation is to use RSTP. In my mind you should only use these spanning tree options if the port is connected to a switch that doesn't support RSTP.

As for root guard - I set the priority on my core switches, a stack of MS425s, to 0, and that stopped the inter-vendor squabbling over who thinks it's root.

I try to avoid using 0. As long as the bridge priority is less than the default, you shouldn't run into issues.

Bossnine
Level 2

I have my root priority set to the core switch in the network but a few locations are still somehow wanting to use a core switch in another network.

Would that be something to be concerned with?

joey.debra
Meraki Community All-Star

I always do the following:
- BPDU guard on all client ports and access point ports if they are Meraki (Meraki APs don't send BPDUs).
- Root guard on all downlinks from CORE to access layer
- I would have wanted to put loopguard on uplinks of access layer switches but Meraki won't let me because we use the management inline with the network.

Also, and this is important: if you have an MX warm spare with the four uplinks from the switch network towards those MXs, DON'T enable BPDU guard on those ports leading to the MX, and never ever use drop untagged traffic on the MX, because that causes a loop.

@joey.debra I see you mentioned MX upstream in HA mode. I have an MS225 switch stack of 4 switches with 4 uplinks going up from the stack to the MX84s. All 4 trunks have loop guard enabled. Is this what you were suggesting with your comment about 4 uplinks to a warm spare MX? Or anybody else on the thread: is this what you would recommend for an HA setup? I guess I could have burned more ports to the other two switches but it seemed a little like overkill. **Forgot to mention that both trunks on SW1 are forwarding and both trunks on SW2 are blocking.

[image attachment: topology diagram]

joey.debra
Meraki Community All-Star

Yes your picture is completely correct in terms of HA setup and STP behavior.

In a stack you only have four uplinks, where two will be blocked because the BPDUs leave 1/0/1 and 1/0/2 with a lower Port-ID than 2/0/1 and 2/0/2, and the MX just forwards the STP messages since it does not participate in it.
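To make the bridge-ID and port-ID comparisons in this thread concrete (the AP-with-a-better-BID root guard case, the "priority lower than default" point, and the stacked-uplink port-ID tiebreak described just above), here is an added Python example; it is not code from the thread, from Meraki, or from any poster. It builds and parses constructed 802.1D/RSTP configuration BPDUs, ranks bridge IDs the way STP does (lower priority first, then lower MAC), reports what root guard would do with a received BPDU, and shows why the port with the higher port ID is the one that ends up blocked when a bridge hears its own BPDU reflected back through a transparent device. All MAC addresses and port IDs are made up for the example.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU body (after the LLC header), 35 bytes:
# protocol id (2), version (1), type (1), flags (1), root id (8), root path cost (4),
# bridge id (8), port id (2), message age, max age, hello time, forward delay (2 each)
BPDU_FORMAT = "!HBBB8sI8sHHHHH"
DEFAULT_PRIORITY = 32768  # what a switch advertises until someone lowers it


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge identifier; tuple ordering gives STP's 'lower is better' comparison."""
    priority: int   # 0..61440 in steps of 4096 (low 12 bits carry the extended system ID)
    mac: str        # lower-case, colon separated; fixed width so string order == numeric order

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        prio = struct.unpack("!H", raw[:2])[0]
        mac = ":".join(f"{b:02x}" for b in raw[2:8])
        return cls(prio, mac)

    def to_bytes(self) -> bytes:
        return struct.pack("!H", self.priority) + bytes.fromhex(self.mac.replace(":", ""))


@dataclass
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId   # the bridge that transmitted this BPDU
    port_id: int          # 4-bit port priority + 12-bit port number of the sending port


def build_config_bpdu(root: BridgeId, cost: int, bridge: BridgeId, port_id: int) -> bytes:
    """Constructed RSTP (version 2, type 0x02) BPDU with default timers in 1/256 s units."""
    return struct.pack(BPDU_FORMAT, 0, 2, 0x02, 0, root.to_bytes(), cost,
                       bridge.to_bytes(), port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(raw: bytes) -> ConfigBpdu:
    fields = struct.unpack(BPDU_FORMAT, raw[:struct.calcsize(BPDU_FORMAT)])
    proto, _version, bpdu_type, _flags, root, cost, bridge, port, *_timers = fields
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("not a configuration/RSTP BPDU")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge), port)


def root_guard_verdict(current_root: BridgeId, received: ConfigBpdu) -> str:
    """Root guard: a BPDU advertising a root better than the one we already have is a
    superior BPDU, so the port is put into root-inconsistent (blocking) state rather than
    letting the sender (an AP, a third-party switch) take over as root."""
    return "root-inconsistent" if received.root_id < current_root else "forwarding"


def self_loop_role(own_bridge: BridgeId, receiving_port_id: int, received: ConfigBpdu) -> str:
    """A bridge that hears its own BPDU on another of its ports (reflected through a device
    that forwards STP frames without participating) keeps the lower port ID designated and
    makes the higher one a backup port, which is the blocked state seen on the uplinks."""
    if received.bridge_id != own_bridge:
        return "not-self"
    return "backup" if received.port_id < receiving_port_id else "designated"


if __name__ == "__main__":
    core = BridgeId(DEFAULT_PRIORITY, "00:18:0a:aa:bb:cc")     # constructed core at default
    ap = BridgeId(DEFAULT_PRIORITY, "00:0c:29:11:22:33")       # constructed AP, lower MAC
    ap_bpdu = parse_config_bpdu(build_config_bpdu(ap, 0, ap, 0x8001))
    print("core at default, AP BPDU:", root_guard_verdict(core, ap_bpdu))
    print("core at 4096,    AP BPDU:", root_guard_verdict(BridgeId(4096, core.mac), ap_bpdu))
    reflected = parse_config_bpdu(build_config_bpdu(core, 0, core, 0x8001))  # sent from 1/0/1
    print("own BPDU from port 0x8001 heard on 0x8035:", self_loop_role(core, 0x8035, reflected))
```

With the core left at the default priority, the AP's BPDU is superior purely because of its lower MAC, and root guard is what stops it from becoming root; lowering the core to 4096 (any value below the default, as the thread notes) makes the AP's BPDU inferior and the port simply forwards. The last line shows the stacked-uplink case: the BPDU sent from the lower port ID and reflected back is heard on the higher port ID, which becomes the backup (blocked) port.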

deguc004
Community Member

Could you please elaborate on the exact STP port-related settings for the uplinks? I have the exact setup but with 2x MS120 (without a stack). I have tried almost every STP configuration on my 5 uplinks (including the one between the switches) but I'm still getting a loop when I add the 2nd link from the firewalls.

Now granted this is my lab at the moment but all of my switch trunks from my diagram are set like this. My MX is set to a trunk on native vlan 99, but I will eventually prune back the vlans back to only my vlans for the site.

[image attachment: topology diagram]

joey.debra
Meraki Community All-Star

@deguc004, even without stacked switches it should work.

Since packets are bounced through the MXs you should NOT enable any features like root guard, loop guard or BPDU guard on the links towards the MXs.

The direct link between your switches can have root guard enabled in case of non-stack.

Make sure you don't have a link between your MXs and that you allow the same VLANs across the 4 links, including the correct native VLAN. DO NOT USE drop untagged! You can use a different native VLAN config between the switches.

Ensure one of your MS120s is root bridge for the L2 network.

You should see two links blocked on the switch that is not root bridge.

Thanks! Drop untagged did the trick; nothing works well without it.