STP guard setup - best practices

LFA-CMK
Community Member

Curious what the consensus is on STP guard settings for ports on Meraki switches. We've turned on BPDU guard for all access ports. However, I was wondering under what circumstances Root or Loop guard would be used. We have a few 3rd party switches uplinked to some of our Meraki switches (trunk ports). Would Root or Loop guard be worthwhile to activate?

The same question goes for fiber uplinks - from Meraki switches to a core. Is there a best practice on what STP guard settings should be? Or is "disabled" the norm?

Thanks for your input. Happy to provide more topology details if need be.

36 Replies

Hello GldenJoe. You mentioned that "I would have wanted to put loop guard on uplinks of access layer switches but Meraki won't let me because we use the management inline with the network". You mean we cannot configure loop guard on Meraki switches?

joey.debra
Meraki Community All-Star

The feature is there, but it seems if you are not using a physically separate mgmt network to reach the cloud you won't be able to set your access switch uplinks to loopguard. It will yell at you if you try to 🙂

I have yet to justify costs for extra SFPs and fiber connections to each access layer switch for a separate OOB network...

Hello,

I have a question on the configuration of STP on my network.

We have one MX84 and one MS220 switch. The switch is connected with redundant optical fiber to the MX84 (loop guard and UDLD are configured on the 2 uplink ports of the switch, since port aggregation is not supported by the MX84).

When I check the topology, I see the topology is wrong and a message indicates "A switch was detected that improperly forwards LLDP packets. This can cause your network topology to be incomplete or incorrect."

What should I do / configure to have the right topology?

Thanks

Enable RSTP on both uplinks to make sure one of the uplinks is in blocking state.

Johan4
Community Member

RSTP is active on both uplink ports.

STP guard is active in "Loop guard" on both uplink ports.

Port isolation is disabled and Unidirectional link detection (UDLD) is enforced.

Hey @Johan3

Basic things first. Remember the MX is not a switch and does not speak STP and does not support UDLD either. So what you are dealing with is one switch only which is your root bridge too.

  • Both ends of a link need to support UDLD for this feature to initiate. Since the MX does not support it, enabling UDLD in your topology is useless.
  • Loop guard does not apply to your topology either. I'd not apply it.

For your topology, enabling RSTP without any STP guard options (root, loop, bpdu-obviously) is enough. Doing so should give you one of your fibre links in forwarding and the other in blocking.

A note on UDLD: as mentioned, in your case it is useless since the MX does not support it. In valid cases when UDLD is enabled, Meraki recommends doing it in "Alert Only" mode.

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MS_Switching/General_MS_Best_Practices


Finally, regarding the "correct" topology: I am afraid that what you have is correct because of your two uplinks to the same box (MX). If you disable one of the uplinks you should see a more comprehensible topology. With both enabled you should be able to see a check box "Show redundant links" which makes the topology a tiny bit more comprehensible.
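
The settings discussed in this thread, expressed as a port audit. This is an added example, not part of any post: it assumes port records shaped like Meraki Dashboard API switch-port objects (`portId`, `type`, `rstpEnabled`, `stpGuard`, `udld`), and the `audit_ports` function, its `mx_facing` parameter, the finding codes and the sample data are all constructed for illustration.

```python
# Constructed sample: two access ports and two fiber uplinks that face an MX.
SAMPLE_PORTS = [
    {"portId": "1", "type": "access", "rstpEnabled": True,
     "stpGuard": "bpdu guard", "udld": "Alert only"},
    {"portId": "2", "type": "access", "rstpEnabled": True,
     "stpGuard": "disabled", "udld": "Alert only"},
    {"portId": "25", "type": "trunk", "rstpEnabled": True,
     "stpGuard": "loop guard", "udld": "Enforce"},
    {"portId": "26", "type": "trunk", "rstpEnabled": False,
     "stpGuard": "disabled", "udld": "Alert only"},
]


def audit_ports(ports, mx_facing=()):
    """Return (portId, code) findings for settings the thread advises against.

    mx_facing (hypothetical parameter): port IDs whose link partner is an MX,
    which per the thread speaks neither STP nor UDLD.
    """
    mx_facing = {str(p) for p in mx_facing}
    findings = []
    for port in ports:
        pid = str(port.get("portId"))
        guard = (port.get("stpGuard") or "disabled").lower()
        udld = (port.get("udld") or "").lower()
        kind = port.get("type")

        # Redundant uplinks rely on RSTP to put one link into blocking.
        if kind == "trunk" and not port.get("rstpEnabled", False):
            findings.append((pid, "TRUNK_RSTP_DISABLED"))
        # The original poster's baseline: BPDU guard on every access port.
        if kind == "access" and guard != "bpdu guard":
            findings.append((pid, "ACCESS_NO_BPDU_GUARD"))
        # UDLD needs support on both ends; elsewhere the thread cites
        # Meraki's recommendation of "Alert only" rather than "Enforce".
        if udld == "enforce":
            code = "UDLD_ENFORCE_TO_MX" if pid in mx_facing else "UDLD_ENFORCE"
            findings.append((pid, code))
        # Loop guard does not apply when the peer sends no BPDUs.
        if pid in mx_facing and guard == "loop guard":
            findings.append((pid, "LOOP_GUARD_TO_MX"))
    return findings


if __name__ == "__main__":
    for pid, code in audit_ports(SAMPLE_PORTS, mx_facing={"25", "26"}):
        print(f"port {pid}: {code}")
```
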

CHAadmin
Community Member

Sorry to reopen this thread, but I want to see if I understand how UDLD and STP guard should be set up on my topology. Here's the high-level image from the dashboard. Very simple hub-spoke. Single uplinks from IDFs (either a stack of two or just a single switch) run back to MS425. Do I enforce UDLD and loop guard on both ends, or just the uplink port for the IDF?
