11-06-2017 05:05 AM - edited 03-08-2019 12:38 PM
Hi all,
In our network we have a lot of switches (at the moment about 150 online). We are running rapid-pvst, but there is no router itself on the network, only a 4500X that is routing between VLANs (we have 76 VLANs). From time to time someone here or there creates a network loop, but instead of STP turning just the directly affected link down, lots of uplink interfaces, mostly on edge switches, go into err-disabled state. I also experienced this weekend that on at least some port-channels, single member interfaces are set to err-disabled while the remaining ones are not, leaving the port-channel itself up and running. My question is: how can I restrict the impact of such a loop so that it does not affect almost the whole network? Any help is greatly appreciated.
Thanks
Daniel
11-06-2017 05:34 AM
It's not STP's fault, it's the user who's causing it. They shouldn't be causing loops here and there; that's a sign of bad planning in configuration. Nothing should be added to or removed from the network without checking the consequences first. We all make mistakes, but if it's constantly happening you have another issue to deal with. Even if you use err-disable recovery to come back from the loop, it could bring the port back online while the issue is still there and take it back down anyway.
You have a large STP domain (150 switches). You should try to break it down and segment it, or else lock down the network with port-security so people can't be causing outages like that. Make sure PortFast is in place where it should be and that the likes of BPDU Guard is on. The more protection in place, the less convergence there will be, but the larger your network is, the worse the layer 2 convergence will be too when the outage occurs.
Take the automated control back from STP by manually setting link costs etc., so you know even when the outage occurs which links will become active when the primary paths fail. Basically take control back off STP: it can be manipulated to an extent, so even though it's automatic you're really controlling it.
STP turning just the directly affected link down lots of uplink interface on mostly edge switches go into err-disabled state
Are these dual-linked access switches? It shouldn't be shutting down the only active link; STP is there to prevent a loop, not to break the access layer.
11-06-2017 07:00 AM - edited 11-06-2017 07:03 AM
Hi
First you must be aligned to a network model. In this case you could use the two-layer (collapsed core) model, where the 4500X will have the role of core and distribution (primary and secondary).
Looking at your infrastructure, I don't recommend cascading the switches. You can have direct uplinks from the access switches to the 4500X, or create stacks and then connect one link to the 4500X primary and another link to the secondary.
All the access switches must be configured with the following commands under the interfaces used to connect end users (access mode only):
spanning-tree portfast
spanning-tree bpduguard enable
On the 4500X (primary and secondary) I suggest setting up the STP primary root and secondary root respectively.
Primary
spanning-tree mode rapid-pvst
spanning-tree VLAN A,B,C,D,..Z (your VLANs) priority <lowest for primary root / then higher for secondary>
example:
primary
spanning-tree vlan 10,11,15 priority 4096
secondary
spanning-tree vlan 10,11,15 priority 8192
Then under the interfaces facing the access switches you can set up "spanning-tree guard root"; it will protect the root devices. Note: it must be configured on the designated ports (facing the access switches) only.
Also remember to use the same spanning-tree mode (rapid-pvst) on all the switches in your infrastructure.
Hope it is useful
:-)
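The two replies above describe the same hardening from different angles: a deterministic root and root guard on the 4500X side, PortFast plus BPDU Guard and port-security on end-user ports, and manual link costs on the access uplinks. The following is an added example that pulls those pieces into one Cisco IOS configuration; it is not configuration from the thread or from the original poster's network. The interface names, the VLAN list 10,11,15, the port ranges and the cost values are assumptions and have to be replaced with the real ones.

```cisco
! ===== 4500X primary (the secondary is identical except for priority 8192) =====
! Same STP mode on every switch, as the second reply stresses
spanning-tree mode rapid-pvst
! Deterministic root: lowest priority on the primary, next-lowest on the secondary
spanning-tree vlan 10,11,15 priority 4096
!
! Designated ports facing the access switches (assumed range): root guard so that
! no access switch, new or mis-cabled, can ever be elected root for these VLANs.
interface range TenGigabitEthernet1/1 - 16
 description downlink to access switches (assumed port range)
 switchport mode trunk
 spanning-tree guard root
!
! ===== Access switch (assumed: one dual-homed switch, Gi1/0/x user ports) =====
spanning-tree mode rapid-pvst
!
! Manual path cost on the two uplinks so the active/backup path is predictable
! ("take control back off STP" in the first reply); NO bpduguard on uplinks.
interface TenGigabitEthernet1/1
 description uplink to 4500X primary (assumed)
 switchport mode trunk
 spanning-tree cost 10
!
interface TenGigabitEthernet1/2
 description uplink to 4500X secondary (assumed)
 switchport mode trunk
 spanning-tree cost 20
!
! End-user ports only: PortFast + BPDU Guard err-disables the single port that
! receives a BPDU (a looped-back cable or rogue switch) instead of letting the
! loop propagate; port-security limits what an unplanned device can do.
interface range GigabitEthernet1/0/1 - 48
 description user access ports (assumed range)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! Optional automatic recovery. The first reply's caveat applies: if the loop is
! still there, the port comes back and is err-disabled again after the interval.
errdisable recovery cause bpduguard
errdisable recovery interval 600
```

Root guard belongs only on the 4500X side, on the ports that are designated towards the access layer; BPDU Guard belongs only on access ports, never on an uplink or port-channel member, otherwise the behaviour described in the question (uplinks going err-disabled) is exactly what you get. After applying it, "show spanning-tree root" on an access switch should list the primary 4500X as root for every VLAN, and "show interfaces status err-disabled" should, after the next loop, show only the offending access port.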