Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Two MST instances, enabling Root guard

I have 2 3550 12G switches that I use as core fiber switches.  Switch 1 is the primary for 1/2 the VLANs and Switch 2 is the primary for the others using MST with 2 instances (I am not including the default 0 instance).  I am using HSRP to provide redundancy.  So far so good.  Recently a tenant in my building would like to use their own switch for data but still needs access to a VLAN on mine for voice.  Again not a problem as I can configure a trunk port and give them what they need.  My concern is that if they try to configure STP on their switch can they take down mine.  Are there some preventions that I can put into place to help, such as root guard, that work with MST?  What happens if they too set up MST can they kill mine?

Switch 1 is the root for 1/2 the vlans and Switch 2 is the backup root.  The scenario is flipped for the other 1/2.


Did youn already check the following link:

I think it is quite on the topic. My personal approach is to make it as less fancy as possible.

Simple solutions are easier to troubleshoot.



The reason for MST is that we have HP switches on our network along with Cisco.  MST we found works best for interoperability between them (HP has a good document on this as well).  The two core switches also handle all routing so if one dies the other takes over.  Each wiring closet has two fiber links, one back to Switch 1 and the other to Switch 2 again for redundancy.  I will not have any control over the client's switch so configuring an MST instance there can't happen.  I guess I am just wondering if there is a simple way to protect my equipment from theirs and still allow them access to my VoIP VLAN.  I don't necessarily have to give them a trunk port if there are other methods that are safer and can allow their phones to access the same subnet.  My closet switches are 2950-48s with 2 fiber uplinks each.

From what I had been reading Root Guard may help (but I am not 100% sure).  Basically the client should be able to set up their own STP if they want and set the root bridge to whatever.  I think that I can set root guard on the access ports that I designate to them this way they cannot compromise my access switch and can run their network however they choose.  Am I correct in saying this?

Yet another link about how MST interacts with the outside world:

It seems to me as if you dont need to take extreme measures. The fact that the MST acts as one bridge to the outside world implies it will always prevent loops. Using root-guard looks like an interesting tweak but I would dive very deep into it before deciding whether to go for it or not.

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs. This implies that your services are interrupted when root guard is activated.

Link to root guard feature overview: