Spanning-Tree BPDUguard, priority, storm-control settings.

Unanswered Question

I have searched the posts and noticed that there hasn't been a good answer to the question of how to set these values. My research has led me to the following possibilities. Comments?


INTERFACE:

interface GigabitEthernet1/0/3
 switchport access vlan 951
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 65.00
 storm-control multicast level 65.00
 storm-control action trap
 spanning-tree bpduguard enable


GLOBAL:

sand1(config)#spanning-tree loopguard default


GLOBAL ON THE ROOT (CORE) SWITCH:

sand1(config)#spanning-tree vlan 1-1005,1025-4049 root primary diameter 3


ON A CISCO SWITCH WITH AN INTERFACE TO ANOTHER VENDOR'S LAYER TWO SWITCH:

sand1(config)#spanning-tree vlan 1-1005,1025-4049 priority 61440 ***** This will assure that the network controls the root, not this sw.
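An added example, not from the thread: a small Python audit that parses an IOS-style running-config and flags PortFast edge ports that lack the protections set out above (explicit access mode, BPDU guard, broadcast storm-control). The sample config is constructed for the example; the function names are my own.

```python
# Constructed sample running-config fragment (not from the thread), modelled on the post's settings.
SAMPLE_CONFIG = """\
spanning-tree loopguard default
!
interface GigabitEthernet1/0/3
 switchport access vlan 951
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 65.00
 storm-control action trap
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport access vlan 951
 spanning-tree portfast
!
"""

def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_access_ports(config):
    """Return {interface: [finding, ...]} for PortFast ports missing recommended protections."""
    # BPDU guard may be enabled per port or globally for every PortFast port.
    global_bpduguard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "spanning-tree portfast" not in cmds:
            continue  # only edge ports are in scope
        problems = []
        if "switchport mode access" not in cmds:
            problems.append("no explicit 'switchport mode access'; DTP may negotiate a trunk")
        if not global_bpduguard and "spanning-tree bpduguard enable" not in cmds:
            problems.append("PortFast without BPDU guard")
        if not any(c.startswith("storm-control broadcast level") for c in cmds):
            problems.append("no broadcast storm-control level")
        if problems:
            findings[name] = problems
    return findings
```

Run it against a saved `show running-config`; GigabitEthernet1/0/4 in the sample trips all three checks while 1/0/3 is clean.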


Francois Tallet Mon, 12/10/2007 - 16:11

A good idea is also to have a secondary root. Without one, should your root die, the new root is somehow elected randomly anywhere in the network, depending on the mac address of the remaining bridges. With a secondary root (a bridge with a bridge ID worse than the root but better than the other switches), you can maintain a proper hierarchy in your network and minimize the changes in topology in case of root failure.

Regards,

Francois

Agreed. In my case I have a collapsed backbone. A 6513 is the center of my vlans. My vlans are really just a slice of switch space on the 6513 with some small switches connected to one of those vlans.


I never thought vlans were all that useful after L3 switching matured. There are some issues where the use of vlans could cause bleeding across them when the mac-address-table overloads, due to an attack on a port on the switch, and the switch becomes a hub. That reminds me. There could also be an issue with trunking when that happens and the attacker takes advantage of DTP to also see all the rest of the vlans in the layer two domain.


Since there is no - sand1(config-if)#no switchport mode dynamic - command, I am going to assume that unless you select a switchport mode, it is not enabled. Available commands are:


sand1(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE

muca Mon, 12/10/2007 - 16:25

Hi Bruce,

spanning-tree vlan 1-1005,1025-4049 root primary diameter 3 should be used with caution, since it changes the spanning-tree default timers.


This value is the maximum number of bridges between any two points of attachment of end stations. The IEEE recommendation is to consider a maximum diameter of seven bridges for the default STP timers. So if you change it to 3, I assume your network is small.


http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml

I have also added some recovery protection for the UDLD, bpduguard, and storm control, as well as link flap and some others that may crop up.


sand1(config)#errdisable recovery cause all
errdisable recovery interval 30


This adds the following statements to the config.


errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback


csawest.dc Wed, 11/17/2010 - 21:58

Dear Bruce.porter,


I need all these errdisable recovery causes (all of which you mentioned) on my Cisco 3550, 3560, 3400 and 2950 switches.


Which IOS supports all of the errdisable recovery causes, including storm-control, on the switches mentioned above?


I need it URGENT.


Thanks in ADV,
