Spanning-Tree BPDUguard, priority, storm-control settings.

bruce.porter
Level 1

I have searched the posts and noticed that there hasn't been a good answer to the question of how to set these values. My research has led me to the following possibilities. Comments?

INTERFACE:

interface GigabitEthernet1/0/3
 switchport access vlan 951
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 65.00
 storm-control multicast level 65.00
 storm-control action trap
 spanning-tree bpduguard enable

GLOBAL:

sand1(config)#spanning-tree loopguard default

GLOBAL ON THE ROOT (CORE) SWITCH:

sand1(config)#spanning-tree vlan 1-1005,1025-4049 root primary diameter 3

ON A CISCO SWITCH WITH AN INTERFACE TO ANOTHER VENDOR'S LAYER TWO SWITCH:

sand1(config)#spanning-tree vlan 1-1005,1025-4049 priority 61440 ***** This will assure that the network controls the root, not this sw.

6 Replies

Francois Tallet
Level 7

A good idea is also to have a secondary root. Without one, should your root die, the new root is somehow elected randomly anywhere in the network, depending on the mac address of the remaining bridges. With a secondary root (a bridge with a bridge ID worse than the root but better than the other switches), you can maintain a proper hierarchy in your network and minimize the changes in topology in case of root failure.

Regards,

Francois

Agreed. In my case I have a collapsed backbone. A 6513 is the center of my vlans. My vlans are really just a slice of switch space on the 6513 with some small switches connected to one of those vlans.

I never thought vlans were all that useful after L3 switching matured. There are some issues where the use of vlans could cause bleeding across them when the mac-address-table overloads, due to an attack on a port on the switch, and the switch becomes a hub. That reminds me. There could also be an issue with trunking when that happens and the attacker takes advantage of DTP to also see all the rest of the vlans in the layer two domain.

Since there is no "sand1(config-if)#no switchport mode dynamic" command, I am going to assume that unless you select a switchport mode, it is not enabled. Available commands are:

sand1(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
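An added example, not from this thread and not a Cisco tool: a small Python audit that parses a running-config, checks every non-trunk port against the access-port template in the original post (portfast, bpduguard, storm-control), and flags ports still carrying "switchport mode dynamic", which is the DTP exposure discussed above. The config text is constructed for the example.

```python
# Constructed sample running-config (not from the thread): one port configured
# as the original post recommends, one that is not, and a deliberate trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 65.00
 storm-control multicast level 65.00
 storm-control action trap
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport mode dynamic desirable
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

# Lines every edge port should carry, taken from the template in the thread.
REQUIRED = ("switchport mode access", "spanning-tree portfast",
            "spanning-tree bpduguard enable",
            "storm-control broadcast level", "storm-control multicast level")

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces

def audit(config):
    """Return {interface: [findings]} for non-trunk ports missing hardening."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue  # intentional trunks are judged separately
        issues = ["missing: " + r for r in REQUIRED
                  if not any(ln.startswith(r) for ln in lines)]
        if any(ln.startswith("switchport mode dynamic") for ln in lines):
            issues.append("DTP negotiation enabled")
        if issues:
            findings[name] = issues
    return findings
```

Running audit(SAMPLE_CONFIG) reports only GigabitEthernet1/0/4, listing the four missing template lines plus the DTP finding; feed it the output of "show running-config" to check a real switch.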

muca
Level 3

Hi Bruce,

spanning-tree vlan 1-1005,1025-4049 root primary diameter 3 should be used with caution, since it changes the spanning-tree default timers.

This value is the maximum number of bridges between any two points of attachment of end stations. The IEEE recommendation is to consider a maximum diameter of seven bridges for the default STP timers. So if you change it to 3, I am assuming your network is small.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml

Checked the link. Agreed. Thanks for the help. I will also add - sand1(config)#udld enable. I am not quite sure why but it must have been created to solve some real issue.

I have also added some recovery protection for the UDLD, bpduguard, and storm control, as well as link flap and some others that may crop up.

sand1(config)#errdisable recovery cause all
sand1(config)#errdisable recovery interval 30

This adds the following statements to the config.

errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback

Dear Bruce.porter,

I need all these errdisable recovery causes (all the ones you mention) in my Cisco 3550, 3560, 3400 and 2950 switches.

Which IOS supports all errdisable recovery causes, including storm-control, on my above-mentioned switches?

I need it URGENT.

Thanks in ADV,
