12-10-2007 03:21 PM - edited 03-05-2019 07:55 PM
I have searched the posts and noticed that there hasn't been a good answer to the question of how to set these values. My research has led me to the following possibilities. Comments?
INTERFACE:
interface GigabitEthernet1/0/3
switchport access vlan 951
switchport mode access
spanning-tree portfast
storm-control broadcast level 65.00
storm-control multicast level 65.00
storm-control action trap
spanning-tree bpduguard enable
GLOBAL:
sand1(config)#spanning-tree loopguard default
GLOBAL ON THE ROOT (CORE) SWITCH:
sand1(config)#spanning-tree vlan 1-1005,1025-4049 root primary diameter 3
ON A CISCO SWITCH WITH AN INTERFACE TO ANOTHER vendor's LAYER TWO SWITCH:
sand1(config)#spanning-tree vlan 1-1005,1025-4049 priority 61440 ***** This will assure that the network controls the root, not this sw.
12-10-2007 04:11 PM
A good idea is also to have a secondary root. Without one, should your root die, the new root is somehow elected randomly anywhere in the network, depending on the mac address of the remaining bridges. With a secondary root (a bridge with a bridge ID worse than the root but better than the other switches), you can maintain a proper hierarchy in your network and minimize the changes in topology in case of root failure.
Regards,
Francois
12-10-2007 04:27 PM
Agreed. In my case I have a collapsed backbone. A 6513 is the center of my vlans. My vlans are really just a slice of switch space on the 6513 with some small switches connected to one of those vlans.
I never thought vlans were all that useful after L3 switching matured. There are some issues where the use of vlans could cause bleeding across them when the mac-address-table overloads, due to an attack on a port on the switch, and the switch becomes a hub. That reminds me. There could also be an issue with trunking when that happens and the attacker takes advantage of DTP to also see all the rest of the vlans in the layer two domain.
Since there is no - sand1(config-if)#no switchport mode dynamic - command, I am going to assume that unless you select a switchport mode, that it is not enabled. Available commands are:
sand1(config-if)#switchport mode dynamic ?
auto Set trunking mode dynamic negotiation parameter to AUTO
desirable Set trunking mode dynamic negotiation parameter to DESIRABLE
12-10-2007 04:25 PM
Hi Bruce,
spanning-tree vlan 1-1005,1025-4049 root primary diameter 3 should be used with caution, since it changes the spanning-tree default timers.
This value is the maximum number of bridges between any two points of attachment of end stations. The IEEE recommendation is to consider a maximum diameter of seven bridges for the default STP timers. So if you change it to 3, I am assuming your network is small.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml
12-11-2007 10:27 AM
Checked the link. Agreed. Thanks for the help. I will also add - sand1(config)#udld enable. I am not quite sure why but it must have been created to solve some real issue.
12-11-2007 10:45 AM
I have also added some recovery protection for the UDLD, bpduguard, and storm control, as well as link flap and some others that may crop up.
sand1(config)#errdisable recovery cause all
errdisable recovery interval 30
This adds the following statements to the config.
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
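The settings collected in this thread (the per-port hardening from the first post, the point about leaving the switchport mode to DTP, and the global loopguard and errdisable recovery lines above) can be checked mechanically against a running-config. The script below is an added example for that audit and is not code from the thread or from Cisco; it parses IOS-style stanzas (sub-commands indented by one space, "!" as a separator), treats every non-trunk, non-shutdown interface as an access port, and reports which of the thread's settings are absent. Ports with no explicit `switchport mode` are flagged separately, because the platform default then decides whether DTP negotiates on them. The sample config is constructed here for illustration; the required-command lists and finding messages are this example's own choices.

```python
"""Audit a Cisco IOS running-config for the edge-port and global STP
settings discussed in this thread (added example, not the thread's code)."""

# Per-port settings taken from the first post's interface example.
ACCESS_PORT_REQUIRED = (
    "switchport mode access",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
    "storm-control broadcast level",
    "storm-control multicast level",
)

# Global settings taken from the thread.
GLOBAL_REQUIRED = (
    "spanning-tree loopguard default",
    "errdisable recovery cause",
    "errdisable recovery interval",
)


def parse_config(text):
    """Split IOS config text into (global_lines, {interface: [sub-commands]})."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current = None          # blank line or "!" closes the stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented sub-command
        else:
            current = None          # any other top-level line is global config
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_interface(name, cmds):
    """Return findings for one interface; trunks and shut ports are skipped."""
    findings = []
    if "shutdown" in cmds or "switchport mode trunk" in cmds:
        return findings
    if not any(c.startswith("switchport mode ") for c in cmds):
        findings.append(f"{name}: no explicit 'switchport mode' (DTP left to platform default)")
    for req in ACCESS_PORT_REQUIRED:
        if not any(c.startswith(req) for c in cmds):
            findings.append(f"{name}: missing '{req}'")
    if not any(c.startswith("storm-control action") for c in cmds):
        findings.append(f"{name}: no explicit 'storm-control action'")
    return findings


def audit_global(lines):
    """Return findings for the global configuration."""
    return [f"global: missing '{req}'" for req in GLOBAL_REQUIRED
            if not any(l.startswith(req) for l in lines)]


def audit(text):
    """Audit a whole config; returns global findings first, then per-interface."""
    global_lines, interfaces = parse_config(text)
    findings = audit_global(global_lines)
    for name, cmds in interfaces.items():
        findings.extend(audit_interface(name, cmds))
    return findings


# Constructed sample: one port as the thread recommends, one half-configured
# port, and one trunk that the access-port policy does not apply to.
SAMPLE_CONFIG = """\
!
spanning-tree loopguard default
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
interface GigabitEthernet1/0/3
 switchport access vlan 951
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 65.00
 storm-control multicast level 65.00
 storm-control action trap
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport access vlan 951
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against a real `show running-config` capture (read the file and pass its text to `audit`) lists every access port that deviates from the thread's template, which is a quicker way to catch the one port someone configured by hand than reading the config top to bottom.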
11-17-2010 09:58 PM
Dear Bruce.porter,
I need all of these errdisable recovery causes (all the ones you mention) on my Cisco 3550, 3560, 3400 and 2950 switches.
Which IOS supports all errdisable recovery causes, including storm-control, on the switches mentioned above?
I need it URGENTLY.
Thanks in ADV,