STP/PVST+ Redesign issues and queries

Unanswered Question
Jan 15th, 2009


I'm currently working at a client site where I have been asked to stabilize a network following a major failure of a portion of it in June of last year. The network is designed as follows:

Two campuses are supported by a network designed with two Gig-interlinked (cross-campus) core switches (Cisco 6000s, one at each site). Each of these two in turn supports diverse Gig uplinks to four distribution switches (again Cisco 6000s, two at each site; there are links between the pairs of distribution switches at each campus). OSPF is configured in three main area groups across all devices.

Each pair of site distribution switches supports dual uplinks to stacked (up to six maximum, on average four per stack) 3750s at the access layer. The initial task was to replace the supervisor engines on the two failed distribution switch units (one at each campus).

There is a single VTP domain with approximately 200 VLANs in it. All trunk links carried all of the VLANs, as no “switchport trunk allowed” statements were applied. Redundant VLANs were removed, and relevant “switchport trunk allowed” statements were applied to each of the trunk uplinks from distribution to access layer as well as within the core.

Both distribution switches are now back online. The task now is to analyse and optimize the configuration of, firstly, Spanning Tree (PVST), as it has been shown that the network failure was mainly due to many PVST instances being supported at the access layer, and secondly HSRP. My questions are in relation to spanning tree.

1. STP has elected six root bridges across various access switch stacks and one distribution switch. Is it advisable to leave this configuration as it is, or should I attempt to select the two core switches as primary and secondary root bridges for the VLANs? Is it OK for access switches to be configured as root bridges? What is the best approach to go about this work?

2. What is the purpose of STP in a layer three environment like this? Surely OSPF takes care of redundant links and loops etc.?

3. How can STP cause two supervisor engines to fail at the distribution layer?

4. Basic question: why is a native VLAN necessary?

5. What is VLAN leakage?



Giuseppe Larosa Thu, 01/15/2009 - 09:53

Hello Neville,

You have described the current network scenario very well.

Before answering your questions I would note the following:

There is no need to have a single VTP domain:

if all links between distribution switches and core switches are L3 routed links, you can actually deploy two VTP domains, one at each site.

1) You need to tune the STP configuration so that, for all VLANs, one of the distribution switches is the primary root bridge and the other is the secondary root bridge.

You can use

spanning-tree vlan <vlan-list> root primary

spanning-tree vlan <vlan-list> root secondary

Having an access layer switch be the root bridge for a VLAN is usually to be avoided.


2) STP should be confined to the access layer; you can use L3 routed links between distribution and core

(no switchport + ip address on the interface).

The STP topology has to be determined as explained in point 1).

3) STP should prevent the creation of bridging loops; if a bridging loop is formed, the network can become unusable.

Usually the distribution switches go to 100% and you may even be unable to telnet to them.

When this happens to break the loop some cables or fibers have to be unplugged to recover.

If the switches are still accessible, you need to shut down the link between the distribution switches, and then you may need to disable the uplinks on one distribution switch.

STP loop guard, UDLD, and STP BPDU guard on user ports can help.

4) A native VLAN is used on 802.1Q trunks; frames belonging to the native VLAN are sent untagged. You may choose not to use the native VLAN at all, but the two devices need to agree on the native VLAN ID on each trunk link, or problems can happen at the IP level (if used).

5) VLAN leakage

I think this refers to when VLANs are joined:

if you use two VTP domains and in both you use VLAN 20, this is legitimate.

But if you then implement an L3 link using an SVI and the physical link is an L2 trunk, you join the two VLAN 20s.

Then a lot of problems can arise:

for example, if you use HSRP, two VIP addresses are advertised, and if the same HSRP group is used the distribution switches can go crazy, with CPU up to 100%.

We observed all these problems on Cat6500 in our customer network that includes several campus networks.

It is important, if a choice to use two VTP domains is made, to ensure that no L2 path between the two sites exists.

As an additional safety measure you can decide to assign vlans in a unique manner.

Hope this helps
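As an added illustration of point 1) above (not part of the original post, and not Cisco code): a small Python model of per-VLAN PVST root election. It shows why an untuned network ends up with access stacks as root bridges (every switch ships with priority 32768, so the lowest MAC wins the tie) and what the `root primary` / `root secondary` macros change. The hostnames, MAC addresses and VLAN numbers are constructed, and the behaviour of the two IOS macros is modelled in simplified form from their documented rules (24576 if that wins, otherwise 4096 below the current root; 28672 for secondary), which is an assumption to verify on your own platform.

```python
"""PVST root-bridge election and the effect of 'root primary/secondary'.

Added example, not from the original forum post. Each VLAN runs its own
STP instance and the bridge with the numerically lowest bridge ID becomes
root. With the 802.1t extended system ID the priority field is
(configured priority, a multiple of 4096) + VLAN ID, and ties break on the
lowest MAC address. All switches default to 32768, so an untuned campus
elects whichever switch has the lowest MAC, often an old access stack.
All hostnames, MACs and VLANs below are constructed.
"""

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576    # value 'spanning-tree vlan <list> root primary' normally picks
ROOT_SECONDARY = 28672  # value 'spanning-tree vlan <list> root secondary' sets


def bridge_id(priority, vlan, mac):
    """Comparable bridge ID: (priority + extended system ID, MAC as an int)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return (priority + vlan, int(mac.replace(":", "").replace(".", ""), 16))


def priority_of(bridges, name, vlan):
    """Per-VLAN priority of a switch, falling back to the factory default."""
    return bridges[name]["priority"].get(vlan, DEFAULT_PRIORITY)


def elect_root(bridges, vlan):
    """Hostname of the root bridge for one VLAN (lowest bridge ID wins)."""
    return min(
        bridges,
        key=lambda n: bridge_id(priority_of(bridges, n, vlan), vlan, bridges[n]["mac"]),
    )


def roots(bridges, vlans):
    """Root bridge per VLAN over a whole VLAN list."""
    return {v: elect_root(bridges, v) for v in vlans}


def apply_root_primary(bridges, name, vlans):
    """Model 'spanning-tree vlan <list> root primary' on switch `name`.

    Simplified model of the IOS macro (assumption): look at the best of the
    *other* bridges; use 24576 if that beats it, otherwise go 4096 below
    its priority. The macro is a one-shot calculation, not a running
    guarantee, so each VLAN is evaluated against the topology as it is now.
    """
    others = {k: v for k, v in bridges.items() if k != name}
    for vlan in vlans:
        rival_prio = priority_of(others, elect_root(others, vlan), vlan)
        new = ROOT_PRIMARY if rival_prio > ROOT_PRIMARY else rival_prio - 4096
        if new < 0:
            raise ValueError(f"cannot outrank current root on VLAN {vlan}")
        bridges[name]["priority"][vlan] = new


def apply_root_secondary(bridges, name, vlans):
    """Model 'spanning-tree vlan <list> root secondary': fixed priority 28672."""
    for vlan in vlans:
        bridges[name]["priority"][vlan] = ROOT_SECONDARY


def build_campus():
    """Constructed site: two distribution 6500s and three 3750 access stacks.

    The access stacks carry older, lower MAC addresses than the distribution
    switches, which is exactly the situation that yields access-layer roots.
    """
    return {
        "dist-a": {"mac": "00:1e:13:aa:00:00", "priority": {}},
        "dist-b": {"mac": "00:1e:13:bb:00:00", "priority": {}},
        "access-1": {"mac": "00:0a:41:11:00:00", "priority": {}},
        "access-2": {"mac": "00:0b:fd:22:00:00", "priority": {}},
        "access-3": {"mac": "00:0d:65:33:00:00", "priority": {}},
    }


VLANS = [10, 20, 30, 100]

if __name__ == "__main__":
    campus = build_campus()
    print("untuned:", roots(campus, VLANS))   # access-1 is root for every VLAN
    apply_root_primary(campus, "dist-a", VLANS)
    apply_root_secondary(campus, "dist-b", VLANS)
    print("tuned:  ", roots(campus, VLANS))   # dist-a is root for every VLAN
    del campus["dist-a"]                      # simulate losing the primary root
    print("failed: ", roots(campus, VLANS))   # dist-b takes over, not an access stack
```

The last step is the one worth checking in the real network after the change: with the secondary explicitly at 28672, losing the primary distribution switch hands the root role to its peer rather than back to whichever access stack happens to have the lowest MAC.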


