forcing spanning-tree root

Mar 25th, 2009

Is it a good idea to hardcode or force spanning-tree root in a campus environment?

I have a campus made up of four buildings supported by a 4506 core and 21 2950/2960 switches. These switches are either directly connected to the 4506 or are daisy-chained in groups of two or three back to the 4506. I have 14 VLANs supporting different areas of the campus for voice and data.

I am starting to receive error messages similar to the following...

Mar 20 14:27:01.272 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:1E:C5:C5 in vlan 1 is flapping between port Gi4/5 and port Gi3/2

Mar 20 14:36:02.584 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:1D:7A:09 in vlan 1 is flapping between port Gi3/1 and port Gi3/2

Mar 20 14:38:07.116 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:2A:05:0C in vlan 1 is flapping between port Gi3/2 and port Gi4/5

Mar 20 14:38:34.488 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:1D:7A:09 in vlan 1 is flapping between port Gi3/2 and port Gi3/1

Mar 25 08:16:18.169 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:09:6B:A5:B9:F0 in vlan 1 is flapping between port Gi3/2 and port Gi2/22

The odd thing is that none of these switches are connected together. The interfaces reported are in some cases even in different buildings. At first I thought this was only affecting VLAN1 but it appears to be affecting the whole campus.

In talking with TAC, they are thinking this may be a spanning-tree issue and I am only seeing the symptoms. In looking further, the root is not my 4506 core. It is one of the 2960s out on the campus. They want to wait until I have another extended outage to check CPU utilization and the like to verify this theory but I do not understand the relation between that and the error message.

Would it not be a good idea to go ahead and configure the 4506 to be the root? The switch that is currently the root does have two possible paths back to the core just due to the required redundancy in that specific area of the campus.

I will get a visio diagram modified to post.

Giuseppe Larosa Wed, 03/25/2009 - 07:14

Hello Brent,

>> Is it a good idea to hardcode or force spanning-tree root in a campus environment?

Yes, it is actually recommended to configure both the primary root and a secondary root (they can be different on a per-VLAN basis if using PVST or Rapid-PVST, or on a per-instance basis with MST).

We do in our campus networks for example:

spanning-tree vlan 1,7,9,11,13,15-17,20-24,26-27,34,40,42-45,52,55 priority 0

spanning-tree vlan 58,69,80,90,101,103,615 priority 0

spanning-tree vlan 5-6,8,10,12,14,18-19,25,30,41,50-51,53,56-57,59 priority 1

spanning-tree vlan 100,102,104,150-151,611 priority 1

The other node has a mirror configuration (1 for 0).

The root bridge and its backup should be devices in the center of the topology with good performance and high-speed links.

I would suggest scheduling a maintenance window and making the distribution switches root and backup root.

About the error message:

If they were from ports in the same building it could be a multi-NIC server; if coming from different buildings it is a sign of some L2 issue.

Hope to help


bberry Wed, 03/25/2009 - 11:50

Thanks, that is what I was thinking. The 4506 is the core but I only have the one. Is there a big difference in this over set spantree root {vlan-id} or do both accomplish the same results?

In regards to the error message, I have one port on the P2C switch that is reporting 37 devices from three different VLANs even though the port itself is in none of them. I have asked the folks at the facility to tell me what is connected here.

glen.grant Wed, 03/25/2009 - 11:56

I wouldn't think that would be an issue as you have a single 4506 core with single links back to it, so it has no built-in loops it has to worry about. It is a good idea to set them anyway just to be safe. My guess is someone has physically looped 2 ports together somewhere in vlan 1. Start going through the complaining switches and look for stuff like multiple MACs on one port, use CDP to see if the switch sees itself, check logs in each switch. If the switch has more than one path then spanning tree should be blocked somewhere on those switches for each vlan on the switch.
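A way to decide which port to start that walk-through from, as an added example that is not part of the original thread: it parses the HOSTFLAPPING messages quoted in the first post and counts how often each port and MAC is involved. `SAMPLE_LOG` is copied from that post (with the wrapped fifth message rejoined); the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the first post of this thread (fifth message rejoined).
SAMPLE_LOG = """\
Mar 20 14:27:01.272 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:1E:C5:C5 in vlan 1 is flapping between port Gi4/5 and port Gi3/2
Mar 20 14:36:02.584 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:1D:7A:09 in vlan 1 is flapping between port Gi3/1 and port Gi3/2
Mar 20 14:38:07.116 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:2A:05:0C in vlan 1 is flapping between port Gi3/2 and port Gi4/5
Mar 20 14:38:34.488 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:00:BC:1D:7A:09 in vlan 1 is flapping between port Gi3/2 and port Gi3/1
Mar 25 08:16:18.169 CST: %C4K_EBM-4-HOSTFLAPPING: Host 00:09:6B:A5:B9:F0 in vlan 1 is flapping between port Gi3/2 and port Gi2/22
"""

FLAP_RE = re.compile(
    r"%C4K_EBM-4-HOSTFLAPPING: Host (?P<mac>[0-9A-Fa-f:]{17}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)

def parse_flaps(text):
    """Return one dict per HOSTFLAPPING message; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            events.append({"mac": m["mac"].upper(), "vlan": int(m["vlan"]),
                           "ports": frozenset((m["a"], m["b"]))})
    return events

def summarize(events):
    """Count flap events per port and collect the distinct MACs seen on each port."""
    port_hits = Counter()
    macs_by_port = defaultdict(set)
    for ev in events:
        for port in ev["ports"]:
            port_hits[port] += 1
            macs_by_port[port].add(ev["mac"])
    return port_hits, macs_by_port

def common_ports(events):
    """Ports present in every flap event: the first uplink to trace for a loop or bridge."""
    if not events:
        return set()
    return set.intersection(*(set(ev["ports"]) for ev in events))

if __name__ == "__main__":
    evs = parse_flaps(SAMPLE_LOG)
    hits, macs = summarize(evs)
    for port, n in hits.most_common():
        print(f"{port}: {n} events, {len(macs[port])} distinct MACs")
    print("in every event:", sorted(common_ports(evs)))
```

On the quoted messages, Gi3/2 is the only port present in all five events, so the switch chain behind that port is the natural place to begin checking MAC tables and CDP neighbors.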

bberry Wed, 03/25/2009 - 12:01

That is part of what I am doing today. That is when I discovered the 37 devices on port 13 in one of the complaining switches. I am just wondering how this is happening if the two switches are in different buildings. We have been having a problem with them using Linksys APs from Walmart in their offices for wireless and wondering if this is a side effect.

Giuseppe Larosa Wed, 03/25/2009 - 12:47

Hello Brent,

Yes, an AP can have this effect of making the switch learn multiple MAC addresses on a single port.

The multiple MAC addresses appear to move if the wireless clients move to another AP.

What Glen says is a possible explanation: someone could have connected two ports of the same switch.

I've given a look at your topology and yes the C4506 has to be the primary root.

Hope to help


bberry Wed, 03/25/2009 - 12:58

Here is the odd thing though. The clients associated are desktops that do not have wireless cards. One of the file servers in the computer room has even shown up on the list.

