04-01-2009 05:03 AM - edited 03-06-2019 04:56 AM
Hi,
I'm seeing multiple root bridges for each vlan across our network. We have multiple switch stacks which connect to our two core switches. We are also running vtp across the LAN, so each switch has 25 vlans in its vlan database.
On the trunk ports which connect from the core switches to the switch stacks we only allow the required vlan for the switch stack. Because we restrict the vlans on the trunk ports, does this mean each switch stack will need a root bridge for the vlans which are not allowed across the trunk ports which connect to the cores? Also, would it be best practice to disable VTP?
Thanks
04-01-2009 05:11 AM
Hello Darren,
If you see a switch stack claiming to be the root bridge for a vlan that is not permitted on its trunk uplinks, this is normal; I saw it on some of our campus networks.
Only doubt: have you configured the list of permitted vlans on the distribution side only or also on the switch stack side?
25 vlans shouldn't be a scalability issue.
STP shouldn't be running if no port exists in STP forwarding state (as should happen if a vlan is not used in the stack and not permitted on the uplinks on both sides of the links).
Hope to help
Giuseppe
04-01-2009 05:25 AM
We have only configured the list of permitted vlans from the distribution side. Should we also configure the list of allowed vlans from the switch stack side?
Also, what is your recommendation as regards VTP? My personal view is we shouldn't use it, as it has the potential to cause more problems than it's worth.
04-01-2009 05:30 AM
"Also would it be best practice to disable VTP?"
Absolutely!
It is not worth all the hassle, confusion and potential for outages that it offers. Get rid of it.
04-01-2009 07:09 AM
Yes. The vlan should be in the allowed list on both sides, otherwise the STP domain is split into multiple pieces; that is why you see multiple STP root switches: the access switch doesn't see the distribution switch (the vlan is not allowed on its trunk ports), so each access switch thinks: hey, then I am the root.
04-01-2009 07:58 AM
Hello Darren,
>> We have only configured the list of permitted vlans from the distribution side. Should we also configure the list of allowed vlans from the switch stack side?
Yes, if you don't want to see those rogue STP root bridges for unused vlans; this was my thought about your scenario.
VTP:
at least use MD5 authentication.
The real trouble is that VTP is rather primitive and opens the door to a possible denial of service.
Hope to help
Giuseppe
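The two fixes discussed in this thread (prune the same vlans on both ends of each uplink, and either turn VTP off or at least authenticate it), written out as an added IOS configuration example that is not part of any post above. Interface names, vlan numbers, the VTP domain name and the password placeholder are assumptions chosen for illustration; substitute your own.

```cisco
! --- Before: allowed list set on the distribution side only ---
! The stack end of the trunk still defaults to "allowed vlan all", so the
! stack keeps a PVST+ instance for every vlan VTP pushed into its database
! and elects itself root for each vlan the distribution side pruned.
!
! Distribution switch (assumed interface name)
interface GigabitEthernet1/1
 description Uplink to access-stack-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Access stack (assumed interface name) - no allowed list, i.e. all vlans

! --- After: prune identically on both ends of the link ---
! Distribution switch
interface GigabitEthernet1/1
 description Uplink to access-stack-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Access stack uplink
interface GigabitEthernet1/0/1
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! --- VTP: preferred option, stop participating in VTP entirely ---
vtp mode transparent
! A transparent switch keeps its own vlan database and only forwards
! VTP advertisements; it no longer accepts a database overwrite.

! --- VTP: if it must stay, at least authenticate the advertisements ---
vtp domain CAMPUS
vtp password REPLACE-WITH-YOUR-OWN-SECRET
! "vtp password" makes every advertisement carry an MD5 digest computed
! over the domain name and password; it must match on every switch in
! the domain or the update is discarded.

! --- Verification (run on the access stack) ---
! show interfaces trunk          -> "Vlans allowed on trunk" must match the far end
! show spanning-tree root        -> the stack should no longer list itself as
!                                   root for vlans that are not allowed on its uplink
! show vtp status                -> confirm "VTP Operating Mode : Transparent"
!                                   (or the expected domain and MD5 digest)
```

Prune on both ends, not just one: as noted in the thread, a one-sided allowed list still leaves the stack running a spanning-tree instance for every vlan in its database, and each such isolated instance elects its own root. The `vtp mode transparent` line is the simpler of the two VTP options and is the one the thread recommends; the password variant is only a mitigation against an unauthenticated switch injecting a higher revision number into the domain.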