Spanning Tree - Multiple Root Bridges per VLAN

darrenriley5
Level 1

Hi,

I'm seeing multiple root bridges for each vlan across our network. We have multiple switch stacks which connect to our two core switches. We are also running VTP across the LAN, so each switch has 25 vlans in its vlan database.

On the trunk ports which connect from the core switches to the switch stacks we only allow the required vlan for the switch stack. Because we restrict the vlans on the trunk ports, does this mean each switch stack will need a root bridge for the vlans which are not allowed across the trunk ports which connect to the cores? Also, would it be best practice to disable VTP?

Thanks

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Darren,

If you see a switch stack claiming to be the root bridge for a vlan that is not permitted on its trunk uplinks, this is normal; I saw it on some of our campus networks.

Only doubt: have you configured the list of permitted vlans on the distribution side only or also on the switch stack side?

25 vlans shouldn't be a scalability issue.

STP shouldn't be running if no port exists in STP forwarding state (as should happen if a vlan is not used in the stack and not permitted on uplinks on both sides of the links).

Hope to help

Giuseppe

We have only configured the list of permitted vlans from the distribution side. Should we also configure the list of allowed vlans from the switch stack side?

Also, what is your recommendation as regards VTP? My personal view is we shouldn't use it, as it has the potential to cause more problems than it's worth.

"Also would it be best practice to disable VTP?"

Absolutely!

It is not worth all the hassle, confusion and potential for outages that it offers. Get rid of it.

Yes. The vlan should be in the allowed list on both sides, otherwise the STP domain is split into multiple pieces. That is why you see multiple STP root switches: the access switch doesn't see the distribution switch (the vlan is not allowed on its trunk ports), so each access switch thinks: hey, then I am the root.

Hello Darren,

>> We have only configured the list of permitted vlans from the distribution side. Should we also configure the list of allowed vlans from the switch stack side?

Yes, if you don't want to see those rogue STP root bridges for unused vlans. This was my thought about your scenario.

VTP:

at least use MD5 authentication.

The real trouble is that VTP is rather primitive and is open to possible denial of service.

Hope to help

Giuseppe
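Putting the two recommendations in this thread into configuration form: the allowed-vlan list applied identically on both ends of the uplink (the cause of the split STP domain described above), and the VTP MD5 password as the minimum hardening if VTP stays, with transparent mode as the removal path the other reply argues for. This is an added example, not configuration posted by anyone in the thread; the interface names, VLAN numbers, VTP domain name and password are constructed placeholders.

```cisco
! Added example; interface names, VLAN ids, domain and password are placeholders.

! --- Distribution (core) switch: uplink toward the access stack ---
interface GigabitEthernet1/0/1
 description Uplink to access-stack-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- Access stack: uplink toward the distribution switch ---
! The allowed list must match the distribution side. With only the core
! side pruned, the stack still has the other 23 VLANs in its database from
! VTP, hears no BPDUs for them from the core, and elects itself root for
! each one: the "multiple root bridges per VLAN" symptom.
interface GigabitEthernet1/0/49
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- VTP, option 1: keep it but authenticate advertisements ---
! The password is turned into an MD5 digest carried in VTP summary
! advertisements; switches with a different password ignore them, which
! blocks an unauthenticated device from rewriting the VLAN database.
vtp domain CAMPUS
vtp password ChangeMe-Placeholder
!
! --- VTP, option 2: stop participating (per the "get rid of it" reply) ---
! Transparent mode keeps the locally configured VLANs and ignores received
! advertisements, so a revision-number mismatch elsewhere cannot wipe them.
vtp mode transparent
!
! --- Verification (exec mode, run on both ends of the link) ---
! "Vlans allowed on trunk" must list the same VLANs on both switches:
show interfaces trunk
! Root ID should be identical on both switches for an allowed VLAN:
show spanning-tree vlan 10
! Confirms mode, domain and whether MD5 authentication is in effect:
show vtp status
```

Changing the allowed list on one side only moves the split rather than fixing it, so apply the trunk change on both switches and compare the `show interfaces trunk` output afterwards. If VTP is switched to transparent mode, do it while the existing VLAN database is still correct, since that local copy is what the switch keeps.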
