Spanning-tree Convergence Issue

Unanswered Question
May 17th, 2009

I have dual 6509's with SUP2MSFC2's running version 12.2(18)SXF14 IPServices WAN IOS in my core. Today someone plugged in a DLINK switch and caused problems with spanning-tree. How can I prevent this from happening again when someone plugs in a DLINK switch? Any suggestions?

iyde Sun, 05/17/2009 - 21:36

You will have to look into commands like 'spanning-tree guard root' and 'spanning-tree bpdu-filter' in order to secure your Cat6500.

Also, make sure that you have set 'spanning-tree vlan xxx root primary' on one Cat6500 and 'spanning-tree vlan xxx root secondary' on the other. Then you are in control of where your Spanning Tree root is supposed to be and you are minimizing the chances (risk) of having another switch taking over the Spanning Tree.

HTH

Giuseppe Larosa Mon, 05/18/2009 - 04:05
Hello,

The right tools should be:

spanning-tree guard root

spanning-tree bpduguard enable

The second command puts the port in errordisable if an STP BPDU is heard on the port.

I don't recommend spanning-tree bpdu-filter in an enterprise environment; it doesn't provide protection from someone connecting together two ports with a cable.

It is a good tool for L2 SPs to avoid taking part in customers' STPs.

Edit:

I agree on the need to set root primary and secondary for all VLANs.


Hope to help

Giuseppe


carl_townshend Tue, 05/19/2009 - 02:35

Should these commands only be used on normal access points and not uplink ports?

Giuseppe Larosa Tue, 05/19/2009 - 07:16
Hello Carl,

Your understanding is correct.

STP bpduguard is the ideal companion of portfast.

For uplinks we use spanning-tree loop guard + storm-control broad 1%.


Hope to help

Giuseppe


Giuseppe Larosa Wed, 05/20/2009 - 03:49
Hello Carl,

Yes, loop guard is effective with RSTP; UDLD is too slow in reaction in comparison to RSTP fast convergence time.

We use loop guard with RSTP.


Hope to help

Giuseppe
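
The following is an added example, not part of the thread or any poster's code: a Python audit of a constructed running-config for the protections discussed above (BPDU guard on access ports, loop guard on uplinks, an explicit root primary/secondary). Treating `switchport mode access` as an edge port and `switchport mode trunk` as an uplink is an assumption, and the function names are hypothetical.

```python
# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree vlan 10,20 root primary
interface GigabitEthernet1/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 switchport mode access
 spanning-tree portfast
!
interface TenGigabitEthernet2/1
 switchport mode trunk
 spanning-tree guard loop
!
interface TenGigabitEthernet2/2
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Split a config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # back at global level ("!" separators land here too)
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(config):
    """Flag missing STP guards; assumes access = edge port, trunk = uplink."""
    global_lines, interfaces = parse_interfaces(config)
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    if not any(g.endswith(("root primary", "root secondary")) for g in global_lines):
        findings.append(("global", "no root primary/secondary set"))
    for name, cmds in interfaces.items():
        if "switchport mode access" in cmds:
            # The global default only covers ports that also run portfast.
            covered = bpduguard_default and "spanning-tree portfast" in cmds
            if "spanning-tree bpduguard enable" not in cmds and not covered:
                findings.append((name, "access port without bpduguard"))
        elif "switchport mode trunk" in cmds and "spanning-tree guard loop" not in cmds:
            findings.append((name, "uplink without loop guard"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns a list of `(interface, finding)` tuples; an empty list means every port carries the guard expected for its role.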

