STP in Redundant Network Design

Unanswered Question
Aug 1st, 2009


I have a network with Cisco 3560s as the L2 edge switches; each switch has two uplinks to the core: uplink 1 to core switch 1 and uplink 2 to core switch 2. The core switches are connected together over a 2x1Gig EtherChannel. Since the edge switches have two uplinks and the cores are interconnected, I believe there is a possible chance of a loop. I am running STP in PVST mode; each port is configured with PortFast and BPDU Guard enabled, and spanning-tree loopguard default is set in the global config. How can I implement this design in a loop-free way?

I will be using core 1 as the HSRP active, so I would like to keep uplink 2 on the edge switches always in blocking mode. What should I do? How can I achieve this?



Jon Marshall Sat, 08/01/2009 - 12:47


I assume the 2 Gig EtherChannel is an L2 trunk? If so, then yes, you have an L2 loop in your setup. This is not an uncommon setup, as STP will block one of the links.

Assuming your uplinks are 1Gbps to each core switch, then your EtherChannel interconnection between the 2 core switches will not block.

So one of the uplinks will block. If you want core switch 1 to be active for all VLANs then simply make core switch 1 STP root for all VLANs.

A more common approach is to utilise both uplinks by having the odd VLANs forwarded on one link and blocked on the other and the opposite for even VLANs.

So core switch 1 will be STP root for all odd VLANs and STP secondary for all even VLANs.

Core switch 2 will be STP root for all even VLANs and STP secondary for all odd VLANs.

Obviously you also make core switch 1 HSRP active for all odd VLANs and core switch 2 HSRP active for all even VLANs.
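The two options Jon describes, written out as IOS configuration. This is an added example, not configuration from the original thread: the VLAN numbers (10, 20, 30, 40 for option A; 11 to 14 for option B), interface names and IP addresses are assumptions, and the L3 VLAN interfaces are assumed to live on the core switches themselves. The behaviour of the `root primary` / `root secondary` macros and the HSRP commands is standard IOS.

```cisco
! --- core1: STP root and HSRP active for every VLAN (option A) ---
spanning-tree mode rapid-pvst
! "root primary" is a macro: it sets this switch's priority for the listed
! VLANs to 24576 (or 4096 below the current root if that is still lower),
! computed once when you enter it. It does not re-adjust if another switch
! later claims a lower priority, so verify with "show spanning-tree root".
spanning-tree vlan 10,20,30,40 root primary
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
! (repeat the SVI/HSRP block for VLANs 20, 30 and 40)
!
! --- core2: STP secondary root and HSRP standby for every VLAN (option A) ---
spanning-tree mode rapid-pvst
! "root secondary" sets priority 28672: below the 32768 default, so core2
! takes over as root if core1 fails, but above core1's 24576 normally.
spanning-tree vlan 10,20,30,40 root secondary
!
interface Vlan10
 ip address 10.0.10.3 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 priority 90
 standby 10 preempt
!
! --- core1 <-> core2: the 2x1Gig L2 trunk EtherChannel (same on both cores) ---
interface range GigabitEthernet1/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
! The STP cost of a 2Gbps bundle (3) is lower than that of a single 1Gbps
! link (4), so the core-to-core bundle is never the link that blocks; the
! edge switch's second uplink is.
!
! --- option B instead: odd VLANs on core1, even VLANs on core2 ---
! core1:  spanning-tree vlan 11,13 root primary
!         spanning-tree vlan 12,14 root secondary
!         standby priority 110 on Vlan11/Vlan13, 90 on Vlan12/Vlan14
! core2:  spanning-tree vlan 12,14 root primary
!         spanning-tree vlan 11,13 root secondary
!         standby priority 110 on Vlan12/Vlan14, 90 on Vlan11/Vlan13
!
! --- edge 3560: both uplinks are plain trunks, no per-port STP tuning ---
interface GigabitEthernet0/1
 description uplink1 to core1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet0/2
 description uplink2 to core2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Checks on the edge switch after convergence (option A):
!   show spanning-tree vlan 10
! expected: Gi0/1 Role Root Sts FWD, Gi0/2 Role Altn Sts BLK
!   show spanning-tree root
! expected: Root ID priority 24586 (24576 + sys-id-ext 10) with core1's MAC
```

Keeping the STP root and the HSRP active gateway on the same core matters for the reason Davy gives later in the thread: if they are split, every frame for that VLAN crosses the core-to-core EtherChannel before it reaches its gateway.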


Jacob Samuel Sun, 08/02/2009 - 03:02

Hi Jon,

Thanks for the reply.

Yes, the EtherChannel is an L2 trunk only.

I think the common approach will not be suitable for me, since the L3 VLANs will be created on the FWSM module, and the FWSM will be running in single context (active/standby). I read in some Cisco docs that manual STP port priority configuration on the switch with the FWSM installed may create some issues at the time of failover. So instead of port priority configuration on the core switch, if I make core switch 1 the primary root for all VLANs and core switch 2 the secondary root, will it cause any issue related to the FWSM? Hope not, right?

I appreciate your valuable input, please.



davy.timmermans Sun, 08/02/2009 - 04:39

Hi Jacob,

STP root is an L2 technology. Hence the L3 in your configuration can influence the administrator to prefer one core switch as root over another.

If it means that the FWSM module is active in core switch 1 and all routing to other VLANs/the internet is done by this firewall, then it's a good choice to make core 1 STP root for all VLANs. If you were to use STP load balancing in this scenario, all traffic for VLANs which have core 2 as STP root would need to cross the EtherChannel towards core 1.

I would also suggest using RSTP.

Jacob Samuel Sun, 08/02/2009 - 21:54

Hi Davy & Jon,

Thanks for the update.

Regarding RPVST: do we need to make any other configuration changes apart from changing the spanning-tree mode to rapid-pvst? On the ports I have already enabled PortFast and BPDU Guard, and globally the spanning-tree loopguard as well. As of now it is running as PVST only; do I need to consider anything more to move from PVST to RSTP?



davy.timmermans Sun, 08/02/2009 - 23:48

Changing the mode to RSTP should be enough.

You can safely disable PVST features such as UplinkFast and BackboneFast (if configured), as they are incorporated in RSTP.

Unless you have 3500XL/2900XL series, it should be supported.
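The PVST+ to Rapid PVST+ change Davy describes, as an added example (not configuration from the thread) that also carries over the PortFast, BPDU Guard and Loop Guard settings Jacob already has. The access-port range (FastEthernet0/1 - 48 on the 3560 edge switch) is an assumption; the commands and the PVST+/Rapid PVST+ interoperation behaviour are standard IOS.

```cisco
! --- run on core1 and core2 first, then on each 3560 edge switch ---
! The mode change is global and causes a short re-convergence, so do it in a
! maintenance window. A Rapid PVST+ port that receives 802.1D (PVST+) BPDUs
! from a neighbour still on the old mode falls back to PVST+ behaviour on
! that port, so the mixed state during the rollout is safe.
spanning-tree mode rapid-pvst
!
! UplinkFast and BackboneFast are PVST+ workarounds for slow convergence;
! Rapid PVST+ has the equivalent behaviour built in and ignores them, so
! remove them if they are in the config to avoid confusion.
no spanning-tree uplinkfast
no spanning-tree backbonefast
!
! Existing protections carry over unchanged: PortFast becomes the RSTP
! "edge" port type, BPDU Guard still err-disables an edge port that hears a
! BPDU, and Loop Guard still covers the root/alternate uplink ports
! (it is not applied to PortFast ports).
spanning-tree loopguard default
spanning-tree portfast bpduguard default
interface range FastEthernet0/1 - 48
 switchport mode access
 spanning-tree portfast
!
! Checks on the edge switch:
!   show spanning-tree summary
! expected: "Switch is in rapid-pvst mode", with PortFast Default,
! PortFast BPDU Guard Default and Loopguard Default shown as enabled
!   show spanning-tree vlan 10
! expected Type column: P2p on Gi0/1 and Gi0/2, P2p Edge on the access ports
!   show spanning-tree interface gigabitethernet0/2
! expected: Role Altn, Sts BLK for every VLAN rooted on core1
```

The last check is the one that answers the original question: with core1 as root for a VLAN, the second uplink shows Altn/BLK for that VLAN and, under Rapid PVST+, moves straight to forwarding when uplink 1 fails, without the UplinkFast tuning PVST+ needed.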

Jon Marshall Sun, 08/02/2009 - 06:49


I agree with Davy on this. If your L3 VLAN interfaces are on the FWSM and you have an active/standby setup, then make the FWSM primary switch the active one for the VLANs, i.e. set it to STP root.

I have used this setup in production data centre environments and it works fine.


Jacob Samuel Tue, 08/18/2009 - 01:15

Hi Jon/Davy,

If I include all the L2 VLANs for the FWSM in the spanning-tree root on switch01, as in the command below, will it cause any issue?

spanning-tree vlan 1,10,50,100,101,102,103,199 root primary

VLAN 10 - inside of FWSM

VLAN 50 - DMZ of FWSM

VLAN 101 - outside of FWSM, connecting back to the MSFC

VLAN 102 - failover VLAN for FWSM

VLAN 103 - state failover VLAN for FWSM

VLAN 100 - not a member of FWSM

Do you think there is any issue with this?

I appreciate your valuable input.

Thanks and regards


