Stupid networking question #358

Answered Question
Oct 23rd, 2009

Pardon me if these two questions simply illustrate my ignorance:

I have two clusters of 3524XL switches; one on the 3rd floor of my building, one on the 5th.

Each cluster is, in turn, connected via gigabit SX to a 3750E in our central network room on the 4th floor.

The 5th floor cluster has 5 switches, all connected to each other via gigabit SX GBICs and 2m fiber patch cords.

The 3rd floor cluster has 3 switches, all connected to each other via gigabit SX GBICs and 2m fiber patch cords.

The configuration of the GBIC ports on all switches is identical:

dot1Q trunking mode, no portfast, no flow control, 802.1p priority:0

The 1st GBIC port on switch 1 is connected to the 2nd GBIC on switch 2

The 1st GBIC port on switch 2 is connected to the 2nd GBIC on switch 3

Etc, etc...

The single difference between the two clusters is that I have a 3750E connected to the last switch in the 3rd floor cluster.

Its SFP settings are the same as the GBICs in regard to speed, no portfast and no flow control.

When I look at the topology of the two clusters in CNA, the links between all of the 5th floor switches show as being in FWD state.

In the 3rd floor cluster, however, the link between switch 2 and switch 3, and the link between switch 3 and the 3750 show as being in the blocked state.

The questions:

1) Should I be concerned?

2) What are the possible causes and possible solutions?

Correct Answer
Jerry Ye Fri, 10/23/2009 - 18:27

My question is where is the L2 boundary? If the 3750E has an SVI (interface VLAN) for your 3524XLs, I think your problem is that you didn't specify the 3750E to be the spanning tree root.

In the spanning tree root election process, it will choose the lowest MAC address as its root. In your case, it is possible that the spanning tree negotiated to use one of the 3524XLs as the root switch (since they are older, and the MAC can be lower).

The potential problem is that if a 3524XL is the root, it will take too much CPU on that switch, since they are old (EOL) and have slower CPUs.

Regards,

jerry
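As an added worked example (not code from this thread or from Cisco), the election Jerry describes, written in Python: the root bridge is the lowest (priority, MAC) pair, so with every switch at the default priority 32768 the oldest switch with the lowest MAC wins, and lowering one switch's priority to 24576, which is what the IOS command spanning-tree vlan 1 root primary does, moves the root. The small ring topology, switch names and MAC addresses below are constructed assumptions, not taken from the thread. Port roles follow 802.1D: root port by lowest root path cost (neighbour bridge ID as tiebreak), designated port per link by lowest (cost, bridge ID), every other port blocked.

```python
"""Spanning-tree root election and port roles (802.1D), as an added example.

A bridge ID is (priority, MAC) and the lowest wins.  With every switch at the
default priority 32768 only the MAC decides, which is how an old 3524XL with a
low MAC can become root.  Topology, names and MACs below are constructed.
"""
import heapq
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768       # 802.1D default bridge priority
ROOT_PRIMARY_PRIORITY = 24576  # what IOS 'spanning-tree vlan N root primary' sets
COST_1G = 4                    # 802.1D-1998 short path cost for 1 Gbit/s


@dataclass
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    @property
    def bid(self):
        # Same-length colon-hex strings compare lexically in numeric order.
        return (self.priority, self.mac.lower())


def elect_root(bridges):
    """Root bridge = lowest (priority, MAC)."""
    return min(bridges, key=lambda b: b.bid)


def root_path_costs(root_name, links):
    """Dijkstra from the root over link costs: {bridge name: root path cost}."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {root_name: 0}
    heap = [(0, root_name)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def port_roles(bridges, links):
    """Return {(bridge, neighbour): 'root' | 'designated' | 'blocked'}."""
    bid = {b.name: b.bid for b in bridges}
    root = elect_root(bridges).name
    cost = root_path_costs(root, links)
    nbrs = {}
    for a, b, c in links:
        nbrs.setdefault(a, []).append((b, c))
        nbrs.setdefault(b, []).append((a, c))
    # Root port of each non-root bridge: cheapest way to the root,
    # neighbour's bridge ID breaks ties exactly as 802.1D does.
    root_port = {}
    for name, ports in nbrs.items():
        if name != root:
            _, _, via = min((cost[n] + c, bid[n], n) for n, c in ports)
            root_port[name] = via
    roles = {}
    for name, ports in nbrs.items():
        for n, _ in ports:
            if (cost[name], bid[name]) < (cost[n], bid[n]):
                roles[(name, n)] = "designated"  # this end forwards for the segment
            elif root_port.get(name) == n:
                roles[(name, n)] = "root"
            else:
                roles[(name, n)] = "blocked"     # alternate port: the loop is broken here
    return roles


def scenario():
    """Constructed ring: three 3524XLs in a chain, closed through a 3750E."""
    bridges = [
        Bridge("sw1", "00:01:42:aa:00:01"),    # 3524XL, assumed MAC (lowest)
        Bridge("sw2", "00:01:42:aa:00:02"),    # 3524XL, assumed MAC
        Bridge("sw3", "00:01:42:aa:00:03"),    # 3524XL, assumed MAC
        Bridge("c3750", "00:1e:f7:00:00:10"),  # 3750E, assumed MAC (highest)
    ]
    links = [("sw1", "sw2", COST_1G), ("sw2", "sw3", COST_1G),
             ("sw3", "c3750", COST_1G), ("c3750", "sw1", COST_1G)]
    return bridges, links


def make_root(bridges, name, priority=ROOT_PRIMARY_PRIORITY):
    """Mimic 'spanning-tree vlan 1 root primary' on one switch; return new root."""
    for b in bridges:
        if b.name == name:
            b.priority = priority
    return elect_root(bridges).name


def blocked_ports(roles):
    return sorted(p for p, r in roles.items() if r == "blocked")


if __name__ == "__main__":
    bridges, links = scenario()
    print("default root:", elect_root(bridges).name,
          "blocked:", blocked_ports(port_roles(bridges, links)))
    make_root(bridges, "c3750")
    print("after root primary:", elect_root(bridges).name,
          "blocked:", blocked_ports(port_roles(bridges, links)))
```

With all priorities at the default the old switch with the lowest MAC becomes root and the ring is broken at the 3750E side; after the 3750E's priority drops to 24576 it becomes root and the blocked port moves. On IOS the equivalent is spanning-tree vlan 1 root primary (or an explicit spanning-tree vlan 1 priority 24576) on the switch you want as root, verified with show spanning-tree vlan 1. The model assumes every switch actually runs STP on the VLAN; a switch with STP disabled sends no BPDUs and is not represented here.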

GRANT GATHAGAN Fri, 10/23/2009 - 21:12

Thanks for the response, jeye.

Please, again, pardon my ignorance, if the following doesn't answer the layer 2 boundary question.

The 3750 does have an SVI for the 3524s, as the native VLAN on all the switches is VLAN 1 (not my choice, but I didn't do the configuration).

All switches are on the same IP subnet, so other than voice vlan routing, there is no layer 3 routing being done between any of the switches.

Any routing to other subnets is handled by the SUP1 engine on a 6506 in our main network area on the 4th floor.

The entire network consists of the switches I've already listed, that 6506 on the 4th floor, and another 3750E on the 4th floor.

The 3rd and 5th floor switch clusters connect via gigabit fiber to the 3750E on the 4th floor. This, in turn, attaches to the 6506 with a trunked pair of gigabit connections.

The 6506 handles the routing to the outside world.

You are correct that I did not specify the 3750 on the 3rd floor as the spanning-tree root.

This is a switch I've put in my office for testing, so it was only added recently.

From what I've read on STP and your comments on CPU utilization, it seems like I ought to specify the 3750 on the 4th floor as my STP root for vlan 1, since it is also a newer faster switch and is centrally located.

Am I correct in this?

Correct Answer
Reza Sharifi Sat, 10/24/2009 - 10:53

Hi Grant,

For security reasons, you should definitely stay away from using VLAN 1 for user traffic. VLAN 1 is used for control protocols like PAgP, CDP, VTP, etc.

Here is a link to a white paper that describes the security risks.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009

Also, make the most powerful and centralized switch your STP root, so in your case the 3750 is a better choice.

HTH

Reza

GRANT GATHAGAN Sun, 10/25/2009 - 14:06

Reza,

Thanks for the reply.

I am all too aware of the issue.

As I mentioned in that same post, however, I did not configure the switches, I inherited them from the installer in that state.

By the time I was involved, unfortunately, the system was already up-and-running and I was not allowed to make the changes.

Eventually I will be replacing the 6506 with an EMI-imaged 3750E and several SMI 3750E's.

At that time, I will be making the modifications and moving the main data subnet off of VLAN1.

Thanks also for your confirmation regarding my thoughts on the STP root.

GRANT GATHAGAN Sun, 10/25/2009 - 14:23

I'm afraid I was too hasty in stating that the change in STP root fixed the issue.

Those same switches still show their connections being in the blocked state.

Any other possible solutions?

Jerry Ye Sun, 10/25/2009 - 19:36

Can you attach a diagram and run show spanning-tree vlan 1 to find out who the spanning tree root is at this point?

Regards,

jerry

GRANT GATHAGAN Mon, 12/07/2009 - 14:36

For those who care, I finally got around to looking at this a little closer.

The solution?

STP was disabled on VLAN 1 of one of the switches.

At least it was a simple fix....
