STP fine tuning

Jan 5th, 2010

Hello,

I have a data center where my SVIs are located on a pair of ASA 5580s, which are connected to two 6509 core switches.

I need to force layer 2 traffic to take a specific path through the 'spanning-tree vlan x priority y' command, but since there are no SVIs on the core switches, I'm not sure if an STP instance will be created for my VLANs. Can somebody advise how I can do it?

Regards

Jon Marshall Tue, 01/05/2010 - 00:52

k.abillama wrote:

Hello,

I have a data center where my SVIs are located on a pair of ASA 5580s, which are connected to two 6509 core switches.

I need to force layer 2 traffic to take a specific path through the 'spanning-tree vlan x priority y' command, but since there are no SVIs on the core switches, I'm not sure if an STP instance will be created for my VLANs. Can somebody advise how I can do it?

Regards

Not sure I follow what you mean. You don't need SVIs to have an STP instance. As soon as you create the VLAN at L2, you have an STP instance; it doesn't matter where the L3 interface for that VLAN is?

Could you clarify what you mean?

Jon

k.abillama Tue, 01/05/2010 - 01:14

Hi,

I'm not a pro in switching! I'm a security engineer.

Thanks for the info. I thought that the spanning tree instance would be created once I create the SVIs.

Regards

Francois Tallet Tue, 01/05/2010 - 10:31

I guess your firewall is operating in transparent mode. Basically, you have an ingress VLAN and an egress VLAN. You don't have to worry about STP. Actually, if you needed to configure STP so that your traffic goes through the firewall, that would be an indication of a problem, because it would mean that the traffic could skip the firewall as a result of a network reconfiguration (like a link going down). That's something that, as a security engineer, you should not like ;-)

That said, it does not mean that you won't have to tune the priority of some bridges in order to get an optimal STP topology. The two VLANs that you are stitching with the firewall will have a common root bridge. Put this root bridge close to the L3 interfaces (basically, make the switch hosting the SVI the root bridge); that's what *generally* results in the optimal topology (I don't know enough of your network to guarantee that, of course).

Regards,

Francois
