I have two 3550-12G switches that I use as core fiber switches. Switch 1 is the primary for half of the VLANs and Switch 2 is the primary for the others, using MST with two instances (I am not including the default instance 0). I am using HSRP to provide redundancy. So far so good. Recently a tenant in my building would like to use their own switch for data but still needs access to a VLAN on mine for voice. Again, not a problem, as I can configure a trunk port and give them what they need. My concern is that if they try to configure STP on their switch, can they take down mine? Are there some preventions that I can put into place to help, such as root guard, that work with MST? What happens if they too set up MST? Can they kill mine?
Switch 1 is the root for half of the VLANs and Switch 2 is the backup root. The scenario is flipped for the other half.
The reason for MST is that we have HP switches on our network along with Cisco. We found that MST works best for interoperability between them (HP has a good document on this as well). The two core switches also handle all routing, so if one dies the other takes over. Each wiring closet has two fiber links, one back to Switch 1 and the other to Switch 2, again for redundancy. I will not have any control over the client's switch, so configuring an MST instance there can't happen. I guess I am just wondering if there is a simple way to protect my equipment from theirs and still allow them access to my VoIP VLAN. I don't necessarily have to give them a trunk port if there are other methods that are safer and can allow their phones to access the same subnet. My closet switches are 2950-48s with two fiber uplinks each.
From what I had been reading, Root Guard may help (but I am not 100% sure). Basically, the client should be able to set up their own STP if they want and set the root bridge to whatever. I think that I can set root guard on the access ports that I designate to them; this way they cannot compromise my access switch and can run their network however they choose. Am I correct in saying this?
It seems to me as if you don't need to take extreme measures. The fact that the MST acts as one bridge to the outside world implies it will always prevent loops. Using root guard looks like an interesting tweak, but I would dive very deep into it before deciding whether to go for it or not.
Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs. This implies that your services are interrupted when root guard is activated.
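The following is an added configuration example for the setup discussed in this thread; it is not taken from any of the posters. The MST region name, the VLAN-to-instance mapping, VLAN 20 as the voice VLAN, and the interface numbers are assumptions chosen for illustration. It shows the two ways of handing the tenant a port: a trunk restricted to the voice VLAN with root guard (their switch may run STP, but the port is held in root-inconsistent state for as long as it advertises a superior BPDU, and recovers on its own when that stops), and an access port with BPDU guard (any BPDU from their side err-disables the port, so their STP never interacts with the MST region at all). Root guard and BPDU guard are per-port settings and do not require the tenant to share the MST region.

```cisco
! Added example (not from the original thread). Region name, VLAN ranges,
! VLAN 20 as the voice VLAN and interface numbers are assumptions.
!
! --- Core switch 1 (Switch 2 mirrors this with the priorities swapped) ---
! All switches in the region must agree on name, revision and mapping.
spanning-tree mode mst
spanning-tree mst configuration
 name BUILDING-CORE
 revision 1
 instance 1 vlan 10-49
 instance 2 vlan 50-99
!
! Switch 1: root for instance 1, backup root for instance 2.
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
! --- Closet switch (2950) port handed to the tenant ---
! Option A: trunk carrying only the voice VLAN, protected by root guard.
! Their switch can run STP and elect its own root internally; if it sends
! a BPDU superior to our root, this port goes root-inconsistent (blocking)
! and returns to forwarding once the superior BPDUs stop.
interface FastEthernet0/24
 description Tenant switch - voice VLAN only, root guard
 switchport trunk allowed vlan 20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! Option B: plain access port in the voice VLAN with BPDU guard.
! Any BPDU received err-disables the port, so the tenant's STP cannot
! influence ours. Auto-recovery re-enables the port after 5 minutes.
interface FastEthernet0/23
 description Tenant switch - access port, BPDU guard
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (exec mode):
!   show spanning-tree mst configuration   - confirm region name/revision/mapping
!   show spanning-tree inconsistentports    - lists ports currently held by root guard
!   show interfaces status err-disabled     - lists ports shut by BPDU guard
```

Option A matches the trunk the original poster planned and keeps the tenant's own spanning tree working; the cost, as noted in the reply above, is that the port stops forwarding while a superior BPDU is being received. Option B is the simpler choice when the tenant only needs the phones on one subnet, since an access port in the voice VLAN needs no trunk and the tenant's STP is cut off entirely.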