Two MST instances, enabling Root guard

I have 2 3550 12G switches that I use as core fiber switches.  Switch 1 is the primary for 1/2 the VLANs and Switch 2 is the primary for the others using MST with 2 instances (I am not including the default 0 instance).  I am using HSRP to provide redundancy.  So far so good.  Recently a tenant in my building would like to use their own switch for data but still needs access to a VLAN on mine for voice.  Again not a problem as I can configure a trunk port and give them what they need.  My concern is that if they try to configure STP on their switch can they take down mine.  Are there some preventions that I can put into place to help, such as root guard, that work with MST?  What happens if they too set up MST can they kill mine?

Switch 1 is the root for 1/2 the vlans and Switch 2 is the backup root.  The scenario is flipped for the other 1/2.


Two MST instances, enabling Root guard

Did you already check the following link:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfc.shtml#mst_region_world

I think it is quite on the topic. My personal approach is to make it as less fancy as possible.

Simple solutions are easier to troubleshoot.

regards,

Leo


Re: Two MST instances, enabling Root guard

The reason for MST is that we have HP switches on our network along with Cisco.  MST we found works best for interoperability between them (HP has a good document on this as well).  The two core switches also handle all routing so if one dies the other takes over.  Each wiring closet has two fiber links, one back to Switch 1 and the other to Switch 2 again for redundancy.  I will not have any control over the client's switch so configuring an MST instance there can't happen.  I guess I am just wondering if there is a simple way to protect my equipment from theirs and still allow them access to my VoIP VLAN.  I don't necessarily have to give them a trunk port if there are other methods that are safer and can allow their phones to access the same subnet.  My closet switches are 2950-48s with 2 fiber uplinks each.

From what I had been reading Root Guard may help (but I am not 100% sure).  Basically the client should be able to set up their own STP if they want and set the root bridge to whatever.  I think that I can set root guard on the access ports that I designate to them this way they cannot compromise my access switch and can run their network however they choose.  Am I correct in saying this?

Two MST instances, enabling Root guard

Yet another link about how MST interacts with the outside world:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/mst.html#wp1019149

It seems to me as if you don't need to take extreme measures. The fact that the MST acts as one bridge to the outside world implies it will always prevent loops. Using root guard looks like an interesting tweak but I would dive very deep into it before deciding whether to go for it or not.

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs. This implies that your services are interrupted when root guard is activated.

Link to root guard feature overview:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml#diff

regards,

Leo
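As an added example (not from either poster), this is what the approach described in the thread looks like on a Cisco IOS access switch: the tenant gets an access port in the voice VLAN rather than a trunk, root guard is applied to that port, and the show commands verify the root-inconsistent state that Leo describes. Port name, VLAN number and MST instance number are assumed values.

```ios
! Constructed example for a 2950-class access switch.
! Interface name, VLAN 100 and MST instance 1 are assumptions.
!
! Tenant-facing port: plain access port in the voice VLAN only,
! so their switch sees one VLAN and never needs a trunk.
! Root guard lets their switch run STP on that port but blocks it
! the moment it sends a BPDU superior to the current root.
interface FastEthernet0/24
 description Tenant switch - access port, root guard applied
 switchport mode access
 switchport access vlan 100
 spanning-tree guard root
!
! Verification. A port that received a superior BPDU is listed as
! root-inconsistent for the affected MST instance; it leaves that
! state by itself once the superior BPDUs stop (no errdisable,
! no manual shutdown/no shutdown needed).
show spanning-tree inconsistentports
show spanning-tree mst 1 interface FastEthernet0/24
show spanning-tree interface FastEthernet0/24 detail
```

When root guard triggers, IOS logs %SPANTREE-2-ROOTGUARD_BLOCK for the port and instance, and %SPANTREE-2-ROOTGUARD_UNBLOCK when it recovers; those two messages are the simplest thing to alert on.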
