Cisco Support Community

New Member

Spanning tree Stability


I have recently placed two 6500s at the core. I am running PVST. I have made one switch the root primary and the other one the root secondary. My question is: what steps can I take to make sure no spanning tree issues arise if someone by mistake introduces a switch to the network? I know I can use the root guard command per interface, but I was looking for other best practices.

Also, can someone explain to me how a switch can modify the spanning tree topology if I have already configured a root bridge with a priority of 1?

I will surely rate this post.


Cisco Employee

Re: Spanning tree Stability

Check the Best Practices document. I believe it will answer most of your questions. See the section on STP-specific practices.

The only way another switch can assume root (and thus cause the STP topology to reconverge) if you have configured a priority of 1 is if another switch with a lower MAC address that _also_ has a priority of 1 is connected to the network. To mitigate this type of event, ensure that root guard is configured on ports that are exposed to this possibility (user ports, conference rooms, etc.).



Re: Spanning tree Stability

Well, you can set the priority to 0 ;-)

Apart from the root guard you mentioned, there is no real way of preventing someone else from becoming root, because even if you set your root priority to 0, a bridge with a lower MAC address could beat you.

STP still assumes some kind of cooperation between the switches. If you are in an environment where you absolutely cannot trust the neighbors, you should avoid running STP with them. Root guard is a good safeguard, but it will disrupt connectivity when a violation is detected. Plus, root guard will fail to detect problems if the neighbor is hostile and not sending BPDUs at all (bpdufilter).

If you are operating in a kind of service provider model, you could use l2pt instead (waiting for 802.1ad). In that case, you would just run STP with the bridges you control and trust, and let others tunnel their STPs through you (note that in this case, the untrusted devices can create bridging loops through you, but you can rate limit the bandwidth they are wasting to what they pay for).
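The two replies above make the same point from different angles: root election is decided by priority first and MAC address second, and root guard blocks a superior BPDU rather than preventing it, while a neighbor that sends no BPDUs gives root guard nothing to act on. Here is an added toy model of that logic (not code from the original thread, and not a Cisco implementation; the bridge IDs and MAC addresses are constructed):

```python
# Toy model of PVST bridge-ID comparison and the root-guard decision (constructed example).
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class BridgeId:
    """Bridge ID as STP compares it: bridge priority first, MAC address as the tie-breaker."""
    priority: int  # configured bridge priority
    mac: str       # bridge MAC address, e.g. "00:1a:2b:3c:4d:5e"

    def sort_key(self) -> tuple:
        # Lower priority wins; on equal priority the numerically lower MAC wins.
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def is_superior_to(self, other: "BridgeId") -> bool:
        return self.sort_key() < other.sort_key()


def elect_root(bridges: Iterable[BridgeId]) -> BridgeId:
    """Root election among bridges that exchange BPDUs normally."""
    return min(bridges, key=BridgeId.sort_key)


def root_guard_port(current_root: BridgeId, bpdu_root: Optional[BridgeId]) -> str:
    """State of a root-guard-enabled port after receiving one BPDU (or none).

    - A BPDU claiming a root superior to the one already known puts the port into
      root-inconsistent (blocked) state: the rogue root is kept out, but all traffic
      on that port stops until the superior BPDUs cease.
    - A BPDU with an equal or inferior root is accepted; the port stays forwarding.
    - No BPDU at all (neighbor filtering BPDUs) gives root guard nothing to act on.
    """
    if bpdu_root is None:
        return "forwarding"            # root guard cannot detect a silent neighbor
    if bpdu_root.is_superior_to(current_root):
        return "root-inconsistent"     # superior BPDU blocked, connectivity disrupted
    return "forwarding"


if __name__ == "__main__":
    core_primary = BridgeId(1, "00:1a:aa:aa:aa:02")     # constructed values
    core_secondary = BridgeId(4096, "00:1a:aa:aa:aa:03")
    rogue = BridgeId(1, "00:1a:aa:aa:aa:01")            # same priority, lower MAC
    print(elect_root([core_primary, core_secondary, rogue]))  # rogue wins the election
    print(root_guard_port(core_primary, rogue))               # root-inconsistent
    print(root_guard_port(core_primary, None))                # forwarding: nothing to detect
```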


