[c-nsp] Spanning Tree help sought
Christopher Gray
Christopher.Gray at Newscope-Solutions.co.uk
Thu Nov 15 11:25:46 EST 2012
Ross,
Thank you for that:
>> I'm new to Spanning Trees and have read up on them, but need
>> advice and guidance. I have the manuals and can set STP up -
>> it is design that is my concern. My LAN is more complicated
>> than this, but the following example will help me explain.
> Quick word of advice especially with STP - do many mockups
> in your lab and understand how to troubleshoot it when it blows
> up. Implementing STP on an existing network can go horribly
> wrong in a hurry
I will. I have some old switches lying around and, while they don't support
RSTP, it will help me understand behaviour.
>> I have four switches (A, B, C & D) linked in a loop comprising
>> 1Gbps fibre. Switch A is connected to a primary WAN router
>> while switch C is connected to the secondary WAN router - the
>> two routers working in a simple HSRP fail-over set. I want to
>> ensure that this loop will survive the failure of any one link
>> (e.g. if the link between A & B goes down, B will still be able
>> to connect to the primary router via C & D.)
> Like this?
> R1--A----B
>     |    |
> R2--C----D
> Or...
> R1--A----B
>     |    |
>     D----C--R2
The second of those.
>> I currently have the STP path costs set to A=4, B=5, C=6 and D=7
> This doesn't make much sense. STP path costs are determined by
> tallying the port costs (remember two ports per link), this happens
> for each path it sees back to the root, and if the two paths are of the
> same cost then port priority is consulted. In a basic ring it doesn't
> really matter that much, but you said your LAN is more complex
> than this example.
On reading your response - and using the links you suggested - I note that I
could just leave everything as default and let STP sort itself out.
The core topology is that simple, but we have some core clients off switch B
and they need the best resilience / throughput. When this was originally
set up - all links were 1Gb with the exception of C/D which was 100Mb. I've
just upgraded C/D to 1Gb. We plan to upgrade D/A and B/C to 10Gb - but the
other two distances are too much and will need to stay at 1Gb. All four
switches have other switches hanging off them on long fibre links - but none
of these satellite switches are connected to more than one switch. Only the
four core switches have two links between them (e.g. A-B or A-D-C-B).
>> Question 1: Does this make sense? Should the "root bridge" (using
>> Wikipedia terminology) always be the one connected to the primary
>> WAN router? Does STP work well when the WAN uplink fails over
>> to the secondary or doesn't it matter.
> In your example, each switch can be designated as a root bridge by way
> of priority. On newer IOS switches you can simply run "spanning tree
> vlan 9 priority root primary" or "...priority root secondary". Older units
> you just enter the number on your own. You can configure this to match
> the priorities of your routers.
> In a basic example with the 4 switches, the default behaviour will be to
> block off the longest path back to root. In the first little diagram, B
> would block its link towards D. D however has two equal-length paths
> so will block whichever port is higher numbered. (lower numbered ports
> = lower numeric priority). If D's link to C is on port 1 and D's link to B
> on port 24 or whatever, this will be fine. Otherwise you need some manual
> configuration.
I will need to ponder on this.
> The better idea IMHO is to determine which link should normally see lower
> bandwidth and block that. With the first diagram, if your traffic is primarily
> LAN stuff between B & D, I'd consider increasing port costs to block either
> A-C or C-D depending on how your HSRP is configured and the other
> resources lurking on your switches.
The primary router is on A. Key, but low bandwidth, users are on B (they
generate cash for the business). "Power" users (big spread sheets) are on
A. C & D support "normal" users.
>> The switch configurations seem to show that other ports - e.g. those
>> connected to end-devices (printers / PCs) have an STP state of
>> "forwarding".
>>
>> Question 2: Should I set all non-uplink (interswitch) ports as "disabled"?
> Bad idea. One rogue D-Link and the whole thing blows up. (or maybe just
> that switch). Spanning Tree is pretty much mandatory anywhere near edge
> ports where curious hands can play with cables. One problem that arises is
> that default timers in the 30s range can cause some operating systems to
> think DHCP isn't working. You can turn the timers down to address this,
> or set portfast and enable root guard and BPDU guard.
These switches (and their patch panels) are in locked cabinets. But people
could plug anything into the wall-ports.
I will certainly set portfast and enable root guard and BPDU guard on all
non-fibre ports. [Fibre is only used for the inter-switch links.]
> I strongly recommend reading through some of the stuff here:
> http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml
> http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_protocol_home.html
Thank you.
> Cheers
> Ross
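The following is an added worked example, not part of this thread or of any Cisco code. It models the four-switch ring Ross and Christopher are discussing (A-B, B-C, C-D, D-A, with the primary router on A) and does what Ross describes in words: it elects the root by bridge ID, tallies port costs back to the root for every bridge, and works out which port each bridge blocks. It uses the 802.1D-1998 short port costs by link speed, the full 802.1D tie-break order (root path cost, then sender bridge ID, sender port ID, receiving port ID), and the priorities IOS sets for `root primary` (24576) and `root secondary` (28672); the MAC addresses and port numbers are constructed sample values, and the model assumes a converged topology and ignores timers.

```python
"""Simplified 802.1D spanning-tree role computation for a small core ring.

Added example (not from the thread): A-B, B-C, C-D, D-A with A as root.
Computes root path cost and root port per bridge with the 802.1D
tie-break order and reports which port ends up blocking (alternate).
MAC addresses and port numbers are constructed sample values.
"""
from dataclasses import dataclass

# 802.1D-1998 "short" port costs by link speed in Mb/s
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str

    @property
    def bridge_id(self):
        # A bridge ID compares on priority first, then on MAC address.
        return (self.priority, self.mac)


@dataclass(frozen=True)
class Link:
    a: str          # bridge name at one end
    a_port: int     # port number on that bridge
    b: str
    b_port: int
    speed_mbps: int

    @property
    def cost(self):
        return PORT_COST[self.speed_mbps]


def compute_roles(bridges, links):
    """Return root, root path cost (rpc) and root port per bridge, and a
    role ("root", "designated", "alternate") for every port."""
    by_name = {b.name: b for b in bridges}
    root = min(bridges, key=lambda b: b.bridge_id)
    # adjacency: bridge -> [(own port, neighbour, neighbour port, port cost)]
    adj = {b.name: [] for b in bridges}
    for lk in links:
        adj[lk.a].append((lk.a_port, lk.b, lk.b_port, lk.cost))
        adj[lk.b].append((lk.b_port, lk.a, lk.a_port, lk.cost))

    inf = float("inf")
    rpc = {b.name: inf for b in bridges}
    rpc[root.name] = 0
    root_port = {root.name: None}

    # Bellman-Ford style relaxation.  Candidates compare in 802.1D order:
    # root path cost, sender bridge ID, sender port ID, receiving port ID.
    # Costs only ever fall, so the loop converges.
    changed = True
    while changed:
        changed = False
        for name, ports in adj.items():
            if name == root.name:
                continue
            best = None
            for own_port, nbr, nbr_port, cost in ports:
                if rpc[nbr] == inf:
                    continue
                cand = (rpc[nbr] + cost, by_name[nbr].bridge_id, nbr_port, own_port)
                if best is None or cand < best:
                    best = cand
            if best and (rpc[name], root_port.get(name)) != (best[0], best[3]):
                rpc[name], root_port[name] = best[0], best[3]
                changed = True

    roles = {}
    for lk in links:
        # The end with the better (cost, bridge ID, port ID) is designated;
        # the other end is that bridge's root port or an alternate port,
        # and the alternate port is the one STP puts into blocking.
        va = (rpc[lk.a], by_name[lk.a].bridge_id, lk.a_port)
        vb = (rpc[lk.b], by_name[lk.b].bridge_id, lk.b_port)
        if va < vb:
            des, des_port, oth, oth_port = lk.a, lk.a_port, lk.b, lk.b_port
        else:
            des, des_port, oth, oth_port = lk.b, lk.b_port, lk.a, lk.a_port
        roles[(des, des_port)] = "designated"
        roles[(oth, oth_port)] = "root" if root_port.get(oth) == oth_port else "alternate"
    return {"root": root.name, "rpc": rpc, "root_port": root_port, "roles": roles}


def blocked_ports(roles):
    return sorted(p for p, r in roles.items() if r == "alternate")


def core_ring(cd_speed=1000, da_speed=1000, bc_speed=1000, secondary=None):
    """The thread's ring with A as root.  24576 is what IOS 'root primary'
    sets, 28672 what 'root secondary' sets; the rest keep the default 32768."""
    prio = {n: 32768 for n in "ABCD"}
    prio["A"] = 24576
    if secondary:
        prio[secondary] = 28672
    bridges = [Bridge(n, prio[n], f"00:00:00:00:00:0{n.lower()}") for n in "ABCD"]
    links = [
        Link("A", 1, "B", 1, 1000),      # A-B stays 1 Gb (distance)
        Link("B", 2, "C", 1, bc_speed),  # B-C: 1 Gb now, 10 Gb planned
        Link("C", 2, "D", 1, cd_speed),  # C-D: was 100 Mb, now 1 Gb
        Link("D", 2, "A", 2, da_speed),  # D-A: 1 Gb now, 10 Gb planned
    ]
    return compute_roles(bridges, links)


if __name__ == "__main__":
    for label, kw in [("before C-D upgrade", {"cd_speed": 100}),
                      ("planned 10 Gb", {"da_speed": 10000, "bc_speed": 10000}),
                      ("planned, D secondary", {"da_speed": 10000, "bc_speed": 10000, "secondary": "D"})]:
        res = core_ring(**kw)
        print(f"{label}: rpc={res['rpc']} blocked={blocked_ports(res['roles'])}")
```

Running it shows the point Ross makes about ties: with the old 100 Mb C-D link, C's path via D costs 23 against 8 via B, so C-D is the blocked link with no tie to break. After the upgrades C has two equal-cost paths (6 each once D-A and B-C are 10 Gb), and which one it keeps is decided by the sender's bridge ID, not by the local port number; making D the secondary root is enough to move the block from C-D to B-C. That is why the thread's advice is to check a mock-up in the lab rather than assume where the blocked port lands.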