[f-nsp] FESX spanning-tree path cost success?

Lee Pedder lee.pedder at gmail.com
Mon Sep 8 11:03:46 EDT 2008


2008/9/8 Jonathan Brashear <Jonathan.Brashear at hq.speakeasy.net>:
> Our DC has had intermittent issues over the past year with spanning-tree loops with customers who have multiple uplinks to our switch fabric.  We've explored a few different options with limited to no success (such as bpdu guard, stp-protect, etc.), but currently we're considering setting manual path costs on ports as a way to help avoid the loops & subsequent cpu spikes we've dealt with.

How do you connect your customers? Is it a shared VLAN environment, or
do you have a separate VLAN per customer, to which the customer plugs
in 2 end stations?

I have seen similar issues in this scenario where customers create
loops by plugging both into a switch, but this has been down to STP
being misconfigured, not running, or worse - an end device that
forwards everything but BPDUs. Are you running STP/RSTP on all ports,
and are they sending BPDUs? Functions like stp-protect and
stp-bpdu-guard will only work if the ports are part of the STP
topology in the first place (their STP state should not list as
DISABLED). They are usually coupled with fast port-span or rstp
admin-edge-port.

What are your plans for manually setting path costs, and how would
this prevent loops in your scenario?

For a shared environment where the risk to one VLAN is higher, you may
also consider port security - either lock down to configured
mac-addresses or implement dynamic learning with an appropriate number
of max addresses. On a network without protection, a loop will cause
lots of mac addresses to appear out of the port(s) causing it. With
port security, you can have the switch shut down a port that violates
the security policy without having to include the edge ports in the
STP topology.

Regards,
Lee
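The loop symptom Lee describes (a flood of MAC addresses suddenly learned on the looping port, often MACs that belong on other ports) can be checked for offline from a dump of MAC-learning records. The script below is an added illustration, not code from this thread or from Foundry; the record layout and the sample lines are constructed, and the per-port maximum stands in for the limit a port-security policy would enforce.

```python
"""Added example (not from the foundry-nsp post): parse MAC-learning
records, flag ports that learned more MACs than a policy maximum, and
list MACs seen on more than one port, the flapping signature of a loop."""
from collections import defaultdict
import re
# Constructed sample of MAC-learning records gathered over a short
# interval. The column layout (mac, port, type, vlan) is an assumption,
# not any vendor's real "show mac-address" output format.
SAMPLE_MAC_RECORDS = """\
0000.1111.aaaa  e1/1  Dynamic  100
0000.1111.aaab  e1/1  Dynamic  100
0000.2222.bbbb  e1/2  Dynamic  100
0000.3333.cccc  e1/7  Dynamic  100
0000.3333.cccd  e1/7  Dynamic  100
0000.3333.ccce  e1/7  Dynamic  100
0000.2222.bbbb  e1/7  Dynamic  100
0000.1111.aaaa  e1/7  Dynamic  100
"""

RECORD_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+\S+\s+(\d+)$")

def parse_mac_records(text):
    """Return a list of (mac, port, vlan) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), int(m.group(3))))
    return records

def macs_per_port(records):
    """Map each port to the set of MAC addresses learned on it."""
    per_port = defaultdict(set)
    for mac, port, _vlan in records:
        per_port[port].add(mac)
    return per_port

def ports_over_limit(records, max_addresses):
    """Ports that learned more MACs than the policy maximum, sorted."""
    return sorted(p for p, macs in macs_per_port(records).items()
                  if len(macs) > max_addresses)

def flapping_macs(records):
    """MACs learned on more than one port, each with its sorted port list."""
    ports_by_mac = defaultdict(set)
    for mac, port, _vlan in records:
        ports_by_mac[mac].add(port)
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items()
            if len(ports) > 1}
```

With the sample above and a maximum of 2 addresses per customer port, `ports_over_limit` returns `['e1/7']`, and `flapping_macs` shows that the MACs from e1/1 and e1/2 have also appeared on e1/7.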
