Multiple Spanning Tree Design Guidance

Posted on 2008-10-04
Last Modified: 2011-09-20
I manage a large network for a DOD agency. The network is geographically large, encompassing nearly 300 square miles. We have a mixed fiber install of MM and SM fiber, transitioning to all SM. The network started as HP only with a 9315 at the core and 2524, 4000M, and 4100 series switches. We are transitioning to all Cisco. At some point in the future we will have redundant 6509s at the core. We currently have around 200 HP and Cisco switches on our network. The 2524s and 4000Ms are being replaced with Cisco 3560s, 3750s, and 4507s. We currently have 13 VLANs.

When the HP's were deployed, Spanning-Tree was not enabled. This decision was made because it was felt a small network did not need this. As we all know this is when Spanning-Tree is established so ST issues can be addressed. As the new Network Administrator, I am faced with daily outages where soldiers/contractors bring in hubs/switches/routers and place them on the network without understanding the impact this has if they create loops.

I am starting to implement Port Security on all our switches to address this issue. More importantly, I am wanting to implement Multiple Spanning Tree (MST) on the switches that support it (the 2524s and 4000Ms do not). When the fiber infrastructure was installed, no consideration was given to network data redundancy. The fiber designers were obviously telecom engineers who home-runned all the fiber to our main telco building where our 9315 is housed. I do not have redundant paths to this building. As such, I am faced with the question of how to effectively implement MST on a building by building or switch by switch basis. Can I implement MST on a 3560/3750 in a building and create an MST region for just that building/facility?

Question by: CADOIM
LVL 50

Expert Comment

by: Don Johnston
ID: 22641761
If nothing else, at least you won't be bored. :-)

While I like 802.1s MST, I'm not a fan of mixed spanning tree protocol environments. If it were me, I would isolate the MST from the CST regions even though it'll make the migration a bit more of a chore.
LVL 12

Expert Comment

ID: 22642557
Port security on that many devices is a monumental task to undertake and will require lots of management overhead... however, for the DoD I would think it to be necessary to put such measures in place - so good job!
Regarding the multiple STP domains, yes, it would be a good idea to split off large networks so the STP traffic doesn't get to the point where it congests the network with updates. And as far as isolation from CST, a good idea as well, just as mentioned. It will prevent a considerable number of hurdles that you would otherwise have to jump in the future if you didn't isolate the environments.
As with anything, it is best to start early with management, and the sooner you get this taken care of, the less of a headache it will be later and the more control you'll have over management of the network.
Cheers! Let me know if you have any questions!
LVL 32

Accepted Solution

harbor235 earned 300 total points
ID: 22648696

Have you considered PVST+? Keep in mind that with MST you have a range of VLANs associated with a single spanning tree. What that means is that if reconvergence of spanning tree happens (adding a port to a VLAN not configured for portfast, or adding a non-host port) it can cause a 50-second interruption of traffic for all VLANs associated with that SPT. Per-VLAN SPT segments your layer 2 network into individual spanning trees for each VLAN, thus segmenting your layer 2 domains even further.

I would do the following to stop unwanted hubs and switches connecting to the network:

1) Disable all unused ports!!!
2) Do not use VLAN 1.
3) Create a park VLAN for disabled ports, say VLAN 999. By default ports are assigned to VLAN 1, and there are security considerations with VLAN 1 as well. Assign all unused ports to VLAN 999 and disable the ports; do not trunk VLAN 1 or 999 anywhere. Security 101.
4) Turn on port security: statically assign MAC addresses to ports, disable upon violation, max number of MACs = 1 per port.
5) Set up VTP with a unique VTP domain and password; that way rogue systems cannot get your VLAN database information. Only layer 2 systems with the correct domain and password will be able to get VLAN information.
6) Set up a central syslog server to monitor your network events, including port ups and downs and/or port security messages, to monitor additions to your network. In order to add a device now, someone has to enable a port and assign a VLAN; otherwise they will be in a dead-end VLAN, VLAN 999.

this will get you started

harbor235 ;}
LVL 12

Assisted Solution

Pugglewuggle earned 200 total points
ID: 22652792
Good point on the PVST+... Although the rest are widely known security practices that every network should have in place.
As far as the syslog server goes, make sure you sync the clocks on all devices so timestamps are correct (I recommend using an internal NTP server to do this). Also, set the logging levels on the devices to the appropriate settings so you don't bog down your syslog server with messages that don't matter. Also, make sure the syslog server has sufficient bandwidth and processing power (and storage space too!) to handle the incoming messages. Syslogs can take up tens of gigabytes in days from just one heavily used ASA device (so make sure you have enough space and set the levels on the devices to only send the correct messages).
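The receiving side of step 6 and of the logging-level advice above, as an added example that is not part of the thread: a small Python parser for the syslog lines Catalyst IOS switches emit, pulling out port-security violations and link transitions and applying the same severity cut-off that `logging trap <level>` applies on the switch. The sample log lines, hostnames and addresses are constructed for the example; the `%FACILITY-SEVERITY-MNEMONIC:` message shape, `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%LINK-3-UPDOWN` are the standard IOS formats.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what a syslog server receives from Catalyst switches
# (not from the original post); hostnames, MACs and addresses are made up.
SAMPLE_LOG = """\
Oct  4 10:15:02 sw-bldg12 4012: Oct  4 10:15:01.803: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
Oct  4 10:15:02 sw-bldg12 4013: Oct  4 10:15:01.811: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Oct  4 10:15:03 sw-bldg12 4014: Oct  4 10:15:02.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
Oct  4 10:15:04 sw-bldg12 4015: Oct  4 10:15:03.820: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
Oct  4 10:16:40 sw-bldg03 2201: Oct  4 10:16:39.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up
Oct  4 10:16:41 sw-bldg03 2202: Oct  4 10:16:40.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to up
Oct  4 10:20:00 sw-bldg03 2203: Oct  4 10:19:59.007: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
Oct  4 10:21:10 sw-bldg07 3310: Oct  4 10:21:09.440: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/22.
garbage line that is not an IOS message
"""

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: text  (severity 0 = emergencies ... 7 = debugging)
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
PSEC_RE = re.compile(r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>\S+?)\.?$", re.I)
LINK_RE = re.compile(r"Interface (?P<port>\S+), changed state to (?P<state>up|down)")


@dataclass
class Event:
    host: str
    severity: int
    kind: str            # psecure_violation | link_up | link_down | other
    port: Optional[str]
    mac: Optional[str]
    raw: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog-server line ('Mon DD HH:MM:SS host <IOS body>'); None if it is not an IOS message."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    host, body = parts[3], parts[4]
    m = MSG_RE.search(body)
    if not m:
        return None
    sev, kind, port, mac = int(m["severity"]), "other", None, None
    if m["mnemonic"] == "PSECURE_VIOLATION":
        p = PSEC_RE.search(m["text"])
        if p:
            kind, port, mac = "psecure_violation", p["port"], p["mac"].lower()
    elif m["facility"] == "LINK":  # LINEPROTO repeats the same transition; count LINK only
        l = LINK_RE.search(m["text"])
        if l:
            kind, port = f"link_{l['state']}", l["port"]
    return Event(host, sev, kind, port, mac, line)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def filter_by_trap_level(events: List[Event], level: int) -> List[Event]:
    """Mirror 'logging trap <level>': only messages at that severity or more severe (lower number) pass."""
    return [e for e in events if e.severity <= level]


def summarize(events: List[Event]) -> Counter:
    return Counter(e.kind for e in events)


if __name__ == "__main__":
    kept = filter_by_trap_level(parse_log(SAMPLE_LOG), 4)  # equivalent of 'logging trap warnings'
    for e in kept:
        if e.kind == "psecure_violation":
            print(f"{e.host}: port {e.port} shut by port-security, offending MAC {e.mac}")
    print(dict(summarize(kept)))
```

With the cut-off at warnings (4), the port-security violation (severity 2), the err-disable notice (4) and the LINK transitions (3) survive while the LINEPROTO and CONFIG_I chatter at severity 5 is dropped, which is the volume trade-off the comment above is making. The PM-4-ERR_DISABLE line is the confirmation that the violating port was actually shut, so it is worth keeping alongside the violation itself.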

LVL 32

Expert Comment

ID: 22658927

Also, I would disable auto-negotiation of trunking so that trunks cannot be dynamically created. In addition, I would only trunk the VLANs needed, no more. The default behavior is to trunk all active VLANs, 1-4094. Manually assign the necessary VLANs to the trunks.

The steps I have outlined initiate security best practices to mitigate rogue switch installations from achieving access to your internetwork. What all the steps do is to ensure that if someone does connect to your network that they will need to go through you to get connected, attaching a device to your network now will get them a dead port.  Also, the steps help to isolate devices from achieving full access by controlling how that information is accessed.

Syslog is an important tool for all network administrators; it is easily configured and does not require many resources at all. Syslog data files are flat text files that are highly compressible. Typically, I keep a syslog open for about a week, rotate to a new file, archive the old one and compress it. This allows you to keep a small disk footprint for your network devices. Hopefully you have a management network for device management, which would include SSH access, syslog, time sync, etc.

good luck,

harbor235 ;}
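The checklist in harbor235's two posts above (steps 1 to 6 plus the trunk hardening) is easy to state and hard to keep true across 200 switches, so the practical follow-up is a compliance check over each switch's running-config. The following Python audit is an added example, not code from the thread: it splits a Catalyst IOS running-config into global and per-interface commands and flags live ports without port security, live ports left in VLAN 1, shut ports not parked in the dead-end VLAN, trunks that still run DTP or carry every VLAN (or VLAN 1/999), and a missing syslog server or VTP domain. The sample config is constructed, VLAN 999 as the parking VLAN follows the suggestion above, and the syslog check assumes an IPv4 server address.

```python
import re
from typing import Dict, List, Tuple

PARK_VLAN = 999  # dead-end VLAN for unused ports; 999 follows the thread's suggestion (assumption)
Finding = Tuple[str, str]  # (interface name or "global", message)
# Constructed sample running-config (not from the original post): one clean access port, the rest flawed.
SAMPLE_CONFIG = """\
vtp domain CADOIM
logging 10.10.0.20
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/5
 switchport access vlan 20
"""

def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split global commands from per-interface sub-commands (IOS indents those with one space)."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces

def expand_vlan_list(spec: str) -> set:
    vlans: set = set()  # expand an IOS VLAN list such as '1,10-12,999'; 'none' gives an empty set
    for part in spec.split(",") if spec != "none" else []:
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_interface(name: str, cmds: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    vlan_cmd = [c for c in cmds if c.startswith("switchport access vlan ")]
    access_vlan = int(vlan_cmd[0].split()[-1]) if vlan_cmd else 1  # IOS default access VLAN is 1
    if "shutdown" in cmds:
        # Steps 1 and 3: shut AND parked, so a port re-enabled by mistake still lands in a dead-end VLAN.
        if access_vlan != PARK_VLAN:
            findings.append((name, f"shut port sits in VLAN {access_vlan}; park it in VLAN {PARK_VLAN}"))
        return findings
    if "switchport mode trunk" in cmds:
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "trunk still runs DTP; add 'switchport nonegotiate'"))
        allowed = [c for c in cmds if c.startswith("switchport trunk allowed vlan ")]
        if not allowed:
            findings.append((name, "trunk carries all VLANs 1-4094; restrict with 'switchport trunk allowed vlan <list>'"))
        for bad in sorted({1, PARK_VLAN} & expand_vlan_list(allowed[0].split()[-1] if allowed else "none")):
            findings.append((name, f"trunk allows VLAN {bad}; remove it from the allowed list"))
        return findings
    # Live access-side port: pin the mode (Catalyst default is DTP dynamic), leave VLAN 1, lock the MAC.
    if "switchport mode access" not in cmds:
        findings.append((name, "mode not pinned; DTP dynamic default lets a rogue switch negotiate a trunk; add 'switchport mode access'"))
    if access_vlan == 1:
        findings.append((name, "live port in VLAN 1; assign a real access VLAN"))
    if "switchport port-security" not in cmds:
        findings.append((name, "no port security; add 'switchport port-security' (default: max 1 MAC, violation shutdown)"))
    return findings

def audit_globals(cmds: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    if not any(re.match(r"logging (host )?\d{1,3}(\.\d{1,3}){3}$", c) for c in cmds):  # IPv4 server assumed
        findings.append(("global", "no syslog server; add 'logging host <ip>' so port and port-security events are recorded"))
    if not any(c.startswith("vtp domain ") for c in cmds):
        findings.append(("global", "VTP domain unset; set 'vtp domain' and 'vtp password' (password shows in 'show vtp password', not running-config)"))
    return findings

def audit_config(text: str) -> List[Finding]:
    global_cmds, interfaces = parse_ios_config(text)
    findings = audit_globals(global_cmds)
    for name, cmds in interfaces.items():
        findings.extend(audit_interface(name, cmds))
    return findings

if __name__ == "__main__":
    for scope, msg in audit_config(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Feed it `show running-config` output collected from each switch and the result is a per-port worklist: on the sample, GigabitEthernet0/1 gets two findings (DTP still on, all VLANs trunked), FastEthernet0/2 lacks port security, FastEthernet0/3 is shut but never parked, and FastEthernet0/5 is both unpinned and unsecured, while FastEthernet0/1 and the global section pass. The VTP password cannot be verified from the running-config on IOS, which is why that finding points at `show vtp password`.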
LVL 12

Expert Comment

ID: 22661191
... While this is a DoD environment, there must be a balance of security, connectivity, and manageability. There is a point you can pass that makes it too hard to manage vs. the extra security. Hence the idiom "The most secure network is a disconnected network."
For example, here in Central Texas I've got one government client that has about 100 switches, all in transparent VTP mode. If they want to add one computer somewhere, someone has to log into 10 switches or more and manually enable trunking to the right location. This is the point at which a network becomes unmanageable due to "too much" security. It's a city; who's honestly going to try something that requires that much security to prevent? No one. That's where it crosses the line.

While disabling autonegotiation might be a good solution, you really have to look at each setup individually... what's the physical security going to be like around the equipment? Then you can determine what's best. We can't give you a complete guide without being directly associated with the network, but we can offer a few bits of advice to help you out.
Another thing you might consider in place of autonegotiation disabled is VTP pruning. This cuts out unused VLANs from switches so there's no way sensitive data on unused VLANs is traversing a switch that does not require it.
There are many other ways to go about securing a network such as this.
It's really up to you (or a trusted contractor) to make the right decisions for your environment. My company always tells clients that we need to make sure a solution fits their environment, because if we setup a solution off a template and not designed specifically for a certain purpose it will do nothing but cause problems for that client in the future.
Please consider this and cheers!
LVL 32

Expert Comment

ID: 22661378

"I am faced with daily outages where soldiers/contractors bring in hubs/switches/routers and place them on the network without understanding the impact this has if they create loops"

CADOIM, my take on your post is that you need the additional security to stop the integration of rogue devices on your network, in addition to implementing spanning-tree. Your issue is that there are many who have access to your network and you need a way to control this. Whatever is discussed in this forum, you need to address your needs first with any proposed solution; take what fits best.

harbor235 ;}

LVL 12

Expert Comment

ID: 22663862
Exactly as I stated. :)
LVL 32

Expert Comment

ID: 22663905

LOL, Jared, you really need to work on solving issues and not worry so much about what everyone else is saying. Let the customer decide what the best solution is.
Multiple potential solutions from multiple perspectives help the customer.

harbor235 ;}
LVL 12

Expert Comment

ID: 22664331
Indeed they do. I don't think I said anything to stop them from doing so. Just offering ideas from my perspective on others' posts to give the asker a different point of view on each.
I believe that every point of view needs to have its opposite discussed (as long as it is logical) - that's how one can really come up with the best answer - comparing two opposing points of view and then mixing and matching the two to come up with the best solution.
Cheers!  :)
BTW did you good pugglewuggle? lol
LVL 12

Expert Comment

ID: 22664396
Excuse moi, google pugglewuggle?
