Solved

Configuring Spanning-Tree Protocol on Cisco Switches

Posted on 2011-02-15
Last Modified: 2012-09-12
I have a total of 9 Cisco switches on my network. Below are the types of switches I am using:

Cisco 3550-12G (used as the core switches; I am using two for redundancy purposes)
Cisco 3550-24 port (used as the DMZ switches; I am using two for redundancy purposes)
Cisco 3550-48 port (used for the subnet/LAN switches)

All switches on this network share a common VLAN for VTP. The common VLAN is VLAN 20, which is represented in the below network topology.

As you will see from the below network topology, I am using two Cisco 3550-12Gs for redundancy purposes. Right now all traffic is going out the Primary 3550-12G, but if I were to shut that switch off, all traffic goes out the Secondary 3550-12G. Each subnet switch (3550-48) has two route statements to allow this.

All this is currently working and in production, but what I'm not sure about is whether I have to do anything special with Spanning Tree Protocol. I know by default STP is enabled on Cisco switches, but with all the redundant links I have, I'm afraid there may be some loops occurring. Does anyone have any input on how I should configure STP for my below network? Thanks.


(attached image: Switch-Topology)
Question by:denver218
22 Comments
 
LVL 7

Expert Comment

by:GridLock137
I think STP is smart enough to avoid loops, being that's what it is designed to do. It stops redundancy to a common switch to avoid loops. The only way that redundant link comes up is if another goes down. With STP and a redundant link to a common switch, one of those connections will be put into a down state. Hope this helps.
 
LVL 7

Expert Comment

by:GridLock137
This looks fine. Should be OK, STP will do the rest.
 
LVL 4

Author Comment

by:denver218
Thanks. If you take a look at the VLAN 40 subnet (10.4.0.0/16), you will see that I have 3 switches in this subnet. Do I need to configure one of the switches in this subnet to be the root bridge since I have multiple switches in it?
 
LVL 3

Expert Comment

by:mikegatti
Spanning tree is pretty simple, but a lack of attention to planning can come back to haunt you. In an environment like this, and if there are no other reasons, you probably want to consider an alternative to standard spanning tree: the convergence time can take up to 50 sec for the switches that are directly connected to your root bridge, and even more for the ones downstream. I would suggest looking into running Rapid Spanning Tree+ and enabling Spanning-Tree BackboneFast on all switches and UplinkFast on access layer switches. This should bring your convergence time down considerably.

Also, if you are running multiple VLANs and would like to load balance some of your traffic across your Layer 2 network with RPVST+ running, you can manipulate the root bridge per VLAN at the core. Some people just take all the odd VLANs and make one core switch the root, and take the even VLANs and make the other core switch the root. That might not be practical in many environments due to load distribution amongst the different VLANs, but it nevertheless shows what is possible.

One more suggestion (you might be running this already) is to set all your access ports to mode access and enable spanning-tree portfast and, most importantly, run it along with spanning-tree root guard, bpduguard, bpdufilter and/or some of the other features that would prohibit a device connecting to an access port from attempting to form a trunk and becoming root (and thus potentially generating loops).

This should be a good start:

- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml
- http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b0670.shtml#conf
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800c2548.shtml
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094641.shtml
- http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html

These commands can be very disruptive to a production network, so planning is key.
I hope this helps...
 
LVL 7

Accepted Solution

by:
GridLock137 earned 250 total points
Before setting a primary root bridge manually, run the command show spanning-tree to see which one is already your root bridge; then you will be able to determine if you want to set one of the other switches on VLAN 40 as a secondary root bridge. Run that command on all three switches in VLAN 40.
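A Cisco IOS configuration that puts mikegatti's recommendations (rapid PVST+, root placed deliberately on the core, portfast with BPDU guard on access ports, root guard on core downlinks) and GridLock137's show spanning-tree check into one place; this is an added example, not configuration posted by anyone in the thread. The interface ranges and the VLAN list 20,40,50,60 are assumptions read off the description of the drawing.

```cisco
! ===== Primary 3550-12G (core): hypothetical config, not from the thread =====
spanning-tree mode rapid-pvst
! rapid-pvst converges in seconds; UplinkFast/BackboneFast behaviour is built into RSTP
! Force the root onto the primary core for every VLAN in the topology (priority 24576)
spanning-tree vlan 20,40,50,60 root primary
! Downlinks toward DMZ / subnet switches: a superior BPDU from below is never accepted
interface range GigabitEthernet0/1 - 10
 description downlink to DMZ / 3550-48 subnet switch (assumed port range)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
! ===== Secondary 3550-12G (core) =====
spanning-tree mode rapid-pvst
! priority 28672: becomes root only if the primary core disappears
spanning-tree vlan 20,40,50,60 root secondary
interface range GigabitEthernet0/1 - 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
! ===== 3550-48 subnet switch (e.g. one of the three VLAN 40 switches) =====
spanning-tree mode rapid-pvst
! Host ports: fixed access mode, no DTP, forward immediately, err-disable on any BPDU
interface range FastEthernet0/1 - 48
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
! bpdufilter is deliberately left out: it discards BPDUs silently instead of flagging the port
! Bring a bpduguard err-disabled port back after 5 minutes without a manual shut / no shut
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! GridLock137's check, run on every VLAN 40 switch before and after the change:
!   show spanning-tree vlan 40
! "This bridge is the root" should appear only on the primary 3550-12G
```

Uplinks on the 3550-48s are left as plain trunks on purpose: root guard belongs on the core side facing down, and a guard on the access switch's own uplink would block the legitimate root.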
 
LVL 7

Expert Comment

by:GridLock137
The setting up of a secondary root bridge is only for redundancy purposes; you cannot have two at the same time. It will fail over to the secondary if the first goes down.
 
LVL 7

Expert Comment

by:GridLock137
mikegatti pretty much hit the nail on the head here. Good one Mike, I totally forgot about RPVST+, PVRST and all that good stuff. ;o)
 
LVL 4

Author Comment

by:denver218
Yes, running these commands in a production network is a big concern of mine. I really can't afford downtime for this. I will look over the links you have above and see if I can come up with a plan.

Again, right now I know that STP is enabled, but that's just by default; I have not done any additional configuration to STP.

What is the downfall of keeping it the way I have it? Just curious.
 
LVL 3

Expert Comment

by:mikegatti
The downfall is mainly convergence time in the event of a failure, and being able to better manage the distribution of traffic amongst your layer 2 network.

Something to look out for, to know that you have loops in your network: if you start seeing logs that state that there are MAC addresses flapping between ports, mainly your trunks. Also keep an eye on flapping trunk ports; this is another indication.
 
LVL 50

Expert Comment

by:Don Johnston
I would definitely go with rapid spanning-tree (RPVST). Instead of a worst-case 50 second failover, you would be looking at a 2 second failover.

That said (and I'm making some assumptions based on your drawing), I would do away with the layer 2 design completely.

For example, the only place VLAN 60 exists is on the bottom right switch. Since all of your switches are multilayer, do the routing on that switch and make the uplinks layer 3. Then let a routing protocol handle loop prevention and failover. The same is true for the VLAN 50 switch at the bottom middle.

As for the three VLAN 40 switches on the left, let the two with the uplinks do the routing.

Make the core a layer 3 core and get rid of VLAN 20.

But like I said, there are some things that aren't clear. Like, are there any host devices in VLAN 20? If so, where?
 
LVL 4

Author Comment

by:denver218
VLAN 20 is just the common VLAN that all switches share for VTP. There are not any hosts in VLAN 20. The only devices that have a VLAN 20 IP address are the switches.

I do do the routing on the switches; all 3550-48s have two route statements to the core switches:

ip route 0.0.0.0 0.0.0.0 192.168.12.200 (Primary Core Switch - 3550-12G)
ip route 0.0.0.0 0.0.0.0 192.168.12.201 (Secondary Core Switch - 3550-12G)

Again, this is all in production at the moment. Will implementing RPVST be disruptive to the network? In other words, should I schedule downtime for this? Thanks.
 
LVL 50

Expert Comment

by:Don Johnston
>Will implementing RPVST be disruptive to the network?

Yes. As you enable RPVST on a switch, the network will re-converge. Best done during a maintenance window.

And VTP updates are only sent over VLAN 1. So it sounds like you're using VLAN 20 only for management.

With spanning-tree doing the loop prevention, only one path is functional. Because all of your switches support CEF, if you went with a layer 3 topology, all paths would be in use.

But if spanning-tree is what you want, schedule a maintenance window. Make the primary 3550-12G your root and the Secondary your backup root and enable RPVST on all your switches.
 
LVL 4

Author Comment

by:denver218
My topology now is a Layer 3 topology, correct? I have "ip routing" turned on on all the switches, and I do have route statements to the next hop.

If so, do you recommend I keep this a layer 3 topology and use all paths, or configure RPVST?

 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
Since VLAN 20 exists on all of your switches, you have a layer 2 topology and spanning-tree is required to prevent loops.

As far as a recommendation, I won't go that far. :-)

With design, there are many ways to accomplish a "good" design. Ask 10 people about a design and you'll get 10 different ideas. And all of them will work. There isn't always a "right" or "wrong" with design.

But my philosophy is that if I have two uplinks, I would prefer to have traffic flowing over both of them. With Spanning-Tree, one is going to be blocking. So that's why I like layer 3. If there are two equal cost paths, the router will use both.

So here's one (of many) ways to do this, using the existing physical connections.

(attached image: top-1.jpg)
 
LVL 4

Author Comment

by:denver218
I hear you there; if you ask 10 people for a network design, you will probably get 10 different designs that will all work fine. I've been there many times.
Thanks for the example. Just for clarification, I'll use the 10.6.0.0/24 network for this example. Is below what you mean?

10.6.0.0/24 network
3550-48 - int gi 0/1 - 192.168.1.1 255.255.255.252
3550-48 - int gi 0/2 - 192.168.4.1 255.255.255.252

3550-12G Primary - int gi0/1 - 192.168.1.2 255.255.255.252
3550-12G Secondary - int gi0/1 - 192.168.4.2 255.255.255.252

Would there be any performance differences between the way I currently have it configured and your example above?
 
LVL 50

Expert Comment

by:Don Johnston
> Is below what you mean?

Yep.

>Would there be any performance differences between the way I currently have it configured
> and your example above?

Not really.
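Don Johnston's layer 3 alternative written out in Cisco IOS for the 10.6.0.0/24 switch and its two core uplinks, using the /30 addresses denver218 listed above; this is an added example, not configuration from the thread. The interface names, the 10.6.0.1 gateway on the SVI, and 10.6.0.0/24 being VLAN 60 are assumptions.

```cisco
! ===== 3550-48 serving 10.6.0.0/24 (assumed to be VLAN 60): hypothetical config =====
ip routing
! The uplinks become routed /30 point-to-point links instead of VLAN 20 trunk members,
! so no VLAN spans an uplink and there is nothing left for spanning tree to block
interface GigabitEthernet0/1
 description uplink to Primary 3550-12G
 no switchport
 ip address 192.168.1.1 255.255.255.252
interface GigabitEthernet0/2
 description uplink to Secondary 3550-12G
 no switchport
 ip address 192.168.4.1 255.255.255.252
! Hosts keep their gateway on the local SVI; VLAN 60 now exists only on this switch
interface Vlan60
 ip address 10.6.0.1 255.255.255.0
! Two equal-cost default routes: CEF load-shares across both uplinks, and when a
! routed link goes down its route is withdrawn at once, with no 2-50 second STP timer
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.4.2
!
! ===== Primary 3550-12G side of the link =====
interface GigabitEthernet0/1
 description link to 10.6.0.0/24 3550-48
 no switchport
 ip address 192.168.1.2 255.255.255.252
ip route 10.6.0.0 255.255.255.0 192.168.1.1
!
! ===== Secondary 3550-12G side of the link =====
interface GigabitEthernet0/1
 description link to 10.6.0.0/24 3550-48
 no switchport
 ip address 192.168.4.2 255.255.255.252
ip route 10.6.0.0 255.255.255.0 192.168.4.1
```

With only static routes, each core reaches 10.6.0.0/24 solely over its own link, so a core whose downlink has failed has no return path; the routing protocol Don mentions, run between the two cores and the 3550-48s, is what closes that gap.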
 
LVL 4

Author Comment

by:denver218
You got me thinking now. I like your way better :)
 
LVL 50

Expert Comment

by:Don Johnston
Thinking is good... usually. ;-)
 
LVL 4

Author Comment

by:denver218
Ok, last question. As you can see, on VLAN 40 I have three switches. Soon I will be adding a 4th switch to this VLAN. What is the best way to connect these 4 switches together and connect them to the 3550-12Gs?
 
LVL 4

Author Comment

by:denver218
I'm adding a fourth switch to VLAN 40. Does this look correct as far as the way I have these switches connected?
(attached image: Switches)
 
LVL 50

Expert Comment

by:Don Johnston
That'll work.

Just make the 0.3 and 0.4 switch layer 2 only. Have 0.1 and 0.2 do all the routing.
 
LVL 4

Author Closing Comment

by:denver218
Thanks