Solved

Configuring Spanning-Tree Protocol on Cisco Switches

Posted on 2011-02-15
22
1,181 Views
Last Modified: 2012-09-12
I have a total of 9 Cisco Switches on my network.  Below are the types of switches I am using:

Cisco 3550-12G (used as the core switches; I am using two for redundancy purposes)
Cisco 3550-24 port (used as the DMZ switches; I am using two for redundancy purposes)
Cisco 3550-48 port (used for the subnet/LAN switches)

All switches on this network share a common VLAN for VTP.  The common VLAN is VLAN 20, which is represented in the below network topology.

As you will see from the below network topology, I am using two Cisco 3550-12Gs for redundancy purposes.  Right now all traffic is going out the Primary 3550-12G, but if I were to shut that switch off, all traffic goes out the Secondary 3550-12G.  Each subnet switch (3550-48) has two route statements to allow this.

All this is currently working and in production, but what I'm not sure about is whether I have to do anything special with Spanning Tree Protocol.  I know by default STP is enabled on Cisco switches, but with all the redundant links I have, I'm afraid there may be some loops occurring.  Does anyone have any input on how I should configure STP for my below network?  Thanks.


 Switch-Topology
Question by:denver218
22 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 34896532
I think STP is smart enough to avoid loops, being that's what it is designed to do. It stops redundancy to a common switch to avoid loops. The only way that redundant link comes up is if another goes down. With STP and a redundant link to a common switch, one of those connections will be put into a down state. Hope this helps.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34896535
This looks fine. Should be OK, STP will do the rest.
0
 
LVL 4

Author Comment

by:denver218
ID: 34896668
Thanks.  If you take a look at the VLAN 40 subnet (10.4.0.0/16), you will see that I have 3 switches in this subnet.  Do I need to configure one of the switches in this subnet to be the root bridge, since I have multiple switches in it?
0
 
LVL 3

Expert Comment

by:mikegatti
ID: 34896778

Spanning tree is pretty simple, but a lack of attention to planning can come back to haunt you. In an environment like this, and if there are no other reasons, you probably want to consider an alternative to standard spanning tree: the convergence time can take up to 50 sec for the switches that are directly connected to your root bridge, even more for the ones downstream. I would suggest looking into running Rapid Spanning Tree+ and enabling Spanning-Tree BackboneFast on all switches and UplinkFast on access layer switches. This should bring your convergence time down considerably.

Also, if you are running multiple VLANs and would like to load balance some of your traffic across your layer 2 network with RPVST+ running, you can manipulate the root bridge per VLAN at the core. Some people just take all the odd VLANs and make one core switch the root, and take the even VLANs and make the other core switch the root; that might not be practical in many environments due to load distribution amongst the different VLANs, but nevertheless it shows what is possible.

One more suggestion (you might be running this already) is to set all your access ports to mode access and enable spanning-tree portfast, and most importantly run it along with spanning-tree root guard, bpduguard, bpdufilter and/or some of the other features that would prohibit a device connecting to an access port from attempting to form a trunk and become root (and thus potentially generating loops).


This should be a good start:

- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml
- http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b0670.shtml#conf
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800c2548.shtml
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094641.shtml
- http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html

These commands can be very disruptive to a production network so planning is key.
I hope this helps...

0
 
LVL 7

Accepted Solution

by:
GridLock137 earned 250 total points
ID: 34896822
Before setting a primary root bridge manually, run the command show spanning-tree to see which one is already your root bridge; then you will be able to determine if you want to set one of the other switches on VLAN 40 as a secondary root bridge. Run that command on all three switches in VLAN 40.
0
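The check above (run show spanning-tree on every switch in VLAN 40 before touching root priorities) is easy to script once you have the output in hand. The example below is added here and is not code from the thread or from Cisco: it parses constructed show spanning-tree vlan 40 output from three made-up switches (names, MAC addresses and port numbers are assumptions), works out which bridge wins the 802.1D election, checks that every switch reports the same root, and computes the priority value that spanning-tree vlan 40 root primary would choose to move the root where you actually want it. It also derives the worst-case legacy convergence time from the parsed timers, which is where the "up to 50 sec" figure in the earlier comment comes from.

```python
import re
from dataclasses import dataclass

# Constructed sample output of "show spanning-tree vlan 40" from three switches
# in VLAN 40 (not captures from the poster's network). All three run the default
# priority 32768 + VLAN, so the root is decided purely by the lowest MAC address.
SAMPLE_OUTPUT = {
    "vlan40-sw1": """VLAN0040
  Root ID    Priority    32808
             Address     000d.bd11.aa05
             Cost        19
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     000d.bd11.aa10""",
    "vlan40-sw2": """VLAN0040
  Root ID    Priority    32808
             Address     000d.bd11.aa05
             Cost        19
             Port        2 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     000d.bd11.aa20""",
    "vlan40-sw3": """VLAN0040
  Root ID    Priority    32808
             Address     000d.bd11.aa05
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     000d.bd11.aa05""",
}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+" + MAC)
BRIDGE_RE = re.compile(r"Bridge ID\s+Priority\s+(\d+)\s+\(priority \d+ sys-id-ext (\d+)\)\s+Address\s+" + MAC)
TIMER_RE = re.compile(r"Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec")


@dataclass(frozen=True)
class StpView:
    switch: str
    bridge_priority: int
    bridge_mac: str
    root_priority: int
    root_mac: str
    vlan: int
    max_age: int
    forward_delay: int


def parse_show_spanning_tree(switch: str, text: str) -> StpView:
    """Pull the root ID, bridge ID, VLAN and timers out of one switch's output."""
    root, bridge, timers = ROOT_RE.search(text), BRIDGE_RE.search(text), TIMER_RE.search(text)
    if not (root and bridge and timers):
        raise ValueError(f"{switch}: unrecognised show spanning-tree output")
    return StpView(switch, int(bridge.group(1)), bridge.group(3), int(root.group(1)),
                   root.group(2), int(bridge.group(2)), int(timers.group(1)), int(timers.group(2)))


def parse_all(outputs: dict) -> list:
    return [parse_show_spanning_tree(name, text) for name, text in outputs.items()]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def elect_root(views: list) -> str:
    """802.1D election: the lowest (priority, MAC) bridge ID wins."""
    return min(views, key=lambda v: (v.bridge_priority, mac_to_int(v.bridge_mac))).switch


def audit(views: list, intended_root: str) -> dict:
    """Check that the switches agree on the root and that it is the one you meant.
    A root MAC that belongs to none of your switches means an unmanaged bridge won."""
    by_mac = {v.bridge_mac: v.switch for v in views}
    reported = {by_mac.get(v.root_mac, f"unknown ({v.root_mac})") for v in views}
    winner = elect_root(views)
    # Legacy 802.1D worst case: max age expiry, then listening and learning.
    worst_case = views[0].max_age + 2 * views[0].forward_delay
    return {"root": winner, "agree": reported == {winner}, "intended": winner == intended_root,
            "reported_roots": sorted(reported), "worst_case_convergence_s": worst_case}


def priority_for_root_primary(views: list, vlan: int) -> int:
    """Priority that beats the current root: 24576 if that is enough, otherwise one
    4096 step below the current root (the rule 'root primary' applies in practice)."""
    root = min(views, key=lambda v: (v.bridge_priority, mac_to_int(v.bridge_mac)))
    base = root.bridge_priority - vlan                      # strip the sys-id-ext part
    new_base = 24576 if base > 24576 else base - 4096
    if new_base < 0:
        raise ValueError("current root is already at the lowest possible priority")
    return new_base + vlan


if __name__ == "__main__":
    views = parse_all(SAMPLE_OUTPUT)
    print(audit(views, intended_root="vlan40-sw1"))
    print("priority to make vlan40-sw1 root:", priority_for_root_primary(views, 40))
```

With the constructed output, vlan40-sw3 is root only because it has the lowest MAC address, which is exactly the situation the comment warns about: everything agrees, nothing is broken, but the root was chosen by accident rather than by design, and any newly added switch with a lower MAC would take over the role.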
 
LVL 7

Expert Comment

by:GridLock137
ID: 34896929
The setting up of a secondary root bridge is only for redundancy purposes; you cannot have two at the same time. It will fail over to the secondary if the first goes down.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34897064
mikegatti pretty much hit the nail on the head here. Good one Mike, I totally forgot about RPVST+, PVRST and all that good stuff. ;o)
0
 
LVL 4

Author Comment

by:denver218
ID: 34897146
Yes, running these commands in a production network is a big concern of mine.  I really can't afford down time for this.  I will look over the links you have above and see if I can come up with a plan.

Again, right now I know that STP is enabled, but that's just by default, I have not done any additional configuration to STP.

What is the downfall of keeping it the way I have it?  Just curious.
0
 
LVL 3

Expert Comment

by:mikegatti
ID: 34897281
The downfall is mainly convergence time in the event of a failure, and being able to better manage the distribution of traffic amongst your layer 2 network.

Something to look out for, and a way to know that you have loops in your network, is if you start seeing logs that state that there are MAC addresses flapping between ports, mainly your trunks. Also keep an eye on flapping trunk ports; this is another indication.
0
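The two symptoms named in the comment (MAC addresses flapping between ports, especially trunks, and trunk ports themselves bouncing) both show up in the switch syslog, so they are worth watching for automatically. The example below is added here and is not code from the thread; it runs over constructed IOS log lines (the %SW_MATM-4-MACFLAP_NOTIF and %LINEPROTO-5-UPDOWN message formats are the real Catalyst ones, the MAC addresses, timestamps and the assumption that Gi0/1 and Gi0/2 are the uplink trunks are made up). A MAC repeatedly flapping between two trunks is rated as a loop suspect, a MAC moving between two access ports as an ordinary host move, and a trunk that goes down and up again as a trunk flap.

```python
import re
from collections import Counter

# Constructed IOS syslog lines, not captures from the poster's switches.
SAMPLE_LOG = [
    "Feb 15 10:02:11.101: %SW_MATM-4-MACFLAP_NOTIF: Host 0019.e8ab.0001 in vlan 40 is flapping between port Gi0/1 and port Gi0/2",
    "Feb 15 10:02:12.205: %SW_MATM-4-MACFLAP_NOTIF: Host 0019.e8ab.0001 in vlan 40 is flapping between port Gi0/2 and port Gi0/1",
    "Feb 15 10:02:13.310: %SW_MATM-4-MACFLAP_NOTIF: Host 0019.e8ab.0001 in vlan 40 is flapping between port Gi0/1 and port Gi0/2",
    "Feb 15 10:02:14.412: %SW_MATM-4-MACFLAP_NOTIF: Host 0019.e8ab.0001 in vlan 40 is flapping between port Gi0/2 and port Gi0/1",
    "Feb 15 10:03:01.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down",
    "Feb 15 10:03:03.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up",
    "Feb 15 10:05:40.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down",
    "Feb 15 10:05:41.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up",
    "Feb 15 10:05:42.500: %SW_MATM-4-MACFLAP_NOTIF: Host 0021.5a3c.7f10 in vlan 40 is flapping between port Fa0/7 and port Fa0/9",
]
TRUNK_PORTS = {"Gi0/1", "Gi0/2"}   # assumed uplink trunks on this access switch

FLAP_RE = re.compile(r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>\S+) in vlan (?P<vlan>\d+) "
                     r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)")
LINK_RE = re.compile(r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<iface>\S+), "
                     r"changed state to (?P<state>up|down)")
SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_name(iface: str) -> str:
    """GigabitEthernet0/2 -> Gi0/2, matching the form used in the MACFLAP messages."""
    for long_form, short in SHORT.items():
        if iface.startswith(long_form):
            return short + iface[len(long_form):]
    return iface


def mac_flaps(lines) -> Counter:
    """Count flap notices per (mac, vlan, port pair); the pair is unordered."""
    counts = Counter()
    for line in lines:
        m = FLAP_RE.search(line)
        if m:
            counts[(m["mac"], int(m["vlan"]), frozenset((m["a"], m["b"])))] += 1
    return counts


def link_transitions(lines) -> Counter:
    """Count line-protocol up/down transitions per interface."""
    counts = Counter()
    for line in lines:
        m = LINK_RE.search(line)
        if m:
            counts[short_name(m["iface"])] += 1
    return counts


def assess(lines, trunk_ports, flap_threshold=3, link_threshold=2) -> list:
    """Turn raw counts into findings with a severity a NOC would act on."""
    findings = []
    for (mac, vlan, ports), n in mac_flaps(lines).items():
        if ports <= trunk_ports and n >= flap_threshold:
            severity = "loop-suspect"      # same MAC seen behind both uplinks, repeatedly
        elif ports & trunk_ports:
            severity = "watch"             # one side is an uplink: could be a loop or a move
        else:
            severity = "host-move"         # between two access ports: usually benign
        findings.append({"mac": mac, "vlan": vlan, "ports": sorted(ports),
                         "count": n, "severity": severity})
    for iface, n in link_transitions(lines).items():
        if iface in trunk_ports and n >= link_threshold:
            findings.append({"iface": iface, "transitions": n, "severity": "trunk-flap"})
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG, TRUNK_PORTS):
        print(finding)
```

The split between uplink and access ports is the useful part: the same MAC appearing behind both trunks of a switch is what a layer 2 loop (or a redundant path that STP is not protecting) looks like from the MAC table, while a host wandering between two access ports is normal and only worth noting. The thresholds are starting points to tune against your own log volume.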
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34897421
I would definitely go with rapid spanning-tree (RPVST). Instead of a worst-case 50 second failover, you would be looking at 2 second failover.

That said (and I'm making some assumptions based on your drawing),  I would do away with the layer 2 design completely.

For example, the only place VLAN 60 exists is on the bottom right switch. Since all of your switches are multilayer, do the routing on that switch and make the uplinks layer 3. Then let a routing protocol handle loop prevention and failover.  The same is true for the VLAN 50 switch at the bottom middle.

As for the three VLAN 40 switches on the left, let the two with the uplinks do the routing.

Make the core a layer 3 core and get rid of VLAN 20.

But like I said, there are some things that aren't clear. Like are there any host devices in VLAN 20? If so, where?
0
 
LVL 4

Author Comment

by:denver218
ID: 34897646
VLAN 20 is just the common VLAN that all switches share for VTP.  There are not any hosts in VLAN 20.  The only devices that have a VLAN 20 IP address are the switches.

I do do the routing on the switches; all 3550-48s have two route statements to the core switches:

ip route 0.0.0.0 0.0.0.0 192.168.12.200 (Primary Core Switch - 3550-12G)
ip route 0.0.0.0 0.0.0.0 192.168.12.201 (Secondary Core Switch - 3550-12G)

Again, this is all in production at the moment.  Will implementing RPVST be disruptive to the network?  In other words should I schedule down time for this.  Thanks.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34897768
>Will implementing RPVST be disruptive to the network?

Yes. As you enable RPVST on a switch, the network will re-converge. Best done during a maintenance window.

And VTP updates are only sent over VLAN 1. So it sounds like you're using VLAN 20 only for management.

With spanning-tree doing the loop prevention, only one path is functional. Because all of your switches support CEF, if you went with a layer 3 topology, all paths would be in use.

But if spanning-tree is what you want, schedule a maintenance window. Make the primary 3550-12G your root and the Secondary your backup root and enable RPVST on all your switches.
0
 
LVL 4

Author Comment

by:denver218
ID: 34897887
My topology now is a layer 3 topology, correct?  I have "ip routing" turned on on all the switches, and I do have route statements to the next hop.

If so, do you recommend I keep this a layer 3 topology and use all paths or configure RPVST?

0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
ID: 34898153
Since VLAN 20 exists on all of your switches, you have a layer 2 topology and spanning-tree is required to prevent loops.

As far as a recommendation, I won't go that far. :-)

With design, there are many ways to accomplish a "good" design. Ask 10 people about a design and you'll get 10 different ideas. And all of them will work. There isn't always a "right" or "wrong" with design.

But my philosophy is that if I have two uplinks, I would prefer to have traffic flowing over both of them. With Spanning-Tree, one is going to be blocking. So that's why I like layer 3. If there are two equal cost paths, the router will use both.

So here's one (of many) ways to do this, using the existing physical connections.

top-1.jpg
0
 
LVL 4

Author Comment

by:denver218
ID: 34899873
I hear you there; if you ask 10 people for a network design, you will probably get 10 different designs that will all work fine.  I've been there many times.
Thanks for the example.  Just for clarification, I'll use the 10.6.0.0/24 network for this example.  Is below what you mean?

10.6.0.0/24 network
3550-48 - int gi 0/1 - 192.168.1.1 255.255.255.252
        - int gi 0/2 - 192.168.4.1 255.255.255.252

3550-12G Primary   - int gi0/1 - 192.168.1.2 255.255.255.252
3550-12G Secondary - int gi0/1 - 192.168.4.2 255.255.255.252

Would there be any performance differences between the way I currently have it configured and  your example above?  
0
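The addressing sketched above turns each uplink into its own /30 point-to-point subnet, and the reason Don prefers it is that two equal-cost default routes over two separate links give you two forwarding paths, whereas today's two default routes via 192.168.12.200 and .201 both ride the single VLAN 20 path that spanning-tree leaves unblocked. The example below is added here and is not code from the thread: it validates a constructed version of the /30 plan (the 10.6.0.0/24 switch's two links are the ones above; the second access switch's links, the interface names and the deliberately wrong last entry are assumptions) and shows which next hops a static routing table actually load-shares across, both for equal-distance routes and for a floating backup route.

```python
import ipaddress

# Constructed addressing plan for the layer 3 uplinks (not the poster's config).
# Each entry: (link name, address on the access switch end, address on the core end).
LINKS = [
    ("sw-10.6 Gi0/1 <-> core-primary Gi0/1",   "192.168.1.1/30", "192.168.1.2/30"),
    ("sw-10.6 Gi0/2 <-> core-secondary Gi0/1", "192.168.4.1/30", "192.168.4.2/30"),
    ("sw-10.5 Gi0/1 <-> core-primary Gi0/2",   "192.168.2.1/30", "192.168.2.2/30"),
    ("sw-10.5 Gi0/2 <-> core-secondary Gi0/2", "192.168.5.1/30", "192.168.5.6/30"),  # deliberate mistake
]

# Static routes on sw-10.6 in the layer 3 design: (prefix, next hop, administrative distance).
ROUTES_ECMP = [("0.0.0.0/0", "192.168.1.2", 1), ("0.0.0.0/0", "192.168.4.2", 1)]
ROUTES_FLOATING = [("0.0.0.0/0", "192.168.1.2", 1), ("0.0.0.0/0", "192.168.4.2", 10)]


def check_link(a: str, b: str) -> list:
    """Problems with one point-to-point link: both ends must share one /30 and differ."""
    ia, ib = ipaddress.ip_interface(a), ipaddress.ip_interface(b)
    problems = []
    if ia.network.prefixlen != 30 or ib.network.prefixlen != 30:
        problems.append("point-to-point link is not a /30")
    if ia.network != ib.network:
        problems.append(f"ends are in different subnets ({ia.network} vs {ib.network})")
    elif ia.ip == ib.ip:
        problems.append("both ends use the same address")
    return problems


def check_plan(links) -> dict:
    """Map link name -> problems, including /30s that overlap an earlier link."""
    problems, seen = {}, []
    for name, a, b in links:
        issues = check_link(a, b)
        net = ipaddress.ip_interface(a).network
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                issues.append(f"subnet {net} overlaps link '{other_name}'")
        seen.append((name, net))
        if issues:
            problems[name] = issues
    return problems


def usable_next_hops(routes, destination: str) -> set:
    """Longest-prefix match, then lowest administrative distance; every route left
    standing is an equal-cost path, and CEF load-shares traffic across all of them."""
    dest = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(p), nh, ad) for p, nh, ad in routes
               if dest in ipaddress.ip_network(p)]
    if not matches:
        return set()
    best_len = max(net.prefixlen for net, _, _ in matches)
    longest = [(net, nh, ad) for net, nh, ad in matches if net.prefixlen == best_len]
    best_ad = min(ad for _, _, ad in longest)
    return {nh for _, nh, ad in longest if ad == best_ad}


if __name__ == "__main__":
    for name, issues in check_plan(LINKS).items():
        print(name, "->", "; ".join(issues))
    print("ECMP next hops:", usable_next_hops(ROUTES_ECMP, "10.4.0.10"))
    print("floating-static next hops:", usable_next_hops(ROUTES_FLOATING, "10.4.0.10"))
```

Run against the current VLAN 20 design the same function would also return both core addresses, which is why the routing table alone does not tell you whether both uplinks carry traffic; in the layer 3 design each next hop sits on its own physical link, so equal-distance routes really do mean two active paths, and the floating-static variant shows how to keep one uplink purely as a backup if that is what you want.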
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34899912
> Is below what you mean?

Yep.

>Would there be any performance differences between the way I currently have it configured
> and your example above?

Not really.
0
 
LVL 4

Author Comment

by:denver218
ID: 34899929
You got me thinking now.  I like your way better :)
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34899934
Thinking is good... usually. ;-)
0
 
LVL 4

Author Comment

by:denver218
ID: 34900338
Ok, last question.  As you can see, on VLAN 40 I have three switches.  Soon I will be adding a 4th switch to this VLAN.  What is the best way to connect these 4 switches together and connect them to the 3550-12Gs?
0
 
LVL 4

Author Comment

by:denver218
ID: 34900766
I'm adding a fourth switch to VLAN 40.  Does this look correct as far as the way I have these switches connected?
 Switches
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34900846
That'll work.

Just make the 0.3 and 0.4 switch layer 2 only. Have 0.1 and 0.2 do all the routing.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 34900912
Thanks
0
