Link to home
Start Free TrialLog in
Avatar of denver218
denver218Flag for United States of America

asked on

Configuring Spanning-Tree Protocol on Cisco Switches

I have a total of 9 Cisco Switches on my network.  Below are the types of switches I am using:

Cisco 3550-12G (Used as the Core Switches.  (I am using two for redundancy purposes)
Cisco 3550-24 port (Used as the DMZ Switches) (I am using two for redundancy purposes)
Cisco 3550-48 port (Used for the Subnet/LAN switches)

All switches on this network share a common VLAN for VTP.  The common VLAN is VLAN 20, which is represented in the below network topology.

As you will see from the below network topology, I am using two Cisco 3550-12Gs for redundancy purposes.  Right now all traffic is going out the Primary 3550-12G, but if I would shut that switch off, all traffic goes out the Secondary 3550-12G.  Each subnet switch(3550-48) have two route statements to allow this.

All this is currently working and in production, but what I'm not sure about is if I have to do anything special with Spanning Tree Protocol.  I know by default STP is enabled on Cisco Switches, but with all the redundant links I have, I afraid there may be some loops occuring.  Does anyone have any input on how I should configure STP for my below network.  Thanks.


 User generated image
Avatar of GridLock137
GridLock137
Flag of United States of America image

I think STP is smart enough to avoid loops being that's what it is designed to do. it stops redundancy to a common switch to avoid loops. the only way that redundant link comes up is if another goes down. with STP redundant link to a common switch, one of those connections will be put into a down state. hope this helps.
this looks fine. should be ok, STP will do the rest.
Avatar of denver218

ASKER

Thanks.  If you take a look at the VLAN 40 Subnet (10.4.0.0/16).  You will see that I have 3 switches in this subnet.  Do I need to configure one of the switches in this subnet to be the root bridge since I have multiple switches in it?
Avatar of mikegatti
mikegatti


Spanning tree is pretty simple but the lack of attention on planning can come back to haunt you. In an environment like this and if there are no other reasons you probably want to consider an alternative to standard spanning tree, the convergence time can take up to 50sec for the switches that are directly connected to your root bridge even more for the ones down stream. I would suggest looking into running Rapid Spanning Tree + and enabling Spanning-Tree BackboneFast on all switches and UplinkFast on access layer switches. This should bring your convergence time down considerably.

Also if you are running multiple vlans and would like to load balance some of your traffic across your Layer 2 Network with RPVST+ running you can manipulate the root bridge per vlan at the core. Some people just take all the odd vlans and make one switch of the core root and the even vlans and make the other core switch the root, that might not be practical in many environments due to load distribution amongst the different vlans but nevertheless shows what is possible.

One more suggestion (you might be running this already) is to set all your access ports to mode access and enable spanning-tree portfast and most importantly running it along with spanning-tree root guard, bpduguard bpdufilter and/or some of the other features that would prohibit a device connecting to an access port to attempt to form a trunk and become root (and thus potentially generating loops.


This should be a good start:

- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml
- http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b0670.shtml#conf
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800c2548.shtml
- http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094641.shtml
- http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html

These commands can be very disruptive to a production network so planning is key.
I hope this helps...

ASKER CERTIFIED SOLUTION
Avatar of GridLock137
GridLock137
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
the setting up of a secondary root bridge is only for redundancy purpose, you cannot have two at the same time. it will fail over to the scondary if the first goes down.
mikegatti pretty much hit the nail on the head here. good one Mike i totally forgot about RPVST+, PVRST and all that good stuff. ;o)
Yes, running these commands in a production network is a big concern of mine.  I really can't afford down time for this.  I will look over the links you have above and see if I can come up with a plan.

Again, right now I know that STP is enabled, but that's just by default, I have not done any additional configuration to STP.

What is the downfall of keeping it the way I have it?  Just curious.
Downfall is Mainly convergence time in the event of a failure and  being able to manage better the distribution of traffic amongst your layer 2 network.

Something to look out for and know that you have loops in your network if you start seeing logs that state that there are mac addresses flapping between ports, mainly your trunks and keep an eye on flapping trunk ports, this is another indication
Avatar of Don Johnston
I would definiately go with rapid spanning-tree (RPVST). Instead of a worst-case, 50 second failover, you would be looking at 2 second failover.

That said (and I'm making some assumptions based on your drawing),  I would do away with the layer 2 design completely.

For example, the only place VLAN 60 exists is on the bottom right switch. Since all of your switches are multilayer, do the routing on that switch and make the uplinks layer 3. Then let a routing protocol handle loop prevention and failover.  The same is true for the VLAN 50 switch at the bottom middle.

As for the three VLAN 40 switches on the left, let the two with the uplinks do the routing.

Make the core a layer 3 core and get rid of VLAN 20.

But like I said, there are some things that aren't clear. Like are there any host devices in VLAN 20? If so, where?
VLAN 20 is just the common VLAN that all switches share for VTP.  There are not any hosts in VLAN 20.  The only devices that have a VLAN 20 IP address are the switches.

I do, do the routing on the switches, all 3550-48 have to route statements to the core switches:

ip route 0.0.0.0 0.0.0.0 192.168.12.200 (Primary Core Switch - 3550-12G)
ip route 0.0.0.0 0.0.0.0 192.168.12.201 (Secondary Core Switch - 3550-12G)

Again, this is all in production at the moment.  Will implementing RPVST be disruptive to the network?  In other words should I schedule down time for this.  Thanks.
>Will implementing RPVST be disruptive to the network?

Yes. As you enable RPVST on a switch, the network will re-converge. Best done during a maintenance window.

And VTP updates are only sent over VLAN 1. So it sounds like you're using VLAN 20 only for management.

With spanning-tree doing the loop prevention, only one path is functional. Because all of your switches support CEF, if you went with a layer 3 topology, all paths would be in use.

But if spanning-tree is what you want, schedule a maintenance window. Make the primary 3550-12G your root and the Secondary your backup root and enable RPVST on all your switches.
My topology now is a Layer 3 topology correct?  I have "ip routing" turned on, on all the switches, and I do I route statements to the next hop.  

If so, do you recommend I keep this a layer 3 topology and use all paths or configure RPVST?

SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I hear you there, if you ask 10 people for a network design, you will probably get 10 different designs that will all work fine.  I've been the many times.
Thanks for the example.  Just for  clarification:  I'll use the 10.6.0.0/24 network for this example:  Is below what you mean?

10.6.0.0/24 network
3550-48 - int gi 0/1 - 192.168.1.1 255.255.255.252
              - int gi 0/2 - 192.168.4.1 255.255.255.252

3550-12G Primary - int gi0/1 - 192.168.1.2 255.255.255.252
3550-12G Secondary - int gi0/1 192.168.4.2 255.255.255.252

Would there be any performance differences between the way I currently have it configured and  your example above?  
> Is below what you mean?

Yep.

>Would there be any performance differences between the way I currently have it configured
> and your example above?

Not really.
you got me thinking now.  I like your way better:)
Thinking is good... usually. ;-)
Ok, last question.  As you can see, on VLAN 40 I have three switches.  Soon I will be adding a 4th switch to this VLAN.  What is  the best way to connect these 4 switches together and connect to the 3550-12Gs?
I'm adding a fourth switch to VLAN 40.  Does this look correct as far as the way I have these switches connects?
 User generated image
That'll work.

Just make the 0.3 and 0.4 switch layer 2 only. Have 0.1 and 0.2 do all the routing.
Thanks