Best Practices STP

Status
Not open for further replies.

Dlweeksjr

MIS
Apr 9, 2004
I have a GIG Channel Port connecting two Cisco 2950's and 2 layer 2 ethernet switches that are connected to both 2950's for redundancy. STP insisted on using the port that the dumb switches were connected to as the root port. To counteract this, I made one 2950 the Root switch and the other the backup root port. Doing so moved the root port to the Gig channel. Also, prior to this, the channel was blocked by STP and it did not block the redundant connection to the switch. What is the proper way to ensure the bridge priority stays lowest on the port channel so that subsequent switch replacement in the two other switches does not throw off STP again? How can I make sure the root port is on the Ethernet Channel?

Don
 
Sorry, that makes no sense now. I have 2 2950's and 2 dumb switches. The 2950's are connected via a Gig channel. The 2 dumb switches are connected to two other ports on the 2950. Each dumb switch has a connection to each 2950. The rest of the post I hope is clear.
 
Did you find a solution? I don't have that model switch but I believe the terminology is the same. I believe you want to set the Vlan Priority to 0 to establish a Primary Root Bridge. In the other switch (your “backup root port”) set the Vlan Priority to 28672 to establish your Secondary Root Bridge. Now you can go to the “Gig channel” and set the port priority to a higher value than the less desirable port.
 
What I really want to do is set the bridge priority on each port. Is VLAN priority Cisco's name for it? I keep getting confused by Cisco names and everyone else's. (Witness: Channel vs aggregate for port trunking).
 
Yes, set VLAN priority on each port. I set it globally but it can be set for each port from what I understand. Let us know what you do and how it turns out.
 
This is what I did. I am getting sub second failovers between the 4 switches. I set the spanning-tree cost to 1 on the two Gig ports that make up the channel. Spanning tree summary shows the root is Vlan 1. No blocked ports are shown on switch A but on switch B, the 2 redundant ports of the other 2 dumb switches are blocked.
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch_A
!
enable secret 5 XXXX
enable password XXXX
!
ip subnet-zero
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast max-update-rate 32000
spanning-tree uplinkfast
spanning-tree vlan 1 priority 12288
spanning-tree mst 1 priority 28672
!
!
interface Port-channel1
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 spanning-tree portfast
!
interface FastEthernet0/6
 spanning-tree portfast
!
interface FastEthernet0/7
 spanning-tree portfast
!
interface FastEthernet0/8
 spanning-tree portfast
!
interface FastEthernet0/9
 spanning-tree portfast
!
interface FastEthernet0/10
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 spanning-tree portfast
!
interface FastEthernet0/13
 spanning-tree portfast
!
interface FastEthernet0/14
 spanning-tree portfast
!
interface FastEthernet0/15
 spanning-tree portfast
!
interface FastEthernet0/16
 spanning-tree portfast
!
interface FastEthernet0/17
 spanning-tree portfast
!
interface FastEthernet0/18
 spanning-tree portfast
!
interface FastEthernet0/19
 spanning-tree portfast
!
interface FastEthernet0/20
 spanning-tree portfast
!
interface FastEthernet0/21
 spanning-tree portfast
!
interface FastEthernet0/22
 spanning-tree portfast
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 channel-group 1 mode on
 spanning-tree cost 1
!
interface GigabitEthernet0/2
 channel-group 1 mode on
 spanning-tree cost 1
!
interface Vlan1
 ip address 10.100.1.1 255.255.255.0
 no ip route-cache
!
ip http server
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server enable traps c2900
snmp-server enable traps vtp
snmp-server enable traps MAC-Notification
snmp-server enable traps hsrp
snmp-server enable traps cluster
snmp-server enable traps vlan-membership
!
line con 0
line vty 0 4
 password spatial
 login
line vty 5 15
 password spatial
 login
!

Switch_A#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
Portfast is disabled by default
PortFast BPDU Guard is disabled by default
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is enabled
BackboneFast is disabled
Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0         20         20
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        0         0        0         20         20

Station update rate set to 32000 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs) : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0
 
Of course you will have redundant ports blocked, this is how STP works - at any time there will be just one link active from any switch to root bridge. The setup with root bridge is fine - you surely want to have switch with gigabit links to be a root bridge, however this also depends on your switched topology. One way how to not have redundant links blocked is to use Etherchannel or segment your network to VLANs, since Cisco creates STP per VLAN.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
Peter,
I know it blocks redundant links. It is just curious which links are getting blocked. Those links on my A switch (one 2950) are being opened and on the B switch (the other 2950) are being blocked. I like the way it is working now as long as they go from blocking to forwarding in under 2 seconds we're fine. (Ah, the joys of working near-real-time.)
 
Ports on root switch will never be in blocked state. The rest is based on Bridge IDs and whichever is higher than this one will have ports blocked... this is very simple though and if you are curious, why not to read something on inner workings of STP?

And the command spanning-tree portfast keeps links going up in 2 seconds after a failure, however you can read recommendations not to configure portfast on ports that connect your switches together:


Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
As a general practice use portfast on access ports only.
As your network grows someone eventually will make an improper patch and bring your network down. Be careful with portfast!!!!
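
An added example, not part of the original thread or any poster's code: a short Python audit for the portfast advice above. It flags portfast on channel members and portfast ports with no BPDU guard. The sample config is constructed in the style of the Switch_A listing; `spanning-tree bpduguard enable` and `spanning-tree portfast bpduguard default` are standard IOS commands, and their availability on this 12.1 image is an assumption.

```python
# Constructed sample in the style of the Switch_A listing (not the real config).
SAMPLE_CONFIG = """\
spanning-tree uplinkfast
!
interface FastEthernet0/5
 spanning-tree portfast
!
interface FastEthernet0/6
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 channel-group 1 mode on
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":          # "!" closes an interface block
            current = None
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def audit_portfast(config):
    """Return (interface, issue) pairs for risky portfast settings."""
    global_lines, interfaces = parse_interfaces(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, cmds in interfaces.items():
        if not any(c.startswith("spanning-tree portfast") and not c.endswith("disable") for c in cmds):
            continue
        if any(c.startswith("channel-group") for c in cmds):
            findings.append((name, "portfast on inter-switch link"))
        elif not (guard_default or "spanning-tree bpduguard enable" in cmds):
            findings.append((name, "portfast without BPDU guard"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_portfast(SAMPLE_CONFIG):
        print(name, issue)
```
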
 
Peter,
Portfast is only good for edge devices. Uplink-fast is used for switches. If you look at my configuration above, you can see the set up used.
Don
 
Don't get me wrong, but I think I am starting to lose the point, the "what about" in your questions...

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 