Flat Network & no Spanning tree?

I have a large network with 8 2950s powered by a 2821, with 30 VLANs. The network has no loops or redundancy. Question 1: do I need to have spanning tree running, and why?
If not, how do I disable it?

I am sure you have heard the line "run the spanning-tree even when you do not have any loops in the network", and generally our recommendation is to leave it on, which is the default, even if you have no redundancy but have etherchannels (etherchannels with ON mode can cause transient spanning-tree loops).
Traditionally the problem that people have had with spanning-tree has been large convergence times (of the order of 30 - 50 seconds), and someone coming from a SONET, optical background (the folks who are used to convergence times of 50 msec) doesn't generally like that. So the bottom line is you can turn it off so long as you make sure you have absolutely no redundancy and no etherchannels.
The command is as simple as
no spanning-tree
on all IOS based switches.
Hope this helps.
thanks
Salman Z.

Similar Messages

  • Prime Infrastructure 2.2 - Network Topology View - Spanning Tree View

    Hello Team,
    Is it possible on PI 2.2 (latest version) under Maps/Network Topology View to be able to "monitor" the spanning-tree performance?
    thanks in advance,
    George

    Sorry but that's not a currently offered feature.
    It would be nice - the Netsys product that Cisco acquired 18-1/2 years ago (and subsequently abandoned) used to do this quite nicely.

  • Debug spanning-tree bpdu brought the network down

    I'm troubleshooting a pair of Dell Power-Connect switches in a Dell blade chassis connected to a pair of Cisco 4900M switches. I have my 4900M switches set as spanning-tree root and backup root. The Dell switches are connected via LACP trunks to the 4900M's. Dell switch 1 to 4900 #1 and Dell switch 2 to 4900M #2. Both of the Dell switches are reporting as root switches.
    I was trying to troubleshoot this yesterday and ran 'debug spanning-tree bpdu' on the primary 4900M. There was a massive amount of BPDU events scrolling by. This debug command actually took the network down. The primary 4900M was non-responsive and the secondary unit had its CPU go to 100%. The fix was to power cycle the primary 4900M.
    Why did this command take my network down?
    --Patrick

    Typically, the device prioritizes console output ahead of other functions. The debug spanning-tree bpdu generates a lot of output. That is what jumped the CPU to 100% and ultimately caused the device to crash.
    You should be very careful with debug commands and log to the internal buffer, instead of the console.
    See: http://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html.

  • Different spanning tree modes in 1 network

    I've noticed that we use MST and PVST in our network. Is this a good way to tackle spanning tree? (I guess not.) And how am I able to disable MST and use PVST instead?
    Also, what impact will it have if I change MST to PVST?

    MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances. MST converges faster than PVST. Refer to the following URL for more information:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e71a.html#wp1050594

  • ISE - 802.1X - Loop not detected by spanning-tree

    Hello,
    I have recently implemented 802.1X on 3750-X switches running the 15.0(2)SE IOS version.
    The spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
    A user has created a loop on the network by connecting his Cisco IP phone twice to the network: one wire connected normally from the switch to the RJ-45 phone connector, and the second wire, which should be connected to the PC, had also been connected to the switch!
    The loop created has not been detected by the switch!
    I have made several tests and re-created the problem 3 times out of 4 (only one time, the loop was detected by bpduguard 20 seconds after the port came up).
    Note that without 802.1X configured on the same switch port, the loop is quickly detected and the ports are err-disabled and shut down.
    The switch port config with 802.1X is the following:
    interface GigabitEthernet1/0/9
     switchport access vlan 950
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 955
     no logging event link-status
     authentication control-direction in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 950
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     storm-control broadcast level 10.00
     storm-control multicast level 10.00
     spanning-tree portfast
    If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
    Is there any reason for spanning-tree not to work properly with 802.1X?
    Thanks,
    Olivier

    Hello Olivier
    When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
    Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast, configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
    http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
    http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
    https://learningnetwork.cisco.com/thread/21103
    http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
    Please rate if this helps

  • Switching Best Practice - Spanning Tree and Etherchannel

    Dear All,
    Regarding best practice related to Spanning Tree and Etherchannel, we have decided to configure following.
    1. Manually configure STP Root Bridge.
    2. On end ports, enable portfast and bpduguard.
    3. On ports connecting to other switches enable root guard.
    In the etherchannel config, we have kept mode on on both sides; we need to change to active and desirable, as I have read that mode on may create loops? Please let me know if this is OK and suggest if something is missing.
    Thank You,
    Abhisar.

    Hi Abhisar,
    Regarding your individual decisions: Manually configuring the Root Bridge is a natural thing to do. You should never let your network just pick a root switch based on default switch settings.
    On end ports, using PortFast and BPDU Guard is a must especially if you are running Rapid PVST+ or MSTP.
    Regarding the Root Guard on ports to other switches - this is something I do not recommend. The Root Guard is a protective mechanism in situations when your network and the network of your customer need to form a single STP domain, yet you want to have the STP Root Bridge in your network part and you do not want your customer to take over this root switch selection. In these cases, you would put the Root Guard on ports toward the customer. However, inside your own network, using Root Guard is a questionable practice. Your network can be considered trustworthy and there is no rogue root switch to protect against. Using Root Guard in your own network could cause your network to be unable to converge on a new workable spanning tree if any of the primary links failed, and it would also prevent your network from converging to a secondary root switch if the primary root switch failed entirely. Therefore, I personally see no reason to use Root Guard inside your own network - on the contrary, I am concerned that it would basically remove the possibility of your network to actually utilize the redundant links and switches.
    Regarding EtherChannels - yes, you are right, using the on mode can, under certain circumstances, lead to permanent switching loops. EtherChannel is one of the few technologies in which I wholeheartedly recommend relying on a signalling protocol to set it up, as opposed to configuring it manually. The active mode is my preferred mode, as it utilizes the open LACP to signal the creation of an EtherChannel, and setting both ends of a link to active helps to bring up the EtherChannel somewhat faster.
    If you are using fiber links between switches, I recommend running UDLD on them to be protected against issues caused by uni-directional links. UDLD is not helpful on copper ports and is not recommended to be run on them. However, I strongly recommend running Loop Guard configured globally with the spanning-tree loopguard default. Loop Guard can, and should, be run regardless of UDLD, and they can be used both as they nicely complement each other.
    My $0.02...
    Best regards,
    Peter

  • SGE2010 switches, VLAN's and a blocked port in spanning-tree

    Folks,
    I have 2 switch groups.
    2 SGE2010's with VLAN's defined as 10,20 and 30
    Vlan 10 is the management VLAN, and it uplinks to our border router.
    Vlan 20 is the workstation VLAN, and all workstations point to the switch as their default GW
    Vlan 30 is the ip phone VLAN, and all phones use this as their gateway.
    I would like to put a LAG between said switches, we have some servers on the ip phone switch that need to be accessed by the workstation clients, and the single 100mb link through the router is probably not going to be enough.
    As I understand it, because the switches have different networks on them, a simple LAG will not work. I did create a LAG and assign IP addresses to each side; however, in that mode it doesn't appear I can block vlan 10 from transiting the LAG, and without that block I will end up with a logical loop, and spanning-tree will block one of the uplinks, or the LAG itself.
    I have attached an image with a diagram of our current set up.
    Any help/advice would be much appreciated.

    Tom,
    I remember our conversation a few weeks ago. I did not get a chance to have a go at MSTP, mainly because I have no experience with it, and looking at the configuration properties, it looks a little daunting.
    It has also been a very busy few weeks with the deployment of 200+ phones across several sites, and the system is functioning great without the LAG trunk; I am just trying to plan for the future.
    I made a few postings a few weeks ago, one here and one on the Cisco forums on reddit, and a user there gave me some advice I have been unable to make work (I think it's just wrong), but I would love to go this route if it is in fact possible.
    Here is the thread : http://www.reddit.com/r/Cisco/comments/x91tc/vlan_trunks_spanning_tree_and_a_port_blocked/c5kskch
    This user implies it's possible to block a VLAN across the LAG which would end the logical loop problems.
    It looks like his advice is to make the LAG into a trunk, and then block specific VLAN's from transiting it, but in trunk mode, I can't assign it an IP, so I am sorta wondering how exactly you transport packets across it.
    Can you confirm that his advice is in fact incorrect?
    If MSTP is my only route, then I suppose it's time to dig into the docs and see if I can't get it up and running.

  • When is it appropriate to use "spanning-tree bpdufilter enable"

    What exactly does enabling bpdu filter do? I see some examples where bpdu filtering is enabled on access ports. Is this correct or are there dangers in this approach?

    Hi John,
    A simple way of saying it would be that it disables STP on that port.
    BPDU filter filters the BPDUs in both directions, which means it effectively disables STP on the port.
    Detailed explanation:
    ===============
    BPDU filter, on the other hand, just filters BPDUs in both directions, which effectively disables STP on the port. BPDU filter will prevent inbound and outbound BPDUs but will remove the portfast state on a port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
    Following are the methods to configure BPDU filter in switches.
    Interface mode:
    spanning-tree bpdufilter enable
    (Results in the port not participating in STP; loops may occur.)
    Global mode:
    spanning-tree portfast bpdufilter default
    (It enables BPDU filtering on ports that have the port-fast configuration, so it sends a few BPDUs while enabling the port, then it filters BPDUs unless it receives a BPDU; after that it changes from port-fast mode and disables filtering so that the port operates like a normal port, because it has received a BPDU.)
    You should always allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports. You would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
    An example: In an office environment where someone needs another network drop under their desk but you don't have the time/budget to run a new line for now. You have been given a small switch but don't want it to break spanning tree. The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network, so you put bpdufilter on your switch port.
    Ref:https://supportforums.cisco.com/docs/DOC-11825
    HTH
    Regards
    Inayath
    *Plz rate if this info is helpful and mark as answered if this resolved your query.

  • Moving Toward Flat Networks

    What exactly is meant by a flat network? Please read on before you give a quick answer.
    I have some definite ideas, but I would love to hear other people's inputs, ideas and perceptions.
    The trend in the data center is to go in the direction of flat networks, which to me means that the multi-tiered architectural model can be collapsed into 2 layers. Juniper says they will collapse the data center into one tier: the Stratus project promises the equivalent of one gigantic logical switch.
    So, the implication is that there will be a flattening of the network in 2 ways: first, in terms of physical layers of networking and secondly, in terms of creating one logical L2 domain that is horizontally expanded (across data centers, too), but the redesigned L2 domain will not require STP, blocked uplinks, or unknown unicast flooding.
    I do require some clarification:
    1.) How exactly can the access and aggregation layers be flattened? If, for example, one can stack all the top of rack (access layer) switches to create a single virtual chassis and then do the same, or something similar, like VSS, to the aggregation layer, the result is that each layer will see the other layer as one switch. So, 10 access switches will look like 1 switch to the aggregation layer, and 2 aggregation layer switches will look like 1 switch to the access layer. This will allow one to create multi-chassis etherchannels that can expand the network horizontally, HOWEVER, there are still 2 layers of networking.
    Does this make sense?
    2.) The value in spanning L2 domains across data centers in a services-oriented architecture is clear. It facilitates vMotion and vStorage and creates clusters of compute and storage resources, which can be leveraged for SAN replication, disaster recovery, cloud computing (IT/Software as a Service), and running active/active application services.
    But does flattening the network mean that there will be one massive subnet that will be considered one broadcast domain? Albeit, unicast flooding and ARPs will have to be re-engineered to operate in this environment. This doesn't seem likely.
    Any thoughts?
    Thanks

    There are as many ways to skin the cat as you can dream up.
    But clearly you cannot expect to change roles completely and have everything stay the same.. although the Mac should not need to start over.. TM should be able to have multiple setups where it recognises the different network layouts.. at least with ML it can do that. If you are using SL as per your profile.. no.. it has to be manually setup.
    The first obvious solution is this.
    Network B: Mac connects to LAN via a non-Apple wi-fi router; TC connects to Mac via ethernet cable
    Do the same in network A.. Use the Mac by wireless for internet.. and backups to the TC connected directly by ethernet. Do not plug the TC into the network.
    A variation on this.
    You can even do it by ethernet.. simply have a switch and plug in both Mac and TC.. but use the TC on a different IP address. You can set statically double IP on the one ethernet port.
    Even better plug in a USB drive and use that.. it will be faster, more stable, and more reliable for backups than the TC. Leave the TC in network A.

  • No Spanning-Tree Vlan # on C2950

    Hello everyone,
    I've recently found that one of the switches on my network (which I never set up) is running a "no spanning-tree vlan 3, 5, 10" command, which I want to remove, but I have been unable to. When I do try and type in "spanning-tree vlan 3" nothing comes up, but when I show spanning tree it lets me know that it doesn't exist.
    Is there a command I'm missing? (It's a larger number of vlans)
    Thanks in advance,
    David

    I'm not sure there would be anything for spanning tree to calculate if no ports on the switch are assigned to vlan 3.  Try assigning an unused port to vlan 3 and see if your output of sh spanning-tree vlan 3 changes.

  • Setting up ML cards in 454 so that Spanning Tree one side blocks

    Currently we have two ML 1000 cards in our main ONS 454. We have spanning tree set up on a 3560G switch that brings the IP portion of the SONET to all the other 310's in our network. Now when I do a sh spanning tree on both ports on the switch that go up to ports 1 on the ML 1000 cards, it shows me that both are in forwarding mode. How do I set this up so that one of them is blocking?
    Thanks

    Hi,
    if you remove "encryption mode ciphers aes-ccm tkip" from the radio interface does it help?
    it should remain like this:
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers aes-ccm tkip
    ssid WLAN_Corporate
    ssid WLAN_HartKitGuest
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Spanning Tree MST per Vlan, best practice

    Hi Community.
    I did the following MST Spanning Tree Config
    spanning-tree mst configuration
      name xxxxxxx
      revision 1
      instance 1 vlan 1, 10-20, 25, 30
    So I added every Vlan to the config which we use. But every time when I add one more vlan to the config the whole network gets a little outage.
    I see lots of MAC flaps on ports with two server links and the outage is for some seconds.
    Is it a better practice to add all possible Vlans to the config? So I do the config like that:
      instance 1 vlan 1-4096
    What do you think?
    Best Regards patrick

    Hi,
    So I added every Vlan to the config which we use. But every time when I add one more vlan to the config the whole network gets a little outage.
    Correct, that is normal behavior with MST.
    I would just add "instance 1 vlan 1-4094" this way there is no outage when you bring up a new vlan.
    HTH

  • Nexus spanning tree pseudo configuration

    Hi
    I am trying to understand the pseudo configuration commands in a Nexus hybrid topology.
    I have vlans a, b and c only in the vPC side of the topology.  I have peer switch configured and the same stp priority on both switches.
    In the standard Spanning-tree topology I have completely separate vlans x, y and z.
    What should I be configuring in the pseudo config section? Do I define a pseudo root priority for all vlans a, b, c and x, y, z, or just for the standard spanning tree vlans x, y and z? I need to avoid any, even short, spanning tree outages if I take one Nexus out of service for a short time.
    My thinking is that if one Nexus is out of service the physical mac will be used and potentially reduce the root priority of the vPC vlans causing a TCN and STP recalculation in vlans a, b and c.  This can be avoided by configuring a pseudo root priority for all Vlans lower than the current spanning tree priority shared by the vPC peers.  Is this correct ?  However, since I have a shared priority of 8192 on current vPC vlans will configuring, for example, a pseudo root priority of 4096 on those vPC vlans won't this also cause the TCN and recalculation I am trying to avoid ?  Is the benefit of the pseudo root config only obtained if it is configured at the start when the vPC is formed and prior to the peer switch command being issued ?
    Thanks, Stuart.

    Hi Ajay,
    It is recommended that switch-to-switch links are configured with the spanning-tree port type normal command. The one exception is the vPC peer-link, which is recommended to be configured with the spanning-tree port type network command.
    Take a read of the Best Practices for Spanning Tree Protocol Interoperability from page 56 of the vPC Best Practice Design Guide for further information on this.
    Regards

  • View spanning tree configuraton for all the switches in ciscoworks

    Hi All,
    Is there any way I can see spanning tree configuration for all the switches we have on our networks in Ciscoworks.
    Waiting for your kind reply.
    Thanks in advance
    samir

    This can be done from within Campus Manager's Topology Services. Open up the LAN Edge View map, and you should see some switch clouds on the map. If you drill into one of the clouds, you should see a Spanning Tree option in the right-hand tree. If you expand this, you can visualize the spanning tree for MISTP or even for each VLAN.

  • Spanning-tree link-type shared

    Hi,
    I've this problem.
    My PC must boot its OS (Windows) from the network (the server sends the operating system by the PC's MAC address).
    The PC needs an IP address within 5-10 seconds.
    I tried it using a hub, and the PC loads the OS correctly and works properly.
    I tried on my network (without the hub) using a Catalyst switch in 2 ways:
    IOS and CatOS
    For IOS I found this solution:
    I use the following CLI:
    spanning-tree portfast
    spanning-tree link-type shared
    In this case I resolved my problem.
    For CatOS, this command does not work properly.
    I use the following CLI:
    set spantree portfast mod/port enable
    set spantree link-type mod/port shared
    Afterwards, if I look at the configuration, I find the CLI
    "set spantree mst link-type mod/port shared"
    Can you help me?
    Thanks
    FCostalunga

    Configuring a port's STP link type to shared is sort of invalid if the port is also configured as an STP portfast port. 'Shared' effectively means this is a half-duplex connection to a hub that may also be connected to another switch (hence it can't be a point-to-point link). Normal STP operation should operate over 'shared' links and you won't get the rapid start a P2P link has.
    If the port is connected directly to a host then simply configuring the port as a portfast port will be enough (it will also make it a P2P link by default).
    HTH
    Andy
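
Several of the threads above name settings that weaken loop protection: EtherChannel in on mode, interface-level bpdufilter, PortFast without BPDU Guard, spanning tree disabled per VLAN, and Loop Guard not enabled globally. The following audit script is an added example, not code from any poster; the function names, rule labels and the sample running-config are constructed for illustration, and the parser assumes sub-commands are indented under their interface line.

```python
import re

# Constructed IOS-style running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
no spanning-tree vlan 3,5,10
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree bpdufilter enable
!
"""


def parse_config(text):
    """Split a config into global lines and per-interface sub-commands.

    Assumes sub-commands are indented under their 'interface' line, as in
    'show running-config' output.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif raw.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (scope, rule, detail) findings for the settings discussed above."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for line in global_lines:
        m = re.fullmatch(r"no spanning-tree vlan (.+)", line)
        if m:
            findings.append(("global", "stp-disabled", f"STP off for VLAN(s) {m.group(1)}"))
    if "spanning-tree loopguard default" not in global_lines:
        findings.append(("global", "no-loopguard", "Loop Guard not enabled globally"))
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    for name, cmds in interfaces.items():
        if any(re.fullmatch(r"channel-group \d+ mode on", c) for c in cmds):
            findings.append((name, "etherchannel-on", "static EtherChannel; use LACP active"))
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "bpdufilter", "BPDUs filtered; port no longer runs STP"))
        portfast = any(c in ("spanning-tree portfast", "spanning-tree portfast edge") for c in cmds)
        guarded = global_guard or "spanning-tree bpduguard enable" in cmds
        if portfast and not guarded:
            findings.append((name, "portfast-no-bpduguard", "PortFast without BPDU Guard"))
    return findings


if __name__ == "__main__":
    for scope, rule, detail in audit(SAMPLE_CONFIG):
        print(f"{scope:24} {rule:22} {detail}")
```

Configurations pasted from a forum, such as the 802.1X port above as originally posted, often lose their indentation and would need it restored before this parser groups them by interface.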
