2

Can I get some advice on what STP features to enable as best practice please, mainly to mitigate loops? In the past a user mistakenly connected two floor ports together causing a loop.

Below are the global settings, but on individual access ports I have bpdu guard and port fast enabled.

Switch is in rapid-pvst mode
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
Zac67

gs78
  • Thanks Zac67 for fixing the formatting – gs78 Jun 06 '22 at 13:25
  • Best practice is to avoid Radia Perlman's spanning tree protocol as much as possible. If you post the actual switch models you are deploying you'll get some good advice on best topology. – Ronnie Royston Jun 07 '22 at 02:31
  • @RonnieRoyston I hope your advice is about avoiding the original 802.1D STP protocol and not about the significantly improved RSTP and MSTP. Those have their shortcomings as well but are pretty much irreplaceable in a complex network. – Zac67 Aug 14 '22 at 16:02
  • Has any answer solved your question? Then please accept it or your question will keep popping up here forever. Please also consider voting for useful answers. – Zac67 Nov 03 '22 at 18:34

2 Answers

2

The most important thing is to select your root bridge by setting it to the lowest priority value. Default is 8/32768, the root should be 0/0 or 1/4096. The root bridge is the base of your spanning tree(s) - if you leave that to chance, some minor edge switch might become root (based on its MAC address).

RPVST+ forms a separate spanning tree for each VLAN, so you should be aware of that, possibly selecting other root bridges for those.

RPVST+ does not interoperate with IEEE MSTP or RSTP. If you (plan to) use non-Cisco switches you might want to use MSTP.

The rest of your config is AOK.

Zac67
  • Forgot to mention, my root bridge is set to 4096 for all the relevant VLANs. So, with my current setup, any loop caused by user error will be mitigated? – gs78 Jun 06 '22 at 13:38
  • Yes, any loop between STP ports. A loop on a switch not participating in STP isn't detected if that switch filters BPDUs (few unmanaged switches actually do). – Zac67 Jun 06 '22 at 13:58
  • May be a dumb question. How does inter-connecting two access ports cause BPDUs to be seen on that port? – gs78 Jun 07 '22 at 15:36
  • @gs78 All ports participating in STP send out BPDUs in hello time intervals. If one of the switch's own BPDUs is received on an access port, there's a direct loop, so STP logically blocks the port. BPDU-guard even administratively shuts down the port to counter the connection of rogue switches. – Zac67 Jun 07 '22 at 15:52
2

You should connect switches with trunk links and limit the VLANs allowed on each trunk to only those used on the switch with the switchport trunk allowed vlan <vlan list> command.

Use the global spanning-tree portfast default and spanning-tree portfast bpduguard default commands. That will enable those on all access interfaces, but not trunk interfaces. If someone then mistakenly connects the access interfaces of two switches, the interface will errdisable when it sees BPDUs, preventing a loop.

Some more best practices we got from Cisco (see this answer):

Do not use a native VLAN.

Disable the VLAN 1 SVI on all switches and do not include VLAN 1 in the switchport trunk allowed vlan <vlan list>.

Only connect access switches to the distribution switches; never connect an access switch to an access switch (no daisy-chaining). Use "V" shaped connections (connect the access switch only to both distribution switches), not "U" shaped connections.

Do this:

 ------------------    ------------------
 | Distribution 1 |----| Distribution 2 |
 ------------------    ------------------
        \          \  /         /
         \          \/         /
          \         /\        /
           \       /  \      /
       ------------    -----------
       | Access 1 |    | Access 2|
       ------------    -----------

Not this:

 ------------------    ------------------
 | Distribution 1 |----| Distribution 2 |
 ------------------    ------------------
        \                       /
         \                     /
          \                   /
           \                 /
       ------------    -----------
       | Access 1 |----| Access 2|
       ------------    -----------

Use different VLANs on each access switch. One access switch per VLAN (not one VLAN per switch as some people think). You can have as many VLANs on an access switch as you like, but those VLANs should not be extended to any other access switch.

Disable VTP by using the vtp mode transparent command. You will need to manually create the VLANs used on each switch.

Specifically use the switchport mode trunk command on the trunk interfaces and the switchport mode access command on the access interfaces and use the switchport nonegotiate command on all the switch interfaces to prevent DTP autodetection.

Ron Maupin
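The following is an added example, not code from either answer or from Cisco. It parses the global "show spanning-tree summary" output exactly as the question quoted it, checks it against the global defaults Ron Maupin recommends (PortFast and BPDU Guard defaults on, BPDU Filter default left off, rapid-pvst mode), and generates the IOS commands for the root-bridge priority Zac67 describes and for the trunk ports in the second answer. The sample summary text is constructed from the question; the function names and the WANTED table are this example's own. The priority check (a multiple of 4096 between 0 and 61440) reflects the constraint IOS enforces when extended system ID is enabled.

```python
import re

# Constructed sample input: the global 'show spanning-tree summary' lines quoted in the question.
SAMPLE_SUMMARY = """\
Switch is in rapid-pvst mode
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
"""

# Global defaults the answers recommend: (key as printed by IOS, lowercased),
# the wanted state, and the global-config command that produces it.
WANTED = [
    ("portfast default", "enabled", "spanning-tree portfast default"),
    ("portfast bpdu guard default", "enabled", "spanning-tree portfast bpduguard default"),
    # BPDU filter would suppress the very BPDUs that BPDU guard relies on, so it stays off.
    ("portfast bpdu filter default", "disabled", "no spanning-tree portfast bpdufilter default"),
]

MODE_RE = re.compile(r"^Switch is in (\S+) mode$")
SETTING_RE = re.compile(r"^(?P<key>.+?)\s+is\s+(?P<value>\S+)$")


def parse_summary(text):
    """Turn 'show spanning-tree summary' lines into {key: value}, e.g. {'portfast default': 'disabled'}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = MODE_RE.match(line)
        if m:
            settings["mode"] = m.group(1).lower()
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group("key").strip().lower()] = m.group("value").lower()
    return settings


def audit_summary(settings):
    """Compare parsed settings with WANTED; return (human-readable findings, remediation commands)."""
    findings, commands = [], []
    if settings.get("mode") != "rapid-pvst":
        findings.append(f"mode is {settings.get('mode', 'unknown')}, expected rapid-pvst")
        commands.append("spanning-tree mode rapid-pvst")
    for key, wanted, cmd in WANTED:
        actual = settings.get(key, "missing")
        if actual != wanted:
            findings.append(f"{key} is {actual}, expected {wanted}")
            commands.append(cmd)
    return findings, commands


def vlan_list(vlans):
    """Compact a VLAN collection into IOS range syntax: {10, 11, 12, 20} -> '10-12,20'."""
    ids = sorted(set(vlans))
    ranges, start = [], None
    for i, v in enumerate(ids):
        if start is None:
            start = v
        if i + 1 == len(ids) or ids[i + 1] != v + 1:
            ranges.append(str(start) if start == v else f"{start}-{v}")
            start = None
    return ",".join(ranges)


def root_bridge_commands(vlans, priority=4096):
    """Command that pins this switch as root for the given VLANs (Zac67's advice: 0 or 4096).
    With extended system ID the priority must be a multiple of 4096 in 0..61440."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return [f"spanning-tree vlan {vlan_list(vlans)} priority {priority}"]


def trunk_port_commands(vlans):
    """Interface commands for an uplink trunk: static trunk, no DTP, and an allowed list
    that never carries VLAN 1 (Ron Maupin's advice)."""
    allowed = [v for v in vlans if v != 1]
    return [
        "switchport mode trunk",
        "switchport nonegotiate",
        f"switchport trunk allowed vlan {vlan_list(allowed)}",
    ]


if __name__ == "__main__":
    findings, commands = audit_summary(parse_summary(SAMPLE_SUMMARY))
    for f in findings:
        print("finding:", f)
    print("\n".join(commands + root_bridge_commands([10, 20]) + trunk_port_commands([1, 10, 20])))
```

Feed the script the summary from each switch in turn; only the intended root should receive the priority command, and the allowed-VLAN list on each trunk should contain just the VLANs used behind that link.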