Best practice design

AAS
Hello all,

We are looking for best practice for the below:

Connect 1 MX (FW) firewall to 2 MS (SW00 & SW01) switches with full resiliency:

We have 1 MX85 and 2 x MS130-48P and we would like to achieve the below:

1- Connect the switches to each other with 2 ports in an LACP trunk carrying all VLANs:

We will connect port 10 and port 11 on SW00 to port 10 and port 11 on SW01 in LACP in trunk mode. We have RSTP enabled and the STP bridge priority set to 4096 for SW00 and 8192 for SW01. Are we supposed to enable any STP guard on those ports?

SW00 Port 10 --> SW01 Port 10
SW01 Port 11 --> SW01 Port 11

2- Connect the firewall to each switch so that if SW00 goes down the traffic will not be impacted (to prevent a single point of failure):

FW Port 5 --> SW00 Port 1
FW Port 6 --> SW01 Port 1

FW Port 7 --> SW00 Port 2 (access port for management)
FW Port 8 --> SW01 Port 2 (access port for management)

Currently port 1 on each switch is connected to the firewall, on port 5 and port 6 respectively, in trunk mode. On SW00 we have enabled Loop Guard STP on port 1 and it is working as expected; however, when we enabled Loop Guard on the other switch, SW01, the switch goes down (loses access to the internet and is shown as down on the dashboard). To make it work we have enabled Root Guard STP on port 1 on SW01, and we started to see the message "Root guard activated, STP discarding packets". The same situation applies to the access port for management (port 2 on the switches).

The question for this part is what we are supposed to use as the STP guard on the ports between the switches and the firewall to make this work.

 

Diagram: [image Capture.PNG not included in this extract]

1 Reply

alemabrahao
If the MX receives BPDUs on the LAN, these BPDUs will be re-forwarded within the broadcast domain on which they were received. If there are multiple switches connected to the LAN of the MX participating in an STP election, all BPDUs sent to the MX will be forwarded to the other links with the same VLAN allowed, which can cause switches to see BPDUs from multiple other switches, causing ports to get into an unknown/unidentifiable state and impacting the root bridge election process.

Below is a diagram illustrating how the STP election process can be affected by this MX LAN forwarding behavior: when 3+ switches are connected in the same broadcast domain, each switch will receive BPDUs from 2 or more switches on its connected uplinks. In the case of switches 2 and 3, the uplink is both a root port and a designated port from the switches' perspective, causing the ports to go into an unknown state. In practice, this can also result in rapid STP port status changes for uplinks on multiple switches.

 

[Diagram image alemabrahao_0-1756727661013.png not included in this extract]
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Layer_2_Functionality#Spanning_Tree_Prot...)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
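The two symptoms described in this thread, the "Root guard activated, STP discarding packets" message and rapid STP port status changes on uplinks, are both visible in switch event logs before anyone notices an outage. The following is an added example, not code from the original post or from Meraki, that parses a constructed event log and reports per-port root-guard activations and ports whose STP role flaps repeatedly within a short window. The log line format, the "STP port role change" event name and the sample entries are all assumptions made up for this example; only the root-guard message text comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real dashboard export). The line layout and the
# "STP port role change" event name are assumptions for this example; the
# root-guard message is the one quoted in the thread.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z SW01 port=1 event="Root guard activated, STP discarding packets"
2025-09-01T10:00:03Z SW01 port=1 event="STP port role change" role=designated
2025-09-01T10:00:04Z SW01 port=1 event="STP port role change" role=root
2025-09-01T10:00:05Z SW01 port=1 event="STP port role change" role=designated
2025-09-01T10:00:06Z SW01 port=1 event="STP port role change" role=root
2025-09-01T10:00:09Z SW01 port=2 event="Root guard activated, STP discarding packets"
2025-09-01T10:01:00Z SW00 port=10 event="STP port role change" role=designated
2025-09-01T10:05:00Z SW00 port=1 event="STP port role change" role=designated
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<switch>\S+) port=(?P<port>\d+) '
    r'event="(?P<event>[^"]+)"(?: role=(?P<role>\S+))?$'
)


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["port"] = int(rec["port"])
        events.append(rec)
    return events


def root_guard_activations(events):
    """Count root-guard activations per (switch, port)."""
    counts = defaultdict(int)
    for e in events:
        if e["event"].startswith("Root guard activated"):
            counts[(e["switch"], e["port"])] += 1
    return dict(counts)


def flapping_ports(events, window=timedelta(seconds=10), min_changes=3):
    """Return {(switch, port): n} for ports with >= min_changes role changes
    inside any sliding window of the given length (n is the largest count)."""
    by_port = defaultdict(list)
    for e in events:
        if e["event"] == "STP port role change":
            by_port[(e["switch"], e["port"])].append(e["ts"])
    flapping = {}
    for key, stamps in by_port.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            j = i
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= min_changes:
            flapping[key] = best
    return flapping


def summarize(text):
    """Run both checks over raw log text."""
    events = parse_log(text)
    return {
        "root_guard": root_guard_activations(events),
        "flapping": flapping_ports(events),
    }


if __name__ == "__main__":
    for name, result in summarize(SAMPLE_LOG).items():
        for (switch, port), n in sorted(result.items()):
            print(f"{name}: {switch} port {port} -> {n}")
```

On the sample data this reports root-guard activations on SW01 ports 1 and 2 (the two MX-facing ports from the question) and flags SW01 port 1 as flapping with four role changes in under ten seconds; the isolated single changes on SW00 stay below the threshold. Feeding real exported events in, after adapting `LINE_RE` to their actual layout, gives a quick way to confirm whether the MX BPDU re-forwarding effect the reply describes is what the switches are seeing.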