Best practice design

AAS
New here

Hello all,

We are looking for best practice for the below:

Connect 1 MX (FW) firewall to 2 MS (SW00 & SW01) switches with full resiliency:

We have 1 MX85 and 2 x MS130-48P and we would like to achieve the below:

1- Connect the switches to each other with 2 ports in an LACP trunk with all VLANs:

We will connect ports 10 and 11 on SW00 to ports 10 and 11 on SW01 in LACP in trunk mode, and we have RSTP enabled and the STP bridge priority set to 4096 for SW00 and 8192 for SW01. Are we supposed to enable any STP guard on those ports?

SW00 Port 10 --> SW01 Port 10

SW00 Port 11 --> SW01 Port 11

2- Connect the firewall to each switch so that, if SW00 goes down, traffic will not be impacted (to prevent a single point of failure):

FW Port 5 --> SW00 Port 1

FW Port 6 --> SW01 Port 1

FW Port 7 --> SW00 Port 2 (access port for management)

FW Port 8 --> SW01 Port 2 (access port for management)

Currently port 1 on each switch is connected to the firewall on ports 5 and 6 respectively in trunk mode. On SW00 we are enabling Loop Guard STP on port 1 and it is working as expected; however, when we enabled Loop Guard on the other switch, SW01, the switch goes down (loses access to the internet and is shown as down on the dashboard). To make it work we enabled Root Guard STP on port 1 on SW01, and we started to see the message "Root guard activated, STP discarding packets". The same situation applies to the access port for management (port 2 on the switches).

The question for this part is what we are supposed to use as the STP guard on the ports between the switches and the firewall to make this work.

Diagram: [image Capture.PNG, not reproduced]

2 Replies

alemabrahao
Kind of a big deal

If the MX receives BPDUs on the LAN, these BPDUs will be re-forwarded within the broadcast domain they were received on. If there are multiple switches connected to the LAN of the MX participating in an STP election, all BPDUs sent to the MX will be forwarded to other links with the same VLAN allowed, which can cause switches to see BPDUs from multiple other switches, causing ports to get into an unknown/unidentifiable state and impacting the root bridge election process.

 

Below is a diagram illustrating how the STP election process can be affected by this MX LAN forwarding behavior - when 3+ switches are connected in the same broadcast domain, each switch will receive BPDUs from 2 or more switches on their connected uplinks. In the case of switches 2 and 3, the uplink is both a root port and a designated port from the switches' perspectives, causing the ports to go into an unknown state. In practice, this can also result in rapid STP port status changes for uplinks on multiple switches.

[image alemabrahao_0-1756727661013.png, diagram of the STP election described above, not reproduced]

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Layer_2_Functionality#Spanning_Tree_Prot...)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GIdenJoe
Kind of a big deal

Best practice design using non-stackable switches means you need to connect lower numbered ports between the switches and have higher numbered ports connected from the switches to the firewall. However, if you use port-channels, ONLY have dual links between the switches in a port channel and have single links from each switch to the upstream MX.


About your root guard enquiry: The MX does not participate in STP and does not even know the protocol and will just forward BPDUs. So when your MS sends a BPDU upstream on the port towards the MX, the MX will just forward it out its other ports, including the one going to the other switch. This is why you just don't enable any STP guard on ports leading UP to the MX. You can still use root guard on the switch acting as root bridge towards the other switch on the port channel.
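The behaviour both replies describe, worked through as a small model added here for illustration (it is not code from the thread, from Meraki, or from either poster): the MX reflects each switch's BPDUs onto the other switch's MX-facing port, so with priorities 4096/8192 SW01 hears the root's BPDUs on port 1 and root guard fires there, while the same guard on the root bridge SW00 does nothing. Assumed and not stated in the thread: the port labels "lag" and "p1", and IEEE 802.1D-2004 path costs (20000 for a 1 Gbps link, 10000 for the 2 Gbps LACP bundle); the loop-guard outage itself is not modelled, only the port roles that guard acts on.

```python
# Constructed model of the thread's topology (added example, not Meraki's code or docs):
# SW00 priority 4096, SW01 priority 8192, a two-port LACP bundle between them, and one
# trunk from each switch to the MX. The MX runs no STP and reflects every BPDU it hears
# onto its other LAN ports in the same VLAN, so each switch hears the other switch's
# BPDUs on its own MX-facing port. Assumed: port names "lag"/"p1" and IEEE 802.1D-2004
# path costs (20000 for 1 Gbps, 10000 for the 2 Gbps bundle).
PRIORITY = {"SW00": 4096, "SW01": 8192}
# (switch, port) -> (switch whose BPDUs arrive on this port, path cost of this port)
LINKS = {
    ("SW00", "lag"): ("SW01", 10000), ("SW01", "lag"): ("SW00", 10000),
    ("SW00", "p1"):  ("SW01", 20000), ("SW01", "p1"):  ("SW00", 20000),  # reflected by MX
}

def root_bridge():
    """Lowest priority wins the election (bridge MAC tie-break is not needed here)."""
    return min(PRIORITY, key=lambda s: (PRIORITY[s], s))

def port_roles(switch):
    """RSTP roles on one switch: every port of the root is designated; elsewhere the
    cheapest path to the root is the root port and any other port that also hears the
    root's BPDUs is an alternate port, which RSTP keeps discarding."""
    root = root_bridge()
    ports = {p: (peer, cost) for (s, p), (peer, cost) in LINKS.items() if s == switch}
    if switch == root:
        return {p: "designated" for p in ports}
    to_root = {p: cost for p, (peer, cost) in ports.items() if peer == root}
    best = min(to_root, key=lambda p: (to_root[p], p))
    return {p: ("root" if p == best else "alternate" if p in to_root else "designated")
            for p in ports}

def guard_outcome(switch, port, guard):
    """What a dashboard STP guard does on this port, given which bridge it hears from."""
    role = port_roles(switch)[port]
    peer, _ = LINKS[(switch, port)]
    superior = PRIORITY[peer] < PRIORITY[switch]      # a better bridge than me is talking
    if guard == "root guard" and superior:
        return "Root guard activated, STP discarding packets"   # the message in the thread
    if guard == "bpdu guard":                          # every port here receives BPDUs
        return "BPDU guard: port would be shut down on the first BPDU"
    if guard == "loop guard" and role != "designated":
        return f"{role} port: loop guard keeps it discarding if BPDUs stop arriving"
    return f"{role} port, {'discarding' if role == 'alternate' else 'forwarding'}"

def audit(config):
    """GIdenJoe's rule: no guard on ports leading up to the MX; root guard only on the
    root bridge's port toward the other switch. config: {(switch, port): guard}."""
    findings = []
    for (sw, port), guard in config.items():
        if port == "p1" and guard != "disabled":
            findings.append(f"{sw} {port}: {guard} on an MX-facing port, set it to disabled")
        if port == "lag" and guard == "root guard" and sw != root_bridge():
            findings.append(f"{sw} {port}: root guard belongs on the root bridge side only")
    return findings
```

Running `audit` over the poster's current settings (loop guard on SW00 port 1, root guard on SW01 port 1) flags both MX-facing ports, while root guard on SW00's port channel passes.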
