Meraki recommended STP & UDLD config

MikeHunt
Here to help

Over the years we've built a couple of Meraki sites but seem to have ended up with slightly different configs & conflicting advice re root & loop guard usage.

Previously had months of site stability until recent core switch MLAG additions appear to have kicked off a bunch of weirdness like 'Port running LACP and LACP has disabled this port' madness knocking out a bunch of links unexpectedly. Firmware updating seems to have helped a lot, but I'm in need of a sanity check to clarify what Meraki's best practices for spanning tree are.

Is this the recommended STP & UDLD config for a LACP trunk between a stacked MS425 core & MS225 access switches?

Inter-Meraki Switch trunk - AGGR/x (Core-side)

  • Type = Trunk
  • Native = 1
  • Allowed = all (or as required)
  • RSTP = Enabled
  • STP Guard = Root Guard
  • UDLD = Alert

Inter-Meraki Switch trunk - AGGR/x (Access-Stack-side)

  • Type = Trunk
  • Native = 1
  • Allowed = all (or as required)
  • RSTP = Enabled
  • STP Guard = Loop Guard
  • UDLD = Enforce



And whilst we're on the topic....

All end devices, computers, servers, users, etc

  • Type = Access
  • RSTP = Enabled
  • STP Guard = BPDU Guard
  • UDLD = Alert Only

 

Non-Meraki Wi-Fi Access Point with VLANs

  • Type = Trunk
  • STP Guard = Root Guard
  • UDLD = Alert Only


 

Non-Meraki Switch with VLANs & any inbound STP not to be trusted

  • Type = Trunk
  • STP Guard = Root Guard
  • UDLD = Alert Only

 

Unmanaged Switch

  • Type = Access
  • STP Guard = BPDU Guard

 

Non-Meraki Firewall cluster, LACP Trunk to each HA Node - no STP support since failing over results in the MAC address jumping between ports

  • Type = Trunk
  • RSTP = Disabled
  • Native VLAN = 1
  • Allowed VLAN = (selected IDs as required)
  • UDLD = Alert Only



Trusted DAI not enabled globally, so that's not a factor.

Thanks in advance!
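The per-role settings above are easy to drift between sites, which is exactly the "slightly different configs" problem the post describes. The following is an added example (not from the post and not Meraki's code) that audits switch-port objects against those role baselines. It assumes the field names and value spellings of the Meraki Dashboard API switch-port object (type, vlan, allowedVlans, rstpEnabled, stpGuard, udld); the sample ports are constructed, and the role tags are a local convention, not an API field. It also adds one consistency rule the post implies but does not spell out: root guard and loop guard act on received BPDUs, so they do nothing on a port where RSTP is disabled (the firewall HA trunk case).

```python
"""Audit Meraki MS switch-port settings against per-role baselines.

Added example; field names follow the Meraki Dashboard API switch-port object
(an assumption). Sample ports below are constructed for illustration.
"""
from typing import Any

# Baseline per port role, taken from the post. Values are spelled the way the
# Dashboard API spells them (assumed); comparison is case-insensitive anyway.
BASELINES: dict[str, dict[str, Any]] = {
    "core-uplink":      {"type": "trunk",  "vlan": 1, "rstpEnabled": True,
                         "stpGuard": "root guard", "udld": "Alert only"},
    "access-uplink":    {"type": "trunk",  "vlan": 1, "rstpEnabled": True,
                         "stpGuard": "loop guard", "udld": "Enforce"},
    "end-device":       {"type": "access", "rstpEnabled": True,
                         "stpGuard": "bpdu guard", "udld": "Alert only"},
    "foreign-ap":       {"type": "trunk",  "stpGuard": "root guard", "udld": "Alert only"},
    "foreign-switch":   {"type": "trunk",  "stpGuard": "root guard", "udld": "Alert only"},
    "unmanaged-switch": {"type": "access", "stpGuard": "bpdu guard"},
    "firewall-ha":      {"type": "trunk",  "vlan": 1, "rstpEnabled": False,
                         "udld": "Alert only"},
}


def _norm(value: Any) -> Any:
    """Lower-case strings so 'Alert only' and 'alert only' compare equal."""
    return value.lower() if isinstance(value, str) else value


def audit_port(port: dict[str, Any], role: str) -> list[tuple[str, Any, Any]]:
    """Return (field, expected, actual) mismatches for one port against its role."""
    findings: list[tuple[str, Any, Any]] = []
    for field, expected in BASELINES[role].items():
        actual = port.get(field)
        if _norm(actual) != _norm(expected):
            findings.append((field, expected, actual))

    # Consistency rule: root/loop guard react to received BPDUs, so with RSTP
    # disabled on the port they are inert. Flag it so nobody relies on them.
    guard = _norm(port.get("stpGuard"))
    if port.get("rstpEnabled") is False and guard in ("root guard", "loop guard"):
        findings.append(("stpGuard", "not root/loop guard while RSTP is disabled",
                         port.get("stpGuard")))
    return findings


def audit_network(ports: list[tuple[dict[str, Any], str]]) -> dict[str, list[tuple[str, Any, Any]]]:
    """Map portId -> findings for every port that deviates from its role baseline."""
    report: dict[str, list[tuple[str, Any, Any]]] = {}
    for port, role in ports:
        findings = audit_port(port, role)
        if findings:
            report[port["portId"]] = findings
    return report


# Constructed sample: one clean core uplink, an access uplink that had the core
# profile copied onto it, an end-device port with no guard, and a firewall HA
# trunk that kept loop guard after RSTP was turned off.
SAMPLE_PORTS: list[tuple[dict[str, Any], str]] = [
    ({"portId": "1", "type": "trunk", "vlan": 1, "allowedVlans": "all",
      "rstpEnabled": True, "stpGuard": "root guard", "udld": "Alert only"}, "core-uplink"),
    ({"portId": "2", "type": "trunk", "vlan": 1, "allowedVlans": "all",
      "rstpEnabled": True, "stpGuard": "root guard", "udld": "Alert only"}, "access-uplink"),
    ({"portId": "3", "type": "access", "vlan": 10,
      "rstpEnabled": True, "stpGuard": "disabled", "udld": "Alert only"}, "end-device"),
    ({"portId": "4", "type": "trunk", "vlan": 1, "allowedVlans": "10,20",
      "rstpEnabled": False, "stpGuard": "loop guard", "udld": "Alert only"}, "firewall-ha"),
]

if __name__ == "__main__":
    for port_id, findings in audit_network(SAMPLE_PORTS).items():
        for field, expected, actual in findings:
            print(f"port {port_id}: {field} expected {expected!r}, got {actual!r}")
```

Feeding this the real port list from the API (one call per switch) and tagging each port with its role turns the post's checklist into a repeatable drift check, which is more useful than eyeballing the dashboard after every stack or MLAG change.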

4 Replies
CoreyDavoll1
Getting noticed

At first glance your config looks good. I've been chasing the same issues with UDLD but I'm using MS130s in my access and they connect to C9300s. I think the 16.x firmware has had issues and support had me update to 17.x to test and that has helped some. Might be worth opening a support case to see if you're running into that bug.

Holli69
Getting noticed

Hi,

I would suggest setting STP Guard here to BPDU Guard.

Non-Meraki Wi-Fi Access Point with VLANs

  • Type = Trunk
  • STP Guard = Root Guard
  • UDLD = Alert Only

MikeHunt
Here to help

From history (and not recently "tested") - I had UniFi APs forward STP. If your users connect an STP-generating device like a Sonos to your Guest Wi-Fi - that resulted in the switch port shutting down - and that entire AP going offline 😞

Jinbe
Meraki Employee

This document will cover the STP guard settings in detail and when they would be recommended: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Configuring_Spanning_Tree_on_Meraki_...

 

In this case I believe your current configuration follows best practice using Loop guard with UDLD on any of the physically redundant links. 
