Recommended STP port settings for WAN Breakout Network

rhbirkelund
Kind of a big deal

I have a network setup in the topology as shown below.

The two breakout switches are MS120-8LP.

[Image: warmspare2.PNG, network topology diagram]

All dashed links are currently disabled/disconnected.

I know that as soon as I open port 4 on either of my two WAN breakout switches, a loop will occur.

RSTP is enabled and STP bridge priorities are as follows:

WAN Breakout Sw1 - priority 0 (likely root).

WAN Breakout Sw 2 - priority 4096

HX1-SW1 - priority 8192

Default - priority 32768

Assuming I can't configure anything on the two routers (they are ISP managed), what should I configure on the ports of the two WAN Breakout switches? HX1-SW1?

I've been looking into Meraki Docs on STP as well as Cisco's own general descriptions, and I feel I am going blind trying to understand them.


I feel that WAN-Sw1/3 should be Root Guard, and all other ports should be Loop Guard.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
ww
Kind of a big deal

If you activate port 4, STP on your switch will block a port, so you will not have a loop?

ISP routers are not routed links but L2 ports? Are they running STP?

Root guard is good for protecting a root switch from other, non-managed devices. You don't really need it if you configure the other switches yourself, because you set the STP priority yourself.

Loop guard is good to activate on ports with fiber links.

rhbirkelund
Kind of a big deal

The ISP routers have routed links "on the outside", i.e. Gi8.

On the inside, the WAN link is a VLAN (vlan30).

Basically, the entire VLAN30 is one big Layer 2 network on the WAN side. So there are four (six including virtual IPs) L3 interfaces on vlan30.

I'll admit though, I just realised that there is a slight error on the drawing. The link from Gi8 to the cloud should NOT be green, as this is not exactly vlan30. The Gi8 link is a transit link on the ISP side. Nothing that I administer.

rhbirkelund
Kind of a big deal

I tried today to enable all links on vlan30. So far, it seems to be stable. Ports 3 and 4, to Router 1 and Router 2 respectively, have gone into a Blocking state, yet no problems.

Afterwards, however, I attempted to enable port 1 on WAN Breakout Switch 2, thus creating a loop on VLAN 100. Now I'm getting very erratic behaviour, with a high amount of packets being dropped.

WAN Breakout Switch 2, port 1 is connected to the secondary MX's LAN3 port. Can the MX's LAN side talk Spanning Tree?

rhbirkelund
Kind of a big deal

Okay, so I may have discovered something here regarding the vlan100 network loop. It seems it may not be a Spanning Tree issue but a VRRP issue.

Meraki can perform a packet capture, up until a maximum of 100,000 packets. Doing a packet capture on the LAN side of both MXs shows that about 99% of all frames are VRRP Announcement frames.

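The post above diagnoses the loop from a packet capture by noticing that VRRP announcements dominate the frame mix. The following is an added example, not code from the thread or from Meraki, showing how to make that observation repeatable: it parses raw Ethernet frames, classifies them as STP BPDUs, VRRP advertisements or other traffic, and then compares the advertisement rate seen per (sender MAC, VRID) against the interval the advertisement itself declares. A healthy VRRP pair sends one advertisement per interval; a Layer 2 loop replays each one many times, which is what pushes the VRRP share towards 99%. The sample capture, MAC and IP addresses, thresholds and the `build_capture`, `classify`, `vrrp_rates` and `analyze` helper names are all constructed for this example.

```python
import struct
from collections import Counter, defaultdict

# Constructed sample data only; nothing here comes from the poster's capture.
VRRP_PROTO = 112                           # IP protocol number assigned to VRRP
VRRP_MCAST = bytes([224, 0, 0, 18])        # 224.0.0.18, the VRRP all-routers group
STP_MCAST = bytes.fromhex("0180c2000000")  # 01:80:C2:00:00:00, STP bridge group address


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    """Ethernet II + minimal IPv4 header (checksum left zero; irrelevant for classification)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255, proto, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + payload


def vrrp_advert(src_mac, src_ip, vrid, prio, adver_int=1):
    """VRRPv2 ADVERTISEMENT: version 2/type 1, VRID, priority, one virtual IP, no auth, interval, checksum 0."""
    payload = struct.pack("!BBBBBBH4s", 0x21, vrid, prio, 1, 0, adver_int, 0, ip("10.100.0.1"))
    return ipv4_frame(src_mac, mac("01:00:5e:00:00:12"), src_ip, VRRP_MCAST, VRRP_PROTO, payload)


def bpdu_frame(src_mac):
    """802.3 frame carrying LLC DSAP/SSAP 0x42 (STP) with a zero-filled BPDU body."""
    body = b"\x42\x42\x03" + bytes(36)
    return STP_MCAST + src_mac + struct.pack("!H", len(body)) + body


def classify(frame):
    """Coarse protocol label for one raw Ethernet frame."""
    if len(frame) < 14:
        return "runt"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype <= 1500:                  # 802.3 length field: an LLC header follows
        return "stp-bpdu" if frame[14:16] == b"\x42\x42" else "llc-other"
    if ethertype == 0x0800 and len(frame) >= 34:
        proto, dst = frame[23], frame[30:34]  # IPv4 protocol byte and destination address
        if proto == VRRP_PROTO and dst == VRRP_MCAST:
            return "vrrp"
        return "ipv4-other"
    return "other"


def vrrp_rates(capture):
    """Observed vs. expected advertisement count per (sender MAC, VRID) over the capture window."""
    seen = defaultdict(list)
    for ts, f in capture:
        if classify(f) != "vrrp":
            continue
        vrid, adver_int = f[35], f[39]     # 14 (eth) + 20 (ip) = 34; VRID is payload byte 1, interval byte 5
        seen[(f[6:12].hex(":"), vrid)].append((ts, adver_int))
    out = {}
    for key, ads in seen.items():
        span = max(1.0, ads[-1][0] - ads[0][0])  # at least one interval's worth of window
        expected = span / ads[0][1]                # one advertisement per declared interval
        out[key] = (len(ads), expected)
    return out


def analyze(capture, storm_share=0.9, rate_multiple=10):
    """Flag a VRRP storm: VRRP dominates the mix AND some sender is seen far above its own interval."""
    counts = Counter(classify(f) for _, f in capture)
    total = len(capture)
    vrrp_share = counts["vrrp"] / total if total else 0.0
    looping = [k for k, (obs, exp) in vrrp_rates(capture).items() if obs > rate_multiple * exp]
    return {"counts": dict(counts), "vrrp_share": vrrp_share,
            "storm": vrrp_share >= storm_share and bool(looping), "looping_senders": looping}


MX1, MX2 = mac("00:18:0a:00:00:01"), mac("00:18:0a:00:00:02")


def build_capture(copies_per_advert):
    """Constructed 10-second window: two MXs advertise VRID 100 once per second, plus a BPDU and a TCP frame.
    copies_per_advert > 1 models a loop replaying every advertisement that many times."""
    cap = []
    for sec in range(10):
        cap.append((sec + 0.01, bpdu_frame(mac("00:18:0a:00:00:aa"))))
        cap.append((sec + 0.02, ipv4_frame(MX1, MX2, ip("10.100.0.2"), ip("10.100.0.3"), 6, b"payload")))
        for src_mac, src_ip, prio in ((MX1, ip("10.100.0.2"), 255), (MX2, ip("10.100.0.3"), 100)):
            for i in range(copies_per_advert):
                cap.append((sec + 0.1 + i * 0.001, vrrp_advert(src_mac, src_ip, 100, prio)))
    return cap


if __name__ == "__main__":
    for label, copies in (("healthy", 1), ("looped", 50)):
        r = analyze(build_capture(copies))
        print(f"{label}: vrrp share {r['vrrp_share']:.2%}, storm={r['storm']}, senders={r['looping_senders']}")
```

On a real capture you would feed `analyze` the (timestamp, frame) pairs read from the pcap instead of `build_capture`; the share alone is not conclusive on a quiet segment, which is why the rate check against the advertisement's own declared interval is the deciding condition.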