STP guard setup - best practices

SOLVED
Conversationalist

Curious what the consensus is on STP guard settings for ports on Meraki switches.  We've turned on BPDU guard for all access ports.  However, I was wondering under what circumstances Root or Loop guard would be used.  We have a few 3rd party switches uplinked to some of our Meraki switches (trunk ports).  Would Root or Loop guard be worthwhile to activate?

 

The same question goes for fiber uplinks - from Meraki switches to a core.  Is there a best practice on what STP guard settings should be?  Or is "disabled" the norm?

 

Thanks for your input.  Happy to provide more topology details if need be.

 

 

Accepted Solution
A model citizen

Re: STP guard setup - best practices

- We use bpdu-guard for client ports to prevent spanning-tree problems, e.g. when users connect switches to the ports.

- We use loop-guard on switches with multiple uplink-ports to prevent loops in case of spanning-tree or aggregation problems.

- We don't use the root-guard option because our core-switch is the rootguard with the best bridge ID priority value. So it's not necessary.

 

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/RSTP_on_the_MS_Switch

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10596-84.html

https://documentation.meraki.com/MS/Other_Topics/Switch_Settings


Conversationalist

Re: STP guard setup - best practices

Thanks for this redsector.  A follow-up question, and to quote the Cisco STP article link you sent... 

 

"The biggest issue with STP is that some hardware failures can cause it to fail" 

 

With that said, is there any benefit (or drawback / issue) to enabling Loop guard on a single uplink port?  I'm not certain on what type of hardware failure on a Meraki switch that would cause an overall STP failure.  However, if Loop guard has inherent protections against something weird, it sounds like a good idea.

 

Thanks again for your input.

Kind of a big deal

Re: STP guard setup - best practices

LoopGuard is to protect against uni-directional links. So yes, even if there's only one uplink it can be useful. 

 

However, my personal preference is to use UDLD over LoopGuard. 

Kind of a big deal

Re: STP guard setup - best practices

I don't ever use root guard. I have had it bite me in the past when various failures happened, and it made those failures more severe.

Kind of a big deal

Re: STP guard setup - best practices

I'm not really a fan of loop guard unless there are redundant paths. Otherwise, if you have a single link and it triggers, it'll take out the downstream network.

Here to help

Re: STP guard setup - best practices

Follow normal recommendations for STP.

In our case, we are using MS devices as L2 only at the access layer. Our core L3 devices are Cisco 4500s.

We use the following settings, which work perfectly:
- Root guard: configure at core on all ports to access switches, and on access switches to APs
- BPDU guard: configure on all access ports
- Loop guard: configure on uplinks to core
- UDLD enforce on uplinks to core

Conversationalist

Re: STP guard setup - best practices

On AP's do you mean Access Ports or Access Points?

Conversationalist

Re: STP guard setup - best practices

I would think AP's meaning Wireless Access Points.

 

As a follow-up, we now activate BPDU guard (with enforcement) on all access ports and any trunk ports connected to a switch not under our control (a reality in a campus + residential environment).  It has worked as advertised and saved our keisters on at least a dozen occasions since.

Conversationalist

Re: STP guard setup - best practices

Thank you LFA. I just don't understand why you need Root Guard for Wireless APs... Looking for clarification. Didn't see any immediate help from Googling - Root Guard Wireless Access points
Conversationalist

Re: STP guard setup - best practices

We also use BPDU guard on access ports. Our keister was also saved after one of our less than intelligent admins decided to bring a switch from home and attempt to plug it into our network.
A model citizen

Re: STP guard setup - best practices

 
Conversationalist
Re: STP guard setup - best practices

On AP's do you mean Access Ports or Access Points?

---------------------

Access points.

Meraki Employee

Re: STP guard setup - best practices

Thanks for bringing this question forward! We have published new documentation on STP guard configuration that incorporates STP guard recommendations. Check it out and let us know what you think!

Conversationalist

Re: STP guard setup - best practices

Very helpful. Still curious why one of the comments in this thread mentioned good practice to configure Access point ports for Root Bridge.
Conversationalist

Re: STP guard setup - best practices

Sorry, I meant root guard.
Meraki Employee

Re: STP guard setup - best practices

Autonomous Access Points (APs) can send out BPDUs and participate in STP. There is the potential that the AP BPDU may have a better BID than the current Root Bridge. In that case, applying Root Guard to the port connecting to the AP would protect your network from electing the AP as the new Root Bridge.
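A small added model (not from this thread or from Meraki) of the election and guard behaviours discussed in the accepted answer and in the root-guard explanation above: bridge IDs compare by priority first and MAC second, so even a priority-0 core can be outranked by another priority-0 bridge with a lower MAC, which is exactly what root guard protects against; BPDU guard reacts to any BPDU, loop guard reacts to BPDUs stopping on a blocking port. All bridge names and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_PRIORITY = 32768  # 802.1D default; "less than default" in the thread means e.g. 4096


@dataclass(frozen=True)
class BridgeId:
    priority: int  # must be a multiple of 4096 in the 0..61440 range
    mac: str       # tie-breaker when priorities are equal

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")

    def key(self):
        # Lower tuple wins the root election: priority first, then MAC numerically.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def is_superior(candidate: BridgeId, current_root: BridgeId) -> bool:
    """True if a BPDU announcing `candidate` as root would win against `current_root`."""
    return candidate.key() < current_root.key()


def port_reaction(guard: str, port_role: str, bpdu_root: Optional[BridgeId],
                  current_root: BridgeId) -> str:
    """What a port does on receiving a BPDU (bpdu_root set) or when BPDUs stop (None).

    guard: 'none', 'bpdu', 'root' or 'loop'; port_role: 'designated' or 'alternate'.
    """
    if guard == "bpdu":
        # Any BPDU at all on an edge port shuts the port (the 'home switch' case above).
        return "err-disabled" if bpdu_root is not None else "forwarding"
    if guard == "root":
        # Only a superior BPDU triggers; inferior BPDUs (e.g. a default-priority AP) pass.
        if bpdu_root is not None and is_superior(bpdu_root, current_root):
            return "root-inconsistent"
        return "forwarding"
    if guard == "loop":
        # A blocking port that stops hearing BPDUs must not silently go forwarding.
        if bpdu_root is None and port_role == "alternate":
            return "loop-inconsistent"
        return "forwarding" if port_role == "designated" else "blocking"
    # No guard: the two failure modes the guards exist to prevent.
    if bpdu_root is not None and is_superior(bpdu_root, current_root):
        return "new-root-elected"
    if bpdu_root is None and port_role == "alternate":
        return "forwarding-loop-risk"
    return "forwarding" if port_role == "designated" else "blocking"
```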
Conversationalist

Re: STP guard setup - best practices

CJones - Thank you for posting this.  It is very helpful.

Getting noticed

Re: STP guard setup - best practices

Redsector had a great answer. 

 

However that said, I don't use any of these settings because the Meraki already has RSTP on by default.  I definitely don't configure them on Meraki-Meraki links because the expectation is to use RSTP.  In my mind you should only use these spanning tree options if the port is connected to a switch that doesn't support RSTP.

 

As for root guard - I set the priority on my core switches, a stack of MS425s, to 0, and that stopped the inter-vendor squabbling over who thinks it's root.

Conversationalist

Re: STP guard setup - best practices

I try to avoid using 0. As long as the bridge priority is less than default, you shouldn't run into issues.
Getting noticed

Re: STP guard setup - best practices

I have my root priority set to the core switch in the network but a few locations are still somehow wanting to use a core switch in another network.

 

Would that be something to be concerned with?

Building a reputation

Re: STP guard setup - best practices

I always do the following:
- BPDU guard on all client ports and access point ports if they are Meraki (Meraki APs don't send BPDUs).
- Root guard on all downlinks from CORE to access layer
- I would have wanted to put loopguard on uplinks of access layer switches but Meraki won't let me because we use the management inline with the network.

 

Also, and this is important: if you have an MX warm spare with the four uplinks from the switch network towards those MXs, DON'T enable BPDU guard on those ports leading to the MX, and never ever use drop untagged traffic on the MX, because that causes a loop.
