Spanning tree dilemma

Hi all,

Here’s another dilemma. I currently have 2x separate RSTP networks that are physically separate.
I’m setting up a Nexus VPC core and will need to connect both of these networks, since Internet access will be arranged via these Nexus switches. Therefore, I will need to allow several VLANs on both sides (including a management one).
I was myself looking at BPDU filter for one of the networks (since I only have 2x switch stack connected directly via fiber).
Any other tips as to what I could implement on the Nexus side to avoid spanning tree conflicts/loops?

Kind regards,
Vlad

@lagapides any insights on this one?

Hello Vlad

If these two separate networks are connecting to the Nexus switches on L3 interfaces, you should be OK with STP, as no loops will be created. However, I assume you want to connect the networks to the Nexus pair using L2 connections? Even then, you shouldn’t create L2 loops, unless you are also connecting the two networks directly as well. Can you share a network topology so that we can more clearly see the dilemma you’re facing?

I hope this has been helpful!

Laz


Here you go, to get an idea. I don’t really have the option for L3 links, since switches in STP domain 1 are L2.
Let me know!!

Hello Vlad

From what I see in your diagram, you have two networks (Network 1 and Network 2). And you have indicated that these two are in a single STP domain. However, these are not connected to each other, so they are two separate STP domains. Unless there’s a link there between the two networks that you are not showing in your diagram.

In any case, even if they are connected, I would suggest that you create EtherChannel uplinks from each of the switches in each network. That way you won’t have to worry about STP, and you’ll be able to take advantage of the full upload speed of all uplinks. If you’ve set up your Nexus devices using vPC, you can easily create EtherChannel bundles that span the two Nexus switches.

BPDUFilter essentially disables spanning tree on a port, or if it is configured globally, it will cause any interface with portfast enabled to not send any BPDUs. If it receives a BPDU, portfast will be disabled, and it will act as a normal interface. So this feature would not resolve your problem. More info on BPDUFilter can be found here:

I hope this has been helpful!

Laz

Hi Laz,

Network 1 & 2 are different STP domains right now. They are also physically separated.
The drawing is what I am planning to do, as in connecting them to the same Nexus VPC pair.
I will indeed use PortChannels for all switches. My question is, what would be the best way to keep connectivity but avoid possible STP conflicts based on priorities?

Hello Vlad

I understand, thanks for the clarification. With the topology as you have it, with the use of PortChannels, there is no fear of layer 2 loops, so you’re covered there. If you want to configure a particular switch (one of the Nexus switches?) as the STP root, and you want to ensure it remains the root, then you have several features that you can use.

First of all, if you have full control over the whole topology, then you can simply use the priority configurations for each VLAN so that your switch of choice becomes the root. More details about that can be found here:

Secondly, if you want to protect your STP topology further by ensuring that no malicious user will send superior BPDUs, then you can use RootGuard.

What tools and features you use to protect your STP topology depend upon the specific topology as well as the particular threats you want to protect it from.

I hope this has been helpful!

Laz
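The configuration below is an added example that is not part of the original thread; it puts together the two points Laz raises (vPC EtherChannel downlinks, and priority plus RootGuard to pin the root) on the Nexus side. VLAN IDs 10/20/99, port-channel numbers 11/12, the vPC domain ID, and the peer-keepalive addresses are assumptions chosen for illustration; the Meraki side is not shown.

```text
! Nexus A of the vPC pair. Nexus B carries the same STP and vPC settings,
! differing only in its peer-keepalive addresses and role priority.
feature lacp
feature vpc

vpc domain 10
  role priority 100
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
  peer-gateway
  ! peer-switch makes both vPC peers send BPDUs with one bridge ID, so the
  ! pair appears as a single root to Network 1 and Network 2. It requires
  ! identical spanning-tree priorities on both peers.
  peer-switch

spanning-tree mode rapid-pvst
! Lowest priority in the merged topology: once both networks hang off the
! vPC pair they share one STP domain per VLAN, so the pair must beat the
! current root of Network 1 and of Network 2 in every VLAN trunked down.
spanning-tree vlan 10,20,99 priority 4096

! vPC peer-link
interface port-channel 1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,99
  spanning-tree port type network
  vpc peer-link

! Downlink to the Network 1 switch stack (one member port on each Nexus peer)
interface Ethernet1/1
  channel-group 11 mode active
interface port-channel 11
  switchport mode trunk
  switchport trunk allowed vlan 10,20,99
  spanning-tree port type normal
  ! Root guard: a superior BPDU from Network 1 puts this port into the
  ! root-inconsistent state instead of moving the root into Network 1.
  spanning-tree guard root
  vpc 11

! Downlink to the Network 2 switches, same pattern
interface Ethernet1/2
  channel-group 12 mode active
interface port-channel 12
  switchport mode trunk
  switchport trunk allowed vlan 10,20,99
  spanning-tree port type normal
  spanning-tree guard root
  vpc 12

! Verification after the links come up
show spanning-tree vlan 10             ! expect "This bridge is the root" on both peers
show spanning-tree inconsistentports   ! empty once the priorities are correct
show vpc consistency-parameters global ! STP mode/priority must match on both peers
```

Order matters here: set and verify the priorities first, and only then enable root guard on the downlinks. Root guard blocks a port as soon as it sees a superior BPDU, so if one of the existing networks still holds a better priority when it is turned on, that network's uplink is blocked rather than its root being overridden. A priority of 4096 is used above so that a value lower than the default 32768 on the existing switches is still available for a future change without touching the Nexus pair.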

Thanks Laz,

I was indeed also considering playing with the priorities. Meraki supports RootGuard as well, fortunately. Thanks again!
