STP causing outage?

mikearama Member Posts: 749
Yes, I'm a CCNP, and yes, I'm still uncertain about the answer to this question that came up this morning.

We've had a few complaints this morning about user outages while accessing network resources of any kind.

In checking STP, I noted that we've had reconvergences about 10 times so far this morning.

Now then, my understanding from my studies was that during convergence, the root port continued to forward. However, the issues today give me the impression that ALL ports go into blocking state during convergence.

Sure would appreciate confirmation, one way or the other. Links appreciated.

BTW, our Implementations team appears to be the culprit... they've got a Nortel switch they use to stage devices that they decided to plug into a pair of network ports. Wingnuts.
There are only 10 kinds of people... those who understand binary, and those that don't.

CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.

Comments

  • networker050184 Mod Posts: 11,962
    mikearama wrote: »
    Yes, I'm a CCNP, and yes, I'm still uncertain about the answer to this question that came up this morning.

    We've had a few complaints this morning about user outages while accessing network resources of any kind.

    In checking STP, I noted that we've had reconvergences about 10 times so far this morning.

    Now then, my understanding from my studies was that during convergence, the root port continued to forward. However, the issues today give me the impression that ALL ports go into blocking state during convergence.

    Sure would appreciate confirmation, one way or the other. Links appreciated.

    BTW, our Implementations team appears to be the culprit... they've got a Nortel switch they use to stage devices that they decided to plug into a pair of network ports. Wingnuts.

    It sounds like the root is changing which is causing everything to go out.
    An expert is a man who has made all the mistakes which can be made.
  • chmorin Member Posts: 1,446 ■■■■■□□□□□
    mikearama wrote: »
    BTW, our Implementations team appears to be the culprit... they've got a Nortel switch they use to stage devices that they decided to plug into a pair of network ports. Wingnuts.

    To me the only reason all of the nodes on the switch should lose connectivity is if the root port was changing. Should some, as you said, wingnut decide to plug one layer 2 switch into two different ports on a network, there is a chance that the STP root port might change and, lo and behold, everything goes down for x seconds depending on the STP version.

    Is there a way to force which port is going to the root?

    Edit: You use RSTP right? How long is the downtime?
    Currently Pursuing
    WGU (BS in IT Network Administration) - 52%| CCIE:Voice Written - 0% (0/200 Hours)
    mikej412 wrote:
    Cisco Networking isn't just a job, it's a Lifestyle.
  • mikearama Member Posts: 749
    chmorin wrote: »
    You use RSTP right? How long is the downtime?

    Yep, so the outage each time is about 10 seconds. Nothing serious, but enough to cause internal portal pages and mapped drives to not respond. Our user base will complain about anything... geez.

    Anyway, thanks guys... it has settled down without the extra switch in the mix, so I'll chalk this up to STP and call it a day.
  • notgoing2fail Member Posts: 1,138
    It's ok if you don't know everything as a CCNP. :D

    I already know that the day I become a CCNP does not, and will not, mean I expect to have all the answers.

    Heck, even as a CCNA I am doubtful about some technologies. It's all about figuring things out.

    Glad you figured it out, but make sure that it is really solved....

  • chrisone Senior Member Posts: 2,198 ■■■■■■■■■□
    If you are running Cisco switches at your Distro (thanks deth) I would suggest implementing the following to protect your root.

    Implement the following

    1. Root guard
    2. Loop guard
    3. Remove any portfast on access layer switches (unless BPDU guard is enabled, leave portfast). To save some seconds but also introduce loops and STP root changes, portfast is not worth the headaches.


    Some tips from my CCDP book I am studying.

    • Loop guard is implemented on the Layer 2 ports between distribution switches, and on the uplink ports from the access switches to the distribution switches.
    • Root guard is configured on the distribution switch ports facing the access switches.
    • BPDU guard or root guard is configured on ports from the access switches to the end devices, as is PortFast.
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    Certs: eCPTXv2, CRTE, AZ-500, SC-200 (March 5th)
  • deth1k Member Posts: 312
    chrisone wrote: »
    If you are running Cisco switches at your core I would suggest implementing the following to protect your root.

    Implement the following

    1. Root guard
    2. Loop guard
    3. Remove any portfast on access layer switches (unless BPDU guard is enabled, leave portfast). To save some seconds but also introduce loops and STP root changes, portfast is not worth the headaches.


    Some tips from my CCDP book I am studying.

    • Loop guard is implemented on the Layer 2 ports between distribution switches, and on the uplink ports from the access switches to the distribution switches.
    • Root guard is configured on the distribution switch ports facing the access switches.
    • BPDU guard or root guard is configured on ports from the access switches to the end devices, as is PortFast.


    He shouldn't be running STP in the core to start with.

    To mikearama - please explain how things are set up where you work (topology-wise). Do you follow Cisco's recommended 3-tier model?
  • chrisone Senior Member Posts: 2,198 ■■■■■■■■■□
    Yeah, you're right, it should be distribution and access layer. Like deth1k said, what model are you using? From the sounds of it, it seems like it's a collapsed core where your distro/core are the same.
  • Cucumber Member Posts: 192
    Rootguard is your friend.

    EDIT: I just remembered I was having the same kind of complaints from system administrators of servers in a data center about random short outages in the network. It turns out whole switches did not have any portfast configuration on them. So I had to review about 600 access ports and change them to portfast+bpduguard. It was an annoying task, but since then the spanning tree is a lot more stable.
    I hate pandas
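As an added example that is not from any poster in this thread: a Cisco IOS configuration for the collapsed core/distribution plus access layout discussed above, applying the root guard, loop guard and portfast+BPDU guard placement chrisone lists and the access-port change Cucumber describes, followed by the show commands that confirm whether a root change was blocked. Interface names, the VLAN range and the priority value are assumptions.

```cisco
! --- Distribution / collapsed-core switch (assumed: Te1/0/1 to the peer distro, Gi1/0/1-24 face access) ---
spanning-tree mode rapid-pvst
! Pin the root deterministically so a staging switch cannot win the election by default priority
spanning-tree vlan 1-4094 priority 4096
! Loop guard on the inter-distribution link: if BPDUs stop arriving, the port goes
! loop-inconsistent instead of transitioning to forwarding and creating a loop
interface TenGigabitEthernet1/0/1
 description To-Dist-2
 spanning-tree guard loop
! Root guard toward the access layer: a superior BPDU from below puts that port
! root-inconsistent (blocked) rather than re-electing the root and reconverging the whole tree
interface range GigabitEthernet1/0/1 - 24
 description To-Access
 spanning-tree guard root
!
! --- Access switch (assumed: Gi1/0/47-48 are uplinks, Gi1/0/1-46 are user ports) ---
spanning-tree mode rapid-pvst
! Uplinks get loop guard and never portfast
interface range GigabitEthernet1/0/47 - 48
 description Uplink-to-Dist
 spanning-tree guard loop
! Edge ports: portfast so hosts forward immediately without a topology change,
! bpduguard so any BPDU (a switch plugged into a user port) err-disables the port
interface range GigabitEthernet1/0/1 - 46
 spanning-tree portfast
 spanning-tree bpduguard enable
! Optional: recover err-disabled ports automatically after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification ---
! Current root per VLAN, topology change count and the port the last change came from
show spanning-tree root
show spanning-tree detail | include ieee|occurr|from|is exec
! Ports currently held blocked by root guard or loop guard
show spanning-tree inconsistentports
! Ports shut down by bpduguard
show interfaces status err-disabled
```

Root guard only prevents the foreign switch from becoming root; a switch looped through two access ports, as in this thread, is stopped by bpduguard on those ports, which is why both belong together.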