
2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

  • 1.  2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    Posted Jan 22, 2021 09:49 AM
    What is the best configuration to deploy to avoid loop / traffic issues if I have 2 trunks per switch
    (directly linked to the Core Switch L3)?
    Do I have to enable Root Guard for the first trunk and Loop Guard for the second trunk?

    For info - the two ports of these switches (SFP fiber 10G plug) are both members of the Trk1 group, which is configured to transport several VLANs from my organisation.

    This is the actual trunk configuration:

    spanning-tree
    spanning-tree Trk1 priority 4
    spanning-tree force-version rstp-operation
    no tftp server
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    no dhcp tr69-acs-url
    trunk-load-balance L4-based

    For BPDU Guard, I think of activating it only on edge ports.

    Please let me know if I am doing the right things or not - and if some features can be added too. Many thanks

    ------------------------------
    maxime FUHRMANN
    ------------------------------


  • 2.  RE: 2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    EMPLOYEE
    Posted Jan 23, 2021 07:28 AM
    Hi Maxime,

    BPDU Guard is only for Edge Ports and has nothing to do with trunks between your switches. It will simply block STP BPDUs on the port and set the port to blocking. This is something you will not have on your link to the core.

    Root Guard is there to protect your root from being replaced by a different one as root for your network. Might be something you can look into for your scenario.

    You might look at this page for more information:

    https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=8f0b9755-b30f-49b8-b3f5-ad00ac65d022

    BR
    Florian

    ------------------------------
    Florian Baaske
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: 2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    Posted Jan 23, 2021 08:20 AM
    Hello and thanks for your feedback! 
    My core switches are connected with 2 fiber SFP 10G links to an Aruba 2930M switch - this is a loop, yes, but it also provides redundancy. Then what's the best practice? Define 1 fiber port with root guard? Create LACP trunks?





  • 4.  RE: 2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    MVP GURU
    Posted Jan 23, 2021 08:31 AM
    Hi! IMHO...without any doubt...if you can (there aren't specific restrictions to not do so) go with a 10G+10G Port Trunking using LACP between your Core and its downlink peer switch (remember: involved physical interfaces must have the same speed, duplex mode and media type). The logical interface TrkX you will end up with will then be configured normally, as you would do with a physical one (this with regards to root-guard Core Switch side and to other parameters...).





  • 5.  RE: 2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    Posted Jan 23, 2021 12:45 PM
    Ok then, thanks for advising me - go for it then. But do you mean that from my Core Switch, Root Guard needs to be enabled for at least one of the 2 active port links to 1 peer switch?
    I have 2 core switches linked to about 120 downlink peer switches; in this situation I really don't want to mess up :)
    Just to sum up: trunk LACP from Core switch and Peer switch to enable on both sides (TrkX number identical for both, or doesn't it matter?)
    Then from the Core switch, root guard on all first interface links to Peer switches. Correct?

    ------------------------------
    maxime FUHRMANN
    ------------------------------



  • 6.  RE: 2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    Posted Jan 24, 2021 04:50 AM
    Trk numbering does not matter, we usually try to match it on both ends to make configuring/troubleshooting easier.

    A lot of these guards/filters are there to prevent issues from devices that you don't manage. Like the whole STP :) If you/anyone else does anything incorrect, there is no need for STP even.

    The last place I saw some Aruba recommendations was "VSX Configuration best practices for Aruba CX". It lists these best practices (there are more, check the document) regarding STP stuff. You can find the document from asp.arubanetworks.com --> software & documents --> switches --> search for VSX

    The best practice on Aggregation layer are:
    • No loop-protect (MSTP used instead).
    • Use the default common instance 0: MST0
    • Lower the spanning-tree priority to 4 to make VSX aggregation the STP root bridge (easier for support)
    • Use root-guard on all downlinks to prevent any access switches from becoming Root Bridge.
    • Keep the default port-type admin-network

    The best practice on Access layer are:
    • Use loop-protect for all endpoint access ports (not configured on uplinks). Set the re-enable timer to 1 hour.
    • Keep the default common instance 0: MST0
    • Keep the default spanning-tree priority of 8.
    • All endpoint access ports are admin-edge, should not receive any BPDU (BPDU guard), should not trigger any Topology Change Notification (tcn-guard).
    • Use loop-protection on all endpoint access ports as an extra-protection mechanism (in case of MSTP BPDUs are filtered by insertion of unmanaged switches which create a loop).
    • Use loop-guard on all uplinks to prevent any flood due to failure of BPDU reception (fiber strand cut).
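
The access- and aggregation-layer rules listed in the post above, turned into a small configuration audit. This is an added example, not part of the original thread or of any Aruba tooling; the role map, the `audit` helper and the sample config are constructed, and the command forms are assumed to be ArubaOS-Switch style (`spanning-tree <port-list> <feature>`, `loop-protect <port-list>`).

```python
import re

# Port roles and the protections the quoted best-practice list asks for.
REQUIRED = {
    "edge": {"admin-edge-port", "bpdu-protection", "tcn-guard", "loop-protect"},
    "uplink": {"loop-guard"},      # access switch side, towards the core
    "downlink": {"root-guard"},    # core/aggregation side, towards access
}
FORBIDDEN = {"uplink": {"loop-protect"}, "downlink": {"loop-protect"}}
STP_FEATURES = set().union(*REQUIRED.values()) - {"loop-protect"}

# Constructed access-switch fragment (assumed ArubaOS-Switch syntax).
SAMPLE_ACCESS = """\
trunk 49-50 trk1 lacp
spanning-tree
spanning-tree 1-46 admin-edge-port
spanning-tree 1-46 bpdu-protection
spanning-tree 1-44 tcn-guard
loop-protect 1-46
"""

def expand(port_list):  # '1-3,Trk1' -> {'1', '2', '3', 'trk1'}
    ports = set()
    for part in port_list.lower().split(","):
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        ports |= {str(n) for n in range(int(m[1]), int(m[2]) + 1)} if m else {part}
    return ports

def parse(config):
    enabled = {}  # port or Trk -> set of protections enabled on it
    for tok in map(str.split, config.splitlines()):
        if len(tok) == 3 and tok[0] == "spanning-tree" and tok[2] in STP_FEATURES:
            ports, feature = tok[1], tok[2]
        elif len(tok) == 2 and tok[0] == "loop-protect":
            ports, feature = tok[1], "loop-protect"
        else:
            continue  # priorities, timers, trunk definitions, etc.
        for port in expand(ports):
            enabled.setdefault(port, set()).add(feature)
    return enabled

def audit(config, roles):  # roles e.g. {"edge": "1-46", "uplink": "Trk1"}
    enabled, findings = parse(config), []
    for role, port_list in roles.items():
        for port in sorted(expand(port_list), key=lambda p: (len(p), p)):
            have = enabled.get(port, set())
            findings += [f"{port}: {role} port missing {f}" for f in sorted(REQUIRED[role] - have)]
            findings += [f"{port}: {role} port should not have {f}" for f in sorted(FORBIDDEN.get(role, set()) & have)]
    return findings
```

On the constructed sample, `audit(SAMPLE_ACCESS, {"edge": "1-46", "uplink": "Trk1"})` flags ports 45 and 46 for missing tcn-guard and the Trk1 uplink for missing loop-guard; the guard is looked up on the Trk logical interface, not on its member ports.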


  • 7.  RE: 2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    MVP GURU
    Posted Jan 24, 2021 05:10 AM
    Hi!

    @pubjohndoe : I'm not sure the OP has a VSX as the Core Switch so I'll try to answer his doubts step by step:

    "Ok then, thanks for advising me - go for it then. But do you mean that from my Core Switch, Root Guard needs to be enabled for at least one of the 2 active port links to 1 peer switch?"

    Clearly, if your Core Switch has Spanning Tree already correctly configured and enabled, and it is also the root of your Spanning Tree topology, you would protect this state by applying the root-guard concept directly on the Trk (the Port Trunk) logical interface connecting your downstream peer switch (as said, once you start dealing with an aggregated interface, what we call the Trk (the Port Trunk) logical interface, you have to simply forget its physical member interfaces: they are indeed "fused" - and disappear - into the Port Trunk itself).

    "I have 2 core switches linked to about 120 downlink peer switches; in this situation I really don't want to mess up :)"

    Reasonable, so do one test with one switch.

    "Just to sum up: trunk LACP from Core switch and Peer switch to enable on both sides (TrkX number identical for both, or doesn't it matter?)"

    As @pubjohndoe already wrote, there is no need to have both Trk logical interfaces with the same Id (sometimes it's simply not possible at all): so it's good to have Trk<id-1> on Core and Trk<id-2> on Access...it doesn't matter.

    "Then from the Core switch, root guard on all first interface links to Peer switches. Correct?"

    See above.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 8.  RE: 2 trunks per Switch - What is the best configuration between BPDU Guard / Root Guard + Loop Guard

    Posted Jan 24, 2021 05:15 AM
    Ah true, forgot to mention that the document was about VSX switches, but the best practices are still valid for 2930 deployments too :)

    With Aruba you have to get pieces of documentation/best practices from here and there and also beg some of them from your local SE :)