Spanning Tree Tuning
Ideally the root bridge should be the core switch, but root bridge placement should also try to minimize the number of hops to the furthest switch. A secondary root bridge should be specified to limit the number of topology changes if the primary fails. This secondary would be the next downstream device.
Commands to set priority
spanning-tree vlan 1-4094 root primary diameter 7
The diameter keyword lets you tune STP convergence: it states the maximum number of switch hops between any two end stations in the Layer 2 domain, and IOS derives the max-age and forward-delay timers from it. Because the root bridge advertises these timers in its BPDUs, the command only needs to be set on the root bridge. The root primary macro also sets the bridge priority to 24576 (or 4096 below the current root if that root already has a lower priority); root secondary sets 28672.
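As an added illustration (not part of the original notes), the Python below reproduces how the diameter and hello-time values become the max-age and forward-delay timers that the root bridge advertises. The formulas are the 802.1D-derived ones commonly quoted in Cisco's STP timer guidance, and rounding half values up is an assumption; confirm the resulting numbers against show spanning-tree on your own platform.

```python
import math

# Assumption: these are the simplified 802.1D timer formulas quoted in Cisco's
# STP timer guidance; the platform may differ, so verify with "show spanning-tree".
def stp_timers(diameter, hello=2):
    """Return (max_age, forward_delay) in seconds for a given network diameter and hello time."""
    if not 2 <= diameter <= 7:
        raise ValueError("diameter must be between 2 and 7 (the 802.1D maximum)")
    if not 1 <= hello <= 10:
        raise ValueError("hello time must be between 1 and 10 seconds")
    # A BPDU from the root must survive a lost hello on every hop before a
    # switch declares the root information stale.
    max_age = 4 * hello + 2 * (diameter - 1)
    # Listening and learning each last forward_delay; the value is rounded up
    # (assumption) so the default 14.5 becomes the familiar 15.
    forward_delay = math.ceil((4 * hello + 3 * diameter) / 2)
    return max_age, forward_delay


def worst_case_convergence(diameter, hello=2):
    """Classic 802.1D worst case: wait max_age, then listening + learning."""
    max_age, forward_delay = stp_timers(diameter, hello)
    return max_age + 2 * forward_delay


def timer_table(hello=2):
    """Diameter -> (max_age, forward_delay, worst-case convergence) for planning."""
    return {d: (*stp_timers(d, hello), worst_case_convergence(d, hello)) for d in range(2, 8)}


if __name__ == "__main__":
    for diameter, (max_age, fwd, conv) in timer_table().items():
        print(f"diameter {diameter}: max-age {max_age}s forward-delay {fwd}s worst-case {conv}s")
```

With the default hello of 2 seconds and diameter 7 the function returns the IOS defaults of 20 and 15; shrinking the diameter to what the topology actually needs is what shortens convergence, which is the reason to count hops before choosing the root.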
Primary
spanning-tree vlan 1-4094 priority 0
Secondary
spanning-tree vlan 1-4094 priority 4096
To set the port priority, use the following command. Port priority can be used to make a switch prefer one link when multiple links exist between two switches: the default is 128, values go in steps of 16, and lower is preferred. Configure it on the upstream (designated) switch, because the value travels in that switch's BPDUs and steers the downstream switch's root-port choice.
conf t
int gi1/0/1
spanning-tree port-priority 64
MAC flapping should be investigated, as it can indicate a loop.
Root Guard: a feature that prevents a configured port from becoming a root port. It should be configured on ports facing downstream devices. If a superior BPDU is received on such a port, the port is put into an err-disabled state.
conf t
int gi1/0/1
spanning-tree guard root
PortFast: generating a TCN does not make sense when a host has only one connection to the network. Enabling PortFast moves the port straight to forwarding and disables TCN generation when it goes up or down.
conf t
int gi1/0/1
spanning-tree portfast
BPDU Guard: shuts down (err-disables) a port with PortFast configured if a BPDU is received on it.
conf t
int gi1/0/1
spanning-tree bpduguard enable
BPDU Filter: stops BPDUs from being sent out a port (and, when applied on the interface, ignores received ones too, which effectively turns STP off on that port). Most network designs should not require this command.
conf t
int gi1/0/1
spanning-tree bpdufilter enable
Loop Guard: prevents an alternate or root port from transitioning to designated when it stops receiving BPDUs; the port is held in a loop-inconsistent (blocking) state instead. It should not be configured on ports running PortFast.
conf t
int gi1/0/1
spanning-tree guard loop
Unidirectional Link Detection (UDLD): checks, by exchanging UDLD frames with the neighbor, that a link (typically fiber optic) is working in both directions. There are 2 modes. Normal: if a frame is not acknowledged, the link is marked undetermined and the port will remain up. Aggressive: if a frame is not acknowledged, the switch sends another 8 packets at 1-second intervals; if there is still no acknowledgment, the port is error disabled. UDLD must be enabled on both the local and remote switch.
conf t
udld enable          ! normal mode, globally on fiber ports
udld aggressive      ! aggressive mode instead of normal
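Every feature above (MAC flap notices, root guard, BPDU guard, loop guard and UDLD) announces itself in the switch syslog, and the operational value comes from actually reviewing those messages. The Python below is an added example, not part of these notes: it parses constructed IOS-style syslog lines, aggregates MAC-flap notices per host and VLAN, and turns the guard and UDLD events into findings with the port involved. The sample lines are constructed in the format of the well-known IOS mnemonics; the threshold and the action text are assumptions to adjust for your environment.

```python
import re
from collections import defaultdict

# Constructed sample in Cisco IOS syslog style; not captured from a real switch.
SAMPLE_LOG = """\
Mar  1 10:01:02.111: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Mar  1 10:01:03.114: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/2 and port Gi1/0/1
Mar  1 10:01:04.120: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Mar  1 10:02:10.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:02:10.001: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar  1 10:05:00.000: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/9 on VLAN0010.
Mar  1 10:06:00.000: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/0/48 on VLAN0010.
Mar  1 10:07:00.000: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi1/0/49, unidirectional link detected
Mar  1 10:08:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
"""

# IOS syslog shape: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message"
SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)$")
PORT_RE = re.compile(r"\b(?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Port-channel|Te|Gi|Fa|Po)\d+(?:/\d+)*\b")
MACFLAP_RE = re.compile(r"Host (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) in vlan (?P<vlan>\d+) "
                        r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)")
LONG_TO_SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa", "Port-channel": "Po"}

# Mnemonic -> (finding kind, what it means for the operator). Action text is an assumption.
GUARD_EVENTS = {
    "BLOCK_BPDUGUARD": ("bpduguard", "BPDU arrived on a PortFast edge port: unexpected switch or loop on an access port"),
    "ROOTGUARD_BLOCK": ("rootguard", "superior BPDU from a downstream device: something is trying to become root"),
    "LOOPGUARD_BLOCK": ("loopguard", "BPDUs stopped on a root/alternate port: suspect a unidirectional link"),
    "UDLD_PORT_DISABLED": ("udld", "UDLD aggressive err-disabled a one-way link: check the fiber pair"),
}


def normalize_port(name):
    """Collapse long IOS interface names (GigabitEthernet1/0/7) to the short form (Gi1/0/7)."""
    m = re.match(r"([A-Za-z-]+)(\d[\d/]*)$", name)
    if not m:
        return name
    return LONG_TO_SHORT.get(m.group(1), m.group(1)) + m.group(2)


def parse_events(text):
    """Parse IOS-style syslog lines into dicts; lines without a %FAC-SEV-MNEMONIC tag are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        vlan = re.search(r"VLAN0*(\d+)", msg)
        events.append({
            "facility": m.group("facility"),
            "severity": int(m.group("sev")),
            "mnemonic": m.group("mnemonic"),
            "msg": msg,
            "ports": [normalize_port(p) for p in PORT_RE.findall(msg)],
            "vlan": int(vlan.group(1)) if vlan else None,
        })
    return events


def mac_flap_summary(events):
    """Aggregate MACFLAP_NOTIF messages per (mac, vlan): how often, and between which ports."""
    summary = defaultdict(lambda: {"count": 0, "ports": set()})
    for ev in events:
        if ev["mnemonic"] != "MACFLAP_NOTIF":
            continue
        m = MACFLAP_RE.search(ev["msg"])
        if not m:
            continue
        key = (m.group("mac").lower(), int(m.group("vlan")))
        summary[key]["count"] += 1
        summary[key]["ports"].update([normalize_port(m.group("p1")), normalize_port(m.group("p2"))])
    return dict(summary)


def triage(text, flap_threshold=3):
    """Turn a log excerpt into findings: repeated MAC flaps first, then every guard/UDLD event in order."""
    events = parse_events(text)
    findings = []
    for (mac, vlan), info in mac_flap_summary(events).items():
        if info["count"] >= flap_threshold:  # threshold is an assumption; tune per environment
            findings.append({"kind": "macflap", "mac": mac, "vlan": vlan, "count": info["count"],
                             "ports": sorted(info["ports"]),
                             "action": "possible loop or duplicated MAC: check STP state and cabling on these ports"})
    for ev in events:
        if ev["mnemonic"] in GUARD_EVENTS:
            kind, action = GUARD_EVENTS[ev["mnemonic"]]
            findings.append({"kind": kind, "port": ev["ports"][0] if ev["ports"] else None,
                             "vlan": ev["vlan"], "action": action})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a real export, the MAC-flap aggregation is the part worth keeping: a single notice is noise, but the same host bouncing between the same two ports many times in a minute is the signature of the loop the notes warn about, and the guard findings tell you which feature caught it and on which port.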