«

Hello, Arnold!
You wrote on Sun, 03 Oct 2004 01:46:45 +0200:

m>>> if you have a single switch, then you can disable spanning tree.

m>>> If you have two or more switches connected togther then
m>>> disabling spanning tree is generally not a good idea...
??>>
??>> It's not a good idea even with a single switch.
??>>
AN> It is ... you most likely don't need it. Hence turn it off but
AN> don't forget to have still BPDU guard turned on.

Well, you can do a little experiment - plug a loopback and see what will happen
with STP and without. Even if you have new IOS based switch with keepalives
turned on by default it might be up to 10 seconds of downtime before port gets
disabled.

With best regards,
Andrey.

On 03.10.2004 02:19 Andrey Tarasov wrote:

> Hello, Arnold!
> You wrote on Sun, 03 Oct 2004 01:46:45 +0200:
>
> m>>> if you have a single switch, then you can disable spanning tree.
>
> m>>> If you have two or more switches connected togther then
> m>>> disabling spanning tree is generally not a good idea...
> ??>>
> ??>> It's not a good idea even with a single switch.
> ??>>
> AN> It is ... you most likely don't need it. Hence turn it off but
> AN> don't forget to have still BPDU guard turned on.
>
> Well, you can do a little experiment - plug a loopback and see what will happen
> with STP and without. Even if you have new IOS based switch with keepalives
> turned on by default it might be up to 10 seconds of downtime before port gets
> disabled.
>

Well, why do you need STP when port security is turned on?



Arnold
--
Arnold Nipper, AN45

Hello, Arnold!
You wrote on Sun, 03 Oct 2004 02:44:05 +0200:

AN> Well, why do you need STP when port security is turned on?

Don't you think it's a strange approach to do two things - 1) disable STP; 2)
enable port security - to achieve behavior provided by default configuration?

Even though port security is very useful thing it's not a direct replacement of
functionality provided by STP in this case.

With best regards,
Andrey.

Hi Andreay,

On 03.10.2004 04:59 Andrey Tarasov wrote:

> Hello, Arnold!
> You wrote on Sun, 03 Oct 2004 02:44:05 +0200:
>
> AN> Well, why do you need STP when port security is turned on?
>
> Don't you think it's a strange approach to do two things - 1) disable STP; 2)
> enable port security - to achieve behavior provided by default configuration?
>

No ... in nowadays switch configuration BPDU guard/filter and port
security is a must.

> Even though port security is very useful thing it's not a direct replacement of
> functionality provided by STP in this case.
>

And turning off unneeded features as well. Hence if I don't need STP I
will turn it off.

As always ... YMMV


Arnold
--
Arnold Nipper, AN45

> On 02.10.2004 23:39 Andrey Tarasov wrote:
[snip: killing STP]
> > It's not a good idea even with a single switch.


In article <cjnel6$bv0$>, arnold- says...
> It is ... you most likely don't need it. Hence turn it off but don't
> forget to have still BPDU guard turned on.

It is not. Because you can't guarantee someone will not create a loop
by accident. It's min sized frames every two seconds...what is the big
deal???


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
************************************************** ******************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
************************************************** ******************

In article <cjolfv$bv0$>, arnold- says...
[snip]
> And turning off unneeded features as well. Hence if I don't need STP I
> will turn it off. As always ... YMMV

Arnold...dollar to donuts I've got more experience than you. I've
personally seen four sites melt down because some IDIOT, yes IDIOT,
turned off STP. That's like saying I don't drive over 10M from my
house, so I'll forgo the insurance.

It's simply not worth it. Unless you can lock the switches, and never
have to recable at 3AM after 15 hours of troubleshooting, leave STP on.


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
************************************************** ******************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
************************************************** ******************

On 05.10.2004 07:45 Hansang Bae wrote:

>>On 02.10.2004 23:39 Andrey Tarasov wrote:
>
> [snip: killing STP]
>
>>>It's not a good idea even with a single switch.
>
>
>
> In article <cjnel6$bv0$>, arnold- says...
>
>>It is ... you most likely don't need it. Hence turn it off but don't
>>forget to have still BPDU guard turned on.
>
>
> It is not. Because you can't guarantee someone will not create a loop
> by accident. It's min sized frames every two seconds...what is the big
> deal???
>
>

BPDU guard and port security is your friend ....



Arnold
--
Arnold Nipper, AN45

Hello, Arnold!
You wrote on Tue, 05 Oct 2004 08:18:42 +0200:

??>> [snip: killing STP]
??>>
??>>>> It's not a good idea even with a single switch.
??>>
??>>> It is ... you most likely don't need it. Hence turn it off but
??>>> don't forget to have still BPDU guard turned on.
??>>
??>> It is not. Because you can't guarantee someone will not create
??>> a loop by accident. It's min sized frames every two
??>> seconds...what is the big deal???
??>>
AN> BPDU guard and port security is your friend ....

Tell us, how are you going to configure port security on ports where you can't
predict number of MAC addresses? Like the ones where wireless access point
connected to?

With best regards,
Andrey.

On 05.10.2004 18:34 Andrey Tarasov wrote:

> AN> BPDU guard and port security is your friend ....
>
> Tell us, how are you going to configure port security on ports where you can't
> predict number of MAC addresses? Like the ones where wireless access point
> connected to?
>

quite easy ... just pick a reasonable number for number of clients for
that acccess-point.



Arnold
--
Arnold Nipper, AN45

Hello, Arnold!
You wrote on Tue, 05 Oct 2004 23:53:15 +0200:

AN> quite easy ... just pick a reasonable number for number of
AN> clients for that acccess-point.

Hmm... We have about 15 access points and more than 300 NICs given out to users.
At any day there is no more than 100 users active total. So how many MAC
addresses should be configured in order to avoid support call saying "We can't
get on a wireless network!" but at the same time to prevent network outage if
loop is going to happen on this port?

Guess what, if you wouldn't mess with STP you wouldn't be doing this exercise.

With best regards,
Andrey.