Network Access Control

SNAC LAN Enforcement: Switch performance/throughput dropped after enabling 802.1x 

Mar 07, 2017 02:02 PM

During most of our SNAC/NAC 802.1x implementations, we would sign off the deployment and leave the city the same day. The next day (and this is almost becoming a trend) we would get calls and complaints that switch performance/throughput had dropped considerably after the SNAC/NAC deployment. The customer's gut feeling was always to contact Cisco for a hardware upgrade and to ask Symantec to provide input for sizing or hardware enhancement.

Hence this article, to highlight the fact that in most cases this issue turned out to be a problem with the STP (802.1D) configuration rather than a sizing gap.

Please read on if you are sailing, or have sailed, in the same boat:

Problem Statement:

The IEEE 802.1D Spanning Tree Protocol (STP) has been part of the industry since 1985. STP, as we know, is a Layer 2 protocol that runs between bridges to create a loop-free network topology. Bridge Protocol Data Units (BPDUs) are packets sent between Ethernet switches (essentially multi-port bridges) to elect a root bridge, calculate the best path to the root and block any ports that would create loops. The resulting tree, with the root at the top, spans all bridges in the LAN, hence the name: spanning tree.

STP is the most efficient means of preventing loops, at least with the default and simplest configuration settings. Because of that, it is easy to leave the parameters untuned and accept the defaults. The result is an STP network without a proper design, and when SNAC is implemented and 802.1x is enabled we are all surprised to discover network issues that are really spanning-tree issues.

There are several aspects of STP that can go wrong; however, I would like to focus on the most common one (the default configuration on Cisco switches): "No Manual Root Bridge Configured".

Having no manually configured root is itself a sign that the STP architecture was never designed. It leaves every switch in the environment at the default root bridge priority of 32768. When all switches share the same priority, the switch with the lowest MAC address is elected as the root bridge.

Many networks have never had a single switch configured with a lower root bridge priority, which is what would force that core switch to be elected as the STP root for any or all VLANs.

Point to ponder: isn't the lowest MAC address generally found on the older, low-end hardware?

In any case, it is entirely possible for a small access-layer switch with a low MAC address to become the STP root. This adds performance overhead and lengthens convergence times, because every time such a switch disappears the root bridge has to be re-elected.


Resolution:

When enabling SNAC and 802.1x, configure the core switches with lower STP priorities so that one of them becomes the root bridge and the other core bridges carry a slightly higher value, ready to take over should the primary core bridge fail. "Tiered" STP priorities on the switches decide which switch becomes root if a bridge fails, and make the STP network behave in a more deterministic manner.

On the primary core Cisco switch you would configure the primary root for all VLANs with this command (the valid VLAN range on Cisco IOS is 1-4094; the original 1-4096 is rejected by the parser):

Switch1(config)# spanning-tree vlan 1-4094 root primary

On the secondary core Cisco switch you would configure the secondary root with this command:

Switch2(config)# spanning-tree vlan 1-4094 root secondary


The net effect of these two commands is to set the primary switch's root bridge priority to 8192 and the secondary switch's root bridge priority to 16384.
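To make the election logic behind the problem statement and the resolution concrete, here is a small model of 802.1D root bridge election. It is an added example and not part of the original article or any Cisco or Symantec tooling; the switch names, MAC addresses and roles are constructed, and the priority values it applies for "root primary" and "root secondary" default to the 8192 and 16384 the article quotes (the exact values the IOS macro assigns vary by platform and release, so pass your own if they differ). It shows the lowest-MAC access switch winning under default priorities, the same fleet after tiering, and which switch takes over when the primary core fails.

```python
# Added example (not from the original article): model of 802.1D root bridge
# election. Switch names, MACs and roles below are constructed for illustration.
from dataclasses import dataclass, replace

DEFAULT_PRIORITY = 32768  # 802.1D default bridge priority on Cisco switches


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                       # bridge MAC address, colon-separated hex
    priority: int = DEFAULT_PRIORITY
    role: str = "access"           # "core" or "access"; constructed label

    def bridge_id(self):
        # Root election compares priority first; the MAC breaks ties (lowest wins).
        return (self.priority, int(self.mac.replace(":", ""), 16))


# Constructed fleet: two core switches plus two access switches. The old
# access switch happens to have the lowest MAC, so it wins under defaults.
DEFAULT_FLEET = [
    Bridge("core1", "00:1a:2b:3c:4d:5e", role="core"),
    Bridge("core2", "00:1a:2b:3c:4d:5f", role="core"),
    Bridge("access-old", "00:00:0c:11:22:33"),
    Bridge("access-new", "00:1b:54:aa:bb:cc"),
]


def elect_root(bridges):
    """Return the bridge with the numerically lowest bridge ID (the STP root)."""
    return min(bridges, key=lambda b: b.bridge_id())


def audit_priorities(bridges):
    """Return findings for the 'no manual root configured' condition."""
    findings = []
    if all(b.priority == DEFAULT_PRIORITY for b in bridges):
        findings.append("every bridge is at the default priority 32768; "
                        "the lowest MAC address decides the root")
    root = elect_root(bridges)
    if root.role != "core":
        findings.append(f"elected root is {root.name}, not a core switch")
    return findings


def apply_tiered_priorities(bridges, primary, secondary,
                            primary_prio=8192, secondary_prio=16384):
    """Model the outcome of 'root primary' / 'root secondary' on two core switches.

    Priority values default to the ones the article quotes; pass others if
    your IOS release assigns different values.
    """
    tiers = {primary: primary_prio, secondary: secondary_prio}
    return [replace(b, priority=tiers.get(b.name, b.priority)) for b in bridges]


def failover_root(bridges, failed_name):
    """Root after the named bridge stops sending BPDUs (re-election)."""
    return elect_root([b for b in bridges if b.name != failed_name])


if __name__ == "__main__":
    print("default root:", elect_root(DEFAULT_FLEET).name)
    for finding in audit_priorities(DEFAULT_FLEET):
        print("finding:", finding)
    tiered = apply_tiered_priorities(DEFAULT_FLEET, "core1", "core2")
    print("tiered root:", elect_root(tiered).name)
    print("after core1 failure:", failover_root(tiered, "core1").name)
    print("findings after tiering:", audit_priorities(tiered))
```

Running it prints access-old as the default root with two findings, then core1 as root after tiering and core2 after the simulated core1 failure, with no findings left. The same audit_priorities check is what you would want to run, against the real priorities from "show spanning-tree", before signing off a SNAC deployment.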

- If you are facing a congestion issue after NAC deployment even after configuring a manual root, feel free to reach me and I'll try to partner with you in finding a solution.
