I'm trying to figure out the appropriate spanning tree protocol settings for a redundant network topology I'm in the process of implementing. The graphic demonstrates what the physical layer will look like (everything in question is labeled accordingly). I'm running all Dell PowerConnect series switches (2848's & 6224's).

    R1       R2
     |        |
     |        |
     |        |
     /\  X  /\
    /  \/ \/  \
   |   /\ /\   |
   |  /  |  \  |
   | / ESW3  \ |
   |/         \|
 ESW1        ESW2


  • R1-2 are routers set up for high availability
  • RSW1-2 (6224's) are root bridge switches
  • ESW1-3 (2848's) are network endpoints and do not directly connect to one another

My intention with this design is to have redundant root/core switches to include redundant router interfaces. In reality, there are 9 ESW* switches, but I scaled it down in my graphic for simplicity.

In order for STP to work efficiently in this design I would need to set the bridge priority to the lowest possible value, let's say 4096, on RSW1 and set the 2nd lowest bridge priority on RSW2 to 8192.

Now, is it necessary to set the switches' bridge priority for ESW1-3 in increments of 4096 starting from 12288, or can I set 12288 for all ESW* switches? It seems inefficient/wasteful having to configure a unique bridge priority for ESW1-3 when they are only endpoints. If RSW1-2 both failed then each ESW* would delegate itself as the root bridge switch because it'll see that it's the only lowest bridge priority accessible. I just want to make sure there aren't any complications or gotchas with that setup.

My next question pertains to the PowerConnect STP port settings. The majority of the ports on ESW1-3 are strictly server nodes and not additional network endpoints. Would it be better to:

  • disable STP for the ports connected to servers, leaving it enabled for network appliances connected to the switch (e.g. additional routers/smaller switches)
  • enable fast link+root guard on the ports connected to servers, but disable fast link with root guard enabled for network appliances

My last question: for optimal performance of STP, are there settings you can suggest (similar to the above question) for the ESW# <-> RSW# ports? In reality they are VLAN-trunked LAG ports.

Let me know if you need any clarification. I appreciate any suggestions.

Regards, Brent


2 Answers


Short answers:

  1. It is not necessary to set STP Priorities on the leaf switches, as they are not connected to each other.
  2. Enable fast link & root guard on the edge ports and just root guard for ports connecting to other switches
  3. Use RSTP, so your network converges faster.



Falk Stern

The Spanning Tree Algorithm in use by 802.1d (STP), 802.1w (RSTP), and 802.1s (MST) states that the bridge (switch) with the lowest bridge ID (BID) will become the root bridge. The bridge ID is composed of a 2 byte priority value followed by a 6 byte MAC address (usually a burned-in address [BIA] on the switch). As such, even if you were to configure two bridges with the same priority value -- their BIDs would be different. The lower BID would win and become the root bridge.

Note that a feature known as "System ID" or MAC Address Reduction is often used, changing the way the 2 byte priority value is used. In such a case, the 2 byte priority field is further broken into a 4 bit priority field and 12 bit VLAN ID field. This is used with Per-VLAN spanning tree, Rapid Per-VLAN Spanning Tree, and MST to hold both the priority of the bridge and the respective VLAN ID or MST instance number in the BPDU. Regardless of System ID, the overall lowest BID will always win/be root.


  1. Use Multi-Spanning Tree Protocol (MST/MSTP) instead of RSTP if you have a green field network and your devices support it. It scales better and requires less CPU as the number of VLANs increases.
  2. Configure your aggregation switches (looks like a collapsed core) (RSW) with the lowest STP bridge priorities. Choose one as the lowest and root.
  3. Leave your access/edge switches (ESW) alone as far as STP bridge priority is concerned. If both your aggregation switches fail (leaving you without an administratively configured STP root) the lack of administratively configured STP root will be the least of your problems.
  4. Configure the relevant ports on the access/edge switches (ESW) with the fast link (Cisco calls it PortFast) feature.

Optional - The points below lock down spanning tree. Configure with caution.

  1. If you desire, configure Root Guard (Cisco also calls the feature Root Guard) on the necessary access ports on the access/edge switches (except their uplinks to the core).
  2. If you desire to lock down spanning tree even more than Root Guard, configure BPDU Guard (Cisco also calls the feature BPDU Guard) on the necessary access ports on the access/edge switches (except their uplinks to the core).

Note that Root Guard and BPDU Guard cannot be enabled at the same time. BPDU Filter is another option to explore but I recommend staying away from it as BPDU Filter can allow loops to form.

  • Weaver, thank you for the additional information/clarification. I would have considered moving over to that protocol as you suggested, but that idea was dead in the water when I noticed that these edge switches (PowerConnect 2848) don't support 802.1s/MSTP. – xtrusion May 15 '12 at 17:13
  • When you say to leave the bridge priority alone for the edge switches, what value would you consider? I know that the edge switches still need to be enrolled in the STP protocol so I'd have to set their bridge ID to something meaningful. A value above the root bridge ID 4096 (referencing my examples), but lower than 32768. I learned from a situation where a similar bridge switch (multiple endpoints) took priority due to the default bridge ID of 32768 on most appliances. It was a network appliance that showed up on our network that I (we) didn't/don't manage -- costly mistake. – xtrusion May 15 '12 at 17:25
  • @xtrusion Default bridge *priority* is generally 32768. The bridge ID combines bridge priority and a MAC address. By setting the priority value on your cores to 4096 (and 8192) the 4096 will become the STP root as its bridge ID (which includes the priority) is the lowest. With all other bridges defaulting to 32768 you do not have to be concerned with other bridges becoming the root (unless your cores fail). Combined with Root Guard it is a simple and safe design for a small/medium size network. – Weaver May 16 '12 at 22:27
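
The election rule discussed in the second answer and its comments, as an added example that is not part of the original thread: it builds the 8-byte bridge ID (priority field plus MAC) and picks the lowest one, using the thread's priorities (4096, 8192, default 32768). The MAC addresses, the `Bridge` class and the helper names are constructed for illustration.

```python
from dataclasses import dataclass

PRIORITY_STEP = 4096  # configurable priorities are multiples of 4096 (top 4 bits)

@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0..61440
    mac: str        # constructed sample addresses, not real devices
    vlan: int = 0   # 12-bit System ID extension; 0 when unused

    def bid(self) -> bytes:
        """8-byte bridge ID: 2-byte priority field followed by the 6-byte MAC."""
        if self.priority % PRIORITY_STEP or not 0 <= self.priority <= 61440:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096 in 0..61440")
        if not 0 <= self.vlan <= 4095:
            raise ValueError(f"{self.name}: VLAN/instance must fit in 12 bits")
        mac = bytes.fromhex(self.mac.replace(":", ""))
        if len(mac) != 6:
            raise ValueError(f"{self.name}: MAC must be 6 bytes")
        return (self.priority | self.vlan).to_bytes(2, "big") + mac

def elect_root(bridges):
    """The bridge with the numerically lowest BID becomes root."""
    return min(bridges, key=lambda b: b.bid())

def outranks(bridges, intended_root):
    """Names of bridges whose BID beats the intended root (the case Root Guard blocks)."""
    return [b.name for b in bridges if b.bid() < intended_root.bid()]

# Constructed topology using the priorities from the thread.
RSW1 = Bridge("RSW1", 4096, "02:00:00:aa:00:01")
RSW2 = Bridge("RSW2", 8192, "02:00:00:aa:00:02")
EDGE = [Bridge("ESW1", 32768, "02:00:00:bb:00:30"),
        Bridge("ESW2", 32768, "02:00:00:bb:00:20"),
        Bridge("ESW3", 32768, "02:00:00:bb:00:10")]
# An unmanaged device left at the default priority, with a low MAC.
UNMANAGED = Bridge("appliance", 32768, "02:00:00:00:00:01")

if __name__ == "__main__":
    print(elect_root([RSW1, RSW2, *EDGE, UNMANAGED]).name)  # cores up
    print(elect_root([RSW2, *EDGE, UNMANAGED]).name)        # RSW1 failed
    print(elect_root([*EDGE, UNMANAGED]).name)              # both cores failed
    print(outranks([RSW2, *EDGE, UNMANAGED], RSW1))         # audit against RSW1
```

With equal priorities the MAC alone decides, so leaving every edge switch at the same value is harmless while a core is up, and any device whose BID is lower than the intended root's shows up in `outranks`.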