Bridge assurance vs Loop Guard
Hi all!
I can't understand the practical advantages of Bridge Assurance compared with Loop Guard.
What exactly can BA do that Loop Guard can't?
Thank you!!
Hi,
I hope you have already read the links below, which give a detailed explanation of what these two STP features do:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/stp_enha.html#wp1052528
http://www.netcraftsmen.net/blogs/entry/what-is-bridge-assurance.html
There are a few scenarios where LoopGuard would not be effective at detecting loops and/or unidirectional links.
- It can only be enabled on root and alternate ports. It CANNOT run on 'designated ports'.
- It is ineffective at detecting a port that has been unidirectional since link-up.
Bridge Assurance (BA) is effective at mitigating those remaining scenarios that LoopGuard could not.
BA works because it turns STP into operating more like a routing protocol where BPDUs now go both ways on a given link verifying device health/awareness / lack of braindeadness.
i.e. it turns STP from traditional "fail open" behavior to "fail closed".
compare figure 1 to figure 3 in
<http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/layer2/configuration/guide/Cisco_Nexus_7000_Series_NX-OS_Layer_2_Switching_Configuration_Guide_Release_4.2_chapter7.html#con_1285149>
and it should be clear.
HTH
Regards
Inayath
***** Please rate this post if the info is useful.
Similar Messages
-
3750x2 Disable loop guard and the effect on connectivity
Hello,
I have two buildings about 500 yards apart. They are connected via a Lightpointe FSO (Free Space Optics) Laser and Airbridge (802.11n RF) point to point bridge. The transport up to the head is done via a multimode fiber optic cable.
When the signal level is good, FSO can achieve the full 1gbps link between buildings. When the signal level falls below a definable threshold (in my case 250 mV), the Airbridge 802.11n RF point to point takes over. This runs in the 5 GHz band on a 40 MHz channel, theoretic speed of 144 to 300mbps.
The issue I have is when this failover occurs, the switch port will go into Loopguard_block and the remote building is dead in the water. I happened to be over there today when this occurred and my quick fix was to unplug the fiber and plug it back in. I since changed the thresholds and widened the window for the Laser to RF failover. If the signal is below 250 mV, it fails over to RF. It does not attempt to return to Laser until the signal hits 350 mV. This "deadband" of 100 mV is to prevent flapping. Previously it was a low of 250 and a high of 300. So hopefully this helps.
However if I were to want to disable Loop Guard, can I do it and what kind of ill effects would that have - if any? Would I do this at both endpoints, or just the remote location? The other end is our HQ and it goes right into the core switch stack (a group of 3750 switches).
sh log on remote switch
001056: Apr 30 18:04:12.261: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001057: Apr 30 18:04:12.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
001058: Apr 30 18:07:50.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
001059: Apr 30 18:07:52.853: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
001060: Apr 30 18:07:52.920: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
001061: Apr 30 18:43:32.900: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001062: Apr 30 18:43:32.908: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
001063: Apr 30 18:43:32.925: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
001064: Apr 30 18:43:33.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
001065: Apr 30 20:06:40.829: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001066: Apr 30 20:06:40.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
001067: Apr 30 20:06:40.863: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
001068: Apr 30 20:06:40.913: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
Physical connectivity:
Cat6 cable solely for powering (not connected to switch - connected to Lightpointe 48vdc power injector)
multimode fiber cable connected to Lightpointe FSO head.
FSO head has a cat 5e data port that passes power and data to a ubiquiti AirOS 5 powered nanostation (they brand this Airbridge).
Something internally in the FSO linkhead shifts the data flow to the ubiquiti nanostation (and back) automatically. Regardless of this activity, all data traverses that multimode fiber. We do not handle any type of routing as the Lightpointe unit does it itself. It is supposed to look like an ethernet handoff.
We use VLAN44 (192.168.4.1) as a transport network and the switches are in layer 3 mode.
Ok this is from the vendor:
On a Cisco 3750x2 L3 switch, would there be any special port config statements to mitigate this? Should not be needed, but you can turn off Spanning Tree since the redundancy is being handled by the laser / RF combination on the roof.
So if I put spanning-tree portfast on the uplink port at the HQ and at the Remote side, that would effectively turn off spanning tree and prevent the port from going into loopguard? Am I correct? If the hardware on the roof handles 100% of the laser or RF mode of operation, then I don't need the Cisco switch to intervene. Thoughts? -
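An added example, not part of the original thread: a small Python parser that pairs each LOOPGUARD_BLOCK with the event that ended it, using the log lines from the post above. It shows that the first block only cleared when the physical link bounced, while the later two cleared themselves within milliseconds. The function and field names are hypothetical, and the year is an assumption because IOS timestamps carry none; the same pattern also accepts relayed lines that carry a second, outer syslog timestamp.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Lines copied from the "sh log" output in the post above.
SAMPLE_LOG = """\
001056: Apr 30 18:04:12.261: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001057: Apr 30 18:04:12.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
001058: Apr 30 18:07:50.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
001059: Apr 30 18:07:52.853: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
001060: Apr 30 18:07:52.920: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
001061: Apr 30 18:43:32.900: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001062: Apr 30 18:43:32.908: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
001063: Apr 30 18:43:32.925: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
001064: Apr 30 18:43:33.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
001065: Apr 30 20:06:40.829: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001066: Apr 30 20:06:40.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
001067: Apr 30 20:06:40.863: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
001068: Apr 30 20:06:40.913: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
"""

# The device timestamp sits directly in front of the message mnemonic; an
# optional zone word (e.g. "cet") may follow it. Anything earlier on the
# line, such as a syslog relay prefix, is skipped by re.search().
_TS = (r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
       r"(?P<time>\d\d:\d\d:\d\d\.\d+)(?:\s+\w+)?:\s+")
GUARD_RE = re.compile(
    _TS + r"%SPANTREE-2-LOOPGUARD_(?P<kind>BLOCK|UNBLOCK): "
    r"Loop guard (?:un)?blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)")
LINK_RE = re.compile(
    _TS + r"%LINEPROTO-5-UPDOWN: Line protocol on Interface "
    r"(?P<port>[^\s,]+), changed state to (?P<state>up|down)")

ASSUMED_YEAR = 2000  # assumption: the log has no year; only deltas matter


def _when(m):
    stamp = f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")


@dataclass
class Episode:
    port: str
    vlan: str
    start: datetime
    end: Optional[datetime] = None
    cleared_by: Optional[str] = None  # "unblock", "link-down", None = still blocked

    @property
    def duration_s(self):
        if self.end is None:
            return None
        return round((self.end - self.start).total_seconds(), 3)


def pair_loopguard_events(text):
    """Return one Episode per loop-guard block, in order of occurrence."""
    open_eps, episodes = {}, []
    for line in text.splitlines():
        g = GUARD_RE.search(line)
        if g:
            key = (g["port"], g["vlan"])
            if g["kind"] == "BLOCK":
                if key not in open_eps:  # ignore a repeated BLOCK for the same key
                    open_eps[key] = Episode(g["port"], g["vlan"], _when(g))
                    episodes.append(open_eps[key])
            elif key in open_eps:
                ep = open_eps.pop(key)
                ep.end, ep.cleared_by = _when(g), "unblock"
            continue
        link = LINK_RE.search(line)
        if link and link["state"] == "down":
            # A link-down on the physical port ends every open block on it.
            for key in [k for k in open_eps if k[0] == link["port"]]:
                ep = open_eps.pop(key)
                ep.end, ep.cleared_by = _when(link), "link-down"
    return episodes


def summarize(episodes):
    """Per (port, vlan): block count, how each block ended, longest block."""
    out = {}
    for ep in episodes:
        s = out.setdefault((ep.port, ep.vlan), {
            "blocks": 0, "self_cleared": 0, "link_down": 0,
            "still_blocked": 0, "longest_s": 0.0})
        s["blocks"] += 1
        bucket = {"unblock": "self_cleared", "link-down": "link_down"}
        s[bucket.get(ep.cleared_by, "still_blocked")] += 1
        s["longest_s"] = max(s["longest_s"], ep.duration_s or 0.0)
    return out


if __name__ == "__main__":
    for ep in pair_loopguard_events(SAMPLE_LOG):
        print(ep.port, ep.vlan, ep.start.time(), ep.cleared_by, ep.duration_s)
```
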
I am planning to enable the loop guard option. I just want to know whether there will be any STP topology change (topology recalculation).
I suppose everybody thinks they know what they are doing when they are doing it.
Configuring portfast on a live switch can be very dangerous.
Scenario:
Two access switches are uplinked to a pair of core switches without portfast enabled on the access ports. A user has connected a hub in a conference room and mistakenly connected 2 ports on the hub to the network, one to each access switch. An engineer configures portfast on the access switches and a bridge loop is created. So much traffic floods through the loop that HSRP and routing protocols start breaking, STP is unable to break the loop. The whole network comes to a standstill.
This isn't something made up. This has actually happened. I was called to the scene to help clean up the mess. -
Disable Bridge Assurance breaks the vPC on NEXUS 5500?
I'm trying to figure out a way to disable Bridge Assurance "spanning-tree port type normal" without breaking the vPC connection between two datacentres.
Considering the diagram attached, I'm hoping to configure vPC 10 without any disruption.
I was thinking of the following procedure:
"shutdown" switchports for vPC 10 (on the left link)
configure switches on the left of both domains with "spanning-tree port type normal"
"no shutdown" switchports for vPC 10 (at this point one link will have BA enabled and the other will have BA disabled...is this a problem??)
repeat process on the other 2 switches
I really need to be sure of a non-disruptive way to do this because, if vPC 10 breaks both firewalls will be active at the same time and that's not going to be pretty :)
First Reload
CORE-B# 2009 Mar 5 12:53:37 CORE-B %$ VDC-1 %$ %VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary
2009 Mar 5 12:53:43 CORE-B %$ VDC-1 %$ %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 10, VPC peer keep-alive receive has failed
Second Reload
CORE-B# 2009 Mar 5 13:02:59 CORE-B %$ VDC-1 %$ %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 10, VPC peer keep-alive receive has failed
I’m consoled in to CORE-B, ssh’d to CORE-A and reloading CORE-A (The primary). No changes at all between the two reloads.
During the first one, it seems to lose the VPC peer link before it loses the keepalives, so it suspends all the VPC’s on B and I lose everything for a while.
During the second one, it loses the peer keepalive first and all is good. -
Why would you NOT enable Loop Guard on switch ports?
Hello
Why would you NOT enable Loop Guard on switch ports?
It is disabled by default on all ports.
Since it prevents loops, in the absence of receiving BPDUs on non-designated ports, why would it not be enabled by default?
Ziffy wrote:
The Galaxy S4 supports Google Wallet, but yet you block it from being used. Why exactly? This is not right. I suggest you enable it before you start losing customers. Is there anybody out there that would like to start a petition? Perhaps look into whether or not this is actually legal? Seems like unfair practices to me. Thoughts?
Good luck with that. FCC already did and have left it alone... My theory is because... Google charges carriers to use allow devices to use it. At one point Sprint paid to go exclusive for wallet. FCC can't force you to buy your competitors product. -
Spantree Loop Guard (question)
Hi All,
I would like to ask about one feature:-
(Spantree loopguard default), what does this feature provide?? And when should I use it??
Hello,
I've never seen it configured in the networks I've worked on, but loopguard is an STP feature that will monitor ports that were once receiving BPDU packets. If these ports stop receiving them, this could create a loop, so if you have loopguard enabled on this port the STP will block the port from going to FWD state.
Check:
"The loop guard is intended to provide additional protection against L2 forwarding loops (STP loops). An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) stopped receiving STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs, depending on the port role (designated port transmits, non-designated port receives BPDUs).
When one of the ports in a physically redundant topology stops receiving BPDUs, the STP conceives the topology as loop free. Eventually, the blocking port from the alternate or backup port becomes designated, and moves to forwarding state, thus creating a loop.
With the loop guard, an additional check is made. If BPDUs are not received any more on a non-designated port and the loop guard is enabled, that port will be moved into the STP loop-inconsistent blocking state instead of moving to the listening / learning / forwarding state. Without the loop guard, the port would assume the designated port role. The port would move to STP forwarding state, and thus create a loop.
So, on which ports should the loop guard be enabled? The most obvious answer is on the blocking ports. However, this is not totally correct. The loop guard needs to be enabled on the non-designated ports (more precisely, on root and alternate ports) for all possible combinations of active topologies."
HTH,
if it does, I'd appreciate if you rated this post.
Vlad -
Loop guard & udld aggressive - etherchannel
Hi,
Can anybody pls share whether I need to enable loop guard & udld aggressive config on Ether-Channel
what is the Cisco recommendation / Pls share the document for the same
Also pls share in case the same is required on Physical interface or on Port-channel interface,
As per my understanding it is required on Physical interface
Br/Subhojit
what is the Cisco recommendation / Pls share the document for the same
Link: STP Enhancements using Loop Guard and BPDU Skew Detection Features # Loop Guard versus UDLD
"(...) UDLD might be more flexible in the case of unidirectional links on EtherChannel. In this case, UDLD disables only failed links, and the channel should remain functional with the links that remain. In such a failure, the loop guard puts it into loop-inconsistent state in order to block the whole channel."
HTH
Rolf -
Hi everyone, I've a question for you guys:
Please check this topology: http://www.cisco.com/warp/public/473/84d.gif
I've read that you must enable loop guard on every nondesignated port (root and alternate ports) to prevent unidirectional related loops. I understand the situation where switch C unblocks the AP port and causes a loop. But what if the link is not unidirectional, what if switch B has some problem and indeed switch C should forward traffic to the segment C-B? Is there a difference between the link going down (disconnected) and just stopping seeing BPDUs?
Also, why would anyone configure loop guard on a root port? If for example, SWC stops seeing BPDUs from SWA, what would loop guard do? put the port in a block state or it would recalculate its Root port (port to SWB) and put the port to SWA into a designated state (after not receiving BPDUs from SWA)? I'm very confused, any help would be greatly appreciated.
Omar Montes
The assumption made by STP is that if a link is not able to transmit BPDU, it is down. So if there is bidirectional link failure, the case is natively handled by STP. If there is only unidirectional link failure, you could end up with a unidirectional loop (which is about as bad as a bidirectional loop;-))
Loopguard is relevant on each port that is supposed to continuously receive BPDU. If your root port stops receiving BPDU, STP will move it to designated and elect a new root port. This is ok if your old root port cannot receive and transmit traffic. However, if the link is unidirectional and the port does not get blocked by loopguard, you will have a loop through the old and the new root port (in one direction only, the old root port TX direction).
Configuring loopguard on a designated port will not cause any problem anyway, so in fact you can configure loopguard blindly on all the ports.
The IEEE introduced a feature (the dispute mechanism) that works much better than loopguard in order to protect against unidirectional link failure. However, this mechanism requires an RSTP bpdu format. It is currently only implemented in MST on cisco switches (it will be soon available in rapid-pvst). No need to use loopguard with the latest MST code at least.
Regards,
Francois -
Playbook 64gb
Software 2.0.1.358
Free storage 59.4gb
Torch 9800
Yes Optus - Australia
Software 6.0 bundle 3049 v6.0.0.706 platform 6.6.0.246
Free memory 268562422 Bytes
Application Memory Free space 256.1mb
Device memory free space 3.6gb
Blackberry Bridge – Email goes into a loop
The indicator on the top left will show I have 4 emails. I then open BB Bridge and open Messages – I see the shape of two rectangles filling the screen, then a full white screen, then black then back to rectangles, white, black …again and again .. All the while the green circle (hourglass) goes around. It is as if it has hit a programming loop. I can exit it, and go to other Bridge options such as Contacts, calendar and they all work perfect.
I have tried restarts, I have tried breaking the link and reconnecting, I have tried removing and reinstalling bridge on my Torch
It was working …. And I can’t think of any install or changes made since it worked.
Any suggestions? I have run out of options.
Thanks !
Gary
Lost_at_Sea wrote:
Have you tried the three button reset. It is similar to Control - Alt - Delete on the computer. Hold down the Power Button and both volume buttons at the same time for 15 seconds and then wait 1 minute. Then hold down the power button only until the red light flashes then release it. The PB will restart in about 4 minutes. Report back.
The procedure that you are suggesting does not work with this specific problem, I have personally tried it, I even re-installed the OS on my Bold 9900, I have a new OS 7.1 on it, and then I was forced when I attempted to make a backup to reset the Playbook to factory setting, and I still have the same problem as mentioned by the OP
Using the Playbook and the Z10 and the Z30 and loving them
Martin -
Hi,
We have 45xx switch & we enabled spanning tree root guard on ports connected with access switch via fiber uplink
& we enable spanning tree loop guard on access switch side
One of my core switch port connected to Juniper Netscreen Firewall
Whether I need to enable spanning tree guard root on the same port on core switch side ? or not
In case of yes, any config changes required on Juniper Netscreen box
Br/Subhojit
Hi, Pls find the output
Port 130 (GigabitEthernet3/2) of VLAN0054 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.130.
Designated root has priority 8246, address 001b.d474.8a40
Designated bridge has priority 16438, address 001b.0cee.0440
Designated port id is 128.130, designated path cost 3
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu filter is enabled
Root guard is enabled on the port
BPDU: sent 5847158, received 0
Present the bold config enabled on the port
Br/Subhojit -
Stp loop, Not able to trace source
Hello,
I am new to cisco switches and learning about cisco switches now. We have a LAN with 6509 as core router and 2950s/3550s as access switches.
When I ran wireshark on my machine, I saw an stp loop repeating from a cisco device. I have noted down the MAC-address and tried in vain to find the same in our LAN. I am seeing packets like Address: "Spanning-tree-(for-bridges)_00" and "loop reply". I am not able to see any of the MAC addresses found in this loop conversation, on my LAN. I read that these loops are not good for the network. Where can I start to resolve this problem?
Thanks in advance for your advice.
There is likely no problem at all. ;-)
If you were really experiencing a loop, you would have other problems.
Best for you will be to start making a study of spanning tree (STP) and its inner workings. Here is a good starting point:
http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_protocol_home.html
Armed with this knowledge you can try to analyze the traffic that was observed by wireshark.
regards,
Leo -
Bridge continually locking, can't access emails
password unlock keeps coming up. opens email, then the locked screen appears.
have rebooted playbook, re paired devices.
any suggestions, frustrating
thank you in advance
I've Cracked It!
I have had my PB for 2 days and whilst this worked fine to start with, I then found the "Bridge is Locked" loop. After reading several forums all saying that I had to do a security wipe on either the PB or the BB and not wanting to do either, I decided to do a little investigating on my own and voila! I did it.
First delete the PB from Bridge on the BB.
Second remove ALL bluetooth paired devices from the PB
Third go through the Bridge setup process using the QR code.
All fixed.
I hope this helps others too.
BTW: I have a Bold 9900 and a PB 64GB with OS 2.0.1. -
Switching Best Practice - Spanning Tree and Etherchannel
Dear All,
Regarding best practice related to Spanning Tree and Etherchannel, we have decided to configure following.
1. Manually configure STP Root Bridge.
2. On end ports, enable portfast and bpduguard.
3. On ports connecting to other switches enable root guard.
In etherchannel config, we have kept mode on on both side, need to change to Active and desirable as I have read that mode on may create loops? Please let me know if this is OK and suggest if something missing.
Thank You,
Abhisar.
Hi Abhisar,
Regarding your individual decisions: Manually configuring the Root Bridge is a natural thing to do. You should never leave your network just pick up a root switch based on default switch settings.
On end ports, using PortFast and BPDU Guard is a must especially if you are running Rapid PVST+ or MSTP.
Regarding the Root Guard on ports to other switches - this is something I do not recommend. The Root Guard is a protective mechanism in situations when your network and the network of your customer need to form a single STP domain, yet you want to have the STP Root Bridge in your network part and you do not want your customer to take over this root switch selection. In these cases, you would put the Root Guard on ports toward the customer. However, inside your own network, using Root Guard is a questionable practice. Your network can be considered trustworthy and there is no rogue root switch to protect against. Using Root Guard in your own network could cause your network to be unable to converge on a new workable spanning tree if any of the primary links failed, and it would also prevent your network from converging to a secondary root switch if the primary root switch failed entirely. Therefore, I personally see no reason to use Root Guard inside your own network - on the contrary, I am concerned that it would basically remove the possibility of your network to actually utilize the redundant links and switches.
Regarding EtherChannels - yes, you are right, using the on mode can, under circumstances, lead to permanent switching loops. EtherChannel is one of few technologies in which I wholeheartedly recommend relying on a signalling protocol to set it up, as opposed to configuring it manually. The active mode is my preferred mode, as it utilizes the open LACP to signal the creation of an EtherChannel, and setting both ends of a link to active helps to bring up the EtherChannel somewhat faster.
If you are using fiber links between switches, I recommend running UDLD on them to be protected against issues caused by uni-directional links. UDLD is not helpful on copper ports and is not recommended to be run on them. However, I strongly recommend running Loop Guard configured globally with the spanning-tree loopguard default. Loop Guard can, and should, be run regardless of UDLD, and they can be used both as they nicely complement each other.
My $0.02...
Best regards,
Peter -
Hi,
I'm working for a company that has 2x 6500 chassis switches in the main building as Core switches (CORE1 and CORE2). There are 3 other buildings that house employees (Building 2 and Building 3) and a DR site. The "Core" switches at these other buildings are 3750 switches (stacks of 2). The buildings are connected with 1Gb fibre (MM) leased lines in a square:
Since a few days we are seeing a lot of spanning tree recalculations on the Core switches of Building 2 and 3 which causes a lot of network issues for the people in those buildings. More precisely the Gi1/0/1 interface on both core switches of those buildings (see red crosses in picture) are constantly displaying these messages:
Feb 3 10:25:31 Building2-CORE 801113: 690303: Feb 3 10:24:20.544 cet: RSTP(750): Gi1/0/1 rcvd info expired
Feb 3 10:25:31 Building2-CORE 801114: 690304: Feb 3 10:24:20.544 cet: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/0/1 on VLAN0750.
Feb 3 10:25:32 Building2-CORE 801115: 690305: Feb 3 10:24:20.544 cet: RSTP(750): updt roles, information on root port Gi1/0/1 expired
Feb 3 10:25:32 Building2-CORE 801116: 690306: Feb 3 10:24:20.544 cet: RSTP(750): we become the root bridge
Feb 3 10:25:32 Building2-CORE 801117: 690307: Feb 3 10:24:20.552 cet: RSTP(750): updt roles, received superior bpdu on St1
Feb 3 10:25:32 Building2-CORE 801118: 690308: Feb 3 10:24:20.552 cet: RSTP(750): St1 is now root port
Feb 3 10:25:32 Building2-CORE 801119: 690309: Feb 3 10:24:20.552 cet: RSTP(750): synced St1
Feb 3 10:25:32 Building2-CORE 801120: 690310: Feb 3 10:24:20.561 cet: RSTP(750): transmitting an agreement on St1 as a response to a proposal
Feb 3 10:26:21 Building2-CORE 801193: 690383: Feb 3 10:25:10.910 cet: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/0/1 on VLAN0750.
Feb 3 10:26:21 Building2-CORE 801194: 690384: Feb 3 10:25:10.910 cet: RSTP(750): initializing port Gi1/0/1
Feb 3 10:26:21 Building2-CORE 801195: 690385: Feb 3 10:25:10.910 cet: RSTP(750): Gi1/0/1 is now designated
Feb 3 10:26:21 Building2-CORE 801196: 690386: Feb 3 10:25:10.910 cet: RSTP(750): updt roles, received superior bpdu on Gi1/0/1
Feb 3 10:26:21 Building2-CORE 801197: 690387: Feb 3 10:25:10.910 cet: RSTP(750): Gi1/0/1 is now root port
Feb 3 10:26:21 Building2-CORE 801198: 690388: Feb 3 10:25:10.910 cet: RSTP(750): St1 blocked by re-root
Feb 3 10:26:21 Building2-CORE 801199: 690389: Feb 3 10:25:10.910 cet: RSTP(750): St1 is now designated
Feb 3 10:26:21 Building2-CORE 801209: 690399: Feb 3 10:25:10.919 cet: RSTP(750): transmitting a proposal on St1
Feb 3 10:26:21 Building2-CORE 801211: 690401: Feb 3 10:25:10.927 cet: RSTP(750): synced Gi1/0/1
Feb 3 10:26:22 Building2-CORE 801212: 690402: Feb 3 10:25:10.927 cet: RSTP(750): received an agreement on St1
And less than a minute later the same again. This is happening with all VLANs. There's about 125 VLANs and all go over the square.
From what I understand this means BPDU packets are not received in time (2 seconds) and spanning tree starts recalculation. We already asked the provider of the leased lines to test them but they claim nothing is wrong with them. It's also a bit weird that we are seeing this on 2 different places (physically different locations and lines).
CPU usage looks normal (around 14%) on all switches in this square. Since it's happening on 2 locations I don't think a faulty cable or SFP is causing this.
Any ideas from you guys?
Regards
Hi,
All links between the buildings are configured as trunks indeed with no VLAN restrictions (all VLANs allowed).
Here is the extract of the command on all 5 switches/stacks:
MAIN-CORE1#sh spanning-tree vlan 750
VLAN0750
Spanning tree enabled protocol rstp
Root ID Priority 8192
Address 001c.0edc.eaee
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 8192
Address 001c.0edc.eaee
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
Gi1/3 Desg FWD 4 128.3 P2p
Gi1/4 Desg FWD 4 128.4 P2p
Gi1/5 Desg FWD 4 128.5 P2p
Gi1/6 Desg FWD 4 128.6 P2p
Gi1/7 Desg FWD 4 128.7 P2p
Gi2/22 Desg FWD 4 128.150 P2p
Gi2/23 Desg FWD 4 128.151 P2p
Po10 Desg FWD 3 128.1666 P2p
Interface Role Sts Cost Prio.Nbr Type
Po11 Desg FWD 3 128.1667 P2p
MAIN-CORE2#sh spanning-tree vlan 750
VLAN0750
Spanning tree enabled protocol rstp
Root ID Priority 8192
Address 001c.0edc.eaee
Cost 3
Port 1666 (Port-channel10)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384
Address 001c.0edc.daee
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
Gi1/3 Desg FWD 4 128.3 P2p
Gi1/4 Desg FWD 4 128.4 P2p
Gi1/5 Desg FWD 4 128.5 P2p
Gi1/6 Desg FWD 4 128.6 P2p
Gi1/9 Desg FWD 4 128.9 P2p
Po10 Root FWD 3 128.1666 P2p
Po21 Desg FWD 4 128.1667 P2p
Building2-CORE1#show spanning-tree vlan 750
VLAN0750
Spanning tree enabled protocol rstp
Root ID Priority 8192
Address 001c.0edc.eaee
Cost 7
Port 1 (GigabitEthernet1/0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33518 (priority 32768 sys-id-ext 750)
Address 108c.cf03.1d00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
Gi1/0/1 Root FWD 4 128.1 P2p
St1 Desg FWD 100 128.872 P2p
Gi2/0/1 Desg FWD 4 128.55 P2p
Building3-CORE1#show spanning-tree vlan 750
VLAN0750
Spanning tree enabled protocol rstp
Root ID Priority 8192
Address 001c.0edc.eaee
Cost 11
Port 55 (GigabitEthernet2/0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33518 (priority 32768 sys-id-ext 750)
Address 8cb6.4fb9.7300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
Gi1/0/1 Root BKN*4 128.1 P2p *LOOP_Inc
St1 Root FWD 100 128.872 P2p
Gi2/0/1 Root FWD 4 128.55 P2p
DR-01#show spanning-tree vlan 750
VLAN0750
Spanning tree enabled protocol rstp
Root ID Priority 8192
Address 001c.0edc.eaee
Cost 4
Port 54 (GigabitEthernet2/0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33518 (priority 32768 sys-id-ext 750)
Address 0013.c37a.e300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
Gi2/0/2 Root FWD 4 128.54 P2p
Gi1/0/1 Desg FWD 4 128.1 P2p
Fa1/0/13 Desg FWD 19 128.15 P2p
Here is the config of MAIN-CORE1 (I removed most interfaces, VLAN interfaces and ACL's from it):
MAIN-CORE1#sh run
Building configuration...
Current configuration : 44402 bytes
upgrade fpd auto
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
hostname MAIN-CORE1
boot-start-marker
boot system flash sup-bootdisk:s72033-ipservicesk9-vz.122-33.SXI6.bin
boot system flash sup-bootdisk:s72033-ipservicesk9-vz.122-18.SXF8.bin
boot-end-marker
security passwords min-length 1
logging buffered 5000000
no logging console
no logging monitor
aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa session-id common
clock timezone cet 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip domain-lookup
ip tftp source-interface Vlan60
ip ftp source-interface Vlan60
ip flow ingress layer2-switched vlan 20
ip sla 3
icmp-echo 172.31.99.5 source-ip X.X.X.X
timeout 2000
frequency 5
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo X.X.X.X source-ip X.X.X.X
frequency 5
ip sla schedule 4 life forever start-time now
udld aggressive
udld message time 7
mls qos map cos-dscp 0 10 18 24 34 46 48 56
mls qos
mls netflow interface
no mls acl tcam share-global
mls cef error action freeze
errdisable recovery cause udld
errdisable recovery cause security-violation
errdisable recovery cause psecure-violation
errdisable recovery interval 30
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree vlan 1,21,166,168,210,842-843 priority 16384
spanning-tree vlan 2-3,7,10,17-18,28,41,44,60,70,78,96,110,112 priority 8192
spanning-tree vlan 121-122,125,127,140,169-170,199,209,213-214 priority 8192
spanning-tree vlan 220-221,253-254,299,318-322,343,350,411,415 priority 8192
spanning-tree vlan 420-421,425,430,450-451,460,500-501,540,602 priority 8192
spanning-tree vlan 650,702,710-716,740,750,895,900-902,910,920 priority 8192
spanning-tree vlan 940 priority 8192
spanning-tree vlan 20 priority 9
spanning-tree vlan 40 priority 8191
redundancy
main-cpu
auto-sync running-config
mode sso
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
class-map match-any test
class-map match-all DoubleTake_map
match access-group name DoubleTake
policy-map DoubleTake_Pol
class DoubleTake_map
set ip dscp af41
interface Port-channel10
description connection between cores
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
mls qos trust cos
interface GigabitEthernet1/3
description Trunk To access-sw1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 17,20,100,112,140,209,300,740,750
switchport mode trunk
switchport nonegotiate
mls qos trust cos
interface GigabitEthernet1/4
description Trunk To access-sw2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 17,20,27,100,112,209,740,750
switchport mode trunk
switchport nonegotiate
interface GigabitEthernet1/5
description Trunk To access-sw3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 17,20,70,112,209,221,740,750,901,902
switchport mode trunk
switchport nonegotiate
interface GigabitEthernet1/6
description Trunk To access-sw4
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,17,20,28,60,70,100,112,140,209,220,300,343
switchport trunk allowed vlan add 350,540,602,640,641,740,750,840-842,902
switchport mode trunk
switchport nonegotiate
mls qos trust cos
interface GigabitEthernet1/7
description Trunk to DR
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
speed nonegotiate
mls qos trust cos
interface GigabitEthernet2/22
description Link to FW1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,40,165,211-214,220,318,420,451,501,650,651
switchport trunk allowed vlan add 750
switchport mode trunk
logging event link-status
logging event spanning-tree status
load-interval 30
interface GigabitEthernet2/23
description link to FW1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 78,121,122,124-127,221,319-322,411,415,425,430
switchport trunk allowed vlan add 450,460,461,465,602,712,713,716,750
switchport mode trunk
logging event link-status
logging event spanning-tree status
load-interval 30
mls qos trust dscp
spanning-tree portfast edge
interface GigabitEthernet5/1
description Trunk To MAIN-CORE2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
mls qos trust cos
channel-group 10 mode on
interface GigabitEthernet5/2
description Trunk To MAIN-CORE2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
mls qos trust cos
channel-group 10 mode on
ip default-gateway X.X.X.X
ip classless
ip forward-protocol nd
ip forward-protocol udp discard
ip route X.X.X.X Y.Y.Y.Y
ip http server
ip http access-class 39
ip http authentication local
no ip http secure-server
ip flow-export source Vlan20
ip flow-export version 9
ip flow-export destination X.X.X.X 2000
ip radius source-interface Vlan20
logging trap debugging
logging source-interface Vlan20
logging X.X.X.X
tftp-server sup-bootdisk:s72033-ipservicesk9-vz.122-33.SXH1.bin
snmp-server community X
snmp-server ifindex persist
snmp ifmib ifindex persist
radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 Y
radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 Y
control-plane
dial-peer cor custom
line con 0
exec-timeout 20 0
privilege level 15
password 7 Y
logging synchronous
login authentication CONSOLE
stopbits 1
line vty 0 4
session-timeout 300
access-class vty_mgmt in
transport input telnet
line vty 5 15
session-timeout 60
access-class vty_mgmt in
transport input telnet
exception core-file
mac-address-table notification mac-move
ntp clock-period 17179825
ntp source Vlan20
ntp master 1
end
-
Looking for some guidance with a problem. I have 3 Nexus 2248T switches dual homed to 2 Nexus 5672 in the core. (See Attachment)
Problem: on one of the FEX I have an Exchange NLB cluster. Several of our systems that require POP3 mail to communicate messaging have experienced connectivity issues (unable to send mail) and require the connection to be hard coded to one of the IP addresses in a cluster server instead of the NLB address.
Configuration: I have not set up Spanning-tree on the trunk ports from the 5672s and am showing that BPDU guard is disabled for the edge ports.
Nexus5672-1# sh spanning-tree summary totals
Switch is in rapid-pvst mode
Root bridge for: none
Port Type Default is disable
Edge Port [PortFast] BPDU Guard Default is disabled
Edge Port [PortFast] BPDU Filter Default is disabled
Bridge Assurance is enabled
Loopguard Default is disabled
Pathcost method used is short
STP-Lite is enabled
Question: I am thinking I missed the "boat" on the configuration and need to include spanning-tree at the port level to correct the problem. Any advice please?

You don't need spanning tree config at the FEX level. You just need spanning tree on the 5762 devices to determine what device is the root and what device is the backup root.
HTH
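An added example, not part of the original thread and not Cisco tooling: a small Python parser for the `sh spanning-tree summary totals` output quoted above that turns the global STP defaults into review findings. The finding names are invented for this sketch, and the rule that Bridge Assurance only operates on ports of type network is NX-OS background that the thread itself does not state.

```python
import re

# Constructed sample: the summary lines quoted in the post above.
SAMPLE = """\
Switch is in rapid-pvst mode
Root bridge for: none
Port Type Default is disable
Edge Port [PortFast] BPDU Guard Default is disabled
Edge Port [PortFast] BPDU Filter Default is disabled
Bridge Assurance is enabled
Loopguard Default is disabled
Pathcost method used is short
STP-Lite is enabled
"""

# "<setting> is <value>", "<setting> is in <value>" or "<setting> for: <value>"
LINE = re.compile(r"^(?P<key>.+?)\s+(?:is in|is|for:)\s+(?P<val>.+?)\s*$")

def parse_summary(text):
    """Return {lowercased setting name: lowercased value} for each summary line."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            settings[m.group("key").lower()] = m.group("val").lower()
    return settings

def is_on(value):
    # "enabled" counts as on; "disable", "disabled" and a missing line count as off.
    return (value or "").startswith("enable")

def review(settings):
    """Map global defaults to hypothetical finding names a reviewer would raise."""
    findings = []
    if not is_on(settings.get("bridge assurance")):
        findings.append("bridge-assurance-off")
    elif settings.get("port type default") != "network":
        # Assumption (NX-OS background): BA runs only on 'port type network' ports.
        findings.append("bridge-assurance-needs-network-ports")
    if not is_on(settings.get("loopguard default")):
        findings.append("loopguard-default-off")
    if not is_on(settings.get("edge port [portfast] bpdu guard default")):
        findings.append("bpduguard-default-off")
    if is_on(settings.get("edge port [portfast] bpdu filter default")):
        findings.append("bpdufilter-default-on")
    return findings

if __name__ == "__main__":
    print(review(parse_summary(SAMPLE)))
```

For the output in the post, the first finding means the global "Bridge Assurance is enabled" line does not by itself protect any trunk: each inter-switch link still has to be set to port type network on both ends.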