Bridge assurance vs Loop Guard

Hi all!
I can't understand the practical advantages of Bridge Assurance compared with Loop Guard.
What exactly can BA do that Loop Guard can't?
Thank you!!

Hi,
I hope you might have already read the links below, which give a detailed explanation of what these two STP features do:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/stp_enha.html#wp1052528
http://www.netcraftsmen.net/blogs/entry/what-is-bridge-assurance.html
There are a few scenarios where LoopGuard would not be effective at detecting loops and/or unidirectional links.
- Can only be enabled on root & alternate ports. It CANNOT run on 'designated ports'.
- Ineffective at detecting a port that has been unidirectional since link-up.
Bridge Assurance (BA) is effective at mitigating those remaining scenarios that LoopGuard could not.
BA works because it turns STP into operating more like a routing protocol where BPDUs now go both ways on a given link verifying device health/awareness / lack of braindeadness.
i.e. it turns STP from traditional "fail open" behavior to "fail closed".
compare figure 1 to figure 3 in
<http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/layer2/configuration/guide/Cisco_Nexus_7000_Series_NX-OS_Layer_2_Switching_Configuration_Guide_Release_4.2_chapter7.html#con_1285149>
and it should be clear.
HTH
Regards
Inayath
***** Please rate this post if the info is useful.

Similar Messages

  • 3750x2 Disable loop guard and the effect on connectivity

    Hello,
    I have two buildings about 500 yards apart.  They are connected via a Lightpointe FSO (Free Space Optics) Laser and Airbridge (802.11n RF) point to point bridge.  The transport up to the head is done via a multimode fiber optic cable.
    When the signal level is good, FSO can achieve the full 1gbps link between buildings.  When the signal level falls below a definable threshold (in my case 250 mV), the Airbridge 802.11n RF point to point takes over.  This runs in the 5 GHz band on a 40 MHz channel, theoretic speed of 144 to 300mbps.
    The issue I have is when this failover occurs, the switch port will go into Loopguard_block and the remote building is dead in the water.  I happened to be over there today when this occurred and my quick fix was to unplug the fiber and plug it back in.  I since changed the thresholds and widened the window for the Laser to RF failover.  If the signal is below 250 mV, it fails over to RF.  It does not attempt to return to Laser until the signal hits 350 mV.  This "deadband" of 100 mV is to prevent flapping.  Previously it was a low of 250 and a high of 300.  So hopefully this helps.
    However if I were to want to disable Loop Guard, can I do it and what kind of ill effects would that have - if any?  Would I do this at both endpoints, or just the remote location?  The other end is our HQ and it goes right into the core switch stack (a group of 3750 switches).
    sh log on remote switch
    001056: Apr 30 18:04:12.261: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
    001057: Apr 30 18:04:12.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
    001058: Apr 30 18:07:50.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    001059: Apr 30 18:07:52.853: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    001060: Apr 30 18:07:52.920: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
    001061: Apr 30 18:43:32.900: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
    001062: Apr 30 18:43:32.908: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
    001063: Apr 30 18:43:32.925: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
    001064: Apr 30 18:43:33.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
    001065: Apr 30 20:06:40.829: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
    001066: Apr 30 20:06:40.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
    001067: Apr 30 20:06:40.863: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
    001068: Apr 30 20:06:40.913: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to up
    Physical connectivity:
    Cat6 cable solely for powering (not connected to switch - connected to Lightpointe 48vdc power injector)
    multimode fiber cable connected to Lightpointe FSO head.
    FSO head has a cat 5e data port that passes power and data to a Ubiquiti AirOS 5 powered nanostation (they brand this Airbridge).
    Something internally in the FSO linkhead shifts the data flow to the Ubiquiti nanostation (and back) automatically.  Regardless of this activity, all data traverses that multimode fiber.  We do not handle any type of routing as the Lightpointe unit does it itself.  It is supposed to look like an ethernet handoff.
    We use VLAN44 (192.168.4.1) as a transport network and the switches are in layer 3 mode.

    Ok this is from the vendor:
    On a Cisco 3750x2 L3 switch, would there be any special port config statements to mitigate this? Should not be needed, but you can turn off Spanning Tree since the redundancy is being handled by the laser / RF combination on the roof.  
    So if I put spanning-tree portfast on the uplink port at the HQ and at the Remote side, that would effectively turn off spanning tree and prevent the port from going into loopguard?  Am I correct?  If the hardware on the roof handles 100% of the laser or RF mode of operation, then I don't need the Cisco switch to intervene.  Thoughts?
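The log in the thread above shows two different ways a loop-guard block ends: an automatic `LOOPGUARD_UNBLOCK` a few milliseconds later, and one block that only cleared when the link was bounced by hand. The following is an added example, not code from any of the posters: it pairs each block with whatever ended it and flags the episodes that did not recover on their own. The sample lines are copied from the post; the `year` argument and the 5-second threshold are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# IOS timestamp ("Apr 30 18:04:12.261", optionally followed by a timezone such as "cet")
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})(?: \w+)?: "
LOOPGUARD_RE = re.compile(
    TS + r"%SPANTREE-2-LOOPGUARD_(?P<kind>BLOCK|UNBLOCK): "
    r"Loop guard (?:un)?blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)\."
)
LINKDOWN_RE = re.compile(
    TS + r"%LINEPROTO-5-UPDOWN: Line protocol on Interface "
    r"(?P<port>[^,\s]+), changed state to down"
)

# Lines copied from the log posted in the thread above.
SAMPLE_LOG = """\
001056: Apr 30 18:04:12.261: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001057: Apr 30 18:04:12.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan44, changed state to down
001058: Apr 30 18:07:50.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
001059: Apr 30 18:07:52.853: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
001061: Apr 30 18:43:32.900: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001063: Apr 30 18:43:32.925: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
001065: Apr 30 20:06:40.829: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0044.
001067: Apr 30 20:06:40.863: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0044.
""".splitlines()


@dataclass
class Episode:
    port: str
    vlan: str
    start: datetime
    end: Optional[datetime] = None
    cleared_by: str = "still blocked"   # or "unblock" / "link down"

    @property
    def seconds(self) -> Optional[float]:
        if self.end is None:
            return None
        return round((self.end - self.start).total_seconds(), 3)


def _when(ts: str, year: int) -> datetime:
    # IOS timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S.%f")


def loopguard_episodes(lines, year=2024):
    """Pair every LOOPGUARD_BLOCK with the event that ended it."""
    pending = {}      # (port, vlan) -> Episode that is still blocked
    episodes = []
    for line in lines:
        m = LOOPGUARD_RE.search(line)
        if m:
            key = (m["port"], m["vlan"])
            when = _when(m["ts"], year)
            if m["kind"] == "BLOCK":
                if key not in pending:          # ignore repeated BLOCK lines
                    pending[key] = Episode(m["port"], m["vlan"], when)
                    episodes.append(pending[key])
            elif key in pending:
                ep = pending.pop(key)
                ep.end, ep.cleared_by = when, "unblock"
            continue
        m = LINKDOWN_RE.search(line)
        if m:
            # A physical link bounce restarts STP on the port, so it ends the
            # block on every VLAN of that port (the manual fix in the post).
            when = _when(m["ts"], year)
            for key in [k for k in pending if k[0] == m["port"]]:
                ep = pending.pop(key)
                ep.end, ep.cleared_by = when, "link down"
    return episodes


def needs_attention(episodes, max_seconds=5.0):
    """Episodes that never self-recovered, or stayed blocked too long."""
    return [e for e in episodes
            if e.cleared_by != "unblock" or e.seconds > max_seconds]


if __name__ == "__main__":
    for ep in loopguard_episodes(SAMPLE_LOG):
        print(ep.port, ep.vlan, ep.cleared_by, ep.seconds)
```
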

  • Loop guard

    I am planning to enable the loop guard option. I just want to know whether there will be any STP topology change (topology recalculation).

    I suppose everybody thinks they know what they are doing when they are doing it.
    Configuring portfast on a live switch can be very dangerous.
    Scenario:
    Two access switches are uplinked to a pair of core switches without portfast enabled on the access ports. A user has connected a hub in a conference room and mistakenly connected 2 ports on the hub to the network, one to each access switch. An engineer configures portfast on the access switches and a bridge loop is created. So much traffic floods through the loop that HSRP and routing protocols start breaking, STP is unable to break the loop. The whole network comes to a standstill.
    This isn't something made up. This has actually happened. I was called to the scene to help clean up the mess.

  • Disable Bridge Assurance breaks the vPC on NEXUS 5500?

    I'm trying to figure out a way to disable Bridge Assurance "spanning-tree port type normal" without breaking the vPC connection between two datacentres.
    Considering the diagram attached, I'm hoping to configure vPC 10 without any disruption.
    I was thinking on the following procedure:
    "shutdown" switchports for vPC 10 (on the left link)
    configure switches on the left of both domains with "spanning-tree port type normal"
    "no shutdown" switchports for vPC 10 (at this point one link will have BA enabled and the other will have BA disabled...is this a problem??)
    repeat process on the other 2 switches
    I really need to be sure of a non-disruptive way to do this because, if vPC 10 breaks, both firewalls will be active at the same time and that's not going to be pretty :)

    First Reload
    CORE-B# 2009 Mar  5 12:53:37 CORE-B %$ VDC-1 %$ %VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary
    2009 Mar  5 12:53:43 CORE-B %$ VDC-1 %$ %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 10, VPC peer keep-alive receive has failed
    Second Reload
    CORE-B# 2009 Mar  5 13:02:59 CORE-B %$ VDC-1 %$ %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 10, VPC peer keep-alive receive has failed
    I’m consoled in to CORE-B, ssh’d to CORE-A and reloading CORE-A (The primary). No changes at all between the two reloads.
    During the first one, it seems to lose the VPC peer link before it loses the keepalives, so it suspends all the VPC’s on B and I lose everything for a while.
    During the second one, it loses the peer keepalive first and all is good.

  • Why would you NOT enable Loop Guard on switch ports?

    Hello
    Why would you NOT enable Loop Guard on switch ports?
    It is disabled by default on all ports.
    Since it prevents loops, in the absence of receiving BPDUs on non-designated ports, why would it not be enabled by default?

    Ziffy wrote:
    The Galaxy S4 supports Google Wallet, but yet you block it from being used. Why exactly? This is not right. I suggest you enable it before you start losing customers. Is there anybody out there that would like to start a petition? Perhaps look into whether or not this is actually legal? Seems like unfair practices to me. Thoughts?
    Good luck with that.  FCC already did and have left it alone...  My theory is because... Google charges carriers to use allow devices to use it.  At one point Sprint paid to go exclusive for wallet.  FCC can't force you to buy your competitors product.

  • Spantree Loop Guard (question)

    Hi All,
    I would like to ask about one feature:-
    (Spantree loopguard default), what does this feature provide?? And when should I use it??

    Hello,
    I've never seen it configured in the networks I've worked on, but loopguard is an STP feature that will monitor ports that were once receiving BPDU packets. If these ports stop receiving them, this could create a loop, so if you have loopguard enabled on this port the STP will block the port from going to FWD state.
    Check:
    "The loop guard is intended to provide additional protection against L2 forwarding loops (STP loops). An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) stopped receiving STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs, depending on the port role (designated port transmits, non-designated port receives BPDUs).
    When one of the ports in a physically redundant topology stops receiving BPDUs, the STP conceives the topology as loop free. Eventually, the blocking port from the alternate or backup port becomes designated, and moves to forwarding state, thus creating a loop.
    With the loop guard, an additional check is made. If BPDUs are not received any more on a non-designated port and the loop guard is enabled, that port will be moved into the STP loop-inconsistent blocking state instead of moving to the listening / learning / forwarding state. Without the loop guard, the port would assume the designated port role. The port would move to STP forwarding state, and thus create a loop.
    So, on which ports should the loop guard be enabled? The most obvious answer is on the blocking ports. However, this is not totally correct. The loop guard needs to be enabled on the non-designated ports (more precisely, on root and alternate ports) for all possible combinations of active topologies."
    HTH,
    if it does, I'd appreciate if you rated this post.
    Vlad

  • Loop guard & udld aggressive - etherchannel

    Hi,
    Can anybody pls share whether I need to enable loop guard & udld aggressive config on Ether-Channel
    what is the Cisco recommendation / Pls share the document for the same
    Also pls share in case the same is required on Physical interface or on Port-channel interface,
    As per my understanding it is required on Physical interface
    Br/Subhojit

    what is the Cisco recommendation / Pls share the document for the same
    Link: STP Enhancements using Loop Guard and BPDU Skew Detection Features # Loop Guard versus UDLD
    "(...) UDLD might be more flexible in the case of unidirectional links on EtherChannel. In this case, UDLD disables only failed links, and the channel should remain functional with the links that remain. In such a failure, the loop guard puts it into loop-inconsistent state in order to block the whole channel."
    HTH
    Rolf

  • STP and Loop Guard

    Hi everyone, I've a question for you guys:
    Please check this topology: http://www.cisco.com/warp/public/473/84d.gif
    I've read that you must enable loop guard on every nondesignated port (root and alternate ports) to prevent unidirectional related loops. I understand the situation where switch C unblocks the AP port and causes a loop. But what if the link is not unidirectional, what if switch B has some problem and indeed switch C should forward traffic to the segment C-B? Is there a difference between the link going down (disconnected) and just no longer seeing BPDUs?
    Also, why would anyone configure loop guard on a root port? If for example, SWC stops seeing BPDUs from SWA, what would loop guard do? Put the port in a block state, or would it recalculate its Root port (port to SWB) and put the port to SWA into a designated state (after not receiving BPDUs from SWA)? I'm very confused, any help would be greatly appreciated.
    Omar Montes

    The assumption made by STP is that if a link is not able to transmit BPDU, it is down. So if there is bidirectional link failure, the case is natively handled by STP. If there is only unidirectional link failure, you could end up with a unidirectional loop (which is about as bad as a bidirectional loop;-))
    Loopguard is relevant on each port that is supposed to continuously receive BPDUs. If your root port stops receiving BPDUs, STP will move it to designated and elect a new root port. This is ok if your old root port cannot receive and transmit traffic. However, if the link is unidirectional and the port does not get blocked by loopguard, you will have a loop through the old and the new root port (in one direction only, the old root port TX direction).
    Configuring loopguard on a designated port will not cause any problem anyway, so in fact you can configure loopguard blindly on all the ports.
    The IEEE introduced a feature (the dispute mechanism) that works much better than loopguard in order to protect against unidirectional link failure. However, this mechanism requires an RSTP BPDU format. It is currently only implemented in MST on Cisco switches (it will be soon available in rapid-pvst). No need to use loopguard with the latest MST code at least.
    Regards,
    Francois

  • Bridge Email - endless loop

    Playbook 64gb
    Software   2.0.1.358
    Free storage 59.4gb
    Torch 9800
    Yes Optus - Australia
    Software 6.0 bundle 3049   v6.0.0.706  platform 6.6.0.246
    Free memory 268562422 Bytes   
    Application Memory Free space 256.1mb   
    Device memory free space3.6gb
    Blackberry Bridge – Email goes into a loop
    The indicator on the top left will show I have 4 emails.   I then open BB Bridge and open Messages – I see the shape of two rectangles filling the screen, then a full white screen, then black   then back to rectangles, white, black …again and again ..   All the while the green circle (hourglass) goes around.    It is  as if it has hit a programming loop.   I can exit it, and go to other Bridge options such as Contacts, calendar and they all work perfect.
    I have tried restarts, I have tried breaking the link and reconnecting. I have tried removing and reinstalling Bridge on my Torch.
    It was working …. And I can’t think of any install or changes made since it worked.
    Any suggestions?     I have run out of options.
    Thanks !
    Gary

    Lost_at_Sea wrote:
    Have you tried the three button reset. It is similar to Control - Alt - Delete on the computer. Hold down the Power Button and both volume buttons at the same time for 15 seconds and then wait 1 minute. Then hold down the power button only until the red light flashes then release it. The PB will restart in about 4 minutes. Report back.
    The procedure that you are suggesting does not work with this specific problem, I have personally tried it, I even re-installed the OS on my Bold 9900, I have a new OS 7.1 on it, and the I was forced when I attempted to make a backup to reset the Playbook to factory setting, and I still have the same problem as mentioned by the OP
    Using the Playbook and the Z10 and the Z30 and loving them
    Martin

  • Spanning tree guard root

    Hi,
    We have 45xx switch & we enabled spanning tree root guard on ports connected with access switch via fiber uplink
    & we enable spanning tree loop guard on access switch side
    One of my core switch port connected to Juniper Netscreen Firewall
    Whether I need to enable spanning tree guard root on the same port on core switch side ? or not
    In case of yes, any config changes required on Juniper Netscreen box
    Br/Subhojit

    Hi, Pls find the output
    Port 130 (GigabitEthernet3/2) of VLAN0054 is designated forwarding
       Port path cost 4, Port priority 128, Port Identifier 128.130.
       Designated root has priority 8246, address 001b.d474.8a40
       Designated bridge has priority 16438, address 001b.0cee.0440
       Designated port id is 128.130, designated path cost 3
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
      Bpdu filter is enabled
       Root guard is enabled on the port
       BPDU: sent 5847158, received 0
    Present the bold config enabled on the port
    Br/Subhojit

  • Stp loop, Not able to trace source

    Hello,
    I am new to cisco switches and learning about cisco switches now. we have a LAN with 6509 as core router and 2950s/3550s as access switches.
    When I ran wireshark on my machine, I saw an stp loop repeating from a cisco device. I have noted down the MAC-address and tried in vain to find the same in our LAN. I am seeing packets like Address: "Spanning-tree-(for-bridges)_00" and "loop reply". I am not able to see any of the MAC addresses found in this loop conversation, on my LAN. I read that these loops are not good for the network. Where can I start to resolve this problem?
    Thanks in advance for your advice.

    There is likely no problem at all. ;-)
    If you were really experiencing a loop, you would have other problems.
    Best for you will be to start making a study of spanning tree (STP) and its inner workings. Here is a good starting point:
    http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_protocol_home.html
    Armed with this knowledge you can try to analyze the traffic that was observed by wireshark.
    regards,
    Leo

  • Bridge continually locking, can't access emails

    password unlock keeps coming up. opens email, then the locked screen appears.
    have rebooted playbook, re paired devices.
    any suggestions, frustrating
    thank you in advance

    I've Cracked It!
    I have had my PB for 2 days and whilst this worked fine to start with, I then found the "Bridge is Locked" loop.  After reading several forums all saying that I had to do a security wipe on either the PB or the BB and not wanting to do either, I decided to do a little investigating on my own and voila! I did it.
    First delete the PB from Bridge on the BB.
    Second remove ALL bluetooth paired devices from the PB
    Third go through the Bridge setup process using the QR code.
    All fixed.
    I hope this helps others too.
    BTW: I have a Bold 9900 and a PB 64GB with OS 2.0.1.

  • Switching Best Practice - Spanning Tree and Etherchannel

    Dear All,
    Regarding best practice related to Spanning Tree and Etherchannel, we have decided to configure following.
    1. Manually configure STP Root Bridge.
    2. On end ports, enable portfast and bpduguard.
    3. On ports connecting to other switches enable root guard.
    In etherchannel config, we have kept mode on on both side, need to change to Active and desirable as I have read that mode on may create loops? Please let me know if this is OK and suggest if something missing.
    Thank You,
    Abhisar.

    Hi Abhisar,
    Regarding your individual decisions: Manually configuring the Root Bridge is a natural thing to do. You should never let your network just pick a root switch based on default switch settings.
    On end ports, using PortFast and BPDU Guard is a must especially if you are running Rapid PVST+ or MSTP.
    Regarding the Root Guard on ports to other switches - this is something I do not recommend. The Root Guard is a protective mechanism in situations when your network and the network of your customer need to form a single STP domain, yet you want to have the STP Root Bridge in your network part and you do not want your customer to take over this root switch selection. In these cases, you would put the Root Guard on ports toward the customer. However, inside your own network, using Root Guard is a questionable practice. Your network can be considered trustworthy and there is no rogue root switch to protect against. Using Root Guard in your own network could cause your network to be unable to converge on a new workable spanning tree if any of the primary links failed, and it would also prevent your network from converging to a secondary root switch if the primary root switch failed entirely. Therefore, I personally see no reason to use Root Guard inside your own network - on the contrary, I am concerned that it would basically remove the possibility of your network to actually utilize the redundant links and switches.
    Regarding EtherChannels - yes, you are right, using the on mode can, under circumstances, lead to permanent switching loops. EtherChannel is one of few technologies in which I wholeheartedly recommend relying on a signalling protocol to set it up, as opposed to configuring it manually. The active mode is my preferred mode, as it utilizes the open LACP to signal the creation of an EtherChannel, and setting both ends of a link to active helps to bring up the EtherChannel somewhat faster.
    If you are using fiber links between switches, I recommend running UDLD on them to be protected against issues caused by uni-directional links. UDLD is not helpful on copper ports and is not recommended to be run on them. However, I strongly recommend running Loop Guard configured globally with the spanning-tree loopguard default. Loop Guard can, and should, be run regardless of UDLD, and they can be used both as they nicely complement each other.
    My $0.02...
    Best regards,
    Peter

  • Rapid pvst issues

    Hi,
    I'm working for a company that has 2x 6500 chassis switches in the main building as Core switches (CORE1 and CORE2). There are 3 other buildings that house employees (Building 2 and Building 3) and a DR site. The "Core" switches at these other buildings are 3750 switches (stacks of 2). The buildings are connected with 1Gb fibre (MM) leased lines in a square:
    Since a few days we are seeing a lot of spanning tree recalculations on the Core switches of Building 2 and 3 which causes a lot of network issues for the people in those buildings. More precisely the Gi1/0/1 interface on both core switches of those buildings (see red crosses in picture) are constantly displaying these messages:
    Feb  3 10:25:31 Building2-CORE 801113: 690303: Feb  3 10:24:20.544 cet: RSTP(750): Gi1/0/1 rcvd info expired
    Feb  3 10:25:31 Building2-CORE 801114: 690304: Feb  3 10:24:20.544 cet: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/0/1 on VLAN0750.
    Feb  3 10:25:32 Building2-CORE 801115: 690305: Feb  3 10:24:20.544 cet: RSTP(750): updt roles, information on root port Gi1/0/1 expired
    Feb  3 10:25:32 Building2-CORE 801116: 690306: Feb  3 10:24:20.544 cet: RSTP(750): we become the root bridge
    Feb  3 10:25:32 Building2-CORE 801117: 690307: Feb  3 10:24:20.552 cet: RSTP(750): updt roles, received superior bpdu on St1
    Feb  3 10:25:32 Building2-CORE 801118: 690308: Feb  3 10:24:20.552 cet: RSTP(750): St1 is now root port
    Feb  3 10:25:32 Building2-CORE 801119: 690309: Feb  3 10:24:20.552 cet: RSTP(750): synced St1
    Feb  3 10:25:32 Building2-CORE 801120: 690310: Feb  3 10:24:20.561 cet: RSTP(750): transmitting an agreement on St1 as a response to a proposal
    Feb  3 10:26:21 Building2-CORE 801193: 690383: Feb  3 10:25:10.910 cet: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/0/1 on VLAN0750.
    Feb  3 10:26:21 Building2-CORE 801194: 690384: Feb  3 10:25:10.910 cet: RSTP(750): initializing port Gi1/0/1
    Feb  3 10:26:21 Building2-CORE 801195: 690385: Feb  3 10:25:10.910 cet: RSTP(750): Gi1/0/1 is now designated
    Feb  3 10:26:21 Building2-CORE 801196: 690386: Feb  3 10:25:10.910 cet: RSTP(750): updt roles, received superior bpdu on Gi1/0/1
    Feb  3 10:26:21 Building2-CORE 801197: 690387: Feb  3 10:25:10.910 cet: RSTP(750): Gi1/0/1 is now root port
    Feb  3 10:26:21 Building2-CORE 801198: 690388: Feb  3 10:25:10.910 cet: RSTP(750): St1 blocked by re-root
    Feb  3 10:26:21 Building2-CORE 801199: 690389: Feb  3 10:25:10.910 cet: RSTP(750): St1 is now designated
    Feb  3 10:26:21 Building2-CORE 801209: 690399: Feb  3 10:25:10.919 cet: RSTP(750): transmitting a proposal on St1
    Feb  3 10:26:21 Building2-CORE 801211: 690401: Feb  3 10:25:10.927 cet: RSTP(750): synced Gi1/0/1
    Feb  3 10:26:22 Building2-CORE 801212: 690402: Feb  3 10:25:10.927 cet: RSTP(750): received an agreement on St1
    And less than a minute later the same again. This is happening with all VLANs. There's about 125 VLANs and all go over the square.
    From what I understand this means BPDU packets are not received in time (2 seconds) and spanning tree starts recalculation. We already asked the provider of the leased lines to test them but they claim nothing is wrong with them. It's also a bit weird that we are seeing this on 2 different places (physically different locations and lines).
    CPU usage looks normal (around 14%) on all switches in this square. Since it's happening on 2 locations I don't think a faulty cable or SFP is causing this.
    Any ideas from you guys?
    Regards

    Hi,
    All links between the buildings are configured as trunks indeed with no VLAN restrictions (all VLANs allowed).
    Here is the extract of the command on all 5 switches/stacks:
    MAIN-CORE1#sh spanning-tree vlan 750
    VLAN0750
      Spanning tree enabled protocol rstp
      Root ID    Priority    8192
                 Address     001c.0edc.eaee
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    8192
                 Address     001c.0edc.eaee
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    Interface           Role Sts Cost      Prio.Nbr Type
    Gi1/3               Desg FWD 4         128.3    P2p
    Gi1/4               Desg FWD 4         128.4    P2p
    Gi1/5               Desg FWD 4         128.5    P2p
    Gi1/6               Desg FWD 4         128.6    P2p
    Gi1/7               Desg FWD 4         128.7    P2p
    Gi2/22              Desg FWD 4         128.150  P2p
    Gi2/23              Desg FWD 4         128.151  P2p
    Po10                Desg FWD 3         128.1666 P2p
    Interface           Role Sts Cost      Prio.Nbr Type
    Po11                Desg FWD 3         128.1667 P2p
    MAIN-CORE2#sh spanning-tree vlan 750
    VLAN0750
      Spanning tree enabled protocol rstp
      Root ID    Priority    8192
                 Address     001c.0edc.eaee
                 Cost        3
                 Port        1666 (Port-channel10)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    16384
                 Address     001c.0edc.daee
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    Interface           Role Sts Cost      Prio.Nbr Type
    Gi1/3               Desg FWD 4         128.3    P2p
    Gi1/4               Desg FWD 4         128.4    P2p
    Gi1/5               Desg FWD 4         128.5    P2p
    Gi1/6               Desg FWD 4         128.6    P2p
    Gi1/9               Desg FWD 4         128.9    P2p
    Po10                Root FWD 3         128.1666 P2p
    Po21                Desg FWD 4         128.1667 P2p
    Building2-CORE1#show spanning-tree vlan 750
    VLAN0750
      Spanning tree enabled protocol rstp
      Root ID    Priority    8192
                 Address     001c.0edc.eaee
                 Cost        7
                 Port        1 (GigabitEthernet1/0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    33518  (priority 32768 sys-id-ext 750)
                 Address     108c.cf03.1d00
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi1/0/1          Root FWD 4         128.1    P2p
    St1              Desg FWD 100       128.872  P2p
    Gi2/0/1          Desg FWD 4         128.55   P2p
    Building3-CORE1#show spanning-tree vlan 750
    VLAN0750
      Spanning tree enabled protocol rstp
      Root ID    Priority    8192
                 Address     001c.0edc.eaee
                 Cost        11
                 Port        55 (GigabitEthernet2/0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    33518  (priority 32768 sys-id-ext 750)
                 Address     8cb6.4fb9.7300
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi1/0/1          Root BKN*4         128.1    P2p *LOOP_Inc
    St1              Root FWD 100       128.872  P2p
    Gi2/0/1          Root FWD 4         128.55   P2p
    DR-01#show spanning-tree vlan 750
    VLAN0750
      Spanning tree enabled protocol rstp
      Root ID    Priority    8192
                 Address     001c.0edc.eaee
                 Cost        4
                 Port        54 (GigabitEthernet2/0/2)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    33518  (priority 32768 sys-id-ext 750)
                 Address     0013.c37a.e300
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi2/0/2          Root FWD 4         128.54   P2p
    Gi1/0/1          Desg FWD 4         128.1    P2p
    Fa1/0/13         Desg FWD 19        128.15   P2p
    Here is the config of MAIN-CORE1 (I removed most interfaces, VLAN interfaces and ACL's from it):
    MAIN-CORE1#sh run
    Building configuration...
    Current configuration : 44402 bytes
    upgrade fpd auto
    version 12.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    service counters max age 5
    hostname MAIN-CORE1
    boot-start-marker
    boot system flash sup-bootdisk:s72033-ipservicesk9-vz.122-33.SXI6.bin
    boot system flash sup-bootdisk:s72033-ipservicesk9-vz.122-18.SXF8.bin
    boot-end-marker
    security passwords min-length 1
    logging buffered 5000000
    no logging console
    no logging monitor
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login CONSOLE local
    aaa authentication dot1x default group radius
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa session-id common
    clock timezone cet 1
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    no ip domain-lookup
    ip tftp source-interface Vlan60
    ip ftp source-interface Vlan60
    ip flow ingress layer2-switched vlan 20
    ip sla 3
    icmp-echo 172.31.99.5 source-ip X.X.X.X
    timeout 2000
    frequency 5
    ip sla schedule 3 life forever start-time now
    ip sla 4
    icmp-echo X.X.X.X source-ip X.X.X.X
    frequency 5
    ip sla schedule 4 life forever start-time now
    udld aggressive
    udld message time 7
    mls qos map cos-dscp 0 10 18 24 34 46 48 56
    mls qos
    mls netflow interface
    no mls acl tcam share-global
    mls cef error action freeze
    errdisable recovery cause udld
    errdisable recovery cause security-violation
    errdisable recovery cause psecure-violation
    errdisable recovery interval 30
    diagnostic bootup level minimal
    spanning-tree mode rapid-pvst
    spanning-tree vlan 1,21,166,168,210,842-843 priority 16384
    spanning-tree vlan 2-3,7,10,17-18,28,41,44,60,70,78,96,110,112 priority 8192
    spanning-tree vlan 121-122,125,127,140,169-170,199,209,213-214 priority 8192
    spanning-tree vlan 220-221,253-254,299,318-322,343,350,411,415 priority 8192
    spanning-tree vlan 420-421,425,430,450-451,460,500-501,540,602 priority 8192
    spanning-tree vlan 650,702,710-716,740,750,895,900-902,910,920 priority 8192
    spanning-tree vlan 940 priority 8192
    spanning-tree vlan 20 priority 9
    spanning-tree vlan 40 priority 8191
    redundancy
    main-cpu
      auto-sync running-config
    mode sso
    vlan internal allocation policy ascending
    vlan access-log ratelimit 2000
    class-map match-any test
    class-map match-all DoubleTake_map
      match access-group name DoubleTake
    policy-map DoubleTake_Pol
      class DoubleTake_map
       set ip dscp af41
    interface Port-channel10
    description connection between cores
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    mls qos trust cos
    interface GigabitEthernet1/3
    description Trunk To access-sw1
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 17,20,100,112,140,209,300,740,750
    switchport mode trunk
    switchport nonegotiate
    mls qos trust cos
    interface GigabitEthernet1/4
    description Trunk To access-sw2
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 17,20,27,100,112,209,740,750
    switchport mode trunk
    switchport nonegotiate
    interface GigabitEthernet1/5
    description Trunk To access-sw3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 17,20,70,112,209,221,740,750,901,902
    switchport mode trunk
    switchport nonegotiate
    interface GigabitEthernet1/6
    description Trunk To access-sw4
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,17,20,28,60,70,100,112,140,209,220,300,343
    switchport trunk allowed vlan add 350,540,602,640,641,740,750,840-842,902
    switchport mode trunk
    switchport nonegotiate
    mls qos trust cos
    interface GigabitEthernet1/7
    description Trunk to DR
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    speed nonegotiate
    mls qos trust cos
    interface GigabitEthernet2/22
    description Link to FW1
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,40,165,211-214,220,318,420,451,501,650,651
    switchport trunk allowed vlan add 750
    switchport mode trunk
    logging event link-status
    logging event spanning-tree status
    load-interval 30
    interface GigabitEthernet2/23
    description link to FW1
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 78,121,122,124-127,221,319-322,411,415,425,430
    switchport trunk allowed vlan add 450,460,461,465,602,712,713,716,750
    switchport mode trunk
    logging event link-status
    logging event spanning-tree status
    load-interval 30
    mls qos trust dscp
    spanning-tree portfast edge
    interface GigabitEthernet5/1
    description Trunk To MAIN-CORE2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    mls qos trust cos
    channel-group 10 mode on
    interface GigabitEthernet5/2
    description Trunk To MAIN-CORE2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    mls qos trust cos
    channel-group 10 mode on
    ip default-gateway X.X.X.X
    ip classless
    ip forward-protocol nd
    ip forward-protocol udp discard
    ip route X.X.X.X Y.Y.Y.Y
    ip http server
    ip http access-class 39
    ip http authentication local
    no ip http secure-server
    ip flow-export source Vlan20
    ip flow-export version 9
    ip flow-export destination X.X.X.X 2000
    ip radius source-interface Vlan20
    logging trap debugging
    logging source-interface Vlan20
    logging X.X.X.X
    tftp-server sup-bootdisk:s72033-ipservicesk9-vz.122-33.SXH1.bin
    snmp-server community X
    snmp-server ifindex persist
    snmp ifmib ifindex persist
    radius-server host X.X.X.X. auth-port 1645 acct-port 1646 key 7 Y
    radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 Y
    control-plane
    dial-peer cor custom
    line con 0
    exec-timeout 20 0
    privilege level 15
    password 7 Y
    logging synchronous
    login authentication CONSOLE
    stopbits 1
    line vty 0 4
    session-timeout 300
    access-class vty_mgmt in
    transport input telnet
    line vty 5 15
    session-timeout 60
    access-class vty_mgmt in
    transport input telnet
    exception core-file
    mac-address-table notification mac-move
    ntp clock-period 17179825
    ntp source Vlan20
    ntp master 1
    end
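The `BKN*` / `*LOOP_Inc` row in the output above is the line worth alerting on. The following is an added example, not part of the original post: a parser that flags such rows in collected `show spanning-tree vlan` output. The function name and the VLAN0100 placeholder are assumptions; `*BA_Inc` is the marker Bridge Assurance prints for the same blocked state.

```python
import re

# Constructed sample in the layout of the `show spanning-tree vlan` output
# posted above. VLAN0100 is a placeholder VLAN ID, not a value from the post.
SAMPLE = """\
VLAN0100
  Spanning tree enabled protocol rstp
Interface        Role Sts Cost      Prio.Nbr Type
Gi1/0/1          Root BKN*4         128.1    P2p *LOOP_Inc
St1              Root FWD 100       128.872  P2p
DR-01#show spanning-tree vlan 750
VLAN0750
  Root ID    Priority    8192
Interface        Role Sts Cost      Prio.Nbr Type
Gi2/0/2          Root FWD 4         128.54   P2p
Gi1/0/1          Desg FWD 4         128.1    P2p
"""

VLAN_RE = re.compile(r"^\s*VLAN0*(\d+)\s*$")
# A broken port prints "BKN*" and the '*' eats the gap before the cost
# ("BKN*4"), so status and cost cannot be split on whitespace alone.
ROW_RE = re.compile(
    r"^\s*(?P<intf>\S+)\s+(?P<role>\S+)\s+(?P<sts>[A-Z]{3})(?P<star>\*?)\s*"
    r"(?P<cost>\d+)\s+(?P<prio>\d+\.\d+)\s+(?P<type>.*?)\s*$"
)
INC_RE = re.compile(r"\*(\w+_Inc)")
# Which guard put the port into the inconsistent state.
GUARD = {"LOOP_Inc": "Loop Guard", "BA_Inc": "Bridge Assurance"}


def find_inconsistent_ports(text):
    """Return one finding per port that STP is holding in a broken state."""
    findings, vlan = [], None
    for line in text.splitlines():
        header = VLAN_RE.match(line)
        if header:
            vlan = int(header.group(1))
            continue
        row = ROW_RE.match(line)
        if not row or not (row["sts"] == "BKN" or row["star"]):
            continue
        inc = INC_RE.search(row["type"])
        reason = inc.group(1) if inc else "unknown"
        findings.append({
            "vlan": vlan, "interface": row["intf"], "role": row["role"],
            "cost": int(row["cost"]), "reason": reason,
            "guard": GUARD.get(reason, "other"),
        })
    return findings


if __name__ == "__main__":
    for f in find_inconsistent_ports(SAMPLE):
        print(f)
```

Because the VLAN is tracked per table, the same interface can be reported as blocked in one VLAN and forwarding in another, which is what rapid-pvst produces.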

  • Dual-homed FEX

    Looking for some guidance with a problem. I have 3 Nexus 2248T switches dual homed to 2 Nexus 5672 in the core. (See Attachment)
    Problem: on one of the FEX I have an Exchange NLB cluster. Several of our systems that require POP3 mail to communicate messaging have experienced connectivity issues (unable to send mail) and require the connection to be hard-coded to one of the IP addresses in a cluster server instead of the NLB address.
    Configuration: I have not setup Spanning-tree on the trunk ports from the 5672s and am showing that BPDU guard is disabled for the edge ports.
    Nexus5672-1# sh spanning-tree summary totals 
    Switch is in rapid-pvst mode 
    Root bridge for: none
    Port Type Default                        is disable
    Edge Port [PortFast] BPDU Guard Default  is disabled
    Edge Port [PortFast] BPDU Filter Default is disabled
    Bridge Assurance                         is enabled
    Loopguard Default                        is disabled
    Pathcost method used                     is short
    STP-Lite                                 is enabled
    Question: I am thinking I missed the "boat" on the configuration and need to include spanning-tree at the port level to correct the problem. Any advice please?

    You don't need spanning tree config at the FEX level.  You just need spanning tree on the 5762 devices to determine what device is the root and what device is the backup root.
    HTH
