Dlsw spanning-tree

Similar Messages

• Spanning Tree and Admin mac address issues srw2048

  Ok, I have a somewhat complex problem and hopefully someone may shed some light or have an idea as to whats wrong.
  First the scenario:
  I have two Cisco Cat 6509's etherchanneled to each other via two fiber cables.  One of these is the STP/RSTP root.  I have two SRW2048's.. one trunked to each of these 6509 switches.  There is also a trunk between the SRW2048's.  All this is to create a redundant topology so that if one of the switches fail's the others can still forward packets to each other.  Of course the scenario described is in fact a loop that should be handled by STP/RSTP.  I have RSTP enabled on all the switches in the scenario (PV RSTP on the cisco switches as they only do Cisco's brand of per vlan spanning tree).  There are 3 vlan's configured on each of the srw2048's (2,55,96).  There are corresponding vlan's also on the 6509's.  I have put the srw2048's management interface into vlan 2.
  The problem:
  I need to forward packets between the srw2048's primarily and only use the 6509 that is not the root when a failure happens.  I have configured the non-root 6509's spanning tree cost on the etherchannel to be higher then the alternate path through the srw's to the root.  I can hook everything up and view the spanning tree and see that the srw2048's interface that goes to the non-root 6509 is blocked, and all other interfaces on the other switches are forwarding.  I can in fact ping and get to the admin interface on all the switches.  Then for some strange reason the admin interface of the srw2048 plugged into the non-root 6509 stops responding.  If I disable either the interface its plugged into on the 6509 or the other srw2048 everything starts working again.  Sometimes it responds after many failures for no apparent reason.  I looked into the mac-address table on the 6509's and they are conflicting, pointing to each other for the mac-address of the broken srw2048.  When I clear the mac-table the admin port comes back for about 5 seconds then again goes dark.  When reviewing mac-table on the 6509's they are back to pointing to each other.  The odd thing (although I haven't confirmed this completely) is that hosts placed into vlan 2 on that same srw2048 seem to work fine.  If there was an STP loop or something misconfigured, I would expect it to effect any host in vlan 2 or the other vlan's for that matter on the srw2048 that stops responding.  Alas, I am stuck because I need to manage this switch remotely.  My only thought is that for some reason even when the STP status is blocked the broken srw2048 is still sending out arp's of its admin interface and bypassing the STP protocol.  I have no way to confirm this, but maybe someone has an idea as to what I'm doing wrong, or otherwise offer a solution.  For now, I simply removed vlan 2 from the 6509 that the broken srw2048 is plugged into and everything seems fine.
  My apologies for such a long post, but this is somewhat complicated.  Thanks in advance for any info.
  -Geoff
  Message Edited by gmyers on 08-19-2008 10:35 PM

  To follow up, I had a ticket open with Linksys about this for about 3 months with no resolution.  I submitted packet captures, stp outputs, etc and no luck.  I gave up and basically had to revert to a manual failover for redundancy.  It's no perfect or fast, but it works every time.
  Unless linksys issues a firmware upgrade with this as a fix, I doubt we will be able to ever resolve this on our own.

• Prime Infrastructure 2.2 - Network Topology View - Spanning Tree View

  Hello Team,
  Is it possible on PI 2.2 (latest version) under Maps/Network Topology View to be able to "monitor" the spanning-tree performance?
  thanks in advance,
  George

  Sorry but that's not a currently offered feature.
  It would be nice - the Netsys product that Cisco acquired 18-1/2 years ago (and subsequently abandoned) used to do this quite nicely.

• Can I disable spanning-tree in a vpc domain ?

  i have two N7718s in a vpc domain and each have a vpc connection to  300+ TORs(non cisco switch).
  each 7718 have 300+ trunk port and a trunk port carring 80 vlans . so the logical port number is 300*80 = 24000
  the problem is n7k r-pvst logical ports limit is 16000,it causes the vpc primary 7718 ping latancy time exceed 1000ms
  2 ways to solve this problem : use mst instead of rpvst or disable spanning-tree
  if i use mst , the logical ports limit is 90000, the problem will appear one day
  so i want to disable spanning-tree . 7718s' vpc link to TOR use lacp ,it will prevent some  layer2 loops. can i do it?

  I have the same problem. :)

• ISE - 802.1X - Loop not detected by spanning-tree

  Hello,
  I have recently implemented the 802.1X on switchs 3750-X running 15.0(2)SE IOS version.
  The spanning-tree bpdufilter and bpduguard are globally enabled on the switchs.
  A user has created a loop on the network by connecting its Cisco IP-Phone twice on the network : one wire connected normally from switch to the RJ-45 phone connector and the second wire that should be connected to the PC had also been connected to the switch !
  The loop created has not been detected by the switch !
  I have made several tests and re-created the problem 3 times on 4 (only one time, the loop has been detected by bpduguard  20 seconds after the port up).
  Notice that without 802.1X configured on the same switch port, the loop is quickly detected and ports are err-disabled shutdown.
  Switch port with 802.1X is following :
  interface GigabitEthernet1/0/9
  switchport access vlan 950
  switchport mode access
  switchport nonegotiate
  switchport voice vlan 955
  no logging event link-status
  authentication control-direction in
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 950
  authentication event server dead action authorize voice
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  spanning-tree portfast
  If I change the host-mode to multi-domain, a MAC violation restriction occurs and shutdown the port. But this is not the config I need.
  Is there any reason for spanning-tree not works properly with 802.1X ?
  Thanks,
  Olivier

  Hello Olivier
  When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
  Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
  http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
  http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
  https://learningnetwork.cisco.com/thread/21103
  http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
  Please rate if this helps

• Switching Best Practice - Spanning Tree andEtherchannel

  Dear All,
  Regarding best practice related to Spanning Tree and Etherchannel, we have decided to configure following.
  1. Manually configure STP Root Bridge.
  2. On end ports, enable portfast and bpduguard.
  3. On ports connecting to other switches enable root guard.
  In etherchannel config, we have kept mode on on both side, need to change to Active and desirable as I have read that mode on may create loops? Please let me know if this is OK and suggest if something missing.
  Thank You,
  Abhisar.

  Hi Abhisar,
  Regarding your individual decisions: Manually configuring the Root Bridge is a natural thing to do. You should never leave your network just pick up a root switch based on default switch settings.
  On end ports, using PortFast and BPDU Guard is a must especially if you are running Rapid PVST+ or MSTP.
  Regarding the Root Guard on ports to other switches - this is something I do not recommend. The Root Guard is a protective mechanism in situations when your network and the network of your customer need to form a single STP domain, yet you want to have the STP Root Bridge in your network part and you do not want your customer to take over this root switch selection. In these cases, you would put the Root Guard on ports toward the customer. However, inside your own network, using Root Guard is a questionable practice. Your network can be considered trustworthy and there is no rogue root switch to protect against. Using Root Guard in your own network could cause your network to be unable to converge on a new workable spanning tree if any of the primary links failed, and it would also prevent your network from converging to a secondary root switch if the primary root switch failed entirely. Therefore, I personally see no reason to use Root Guard inside your own network - on the contrary, I am concerned that it would basically remove the possibility of your network to actually utilize the redundant links and switches.
  Regarding EtherChannels - yes, you are right, using the on mode can, under circumstances, lead to permanent switching loops. EtherChannel is one of few technologies in which I wholeheartedly recommend on relying on a signalling protocol to set it up, as opposed to configuring it manually. The active mode is my preferred mode, as it utilizes the open LACP to signal the creation of an EtherChannel, and setting both ends of a link to active helps to bring up the EtherChannel somewhat faster.
  If you are using fiber links between switches, I recommend running UDLD on them to be protected against issues caused by uni-directional links. UDLD is not helpful on copper ports and is not recommended to be run on them. However, I strongly recommend running Loop Guard configured globally with the spanning-tree loopguard default. Loop Guard can, and should, be run regardless of UDLD, and they can be used both as they nicely complement each other.
  My $0.02...
  Best regards,
  Peter

• "Peer-switch" command on vPC domain and spanning-tree priority interaction

  Hi guy,
  We have 2 N7K (N7KA and N7KB) which will be running vPC in hybird and pure vPC environment.
  I have a question about the Hybird and pure vPC environment. With the "peer-switch" command enable, should i tune the spanning-tree priority to be the same for all the vlan running on vPC on both N7KA and N7KB? This way, when i enter the "sh spanning-tree vlan X(vPC vlan) detail" command on N7K, it will list both N7K announc itself as "We are the root of the spanning tree".Also the switch running spanning-tree with N7K vPC vlan (Hybird), will see both N7K has the same priority (4096), and it is not desirable for a spanning-tree environment. Therefore, i used the "spanning-tree pseudo-information" on N7KB to tune the spanning-tree priority to "8192" and the switch running spanning-tree with N7K will list N7KB has a priority of 8192(perfect).
  However, I notice some strange "show" output on the switch running Port-channel with the N7KA and N7KB. The "Designated bridge" priority is flapping as show on the switch. It is constantly changing between "4096 and 8192" with the same vPC system wide mac address.
  Entering the "sh spanning-tree vlan X detail" command repeatly on switch with port-channel toward N7KA and N7KB.
  >>sh spanning-tree vlan 10 detail
  Port 65 (Port-channel1) of VLAN10 is root forwarding
  Port path cost 3, Port priority 128, Port Identifier 128.65.
  Designated root has priority 4106, address 0013.05ee.bac8
  Designated bridge has priority 4106, address 0013.05ee.bac8
  Designated port id is 144.2999, designated path cost 0
  Timers: message age 15, forward delay 0, hold 0
  Number of transitions to forwarding state: 1
  Link type is point-to-point by default
  BPDU: sent 5, received 603
  one sec later.
  >>sh spanning-tree vlan 10 detail
  Port 65 (Port-channel1) of VLAN10 is root forwarding Port path cost 3, Port priority 128, Port Identifier 128.65. Designated root has priority 4106, address 0013.05ee.bac8 Designated bridge has priority 8202, address 0013.05ee.bac8 Designated port id is 144.2999, designated path cost 0 Timers: message age 15, forward delay 0, hold 0 Number of transitions to forwarding state: 1 Link type is point-to-point by default BPDU: sent 5, received 603
  Configuration:
  N7KA
  spanning-tree vlan 1-10 priority 4096
  vpc domain 200
  peer-switch
  N7KB
  spanning-tree vlan 1-10 priority 4096spanning-tree pseudo-information vlan 1-10 designated priority 8192
  vpc domain 200
  peer-switch

  We have a issue similar to this in our environment. I am trying to upgrade the existing 3750 stack router with 2 Nexus 5596 running VPC between them. For the transition I have planned to create a channel between 3750 stack and 5596's. Once this environment is set, my plan is to migrate all the access switches to N5k.
  The issue is when I connect the 3750 port channel to both N5Ks, all the Vlans on 3750 started to flap. If I connect the port channel to only one N5K everything is normal; but when I connect the port channel to both N5K running VPC, vlans are flapping. Any idea what is going wrong here? Am I missing something?

• SGE2010 switches, VLAN's and a blocked port in spanning-tree

  Folks,
  I have 2 switch groups.
  2 SGE2010's with VLAN's defined as 10,20 and 30
  Vlan 10 is the management VLAN, and it uplinks to our border router.
  Vlan 20 is the workstation VLAN, and all workstations point to the switch as their default GW
  Vlan 30 is the ip phone VLAN, and all phones use this as their gateway.
  I would like to put a LAG between said switches, we have some servers on the ip phone switch that need to be accessed by the workstation clients, and the single 100mb link through the router is probably not going to be enough.
  As I understand it, because the switches have different networks on them, a simple lag will not work. I did create a lag, and assign ip addresses to each side, however in that mode, it doesn't appear I can block vlan 10 from transiting the LAG, and with out that block I will end up with a logical loop, and spanning-tree will block one of the uplinks, or the LAG itself.
  I have attached an image with a diagram of our current set up.
  Any help/advice would be much appreciated.

  Tom,
  I remember our conversation a few weeks ago. I did not get a chance to have a go at MSTP, mainly because I have no expierence with it, and looking at the configuration properities, it looks a little daunting.
  It has also been a very busy few weeks with the deployment of 200+ phones across several sites, and the system is functioning great with out the LAG trunk, I am just trying to plan for the future.
  I made a few postings a few weeks ago, one here and one on the Cisco forums on reddit, and a user there gave me some advice I have been unable to make work (I think it's just wrong), but I would love to go this route if it is in fact possible.
  Here is the thread : http://www.reddit.com/r/Cisco/comments/x91tc/vlan_trunks_spanning_tree_and_a_port_blocked/c5kskch
  This user implies it's possible to block a VLAN across the LAG which would end the logical loop problems.
  It looks like his advice is to make the LAG into a trunk, and then block specific VLAN's from transiting it, but in trunk mode, I can't assign it an IP, so I am sorta wondering how exactly you transport packets across it.
  Can you confirm that his advice is in fact incorrect?
  If MSTP is my only route, then I suppose it's time to dig into the docs and see If I cant get it up and running.

• 2950 spanning tree issue

  Here is the problem we are having , we have a 2950 hooked to a 6509 hybrid dist box with approx 90 vlans on it . We hook up a new 2950 and we get the following message, Dec 21 19:47:45.116: %SPANTREE_VLAN_SW-2-MAX_INSTANCE: Platform limit of 64 STP instances exceeded. No instance created. Ok , I know about the spanning tree issues with the 2950 only having limited PVST instances . But up at the dist side we have "manually pruned off all but 5 vlans on the trunk feeding this 2950 with the "clear trunk" command . I thought manually pruning off the vlans from the trunk would eliminate this problem , maybe i have a misunderstanding of how this works. Also the message on the 2950 complains about it only having 64 instances of spanning tree yet when you do a "show vtp status it says it supports 250 instances locally so whats up with that , 2950 running 12.1.22EA4 . So I guess I'm asking is there any way around this for the 2950 . Also in client/server mode do you have to manually prune off the vlans on both the server side and the client side ??

  Hello Glen,
  I guess instead of manually pruning the VLANs off the trunk, you could also try and enable VTP pruning globally on the 6509 (set vtp pruning enable). I assume you have the 6509 configured as the VTP server (set vtp mode server) ?
  I am not sure if CatOS and IOS defaults to the same VTP version, can you check this (with 'show vtp domain' for CatOS and 'show vtp status' for the IOS switch) ?
  Also, in a purely IOS environment, manually pruning VLANs off a trunk requires doing that only on the server side, but with a mix of CatOS and IOS, it might have to be done on both sides, you might want to give it a try and use the 'switchport trunk allowed' command on the 2950 as well...
  Regards,
  GP

• When is it appropriate to use "spanning-tree bpdufilter enable"

  What exactly does enabling bpdu filter do?  I see some examples where bpdu filtering is enabled on access ports?  Is this correct or are there dangers in this approach? 

  Hi John,
  Simple way of saying would that it would disable the STP on that port.
  BPDU filter filters the BPDU's coming in both directions. which means it effectively disable the STP on the port.
  Detailed explanation:
  ===============
  BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port.Bpdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port if a bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
  Following are the method to configure BPDU Filter in switches
  Interface mode:
  spanning-tree bpdufilter enable                        (Results port to not participate in STP, loops may occur).
  Global mode:                                                
  spanning-tree portfast bpdufilter default             (It enables bpdufiltering on ports that have port-fast configuration, so it sends a few bpdu while enabling port then it filters bdpu unless receives a bpdu, after that itchanges from port-fast mode and disables filtering for port to operate like a normal port cause it has received bpdu).
  You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.you would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
  An example:  In an office environment where someone needs  another network drop under their desk but you don't have time/budget to  run a new line for now.  you are been given a small switch but don't want it to break spanning tree.The switch  you have lying around for this task is a simple unmanaged switch and  will only have one uplink into your network. so you put bpdufilter on your  switch port.
  Ref:https://supportforums.cisco.com/docs/DOC-11825
  HTH
  Regards
  Inayath
  *Plz rate if this info is helpfull and mark as answered if this resolved your query.

• What is the command to check the changes in the spanning-tree topology?

  What is the command to check the changes in the spanning-tree topology?

  Hi,
  Few commands which would help are:
  1- Show spanning-tree detail
  2-show spanning-tree detail | in ieee|from|occur|is exec  >> This will give from were the changes occuring- Ex:
  C6K1#show spanning-tree detail | in ieee|from|occur|is exec  
   VLAN0001 is executing the rstp compatible Spanning Tree protocol
    Number of topology changes 9536 last change occurred 00:00:29 ago
            from GigabitEthernet4/6
  3- show spanning-tree active  *& show spanning-tree root >> Will give you the root information.
  4-  show spanning-tree inconsistentports >> If there are any port which are inconsistent state due to STP features.
  STP running MST:
  ===============
  show spanning-tree mst configuration  >> Need to check and match the same outputs with the other switches running in the same MST domain/region.
  show spanning-tree mst detail
  show spanning-tree mst <name of the region>
  Debug on STP:
  ============
  debug spanning-tree events/bpdu >> would be good but to be run with more cautious.
  HTH
  Inayath
  *Plz rate if this info is usefull.

• 2960X 15.0(2)EX5 Stack Bug? Master Switch Ports link in Orange, no spanning Tree

  Is anyone aware of a bug in version 15.0(2)EX5 for 2960X Switches that would cause a switch in the master role to stop linking in new ports in green (and passing traffic).  I have 2 2960X-48FPD-L Switches in a stack and whichever switch I designate master will only link new connections in orange and not pass traffic.  All ports linked in show up/up and can be seen in a show cdp neighbor but won't pass any other traffic. 
  If I unplug the Stacking cables both switches become masters and ports linked in green on the previous member switch stay green, but after it switches to master any new connections plugged in only link in orange. 
  If I switch priorities and reboot the problem switches to the new master switch and the problem goes away on the member switch.
  Also, a switch in the master role does not show any spanning tree instances for ports in the orange link state. 
  Has anyone seen this issue and do you know of a solution? 
  Jim

  A quick update for those with this same problem.
  1.  15.2(3)E turned out to be very unstable causing my switch stack to randomly lockup/reboot one of the switches about once a week.
  2.  I downgraded back to 15.0(2)EX5 but found a workaround.  It turns out the switch stack with the 15.0 versions does not like the switchport voice vlan command on any of the interfaces on the master switch.  I simply removed the voice vlan configuration on the interfaces and all the switch ports linked in just fine.  I would prefer to run the phones on a voice vlan, but it still works without, just the PC's and phones are on the same vlan. 
  Jim

• No Spanning-Tree Vlan # on C2950

  Hello everyone,
  I've recently found that one of the switches on my network (which I never set up) is running a "no spanning-tree vlan 3, 5, 10" command, which I want to remove, but I have been unable to. When I do try and type in "spanning-tree vlan 3" nothing comes up, but when I show spanning tree it lets me know that it doesn't exist.
  Is there a command I'm missing? (It's a larger number of vlans)
  Thanks in advance,
  David

  I'm not sure there would be anything for spanning tree to calculate if no ports on the switch are assigned to vlan 3.  Try assigning an unused port to vlan 3 and see if your output of sh spanning-tree vlan 3 changes.

• Multiple Spanning Tree in a Hub and Spoke topology?

  My company is planning to implement Multiple Spanning tree into our hub and spoke topology. Is that possible?
  Should I divide up the vlans into instances based on assigned switch or assigned department?
  Thank You.

  hi, everyone,
  i have search a internet draft to describe this situation, "Using an LSA Options Bit to Prevent Looping in BGP/MPLS IP VPNs", from "http://www.ietf.org/internet-drafts/draft-ietf-ospf-2547-dnbit-03.txt"
  does anyone can tell me how can disable this function and clear the "DN" bit on a cisco router? thanks very much.

• Sh spanning-tree vlan

  Hello,
  When we type "sh spanning-tree vlan X detail", then we have :
  - Number of topology changes : Y
  - Times.... topology changes : Z
  - Timers... topology changes : T
  Is Y the number fo TC in vlan X ?
  Is Z the number of TC in all vlans ?
  What about T ?
  Thanks,
  Navid

  I think T is Y the no. of Tc in VLAN X.