Spanning tree bpdu

Hi all, can anyone tell me 2 things: firstly, do only the uplinks on a switch send out BPDUs? Secondly, if I disabled spanning tree on the uplink ports, would the switch not send any BPDUs out, thus the switch not participating in spanning tree to the rest of the network?

Concept says, by default all switchports are in trunk mode. So if any switch is connected to a port, it tries to negotiate the trunk & once established, sends BPDUs. Thus, all access ports have portfast turned on which denies any BPDUs received on port.
Coming to your point, yes, uplinks will share BPDUs. If your topology has redundant connections, then you are prone to loops if STP is turned off. However, if your only concern is to limit the diameter of STP, prefer using the "vlan allowed" command on trunks for STP to limit to specific VLANs & thus not flooding the entire network.

Similar Messages

  • Debug spanning-tree bpdu brought the network down

    I'm troubleshooting a pair of Dell Power-Connect switches in a Dell blade chassis connected to a pair of Cisco 4900M switches. I have my 4900M switches set as spanning-tree root and backup root. The Dell switches are connected via LACP trunks to the 4900M's. Dell switch 1 to 4900 #1 and Dell switch 2 to 4900M #2. Both of the Dell switches are reporting as root switches.
    I was trying to troubleshoot this yesterday and ran 'debug spanning-tree bpdu' on the primary 4900M. There was a massive amount of BPDU events scrolling by. This debug command actually took the network down. The primary 4900M was non-responsive and the secondary unit had its CPU go to 100%. The fix was to power cycle the primary 4900M.
    Why did this command take my network down?
    --Patrick

    Typically, the device prioritizes console output ahead of other functions. The debug spanning-tree bpdu generates a lot of output. That is what jumped the CPU to 100% and ultimately caused the device to crash.
    You should be very careful with debug commands and log to the internal buffer, instead of the console.
    See: http://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html.

  • Spanning-tree not working: SG500 to Cat3650

    Hi All,
    Trying to turn up a new site. I have 2 switches: Cat 3650 & SG500-52P.  I want to connect up two ethernet cables between these switches in the event one fails, STP will put the blocked one in forwarding.  However, when I connect up the 2nd ethernet cable, I get the following:
    IPADTBL-N-IPDUPLICATE: Duplicate IP address 192.168.5.232 from MAC a0:ec:f9:ef:6a:18 was detected on VLAN 1, port gi1/1/24
    This log message is then followed by the network locking up & crashing until I remove the 2nd cable (i.e. STP loop). Removing the redundant cable solves the problem. This is because STP is allowing both links to transition to forwarding state (confirmed in show spanning-tree & show cdp neighbor).
    Why is spanning-tree not correctly blocking one of the lines? Is that type of architecture not supported when there is an SG300/500 in the equation?
    Configs below:
    Core 3650: (box configs basically)
    Switch#show run
    Building configuration...
    Current configuration : 2686 bytes
    ! Last configuration change at 10:01:53 UTC Thu Jan 22 2015
    ! NVRAM config last updated at 09:24:03 UTC Thu Jan 22 2015
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Switch
    boot-start-marker
    boot-end-marker
    vrf definition Mgmt-vrf
     address-family ipv4
     exit-address-family
     address-family ipv6
     exit-address-family
    logging console emergencies
    enable secret 5 $1$Qi5N$u/5q1HESY/TyQsPFNKVah1
    no aaa new-model
    clock timezone UTC -6 0
    clock summer-time UTC recurring
    switch 1 provision ws-c3650-24ts
    ip device tracking
    diagnostic bootup level minimal
    spanning-tree mode pvst
    spanning-tree extend system-id
    spanning-tree vlan 1 priority 24576
    redundancy
     mode sso
    class-map match-any non-client-nrt-class
      match non-client-nrt
    policy-map port_child_policy
     class non-client-nrt-class
        bandwidth remaining ratio 10
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     no ip address
     negotiation auto
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/2
    interface GigabitEthernet1/0/3
    interface GigabitEthernet1/0/4
    interface GigabitEthernet1/0/5
    interface GigabitEthernet1/0/6
    interface GigabitEthernet1/0/7
    interface GigabitEthernet1/0/8
    interface GigabitEthernet1/0/9
    interface GigabitEthernet1/0/10
    interface GigabitEthernet1/0/11
    interface GigabitEthernet1/0/12
    interface GigabitEthernet1/0/13
    interface GigabitEthernet1/0/14
    interface GigabitEthernet1/0/15
    interface GigabitEthernet1/0/16
    interface GigabitEthernet1/0/17
    interface GigabitEthernet1/0/18
    interface GigabitEthernet1/0/19
    interface GigabitEthernet1/0/20
    interface GigabitEthernet1/0/21
    interface GigabitEthernet1/0/22
    interface GigabitEthernet1/0/23
    interface GigabitEthernet1/0/24
    interface GigabitEthernet1/1/1
    interface GigabitEthernet1/1/2
    interface GigabitEthernet1/1/3
    interface GigabitEthernet1/1/4
    interface Vlan1
     ip address 192.168.5.230 255.255.255.0
    ip default-gateway 192.168.5.1
    ip http server
    ip http secure-server
    line con 0
     exec-timeout 0 0
     stopbits 1
    line aux 0
    line vty 0 4
     password scrubbed
     login
    line vty 5 15
     password scrubbed
     login
    wsma agent exec
     profile httplistener
     profile httpslistener
    wsma agent config
     profile httplistener
     profile httpslistener
    wsma agent filesys
     profile httplistener
     profile httpslistener
    wsma agent notify
     profile httplistener
     profile httpslistener
    wsma profile listener httplistener
     transport http
    wsma profile listener httpslistener
     transport https
    ap group default-group
    end
    SG500 Switch:
    switchff1182#show run
    config-file-header
    switchff1182
    v1.3.0.62 / R750_NIK_1_3_647_260
    CLI v1.0
    set system mode switch queues-mode 4
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname switchff1182
    no passwords complexity enable
    username cisco password encrypted scrubbed privilege 15
    ip ssh server
    snmp-server server
    no ip http server
    ip telnet server
    interface vlan 1
     ip address 192.168.5.231 255.255.255.0
     no ip address dhcp
    exit
    ip default-gateway 192.168.5.1

    Hi Peter,
    Thanks for replying. Unfortunately (or fortunately if it worked), STP is running and BPDU's are flooding below:
    SW500A#show spanning-tree
    Spanning tree enabled mode RSTP
    Default port cost method:  long
      Root ID    Priority    24577
                 Address     a0:ec:f9:ef:6a:00
                 Cost        20000
                 Port        gi1/1/43
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32768
                 Address     2c:3e:cf:ff:11:82
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
    SW500A#show spanning-tree bpdu
    Global: Flooding
    I guess I'm doing etherchannels instead of redundant links :-/
    This is one of many reasons why I regret these small business models being made; A lot of things that are polished and functional in the enterprise grade (i.e. real switches) just don't seem to work on these units. But unfortunately, as the price is significantly cheaper, companies will continue purchasing these over the better quality units, and engineers like myself will be stuck working with the cut-corners version of a Cisco switch.

  • Sg-300 - 3750 stack with SPANNING-TREE root problem.

    Morning. I think I've configured a few hundred switches, maybe a thousand in my time, but never have I faced such horribleness that is the SG-300. After this week, I think I'll refuse to touch them.
    Got 2 voice vlans and running a few vrf's on a 3750 stack. but this discussion is about layer 2.
    2 x 3750 stacked
    1 x voice switch sg-300 company A voice vlan 18 - Po1 up to 3750 distributed etherchannel Po1 (LACP active both sides) 2 ports in channel
    1 x voice switch sg-300 company B voice vlan 19 - Po1 up to 3750 distributed etherchannel Po2 (LACP active both sides) 2 ports in channel
    Allowed vlans on both sides (command on Port-channel) are data A, Voice A, Mgt A to switch A
    Allowed vlans on both sides (command on Port-channel) are data B, Voice B, Mgt B to switch B
    It seems that these switches are limited to one voice vlan....
    and that spanning tree BPDUs are ignored (or not received - haven't released the shark yet). Let me explain.
    Originally when using "smart port", the switch with the lowest MAC address, whatever voice VLAN was configured, would take over the other switches' voice VLAN, argh what a nightmare.
    I gave up on the GUI as it's far too complicated and have almost got this working.
    I am now using auto voice vlan, but have disabled smart macro. I hope that disabling smart macro stops other switches from learning the switch with the lowest MAC address's voice VLAN. So far so good - in the LAB. Nowhere was it documented in the CLI guide how to disable this stupid feature.
    DHCP is working from scope on core, can manage the switches etc etc, access vlan voice vlan all good (after a monster battle).
    Now I have an issue with spanning tree.
    spanning tree priority for vlans 1-4094 on the 3750 is 4096.
    spanning tree priority for vlans 1-4094 on the SG-300's is 6xxxx.
    ALL switches think that they are the root. (well the "logical" 3 of them) The 3750s for all VLANs, and the SG-300 for the one instance as it doesn't support per-VLAN. (I am not interested in trying MST here..this is not a datacentre)
    On the 3750s I've tried ieee, pvst, rpvst, while matching the non per-vlan equivalent on the SG series.
    What is the difference between a General port and Trunk Port on a SG-300 specific to spanning tree, native vlans (when you can just configure an untagged vlan anyway!!) and what is the relevance to the way the bpdu's are carried?
    And why the need for a PVID, when you can tell a port what is tagged and what isnt.
    Does the trunk need Vlan1 to be explicitly allowed, and untagged? Does the Po trunk need to be a general port with PVID configured? in vlan 1?
    I need to sort this, as cannot put an access switch into production that thinks it is the root of the tree.  I wish I had a 2960.... a 3500XL..anything
    Does anyone have CLI commands that can help here?

    F.Y.I. for Catalyst heroes - here is the equivalent config for SG-300 - VLAN 1 is required on the allowed list on the Catalyst side (3xxx/4xxx/6xxx)
    In this example:
    VLANS - Voice on 188, data on 57, management on 56.
    conf t
    hostname XXX-VOICE-SWXX
    no passwords complexity enable
    username xxxx priv 15 password XXXXX
    enable password xxxxxx
    ip ssh server
    ip telnet server
    crypto key generate rsa
    macro auto disabled
    voice vlan state auto-enabled !(otherwise one switch controls your voice vlan….)
    vlan 56,57,188
    voice vlan id 188
    int vlan 56
    ip address 10.230.56.12 255.255.255.0
    int vlan1
    no ip add dhcp
    ip default-gateway 10.230.56.1
    interface range GE1 - 2
    switchport mode trunk
    channel-group 1 mode auto
    int range fa1 - 24
    switchport mode trunk
    switchport trunk allowed vlan add 188
    switchport trunk native vlan 57
    qos advanced
    qos advanced ports-trusted
    exit
    int Po1
    switchport trunk allowed vlan add 56,57,188
    switchport trunk native vlan 1
    do sh interfaces switchport po1
    !CATALYST SIDE
    !Must explicitly allow VLAN 1, this is not normal for Catalysts - or spanning tree will not work! Even though it’s the native vlan on both sides.
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,56,57,189
    switchport mode trunk

  • BPDU-STP Discrepancy - Help Please - spanning-tree portfast bpduguard

    Hi,
    I get this discrepancy report from CiscoWorks saying that BPDU-STP is disabled on ports (all the ports on my switch). I have seen a document on this and how to enable this Spanning Tree feature but I am not really sure if I need to do this or not. What is the benefit in having or not having this feature enabled? If enabled, then won't I get into the port disabling and traffic disruption business? Understanding that there is a timeout feature available as well.
    Thx,
    Masood

    Hi Masood.
    STP BPDUGuard is used only on the ports which are set to STP portfast. As when portfast is enabled on the switch, it transitions from blocking --> forwarding as soon as you connect any device on it. If you connect a switch or a bridge, this can cause an STP loop in your network which can bring your entire N/W to halt/down.
    STP BPDUguard is specially designed for the edge ports. So as long as you have centralized control of your network devices and no one can connect any device without proper approval (yours), you can have it disabled. But if you understand the potential impact of anyone connecting a switch or a bridge without proper authority then you might want to enable it on your switch.
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
    HTH, Please rate if it does.
    regards,
    -amit singh

  • Command Info spanning-tree optimize bpdu transmission

    Cannot find any information on CCO, anyone have a link or definition of this command ??

    "spanning-tree optimize bpdu transmission" enables the switch to send multiple BPDUs from the interrupt context thereby reducing the CPU usage for the transmission function.
    Note that not all platforms support it.
    PS: Remember to rate useful posts.

  • ISE - 802.1X - Loop not detected by spanning-tree

    Hello,
    I have recently implemented 802.1X on 3750-X switches running the 15.0(2)SE IOS version.
    The spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
    A user has created a loop on the network by connecting his Cisco IP phone twice to the network: one wire connected normally from the switch to the RJ-45 phone connector, and the second wire that should be connected to the PC had also been connected to the switch!
    The loop created has not been detected by the switch!
    I have made several tests and re-created the problem 3 times out of 4 (only one time, the loop was detected by bpduguard 20 seconds after the port came up).
    Notice that without 802.1X configured on the same switch port, the loop is quickly detected and ports are err-disabled shutdown.
    Switch port with 802.1X is following :
    interface GigabitEthernet1/0/9
    switchport access vlan 950
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 955
    no logging event link-status
    authentication control-direction in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 950
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    storm-control broadcast level 10.00
    storm-control multicast level 10.00
    spanning-tree portfast
    If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
    Is there any reason for spanning-tree not to work properly with 802.1X?
    Thanks,
    Olivier

    Hello Olivier
    When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
    Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
    http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
    http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
    https://learningnetwork.cisco.com/thread/21103
    http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
    Please rate if this helps

  • Switching Best Practice - Spanning Tree and Etherchannel

    Dear All,
    Regarding best practice related to Spanning Tree and Etherchannel, we have decided to configure following.
    1. Manually configure STP Root Bridge.
    2. On end ports, enable portfast and bpduguard.
    3. On ports connecting to other switches enable root guard.
    In etherchannel config, we have kept mode on on both side, need to change to Active and desirable as I have read that mode on may create loops? Please let me know if this is OK and suggest if something missing.
    Thank You,
    Abhisar.

    Hi Abhisar,
    Regarding your individual decisions: Manually configuring the Root Bridge is a natural thing to do. You should never leave your network just pick up a root switch based on default switch settings.
    On end ports, using PortFast and BPDU Guard is a must especially if you are running Rapid PVST+ or MSTP.
    Regarding the Root Guard on ports to other switches - this is something I do not recommend. The Root Guard is a protective mechanism in situations when your network and the network of your customer need to form a single STP domain, yet you want to have the STP Root Bridge in your network part and you do not want your customer to take over this root switch selection. In these cases, you would put the Root Guard on ports toward the customer. However, inside your own network, using Root Guard is a questionable practice. Your network can be considered trustworthy and there is no rogue root switch to protect against. Using Root Guard in your own network could cause your network to be unable to converge on a new workable spanning tree if any of the primary links failed, and it would also prevent your network from converging to a secondary root switch if the primary root switch failed entirely. Therefore, I personally see no reason to use Root Guard inside your own network - on the contrary, I am concerned that it would basically remove the possibility of your network to actually utilize the redundant links and switches.
    Regarding EtherChannels - yes, you are right, using the on mode can, under some circumstances, lead to permanent switching loops. EtherChannel is one of few technologies in which I wholeheartedly recommend relying on a signalling protocol to set it up, as opposed to configuring it manually. The active mode is my preferred mode, as it utilizes the open LACP to signal the creation of an EtherChannel, and setting both ends of a link to active helps to bring up the EtherChannel somewhat faster.
    If you are using fiber links between switches, I recommend running UDLD on them to be protected against issues caused by uni-directional links. UDLD is not helpful on copper ports and is not recommended to be run on them. However, I strongly recommend running Loop Guard configured globally with the spanning-tree loopguard default. Loop Guard can, and should, be run regardless of UDLD, and they can be used both as they nicely complement each other.
    My $0.02...
    Best regards,
    Peter

  • "Peer-switch" command on vPC domain and spanning-tree priority interaction

    Hi guys,
    We have 2 N7K (N7KA and N7KB) which will be running vPC in a hybrid and pure vPC environment.
    I have a question about the hybrid and pure vPC environment. With the "peer-switch" command enabled, should I tune the spanning-tree priority to be the same for all the VLANs running on vPC on both N7KA and N7KB? This way, when I enter the "sh spanning-tree vlan X(vPC vlan) detail" command on N7K, it will list both N7Ks announcing themselves as "We are the root of the spanning tree". Also the switch running spanning-tree with N7K vPC vlan (hybrid) will see both N7Ks have the same priority (4096), and it is not desirable for a spanning-tree environment. Therefore, I used the "spanning-tree pseudo-information" on N7KB to tune the spanning-tree priority to "8192" and the switch running spanning-tree with N7K will list N7KB as having a priority of 8192 (perfect).
    However, I notice some strange "show" output on the switch running Port-channel with the N7KA and N7KB. The "Designated bridge" priority is flapping as shown on the switch. It is constantly changing between "4096 and 8192" with the same vPC system-wide MAC address.
    Entering the "sh spanning-tree vlan X detail" command repeatedly on the switch with port-channel toward N7KA and N7KB.
    >>sh spanning-tree vlan 10 detail
    Port 65 (Port-channel1) of VLAN10 is root forwarding
    Port path cost 3, Port priority 128, Port Identifier 128.65.
    Designated root has priority 4106, address 0013.05ee.bac8
    Designated bridge has priority 4106, address 0013.05ee.bac8
    Designated port id is 144.2999, designated path cost 0
    Timers: message age 15, forward delay 0, hold 0
    Number of transitions to forwarding state: 1
    Link type is point-to-point by default
    BPDU: sent 5, received 603
    one sec later.
    >>sh spanning-tree vlan 10 detail
    Port 65 (Port-channel1) of VLAN10 is root forwarding
    Port path cost 3, Port priority 128, Port Identifier 128.65.
    Designated root has priority 4106, address 0013.05ee.bac8
    Designated bridge has priority 8202, address 0013.05ee.bac8
    Designated port id is 144.2999, designated path cost 0
    Timers: message age 15, forward delay 0, hold 0
    Number of transitions to forwarding state: 1
    Link type is point-to-point by default
    BPDU: sent 5, received 603
    Configuration:
    N7KA
    spanning-tree vlan 1-10 priority 4096
    vpc domain 200
    peer-switch
    N7KB
    spanning-tree vlan 1-10 priority 4096
    spanning-tree pseudo-information vlan 1-10 designated priority 8192
    vpc domain 200
    peer-switch

    We have an issue similar to this in our environment. I am trying to upgrade the existing 3750 stack router with 2 Nexus 5596 running VPC between them. For the transition I have planned to create a channel between the 3750 stack and the 5596s. Once this environment is set, my plan is to migrate all the access switches to N5K.
    The issue is when I connect the 3750 port channel to both N5Ks, all the Vlans on 3750 started to flap. If I connect the port channel to only one N5K everything is normal; but when I connect the port channel to both N5K running VPC, vlans are flapping. Any idea what is going wrong here? Am I missing something?

  • When is it appropriate to use "spanning-tree bpdufilter enable"

    What exactly does enabling bpdu filter do?  I see some examples where bpdu filtering is enabled on access ports?  Is this correct or are there dangers in this approach? 

    Hi John,
    Simple way of saying would that it would disable the STP on that port.
    BPDU filter filters the BPDU's coming in both directions. which means it effectively disable the STP on the port.
    Detailed explanation:
    ===============
    BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port. BPDU filter will prevent inbound and outbound BPDUs but will remove portfast state on a port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
    Following are the method to configure BPDU Filter in switches
    Interface mode:
    spanning-tree bpdufilter enable                        (Results port to not participate in STP, loops may occur).
    Global mode:                                                
    spanning-tree portfast bpdufilter default             (It enables BPDU filtering on ports that have port-fast configuration, so it sends a few BPDUs while enabling the port, then it filters BPDUs unless it receives a BPDU; after that it changes from port-fast mode and disables filtering for the port to operate like a normal port because it has received a BPDU).
    You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports. You would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
    An example: In an office environment where someone needs another network drop under their desk but you don't have time/budget to run a new line for now. You have been given a small switch but don't want it to break spanning tree. The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network, so you put bpdufilter on your switch port.
    Ref:https://supportforums.cisco.com/docs/DOC-11825
    HTH
    Regards
    Inayath
    *Plz rate if this info is helpful and mark as answered if this resolved your query.
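The edge-port and EtherChannel advice in the two threads above (PortFast together with BPDU Guard on end ports, the loop risk of interface-level bpdufilter, and EtherChannel mode on) can be checked mechanically against a saved configuration. This is an added example, not code from any poster or from Cisco; it assumes the standard indented running-config layout, and the sample configuration, function names and finding labels are constructed for illustration.

```python
import re

# Constructed sample in standard indented running-config layout (an assumption;
# it is not the configuration of any switch discussed on this page).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 description user port, PortFast only
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description user port, guarded
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description desk switch
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 channel-group 2 mode active
!
"""

# Interface-level PortFast, including the newer "edge" keyword form.
PORTFAST_RE = re.compile(r"spanning-tree portfast(?: edge)?(?: trunk)?")
# Global BPDU Guard default for PortFast ports (older and newer syntax).
GUARD_DEFAULT_RE = re.compile(r"spanning-tree portfast(?: edge)? bpduguard default")
# Static EtherChannel with no LACP/PAgP negotiation.
CHANNEL_ON_RE = re.compile(r"channel-group \d+ mode on")


def parse_config(config):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        else:
            current = None  # any other top-level line ends the interface block
            global_lines.append(line)
    return global_lines, interfaces


def audit(config):
    """Return (interface, finding) tuples for the three checks described above."""
    global_lines, interfaces = parse_config(config)
    guard_default = any(GUARD_DEFAULT_RE.fullmatch(l) for l in global_lines)
    findings = []
    for name, lines in interfaces.items():
        portfast = any(PORTFAST_RE.fullmatch(l) for l in lines)
        if "spanning-tree bpduguard disable" in lines:
            guarded = False  # interface-level disable overrides the global default
        else:
            guarded = guard_default or "spanning-tree bpduguard enable" in lines
        if portfast and not guarded:
            findings.append((name, "PORTFAST_NO_BPDUGUARD"))
        if "spanning-tree bpdufilter enable" in lines:
            # Interface-level filter: the port no longer takes part in STP.
            findings.append((name, "BPDUFILTER_ENABLED"))
        if any(CHANNEL_ON_RE.fullmatch(l) for l in lines):
            findings.append((name, "ETHERCHANNEL_MODE_ON"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

The check only reads interface-level PortFast; ports that become edge ports through a global `spanning-tree portfast default` are outside what it covers.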

  • What is the command to check the changes in the spanning-tree topology?

    What is the command to check the changes in the spanning-tree topology?

    Hi,
    Few commands which would help are:
    1- Show spanning-tree detail
    2- show spanning-tree detail | in ieee|from|occur|is exec  >> This will show where the changes are occurring from. Ex:
    C6K1#show spanning-tree detail | in ieee|from|occur|is exec  
     VLAN0001 is executing the rstp compatible Spanning Tree protocol
      Number of topology changes 9536 last change occurred 00:00:29 ago
              from GigabitEthernet4/6
    3- show spanning-tree active  *& show spanning-tree root >> Will give you the root information.
    4-  show spanning-tree inconsistentports >> If there are any port which are inconsistent state due to STP features.
    STP running MST:
    ===============
    show spanning-tree mst configuration  >> Need to check and match the same outputs with the other switches running in the same MST domain/region.
    show spanning-tree mst detail
    show spanning-tree mst <name of the region>
    Debug on STP:
    ============
    debug spanning-tree events/bpdu >> would be good but is to be run with more caution.
    HTH
    Inayath
    *Plz rate if this info is useful.

  • Blocked Stack Ports on 2960X-48FPD-L Stack (Unstable Switch Stack!) Spanning Tree?

    I am having an issue where 2 2960X-48FPD-L Switches in a redundant flexstack (stack port 1 SW1 to port  2 SW2 and port 2 SW1 to port 1 SW2) ring. 
    At first running the 15.0(2).EX5 (and earlier EX3, and EX4) version IOS yielded all the ports on the stack master switch refusing to run spanning tree and would only link in amber and not pass any traffic other than CDP information (the slave switch linked in fine). 
    I upgraded to 15.2(3)E and this solved the problem of the ports not linking in green and participating in spanning tree. 
    Now, however, about every week or two I lose connectivity to the switch stack and I was able to go to the switch stack locally and found that for some reason the switch stack is blocking and unblocking VLANs on StackPort1 frequently (see below).  When I was at the site, I sometimes had connectivity, sometimes not.  A stack hard reboot brought everything back up, but this is the second time this has occurred and I would expect the same problem in the next week or so. 
    Has anyone else run into these issues, and have you found a solution?
    I'm guessing that if I either get rid of the redundancy on the switch stack or stack using Ethernet cables between switches the problem will go away, but then what is the point of using stackable switches in a non redundant low speed stack.  It seems to me that Spanning tree thinks that I have a spanning tree loop going on with the stack ports which I didn't even think was possible.   
    What do you think?
    Jim
    _BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:02:59: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
    Mar 11 09:03:16: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:03:27: %SPANTREE-2-BLOCK_PVID_PEER: Blocking StackPort1 on VLAN0307. Inconsistent peer vlan.
    Mar 11 09:03:42: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
    Mar 11 09:03:46: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:03:47: %SPANTREE-2-BLOCK_PVID_PEER: Blocking StackPort1 on VLAN0307. Inconsistent peer vlan.
    Mar 11 09:04:12: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
    Mar 11 09:04:22: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:04:56: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:05:13: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 207 on StackPort1 VLAN307.
    Mar 11 09:05:13: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking StackPort1 on VLAN0307. Inconsistent local vlan.
    Mar 11 09:05:30: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:06:00: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:06:04: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
    Mar 11 09:06:32: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:07:02: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:07:03: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 207 on StackPort1 VLAN307.
    Mar 11 09:07:03: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking StackPort1 on VLAN0307. Inconsistent local vlan.
    Mar 11 09:07:34: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
    Mar 11 09:07:45: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.

    Jim,
    We have also the same problem with our 2960-X switches (access) connecting to a pair of 4500x (VSS) except our issue is with Portchannel with 2 physical links connecting the 2960xs to the 4500.
    If we disconnect one of the physical links from the portchannel everything works fine, but when we connect the same physical link back all users lose connectivity and the physical link starts flapping. Here are some of the messages we see in the logs when both physical links are in the portchannel:
    Mar 10 18:00:43 EST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on Port-channel5 VLAN90.
    Mar 10 18:00:43 EST: %SPANTREE-2-BLOCK_PVID_PEER: Blocking Port-channel5 on VLAN0001. Inconsistent peer vlan.
    Mar 10 18:00:43 EST: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking Port-channel5 on VLAN0090. Inconsistent local vlan.
    Mar 10 18:00:58 EST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel5 on VLAN0001. Port consistency restored.
    Mar 10 18:00:58 EST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel5 on VLAN0090. Port consistency restored.
    Mar 10 18:01:29 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to down
    Mar 10 18:01:37 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up
    Mar 10 18:01:48 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to down
    Mar 10 18:01:51 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up
    We have upgraded to 15.0(2a).EX5 and still have the same issue.
    We have a ticket open with Cisco and have sent them all the logs and debugs, and are waiting to hear back from IOS developers.
    HTH
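
An added example, not part of either post and not vendor tooling: a Python parser that pairs the `%SPANTREE-2` PVID block/unblock messages quoted above per port and VLAN, reporting the peer VLAN ID received, how often the VLAN was blocked, and for how long. The sample lines follow the format of the logs in the posts; the function names and the placeholder year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines in the format of the syslog output quoted in the posts above.
SAMPLE_LOG = """\
Mar 10 18:00:43 EST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on Port-channel5 VLAN90.
Mar 10 18:00:43 EST: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking Port-channel5 on VLAN0090. Inconsistent local vlan.
Mar 10 18:00:58 EST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel5 on VLAN0090. Port consistency restored.
Mar 11 09:04:56: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
Mar 11 09:05:13: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 207 on StackPort1 VLAN307.
Mar 11 09:05:13: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking StackPort1 on VLAN0307. Inconsistent local vlan.
Mar 11 09:06:04: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
Mar 11 09:07:03: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 207 on StackPort1 VLAN307.
Mar 11 09:07:03: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking StackPort1 on VLAN0307. Inconsistent local vlan.
Mar 11 09:07:45: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
"""

HEADER = re.compile(r"^\s*(\w{3} +\d+ \d\d:\d\d:\d\d)(?: \w+)?: %SPANTREE-2-(\w+): (.*)$")
PVID_ERR = re.compile(r"inconsistent peer vlan id (\d+) on (\S+) VLAN0*(\d+)")
BLOCKING = re.compile(r"^(?:Blocking|Unblocking) (\S+) on VLAN0*(\d+)")

def summarize(log_text, year=2000):
    """Per (port, vlan): peer VLAN IDs seen, block count, total seconds blocked."""
    # The log lines carry no year; `year` is an assumed value used only for time deltas.
    stats = defaultdict(lambda: {"peer_vlans": set(), "blocks": 0, "blocked_seconds": 0})
    blocked_since = {}
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        stamp, mnemonic, text = head.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if mnemonic == "RECV_PVID_ERR" and (m := PVID_ERR.search(text)):
            stats[(m.group(2), int(m.group(3)))]["peer_vlans"].add(int(m.group(1)))
        elif mnemonic.startswith("BLOCK_PVID") and (m := BLOCKING.match(text)):
            key = (m.group(1), int(m.group(2)))
            stats[key]["blocks"] += 1
            blocked_since.setdefault(key, when)
        elif mnemonic == "UNBLOCK_CONSIST_PORT" and (m := BLOCKING.match(text)):
            key = (m.group(1), int(m.group(2)))
            start = blocked_since.pop(key, None)
            if start is not None:
                stats[key]["blocked_seconds"] += int((when - start).total_seconds())
    return dict(stats)

def recurring(stats, min_blocks=2):
    """(port, vlan) pairs blocked repeatedly, i.e. the inconsistency keeps returning."""
    return sorted(k for k, v in stats.items() if v["blocks"] >= min_blocks)
```

A pair that keeps reappearing in `recurring()` with the same peer VLAN ID means the inconsistency is persistent rather than a one-off event during a link change.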

  • SF 300 Series switch not participating in spanning tree?

    I just purchased an SF300-24 managed switch and I am running it in layer3 mode. I am testing it out right now and have it connected to two 2950 switches. The SF300 is connected to each 2950 with a four port etherchannel running LACP. When looking at spanning tree all three switches are configured the same when it comes to hello, forward, max age and all three are in RSTP mode. I adjusted the priorities so that the SF300 would be the root but that is not happening.
    I only have one VLAN as of right now set up and connectivity between the three switches is fine. The only problem seems to be that the two 2950 switches are the only two switches involved in the determination of the root bridge. Additionally it was the same way before I configured the etherchannel and had the switches connected over single trunk lines.
    I would appreciate it if someone can explain to me why this is?
    Thanks in advance.

    Thanks for your help, but now I still cannot get the three devices to talk MST either, it is getting frustrating. If I add a redundant link and directly connect the two 2950's they immediately talk and configure MST. But when I remove that link no info is passed and both 2950's think they are the root even though the SF 300 priority is 0 on all three MST instances. On the SF300 I have the following settings:
    Spanning tree: enabled
    STP Operation Mode: Multiple STP
    BPDU Handling: Flooding
    Path Cost: Long
    Region name: test
    Revision: 1
    Max Hops: 20
    Max-age: 20
    Hello Time: 2
    Forward Delay: 15
    MST instance 1 Vlan 100
    Bridge Priority 0
    Designated Root Bridge: Self
    Root port: 0
    Root path cost: 0
    MST instance 2 Vlan 2-5
    Bridge Priority 0
    Designated Root Bridge: Self
    Root port: 0
    Root path cost: 0
    MST instance 0 all vlans not in instance 1 and 2
    Bridge Priority 0
    Designated Root Bridge: Self
    Root port: 0
    Root path cost: 0
    For MST interface Settings (both LAGs/instances are the same)
    Int Priority: 128
    Path Cost: 20000
    Port State: Boundary
    Mode: RSTP
    Type: Boundary
    Designated port ID: 128
    Designated Cost: 0
    Remain Hops: 20
    Forward Transitions: 1
    The 2950 switches: (The only difference on the other switch is that the priority is 8192, and the MACs of course)
    MST00 is executing the mstp compatible Spanning Tree protocol
      Bridge Identifier has priority 4096, sysid 0, address 000b.460e.e040
      Configured hello time 2, max age 20, forward delay 15
      Current root has priority 0, address 6c50.4dcb.334b
      Root port is 65 (Port-channel1), cost of root path is 50000
      Topology change flag not set, detected flag not set
      Number of topology changes 7 last change occurred 00:18:54 ago
              from Port-channel1
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0
    Port 65 (Port-channel1) of MST00 is root forwarding
       Port path cost 50000, Port priority 128, Port Identifier 128.65.
       Designated root has priority 0, address 6c50.4dcb.334b
       Designated bridge has priority 0, address 6c50.4dcb.334b
       Designated port id is 128.1000, designated path cost 0
       Timers: message age 4, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default, Boundary RSTP
       BPDU: sent 571, received 568
    MST01 is executing the mstp compatible Spanning Tree protocol
      Bridge Identifier has priority 4096, sysid 1, address 000b.460e.e040
      Configured hello time 2, max age 20, forward delay 15
      We are the root of the spanning tree
      Topology change flag not set, detected flag not set
      Number of topology changes 9 last change occurred 00:18:55 ago
              from Port-channel1
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0
    Port 65 (Port-channel1) of MST01 is boundary forwarding
       Port path cost 50000, Port priority 128, Port Identifier 128.65.
       Designated root has priority 4097, address 000b.460e.e040
       Designated bridge has priority 4097, address 000b.460e.e040
       Designated port id is 128.65, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default, Boundary RSTP
       BPDU: sent 598, received 0
    MST02 is executing the mstp compatible Spanning Tree protocol
      Bridge Identifier has priority 4096, sysid 2, address 000b.460e.e040
      Configured hello time 2, max age 20, forward delay 15
      We are the root of the spanning tree
      Topology change flag not set, detected flag not set
      Number of topology changes 9 last change occurred 00:19:50 ago
              from Port-channel1
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0
    Port 65 (Port-channel1) of MST02 is boundary forwarding
       Port path cost 50000, Port priority 128, Port Identifier 128.65.
       Designated root has priority 4098, address 000b.460e.e040
       Designated bridge has priority 4098, address 000b.460e.e040
       Designated port id is 128.65, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default, Boundary RSTP
       BPDU: sent 611, received 0
    I notice that on MST01 and 02 they are not receiving BPDUs, but I am not sure why or if that is the problem. It appears that the SF 300 is not sending BPDU packets for MST01 and 02, but is sending them for MST00. I also attached a capture. I captured the VLAN info for VLAN 100, which is in MST1. On the SF300, it appears that the SF 300 is receiving STP traffic but not generating any.

  • Spanning Tree Reconfiguration - If Root Port is down.

    Hello All,
    I have some doubt on STP reconfiguration if the Root port is down... Can anyone help?
    As per my understanding, if any port is down due to any reason, the corresponding bridge shall send a TCN to the root bridge through the root port.
    Let's say a root port is down on a bridge, and so the topology has to be re-established. As the root port itself is down, how does the Bridge convey the TCN to the root bridge?
    Thanks,
    RajaSekhar

    Hi Raja, if the root port is down, the TCN notification can't make it to the root bridge since the link is down. The affected device will rely on the last known good bpdu. When the affected device has its designated port down, it will remove the alternate port from discard once it hits the max age table, then progress through the listening, learning, forwarding; at this time the new tcn is sent through the spanning tree topology. Once the TCN reaches the root bridge, the root bridge will send a configuration bpdu, then the whole spanning tree topology will update.
    It can take up to 52 seconds to have the topology update in the entirety depending on spanning tree mode and size of topology.
    -Tom
    Please rate helpful posts

  • Rapid Spanning Tree Problem

    Hi all,
    I am experiencing an RSTP problem. I have two switches connected via wireless link, the port is in trunk mode, and the native vlan is vlan 1. The problem is that bpdu's are exchanged for other vlan's but not for vlan 1; when I connect a second backup wireless link it causes the loop. It seems that there are no bpdu exchanges between switches for vlan 1; also in trunk ports I see that BPDU's for vlan 1 are sent by both switches but they do not receive any BPDU's from each other. Any explanation about this issue?
    Thanks in advance

    I would need to know some things to troubleshoot this:
    1. Is VLAN 1 the native VLAN of the trunk, on both sides?
    2. I presume VLAN 1 is in the allowed VLANs list on both sides of the link?
    3. If the native VLAN is not 1, is the native VLAN allowed on the trunk, on both sides?
    4. What model of switch is it, and what version of the software?
    5. Can you do a show run int for each end of each trunk link?
    6. Can you do a show int xxx trunk for each end of each trunk link?
    7. Can you do a show spanning-tree vlan 1 on each side of each trunk?
    Kevin Dorrell
    Luxembourg
