Switching Best Practice - Spanning Tree andEtherchannel

Similar Messages

• Windows 2012 Hyper-V Virtual SAN Switch Best Practice

   I have a four node cluster running W2012 Datacenter edition on each.  All systems have Emulex HBA compatible with Hyper-V and Virtual SAN technology. The hosts are connected to a Brocade SAN Switch with NPIV Enabled. I've
  created a Virtual SAN on each host. The vSAN is connected to 2 physical HBA. Each HBA is connected to a different physical SAN Switch.
  I have some questions about the best practice of the whole system.
  1. Do I have to create a vSAN per physical HBA ? Or create one vSAN that include 2 HBA ?
  2. Add 2 virtual HBA per VM to have fault tolerance ? Or one virtual HBA that is connected to a vSAN with 2 HBAs ?
  3.  Do I have to create a virtual port for each VM on the HBA Gui (OCManager) ?
  Any best pratice or advice ?
  Thanks

  Hi,
  first you will do almost the same as you do on a physical SAN, normally you build 2 Fabrics right ?
  In Case you have that in place you will configure also 2 vSANs to build up your 2 seperate ways/pathes.
  Here my top links for that Topic
  Hyper-V Virtual Fibre Channel Design Guide
  http://blogs.technet.com/b/privatecloud/archive/2013/07/23/hyper-v-virtual-fibre-channel-design-guide.aspx
  Very Good Blog with all the Scenarios you can have, sinlge Fabric to Multi ......
  Here the TechNet Info around "Hyper-V Virtual Fibre Channel Overview"
  http://technet.microsoft.com/en-us/library/hh831413.aspx
  and the "Implement Hyper-V Virtual Fibre Channel"
  http://technet.microsoft.com/en-us/library/dn551169.aspx
  A good Advice is also to install this Hotfix -
  http://support.microsoft.com/kb/2894032/en-us
  It is a sexy feature but if one point in the chain is doing wrong things with your NPIV Packets you are lost, so in my personal view you miss the for me most inportant point why i do Hyper-V, the Separation of HW and Software :-)
  One Problem i had once was after live Migration of a VM with configured vFC the Destination Host lost there FC Connection, but only if the Host have been one SAN Hop away from the HP Storage , was a HP Driver Problem, used the original Qlogic Driver and
  everything was fine, so same as with some HP Networking Driver for Broadcom, do not trust every update, test it before puting it in production.
  Hope that helps ?
  Udo

• Blocked Stack Ports on 2960X-48FPD-L Stack (Unstable Switch Stack!) Spanning Tree?

  I am having an issue where 2 2960X-48FPD-L Switches in a redundant flexstack (stack port 1 SW1 to port  2 SW2 and port 2 SW1 to port 1 SW2) ring. 
  At first running the 15.0(2).EX5 (and earlier EX3, and EX4) version IOS yielded all the ports on the stack master switch refusing to run spanning tree and would only link in amber and not pass any traffic other than CDP information (the slave switch linked in fine). 
  I upgraded to 15.2(3)E and this solved the problem of the ports not linking in green and participating in spanning tree. 
  Now, however, about every week or two I lose connectivity to the switch stack and I was able to go to the switch stack locally and found that for some reason the switch stack is blocking and unblocking VLANs on StackPort1 frequently (see below).  When I was at the site, I sometimes had connectivity, sometimes not.  A stack hard reboot brought everything back up, but this is the second time this has occurred and I would expect the same problem in the next week or so. 
  Has anyone else run into these issues, and have you found a solution?
  I'm guessing that if I either get rid of the redundancy on the switch stack or stack using Ethernet cables between switches the problem will go away, but then what is the point of using stackable switches in a non redundant low speed stack.  It seems to me that Spanning tree thinks that I have a spanning tree loop going on with the stack ports which I didn't even think was possible.   
  What do you think?
  Jim
  _BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:02:59: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
  Mar 11 09:03:16: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:03:27: %SPANTREE-2-BLOCK_PVID_PEER: Blocking StackPort1 on VLAN0307. Inconsistent peer vlan.
  Mar 11 09:03:42: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
  Mar 11 09:03:46: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:03:47: %SPANTREE-2-BLOCK_PVID_PEER: Blocking StackPort1 on VLAN0307. Inconsistent peer vlan.
  Mar 11 09:04:12: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
  Mar 11 09:04:22: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:04:56: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:05:13: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 207 on StackPort1 VLAN307.
  Mar 11 09:05:13: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking StackPort1 on VLAN0307. Inconsistent local vlan.
  Mar 11 09:05:30: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:06:00: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:06:04: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.
  Mar 11 09:06:32: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:07:02: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:07:03: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 207 on StackPort1 VLAN307.
  Mar 11 09:07:03: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking StackPort1 on VLAN0307. Inconsistent local vlan.
  Mar 11 09:07:34: %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on StackPort1 VLAN1.
  Mar 11 09:07:45: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking StackPort1 on VLAN0307. Port consistency restored.

  Jim,
  We have also the same problem with our 2960-X switches (access) connecting to a pair of 4500x (VSS) except our issue is with Portchannel with 2 physical links connecting the 2960xs to the 4500.
  If we disconnect one of the physical links from the portchannel everything works fine, but when we connect the same physical link back all users lose connectivity and the physical link starts flapping. Here are some of the messages we see in the logs when both physical links are in the portchannel:
  Mar 10 18:00:43 EST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on Port-channel5 VLAN90.
  Mar 10 18:00:43 EST: %SPANTREE-2-BLOCK_PVID_PEER: Blocking Port-channel5 on VLAN0001. Inconsistent peer vlan.
  Mar 10 18:00:43 EST: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking Port-channel5 on VLAN0090. Inconsistent local vlan.
  Mar 10 18:00:58 EST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel5 on VLAN0001. Port consistency restored.
  Mar 10 18:00:58 EST: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel5 on VLAN0090. Port consistency restored.
  Mar 10 18:01:29 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to down
  Mar 10 18:01:37 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up
  Mar 10 18:01:48 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to down
  Mar 10 18:01:51 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up
  We have upgraded to 15.0(2a).EX5 and still have the same issue.
  We have a ticket open with Cisco and have sent them all the logs and debugs and waiting to hear back from IOS developers.
  HTH

• Spanning tree STG from switch to switch

  Does the STG need to match on all linked switches for VLANs to function properly using PVRST? It seems like whenever I notice they are not the same the VLANs that are not the same are not working as they should be.  

  Hello,
  A couple of comments on this topic. As noted, the STP instance to VLAN number is locally significant and generally does not need to match between switches. One exception to this is for switches in a vLAG pair (similar to Cisco vPC). For a pair of switches sharing a common vLAG tier ID, the STP-instance-to-VLAN-number must match exactly, or unexpected blocking/discarding will occur (I have never seen this cause a loop, just unexpected blocking, and one way to see if this is the case is to use the command “show span block” and look for any interfaces blocking that should not be).  Lenovo switches use an algorithm to assign an instance to a VLAN, and if you add VLANs in the same order on a pair of switches, those VLANs will get the same STP instance. But if you add VLANs in different order on each switch, then they might get a different instance assigned, and then would require manually adjustment on a vLAG pair.  Again, this does not matter on non-vLAGed switches, and can be any instance, but as noted in a previous response, it is always a good idea to have them in sync between switches, just to prevent user confusion.
  There is also a draft paper out for Lenovo switching best practices at the following link that covers a lot of such topics:
  http://www.redbooks.ibm.com/abstracts/sg248245.html?Open
  Thanks, Matt

• Spanning tree Stability

  Folks,
  I have recently placed 2 6500 at the core. I am running PVST. I have made one switch as the root primary and the other one is root secondary. My question is what steps can i take to make sure no spanning tree issues arise if some by mistake introduces a switch to the network??? i know i can use the root guard command per interface, but, i was looking for other best practices.
  Also, can someone exlain to me how can i switch modify the spanning tree topology if i have already configured a root bridge with a priority of 1?
  I will surely rate this post.
  Thanks

  Well, you can set the priority to 0;-)
  Except rootguard you mentioned, there is no real way of preventing someone else to become root because even if you set your root priority to 0, a bridge with a lower mac address could beat you.
  STP still assume some kind of cooperation between the switches. If you are in an environment where you absolutely cannot trust the neighbors, you should try avoiding running STP with them. Rootguard is a good safeguard but it will disrupt connectivity when a violation is detected. Plus rootguard will fail to detect problems if the neighbor is hostile and not sending BPDUs at all (bpdufilter).
  If you are operating in a kind of service provider model, you could use l2pt instead (waiting for 802.1ad). In that case, you would just run STP with the bridges you control and trust, and let others tunnel their STPs through you (note that in this case, the untrusted devices can create bridging loops through you, but you can rate limit the bandwidth they are wasting to what they pay for).
  Regards,
  Francois

• Spanning-tree cost

  I'm practicing spanning-tree with two 2950 switches (Ver 12.1). I have 3 trunks and 3 vlans. I try to change the cost of the interface (for the 3 vlans) and only 2 vlans change the value after I apply the command. The command is "spanning-tree cost 1" in interface mode. Is there any explanation as why only two of the vlans change the cost? I hope to be clear on the scenario.

  Hello Francisco,
  as Toshi has explained STP calculstes the cost to the root bridge but it does it by adding the local port cost that receives the BPDU to the path cost in the BPDU.
  A switch advertises out its ports not in STP blocking state a BPDU modified in the following manner:
  the sender bridge id is that of the local switch
  the port id is that of the outgoing port
  the total cost to reach the root bridge is:
  cost received on root port + cost of root port
  notice that only port-id changes from port to port.
  This is different from what happens with routing protocols where the cost is added on the outgoing interface.
  So as Toshi notes if one device is the root bridge for one vlan the cost (actually 0) doesn't change if you change the cost of one of its ports.
  Hope to help
  Giuseppe

• When is it appropriate to use "spanning-tree bpdufilter enable"

  What exactly does enabling bpdu filter do?  I see some examples where bpdu filtering is enabled on access ports?  Is this correct or are there dangers in this approach? 

  Hi John,
  Simple way of saying would that it would disable the STP on that port.
  BPDU filter filters the BPDU's coming in both directions. which means it effectively disable the STP on the port.
  Detailed explanation:
  ===============
  BPDUfilter on the other hand just filters BPDUs in both directions, which effectively disables STP on the port.Bpdu filter will prevent inbound and outbound bpdu but will remove portfast state on a port if a bpdu is received.Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
  Following are the method to configure BPDU Filter in switches
  Interface mode:
  spanning-tree bpdufilter enable                        (Results port to not participate in STP, loops may occur).
  Global mode:                                                
  spanning-tree portfast bpdufilter default             (It enables bpdufiltering on ports that have port-fast configuration, so it sends a few bpdu while enabling port then it filters bdpu unless receives a bpdu, after that itchanges from port-fast mode and disables filtering for port to operate like a normal port cause it has received bpdu).
  You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.you would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
  An example:  In an office environment where someone needs  another network drop under their desk but you don't have time/budget to  run a new line for now.  you are been given a small switch but don't want it to break spanning tree.The switch  you have lying around for this task is a simple unmanaged switch and  will only have one uplink into your network. so you put bpdufilter on your  switch port.
  Ref:https://supportforums.cisco.com/docs/DOC-11825
  HTH
  Regards
  Inayath
  *Plz rate if this info is helpfull and mark as answered if this resolved your query.

• Debug spanning-tree bpdu brought the network down

  I'm troubleshooting a pair of Dell Power-Connect switches in a Dell blade chassis connected to a pair of Cisco 4900M switches. I have my 4900M switches set as spanning-tree root and backup root. The Dell switches are connected via LACP trunks to the 4900M's. Dell switch 1 to 4900 #1 and Dell switch 2 to 4900M #2. Both of the Dell switches are reporting as root switches.
  I was trying to troubleshoot this yesterday and ran 'debug spanning-tree bpdu' on the primary 4900M. There was a masive amount of BPDU events scrolling by. This debug command actually took the network down. The primary 4900M was non-responsive and the secondary unit had it's CPU go to 100%. The fix was to power cycle the primary 4900M.
  Why did this command take my network down?
  --Patrick

  Typically, the device prioritizes console output ahead of other functions. The debug spanning-tree bpdu generates a lot of output. That is what jumped the CPU to 100% and ultimately caused the device to crash.
  You should be very careful with debug commands and log to the internal buffer, instead of the console.
  See: http://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html.

• The spanning-tree add strange value when I create new Vlans

  Hi,
  On all switchs access, the spanning-tree add strange value when I create new Vlans from Distrib Layer,
  and no association is created with any interface with spanning-tree vlan 700, see below in this exemple,
  until I reboot the switch.
  somebody already saw this values ?
  DSFDS112#sh span sum
  Switch is in rapid-pvst mode
  Root bridge for: none
  EtherChannel misconfig guard is enabled
  Extended system ID           is enabled
  Portfast Default             is disabled
  PortFast BPDU Guard Default  is disabled
  Portfast BPDU Filter Default is disabled
  Loopguard Default            is enabled
  UplinkFast                   is disabled
  Stack port is StackPort1
  BackboneFast                 is disabled
  Configured Pathcost method used is long
  Name                   Blocking Listening Learning Forwarding STP Active
  VLAN0001                     0         0        0          3          3
  VLAN0002                     0         0        0         22         22
  VLAN0006                     0         0        0          3          3
  VLAN0007                     0         0        0          8          8
  VLAN0009                     0         0        0          4          4
  VLAN0010                     0         0        0          3          3
  VLAN0011                     0         0        0          3          3
  VLAN0012                     0         0        0          3          3
  VLAN0013                     0         0        0          3          3
  VLAN0090                     0         0        0         15         15
  VLAN0109                     0         0        0          3          3
  VLAN0200                     0         0        0          4          4
  VLAN0300                     0         0        0         26         26
  VLAN0302                     0         0        0          4          4
  VLAN0700               -   253  -1872756560  2087191206  -1872756549  2080375982
  VLAN0702               -   253  -1872756560  2087191206  -1872756549  2080375982
  VLAN0704                     0         0        0          4          4
  VLAN0710               -   253  -1872756560  2087191206  -1872756549  2080375982
  VLAN0816                     0         0        0          3          3
  VLAN0820                     0         0        0          3          3
  20 vlans               -   759  -1323302384  1966606322  -1323302237  1946160764
  DSFDS112#sh span vlan 700
  VLAN0700
    Spanning tree enabled protocol rstp
    Root ID    Priority    4796
               Address     0008.e3ff.fcbc
               Cost        10000
               Port        608 (Port-channel1)
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    Bridge ID  Priority    62140  (priority 61440 sys-id-ext 700)
               Address     885a.9213.6880
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
               Aging Time  300 sec
  Interface           Role Sts Cost      Prio.Nbr Type
  Po1                Root FWD 10000     128.608  P2p
  DSFDS112#sh run int Gi1/0/25
  Building configuration...
  Current configuration : 194 bytes
  interface GigabitEthernet1/0/25
   description Station12
   switchport access vlan 700
   switchport mode access
  end
  DSFDS112#sh span interface Gi1/0/25
  no spanning tree info available for GigabitEthernet1/0/25
  DSFDS112#sh int status interface Gi1/0/25
  Port      Name               Status       Vlan       Duplex  Speed Type
  Gi1/0/25  Station12          connected    700          full    100 10/100/1000BaseTX
  Thanks for your help,
  Regards.

  Venki,
  The ORA-00942 is okay because there is no existing object. But what stuck me is the ORA-01921 error which may indicate that this might not be a new database.
  CREATE ROLE exp_full_database
  ERROR at line 1:
  ORA-01921: role name 'EXP_FULL_DATABASE' conflicts with another user or role name
  CREATE ROLE imp_full_database
  ERROR at line 1:
  ORA-01921: role name 'IMP_FULL_DATABASE' conflicts with another user or role name
  Are there any existing databases on this server? Have you tried to create it on other machine?I searched on Metalink too and found Doc ID: 237486.1 ORA-29807 Signalled While Creating Database using DBCA which say that eroror could be ignored. You may want to review that as well.
  Ittichai

• Spanning tree guard root

                    Hi,
  We have 45xx switch & we enabled spanning tree root guard on ports connected with access switch via fiber uplink
  & we enable spanning tree loop guard on access switch side
  One of my core switch port connected to Juniper Netscreen Firewall
  Whether I need to enable spanning tree guard root on the same port on core switch side ? or not
  In case of yes, any config changes required on JUniper Netscreen box
  Br/Subhojit

  Hi, Pls find the output
  Port 130 (GigabitEthernet3/2) of VLAN0054 is designated forwarding
     Port path cost 4, Port priority 128, Port Identifier 128.130.
     Designated root has priority 8246, address 001b.d474.8a40
     Designated bridge has priority 16438, address 001b.0cee.0440
     Designated port id is 128.130, designated path cost 3
     Timers: message age 0, forward delay 0, hold 0
     Number of transitions to forwarding state: 1
     Link type is point-to-point by default
    Bpdu filter is enabled
     Root guard is enabled on the port
     BPDU: sent 5847158, received 0
  Present the bold config enabled on the port
  Br/Subhojit

• Rapid Spanning Tree, 802.1w

  Do any SBTG switches support Rapid Spanning Tree? It appears the 3560x does, but looking for more "cost effective" solution.

  Hi Art,
  The new and improved  300 series  (SRWxxx-K9-NA) which is a refresh for the older SRW series,  shows that it supports STP,   RSTP and    MSTP.
  http://www.cisco.com/en/US/products/ps10898/prod_models_comparison.html
  regards and seasons greetings
  Dave Hornstein

• Spanning Tree VLAN Priority Issue

  We have two 6500E switches and running spanning tree with rapid-pvst.We have also configured per vlan spanning tree priority with 100,200 so odd vlan have one switch hight priority and even vlans have  another switch high priority.
  I have created new vlan 10 and tring to add spanning tree priority to the switches i am getting the following error
  Core-switch(config)#spanning-tree vlan 10  priority 100
  % Bridge Priority must be in increments of 4096.
  % Allowed values are:
    0     4096  8192  12288 16384 20480 24576 28672
    32768 36864 40960 45056 49152 53248 57344 61440
  Can some experts help me why i am getting the above message and how can i add the priority to the same as existing vlans

  Hi ,
   Spanning tree priority can be set in increment of 4096 , any other values will be rejected . if you want to know about priority value of existing vlan execute command show spanning-tree vlan X / show spanning-tree command which will show you switch priority value 
  Step 2 
  spanning-tree vlan vlan-idpriority priority
  Configure the switch priority of a VLAN.
  •For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
  •For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number, the more likely the switch will be chosen as the root switch.
  Valid priority values are 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.
  HTH
  Sandy

• Spanning Tree MST per Vlan, best practice

  Hi Community.
  I did the following MST Spanning Tree Config
  spanning-tree mst configuration
    name xxxxxxx
    revision1
    instance 1 vlan 1, 10-20, 25, 30
  So I added every Vlan to the config which we use. But every time when I add one more vlan to the config the whole network get a little outage.
  I see lots of MAC Flaps on ports with two Server links and the outage is for some seconds.
  Is it a better practice to add all possible Vlans to the config. So I do the config like that:
    instance 1 vlan 1-4096
  What you think.
  Best Regards patrick

  Hi,
  So I added every Vlan to the config which we use. But every time when I add one more vlan to the config the whole network get a little outage.
  Correct, that is normal behavior with MST.
  I would just add "instance 1 vlan 1-4094" this way there is no outage when you bring up a new vlan.
  HTH

• Best Practice for VPC Domain failover with One M2 per N7K switch and 2 sups

  I Have been testing some failover scenarios with 4 nexus 7000 switches with an M2 and an F2 card in each. Each Nexus has two supervisor modules.
  I have 3 VDC's Admin, F2 and M2
  all ports in the M2 are in the M2 VDC and all ports on the F2 are in the F2 VDC.
  All vPC's are connected on the M2 cards, configured in the M2 VDC
  We have 2 Nexus representing each "site"
  In one site we have a vPC domain "100"
  The vPC Peer link is connected on ports E1/3 and E1/4 in Port channel 100
  The peer-keepalive is configured to use the management ports. This is patched in both Sups into our 3750s. (this is will eventually be on a management out of band switch)
  Please see the diagram.
  There are 2 vPC's 1&2 connected at each site which represent the virtual port channels that connect back to a pair of 3750X's (the layer 2 switch icons in the diagram.)
  There is also the third vPC that connects the 4 Nexus's together. (po172)
  We are stretching vlan 900 across the "sites" and would like to keep spanning tree out of this as much as we can, and minimise outages based on link failures, module failures, switch failures, sup failures etc..
  ONLY the management vlan (100,101) is allowed on the port-channel between the 3750's, so vlan 900 spanning tree shouldnt have to make this decision.
  We are only concerned about layer two for this part of the testing.
  As we are connecting the vPC peer link to only one module in each switch (a sinlge) M2 we have configured object tracking as follows:
  n7k-1(config)#track 1 interface ethernet 1/1 line-protocol
  n7k-1(config)#track 2 interface ethernet 1/2 line-protocol
  n7k-1(config)#track 5 interface ethernet 1/5 line-protocol
  track 101 list boolean OR
  n7k-1(config-track)# object 1
  n7k-1(config-track)# object 2
  n7k-1(config-track)# object 5
  n7k-1(config-track)# end
  n7k-1(config)# vpc domain 101
  n7k-1(config-vpc-domain)# track 101
  The other site is the same, just 100 instead of 101.
  We are not tracking port channel 101, not the member interfaces of this port channel as this is the peer link and apparently tracking upstream interfaces and the peer link is only necessary when you have ONE link and one module per switch.
  As the interfaces we are tracking are member ports of a vPC, is this a chicken and egg scenario when seeing if these 3 interfaces are up? or is line-protocol purely layer 1 - so that the vPC isnt downing these member ports at layer 2 when it sees a local vPC domain failure, so that the track fails?
  I see most people are monitoring upstream layer3 ports that connect back to a core? what about what we are doing monitoring upstream(the 3750's) & downstream layer2 (the other site) - that are part of the very vPC we are trying to protect?
  We wanted all 3 of these to be down, for example if the local M2 card failed, the keepalive would send the message to the remote peer to take over.
  What are the best practices here? Which objects should we be tracking? Should we also track the perr-link Port channel101?
  We saw minimal outages using this design. when reloading the M2 modules, usually 1 -3 pings lost between the laptops in the diff sites across the stretched vlan. Obviously no outages when breaking any link in a vPC
  Any wisdom would be greatly appreciated.
  Nick

  Nick,
  I was not talking about the mgmt0 interface. The vlan that you are testing will have a link blocked between the two 3750 port-channel if the root is on the nexus vPC pair.
  Logically your topology is like this:
      |                             |
      |   Nexus Pair          |
  3750-1-----------------------3750-2
  Since you have this triangle setup one of the links will be in blocking state for any vlan configured on these devices.
  When you are talking about vPC and L3 are you talking about L3 routing protocols or just intervaln routing.
  Intervlan routing is fine. Running L3 routing protocols over the peer-link and forming an adjaceny with an router upstream using L2 links is not recommended. Teh following link should give you an idea about what I am talking here:
  http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
  HSRP is fine.
  As mentioned tracking feature purpose is to avoid block hole of traffic. It completely depends on your network setup. Don't think you would be needing to track all the interfaces.
  JayaKrishna

• Template(best practice) for Switch ports

  Hi,
  Looking for best practice advice on switchport config for client facing ports.
  We recently had an incident where an access port turned into a trunk(trunk mode desirable), which we obviously do not want to happen again!
  For Access Ports(First two should stop DTP I'm hoping?):
  switchport mode access
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree portfast
  spanning-tree bpdufilter enable
  spanning-tree guard root
  switchport port-security maximum 10
  switchport port-security
  switchport port-security aging time 10
  And for trunk ports to clients:
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan xxx,xxx
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree bpdufilter enable
  spanning-tree guard root
  Thanks in advance.

  Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
  That's Cisco's branch design doc from Design Zone.
  For those that want a fast answer:
  For VoIP phones and PC:
  interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
  description phone with PC connected to phone
  switchport access vlan 102
  switchport mode access
  switchport voice vlan 101
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  mls qos trust device cisco-phone
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  For data only:
  interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
  description DATA only ports
  switchport access vlan 102
  switchport mode access
  switchport port-security maximum 3
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  That's Cisco's recommendation.
  And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs in a switch into your environment, shut the port down. . .that makes it hard for them to do anything malicious.