Is there any real documentation for BPDU handling in ACI?

RedNectar
VIP

Hello ACI aficionados,

My question is more specifically about  the purpose of the ACI Spanning Tree Interface Policy - and in particular, the BPDU filter enabled option.  A quick internet search of Cisco ACI "BPDU Filter" reveals that someone must have thought it important enough to include on some exam somewhere, but not important enough to document fully - although the acknowledgement that it didn't work at least in some versions (bug CSCve58137) means that someone has at least tried to use it and it didn't work in the way it was expected. Whatever that is. Wherever it is defined.

So let me lay it out clearly.

Where is the action that applying a BPDU filter to an interface via the ACI Spanning Tree Interface Policy is EXPECTED to have defined?

Although I'd be happy enough if anyone could answer: what action is applying a BPDU filter to an interface via the ACI Spanning Tree Interface Policy EXPECTED to have?

But first let's ask for help...

The totally inadequate help on this topic says:

The interface level control that enables the BPDU filter or guard for extended chassis ports. The control can be:

  • BPDU filter enabled

  • BPDU Guard enabled

Oh please. Stating the bleeding obvious is NOT a help topic! But it gets worse...

The help on this Interface Policy also states:

STP prevents loops from being formed when the interfaces are interconnected via multiple paths. Spanning-Tree Protocol implements the 802.1D IEEE algorithm by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces. This algorithm guarantees that there is one and only one active path between two network devices.

That is Soooooooo irrelevant to how ACI handles Spanning tree BPDUs!

ACI has been around for long enough for the Help files to be written in a way that is, you know, HELPFUL!

Sorry. I got carried away whinging about the pathetic ACI help. I've waited patiently for 5 years for it to improve...

OK. Help is a big failure. What else?

Well, I've passed enough exams to remember that in Catalyst/Nexus environments, BPDU Filters apply only to spanning tree edge ports (or portfast ports) when applied globally (to the switch) or to any port when applied on a per port basis.

And when applied, the ports so configured neither produce nor accept BPDUs.

So that's the first hurdle. ACI doesn't ever produce BPDUs anyway, although it will flood received BPDUs - as explained very well in the design guide.

Which gets to the crux of my question.  If ACI never creates BPDUs in the sense that a normal switch creates new BPDUs (adding 1 to the hop count) as BPDUs are received, then what is the expected behaviour of a port that is configured with a Spanning Tree Interface Policy with the BPDU filter enabled option set?

Or more precisely, what public document defines this? The aforementioned bug CSCve58137 seems to indicate that at least one customer expected both incoming and outgoing BPDUs to be dropped.

But no ACI document I can find states this clearly.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
2 Replies

Sergiu.Daniluk
VIP Alumni

Hi Chris,

This is from AVE config guide, but to me it seems it describes the expected behavior for general leaf ports, not only for AVE:

Understanding Bridge Protocol Data Unit Features


The following sections describe supported bridge protocol data unit (BPDU) features on the Cisco ACI Virtual
Edge with the Cisco APIC. BPDU Guard and BPDU filtering are switch-wide features, and they are applicable
only for VM virtual Ethernet (vEth) ports.


BPDU Guard
BPDU Guard prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received
on that port. When you enable BPDU Guard on the switch, the interface is moved to blocking state on receiving
a BPDU.
BPDU Guard provides a secure response to invalid configurations because the administrator must manually
put the interface back in service. To put the interface back in service, disconnect the VM port and then reconnect
it to the Cisco ACI Virtual Edge or an EPG port group through vCenter.


BPDU Filtering
BPDU filtering prevents sending and receiving of BPDUs on ports. Any BPDU that is received is dropped
when filtering is enabled. BPDU filtering is enabled on VM vEth ports by default. When you enable this
feature, Cisco ACI Virtual Edge drops all BPDUs received on uplink ports.


Note:

We recommend that you configure BPDU policy in a single policy interface group. Configuring BPDU in
multiple policy interface groups leads to inconsistent behavior.


Note:

In an L2 switch extended topology, we recommend that you configure BPDU policy through an attached
entity profile vSwitch policy override. If the interface policy group is used for configuration, then BPDU
Guard or filter is enabled on the Leaf ports. This causes those ports to become error-disabled when they receive
BPDU packets from an L2 switch.


For information about configuring BPDU policy through an override policy, see the section "Modifying the
Interface Policy Group to Override the vSwitch-Side Policies" in the Cisco Application Virtual Edge Installation
Guide.


Source:

https://www.cisco.com/c/en/us/td/docs/dcn/aci/aci-virtual-edge/3x/Configuration/cisco-aci-virtual-edge-configuration-guide-32x/Cisco-ACI-Virtual-Edge-Configuration-Guide-32x_chapter_bpdu_features.html

I know the documentation can be improved, but I guess that it's difficult to explain everything every time a new platform comes up, especially for commands/features which are old and have been available on other platforms for so long, and didn't change in functionality.

Take care,

Sergiu
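Neither the original question nor the quoted AVE text gives an admin a way to see, across a fabric, which Spanning Tree Interface Policies actually have BPDU filter or BPDU guard set, and what each setting is supposed to do to a received BPDU. The script below is an added example, not code from this thread or from Cisco: it audits APIC Spanning Tree Interface Policy objects and maps each one to the behaviour the sources above describe (guard: port error-disabled on receipt; filter: received BPDUs dropped; neither: ACI floods received BPDUs and never originates its own). It assumes the APIC class is named stpIfPol and that its ctrl attribute holds a comma-separated list of bpdu-filter and/or bpdu-guard (or unspecified); the JSON is a constructed sample in APIC REST response shape, not a real export.

```python
"""Audit Cisco ACI Spanning Tree Interface Policies for BPDU handling.

Added example for this thread, not Cisco code. Assumptions (not taken from
the thread): the APIC object class is 'stpIfPol' and its 'ctrl' attribute is
a comma-separated list containing 'bpdu-filter' and/or 'bpdu-guard', or
'unspecified' when neither control is enabled.
"""
import json

# Constructed sample of what GET /api/class/stpIfPol.json might return.
# Names and values are made up for the example.
SAMPLE_APIC_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"stpIfPol": {"attributes": {"name": "default",
                                     "ctrl": "unspecified"}}},
        {"stpIfPol": {"attributes": {"name": "BPDU-Guard-Only",
                                     "ctrl": "bpdu-guard"}}},
        {"stpIfPol": {"attributes": {"name": "BPDU-Filter-and-Guard",
                                     "ctrl": "bpdu-filter,bpdu-guard"}}},
    ],
})

KNOWN_FLAGS = {"bpdu-filter", "bpdu-guard"}


def parse_ctrl(ctrl: str) -> set:
    """Split the ctrl attribute into the set of enabled BPDU controls.

    'unspecified' and empty strings mean no control is enabled. Any flag we
    do not recognise is an error rather than silently ignored, so a schema
    change on the APIC side shows up in the audit instead of hiding a policy.
    """
    flags = {f.strip() for f in ctrl.split(",") if f.strip()}
    flags.discard("unspecified")
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unexpected ctrl flags: {sorted(unknown)}")
    return flags


def describe(flags: set) -> str:
    """Map enabled controls to the behaviour the thread's sources describe."""
    if "bpdu-guard" in flags and "bpdu-filter" in flags:
        # Precedence between the two is not documented in the sources quoted
        # in the thread; report it rather than guess.
        return ("both filter and guard enabled: precedence undocumented, "
                "verify on the leaf before relying on it")
    if "bpdu-guard" in flags:
        return "port is error-disabled when a BPDU is received"
    if "bpdu-filter" in flags:
        return "received BPDUs are dropped"
    return "received BPDUs are flooded (ACI never originates its own)"


def audit(response_json: str) -> list:
    """Return one row per stpIfPol with its flags and expected behaviour."""
    rows = []
    for item in json.loads(response_json)["imdata"]:
        attrs = item["stpIfPol"]["attributes"]
        flags = parse_ctrl(attrs.get("ctrl", ""))
        rows.append({
            "name": attrs["name"],
            "filter": "bpdu-filter" in flags,
            "guard": "bpdu-guard" in flags,
            "behaviour": describe(flags),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_APIC_RESPONSE):
        print(f"{row['name']:<24} filter={row['filter']!s:<5} "
              f"guard={row['guard']!s:<5} {row['behaviour']}")
```

To run it against a live fabric, replace SAMPLE_APIC_RESPONSE with the body of an authenticated GET of /api/class/stpIfPol.json; the audit deliberately refuses to interpret a ctrl value it does not recognise, so an unexpected flag surfaces as an error instead of an unreviewed policy.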

Hi @Sergiu.Daniluk ,

Yes - I saw and read that document when looking for an answer. But it specifically says

BPDU filtering prevents sending and receiving of BPDUs on ports. Any BPDU that is received is dropped
when filtering is enabled. BPDU filtering is enabled on VM vEth ports by default. When you enable this
feature, Cisco ACI Virtual Edge drops all BPDUs received on uplink ports.

So that's a great definition for vEth ports on AVE.

But AVE is a very different beast to LSE and ACI hardware.  I want an official ACI doc that describes precisely what is expected, ideally with some guidelines for usage, without reference to PortFast or other definitions that have no relevance in ACI.

It's coming up to seven years since ACI was released, and for many of those years I've kept fooling myself that ACI is new and Cisco will get the documentation up to date soon.

And, there have been some fantastic white papers published, like the Endpoint Learning white paper, the PBR white paper, and even the ACI Design Guide is a great paper, but unfortunately does not give any guidance on BPDU handling.

There used to be an ACI Best Practices guide - but for some reason my bookmark for that page has now gone to 404-heaven, and my cached copy (dated 2019) only mentions BPDUs in relation to MCP and VLAN Pools.  There is an ACI Best Practices Summary, but again, totally devoid of any BPDU treatment best practices.

So after seven years of waiting, I'm becoming a grumpy old man. I've also been waiting as long for the Help system in ACI to be written properly.

How long do we have to wait?

How much money do Cisco customers pay in maintenance every year? Enough to EXPECT the documentation to be completed I believe.

And I think seven years is enough time to make the GUI consistent and implement my earlier suggestions that I documented here and here.

RedNectar aka Chris Welsh.