Bridge Assurance questions

Craddockc
Level 3

Dear Community,

I had a recent issue where BA blocked a few VLANs on a PC between our core 7ks and our 9ks, which are currently acting as agg switches. The blocking only happened for about a second, but that was enough to cause some issues. When researching, I found the following explanation for BA:

"BA is a feature that provides additional protection in environments running the Spanning Tree Protocol (STP). BA works by forcing a bridge to send BPDUs on a “network” port, even if that port is not a designated port. Consequently, a bridge expects to receive BPDUs on a “network” port, even if it is the designated bridge.
If a Bridge Assurance-enabled network port does not receive any BPDU for a configurable period of time, the interface moves into the blocking state. After the network port receives a BPDU again, the port begins its normal spanning tree transitions.
Bridge Assurance is similar in many ways to the Loop Guard feature, which has been available for many years on other platforms. The main weakness of Loop Guard is that it needs to receive at least one BPDU to detect a peer. Bridge Assurance does not suffer from this issue as the existence of the peer is identified by configuration.
Bridge Assurance is enabled by default on all ports of type ‘Network’. Bridge Assurance requires both ends to be enabled for the feature – the port will not function if one end only supports it. "


I had a few questions regarding this:


1) "BA is a feature that provides additional protection in environments running the Spanning Tree Protocol (STP). BA works by forcing a bridge to send BPDUs on a “network” port, even if that port is not a designated port. Consequently, a bridge expects to receive BPDUs on a “network” port, even if it is the designated bridge." Does this mean that BA will force a "network type" port to send BPDU on the port even if RSTP fails to send a BPDU? Is BA designed to keep a VLAN in forwarding when STP "Fails"?


2) "If a Bridge Assurance-enabled network port does not receive any BPDU for a configurable period of time, the interface moves into the blocking state. After the network port receives a BPDU again, the port begins its normal spanning tree transitions." Is there a difference between a BA-generated BPDU and an STP-generated BPDU? If you're running RPVST+, then BPDUs should be flowing between non-edge inter-switch links, yes? So if you have a BA issue, does this mean that both BA and STP failed to send a BPDU for that VLAN?


3) "Bridge Assurance is enabled by default on all ports of type ‘Network’. Bridge Assurance requires both ends to be enabled for the feature – the port will not function if one end only supports it." Can the BA-enabled port discern between a BA-generated BPDU and an RPVST+-generated BPDU? I ask because even if one end of the link isn't capable of BA, RPVST+ should still be sending BPDUs every 2 seconds; will BA still consider this as positive feedback from its peer?


Below are the error messages I was receiving:

2020 May 17 06:00:33 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN2292.
2020 May 17 06:00:33 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN2292.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN0029.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN0029.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN2202.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN2202.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN2203.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN2203.

The Po200 interface on the 7k is NOT explicitly configured as "spanning-tree port type network", but the Po200 interface on the 9k it is uplinked to is. Does this mean that BA is NOT enabled on the Po200 interface on the 7k? Any way to verify this? Unfortunately we are having logging issues on our 7k (which we just found out), so the logs on the 7k couldn't tell us anything about what happened at the time. The 9k logged it though, as you can see.

Thanks so much for any feedback you can provide!
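The messages quoted in the post pair up as BLOCK/UNBLOCK events per port and VLAN, and the useful questions for triage are how long each block lasted, whether any port is still blocked, and whether the blocks arrived as a burst across many VLANs on one port (which points at BPDU loss on the port itself rather than a single-VLAN problem). The following parser is an added example written for this page, not code from the original post or from Cisco; the sample log reuses the lines from the post plus two constructed lines (a filler message and an unmatched BLOCK on a hypothetical port-channel201) to exercise the skip and still-blocked paths.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Matches the NX-OS %STP-2-BRIDGE_ASSURANCE_BLOCK / _UNBLOCK syslog format
# exactly as it appears in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%STP-2-BRIDGE_ASSURANCE_(?P<action>BLOCK|UNBLOCK): "
    r"Bridge Assurance (?:un)?blocking port (?P<port>\S+) (?P<vlan>VLAN\d+)\.$"
)

# Lines 1-8 are from the post; the last two lines are constructed for the example.
SAMPLE_LOG = """\
2020 May 17 06:00:33 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN2292.
2020 May 17 06:00:33 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN2292.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN0029.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN0029.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN2202.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN2202.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN2203.
2020 May 17 06:00:34 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN2203.
2020 May 17 06:00:40 9396L3SW003 %EXAMPLE-6-FILLER: unrelated message (constructed, must be skipped)
2020 May 17 06:05:10 9396L3SW003 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel201 VLAN0010.
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a BA block/unblock line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "action": m["action"],
        "port": m["port"],
        "vlan": m["vlan"],
    }


def pair_events(lines) -> List[dict]:
    """Pair each BLOCK with the next UNBLOCK for the same host/port/VLAN.
    A BLOCK that never sees an UNBLOCK is reported with end=None (still blocked)."""
    pending: Dict[tuple, datetime] = {}
    episodes: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["port"], ev["vlan"])
        if ev["action"] == "BLOCK":
            pending[key] = ev["ts"]
        elif key in pending:
            start = pending.pop(key)
            episodes.append({"host": key[0], "port": key[1], "vlan": key[2],
                             "start": start, "end": ev["ts"],
                             "duration_s": (ev["ts"] - start).total_seconds()})
        # an UNBLOCK with no preceding BLOCK (e.g. log rotated away) is ignored
    for key, start in pending.items():
        episodes.append({"host": key[0], "port": key[1], "vlan": key[2],
                         "start": start, "end": None, "duration_s": None})
    return episodes


def summarize(episodes: List[dict], burst_window_s: float = 5.0) -> Dict[str, dict]:
    """Per host:port, list the affected VLANs, the longest completed block,
    VLANs still blocked, and whether the blocks came as a burst (several VLANs
    within burst_window_s), which suggests BPDU loss on the port as a whole."""
    by_port = defaultdict(list)
    for ep in episodes:
        by_port[(ep["host"], ep["port"])].append(ep)
    out: Dict[str, dict] = {}
    for (host, port), eps in by_port.items():
        starts = sorted(e["start"] for e in eps)
        finished = [e["duration_s"] for e in eps if e["duration_s"] is not None]
        out[f"{host}:{port}"] = {
            "vlans": sorted({e["vlan"] for e in eps}),
            "max_duration_s": max(finished) if finished else None,
            "still_blocked": sorted(e["vlan"] for e in eps if e["end"] is None),
            "burst": len(starts) > 1
                     and (starts[-1] - starts[0]).total_seconds() <= burst_window_s,
        }
    return out


if __name__ == "__main__":
    for key, info in summarize(pair_events(SAMPLE_LOG.splitlines())).items():
        print(key, info)
```

NX-OS stamps these messages with one-second resolution, so a block that lasts "about a second" comes out as a duration of 0.0 here: the timestamp tells you the block was sub-second, not that it did not happen. The still_blocked list is the one to alert on, since a port that never logs an UNBLOCK stays in the BA inconsistent state until BPDUs return.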

Accepted Solution

Sergiu.Daniluk
VIP Alumni

Hi @Craddockc 

Allow me to answer your queries:

1. Does this mean that BA will force a "network type" port to send BPDU on the port even if RSTP fails to send a BPDU? Is BA designed to keep a VLAN in forwarding when STP "Fails"?

To avoid confusion, you need to look at BA as a feature of STP. BA is a feature which forces STP to send BPDUs. So STP is the one that sends BPDUs, not BA. Which means, if STP 'fails', BPDUs are not sent out of the port, because there is no process which can generate the BPDUs.

2. Is there a difference between a BA generated BPDU and an STP generated BPDU?

No. They are STP BPDUs. Reason explained in #1.

3. If one end of the link isn't capable of BA, RPVST+ should still be sending BPDUs every 2 seconds; will BA still consider this as positive feedback from its peer?

RSTP will send BPDUs out of designated ports only, which means that even if in your initial setup (as an example: Sw1 [root port] ----- [designated port] Sw2) you have BA enabled on Sw1's root port and you do receive BPDUs on it, it can happen that after a time a topology change is experienced in the network and the root port no longer receives any BPDUs. If this happens, the switch will put the interface in BA_Inc state.

This is why it is important that both ports be configured as network ports or enabled with BA.

Hope it helps,

Sergiu
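The answer's point in #3 is that BA polices the peer, while plain RSTP only transmits from designated ports, so a role change on the non-BA side silences the link and the BA side blocks. The simulation below is an added example written for this page, not code from the answer or from Cisco: it models the two-switch link from the answer, flips the roles at a chosen time to stand in for the topology change, and compares the outcome with BA on one end versus both. HELLO_S follows the 2-second RSTP hello mentioned in the thread; BA_TIMEOUT_S (three missed hellos) is an assumption for the model, not the platform's actual timer.

```python
from dataclasses import dataclass
from typing import Optional

HELLO_S = 2        # RSTP hello time in seconds (from the thread)
BA_TIMEOUT_S = 6   # assumed for this model: peer declared lost after three missed hellos


@dataclass
class Port:
    switch: str
    role: str            # "designated" or "root"
    ba_enabled: bool     # True when the port is spanning-tree port type network
    last_rx: int = 0     # simulated time of the last BPDU received
    state: str = "forwarding"

    def transmits(self) -> bool:
        # RSTP sends BPDUs only from designated ports; a network (BA) port
        # sends them regardless of its role.
        return self.role == "designated" or self.ba_enabled


def tick(t: int, a: Port, b: Port) -> None:
    """One hello interval on a point-to-point link between ports a and b."""
    for tx, rx in ((a, b), (b, a)):
        if tx.transmits():
            rx.last_rx = t
    for p in (a, b):
        if not p.ba_enabled:
            continue                 # only BA ports police their peer
        if t - p.last_rx > BA_TIMEOUT_S:
            p.state = "BA_Inc"       # BA inconsistent: the port is blocked
        else:
            p.state = "forwarding"   # BPDUs seen: normal STP transitions resume


def run_scenario(sw2_ba_enabled: bool, change_at: int = 10, duration_s: int = 24) -> dict:
    """Sw1's port starts as a BA-enabled root port facing Sw2's designated port.
    At change_at the roles swap (the topology change from the answer).
    Returns Sw1's final port state and when, if ever, it entered BA_Inc."""
    sw1 = Port("Sw1", "root", ba_enabled=True)
    sw2 = Port("Sw2", "designated", ba_enabled=sw2_ba_enabled)
    blocked_at: Optional[int] = None
    for t in range(0, duration_s + 1, HELLO_S):
        if t >= change_at:
            sw1.role, sw2.role = "designated", "root"
        tick(t, sw1, sw2)
        if sw1.state == "BA_Inc" and blocked_at is None:
            blocked_at = t
    return {"sw1_state": sw1.state, "sw1_blocked_at": blocked_at}


if __name__ == "__main__":
    print("BA on Sw1 only :", run_scenario(sw2_ba_enabled=False))
    print("BA on both ends:", run_scenario(sw2_ba_enabled=True))
```

With BA on Sw1 only, Sw2 stops transmitting the moment its port is no longer designated, and Sw1 blocks the port a few hellos later even though nothing is actually wrong with the link. With BA on both ends, Sw2 keeps sending BPDUs as a root port and Sw1 stays forwarding, which is the configuration the answer recommends.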
