STP on Nexus VPC

from88
Level 4

Hello,

We're using a VPC topology with FEXes (straight-through design). As I know, STP should always send its own BPDUs and see if it doesn't start to receive them.

But when I'm checking my Nexus VPC port I see just a few BPDUs sent:

 

LA2# show spanning-tree interface port-channel 1210 detail 

 Port 5305 (port-channel1210, vPC) of VLAN1570 is designated forwarding 
   Port path cost 1, Port priority 128, Port Identifier 128.5305
   Designated root has priority 34338, address 8c60.4f45.bc81
   Designated bridge has priority 34338, address 8c60.4f45.bc81
   Designated port id is 128.5305, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port type is edge by port type edge trunk configuration
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is not enabled by default
   BPDU: sent 11, received 0

 Port 5305 (port-channel1210, vPC) of VLAN1580 is designated forwarding 
   Port path cost 1, Port priority 128, Port Identifier 128.5305
   Designated root has priority 34348, address 8c60.4f45.bc81
   Designated bridge has priority 34348, address 8c60.4f45.bc81
   Designated port id is 128.5305, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port type is edge by port type edge trunk configuration
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is not enabled by default
   BPDU: sent 11, received 0

 Port 5305 (port-channel1210, vPC) of VLAN1903 is designated forwarding 
   Port path cost 1, Port priority 128, Port Identifier 128.5305
   Designated root has priority 34671, address 8c60.4f45.bc81
   Designated bridge has priority 34671, address 8c60.4f45.bc81
   Designated port id is 128.5305, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port type is edge by port type edge trunk configuration
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is not enabled by default
   BPDU: sent 11, received 0

And as you see, the BPDU filter is not enabled. So as I understand, STP doesn't work on this interface? But why? If the server for some reason would start to loop packets, this box would not catch it, right?

Thanks

P.S. switch model is: N5K-C5672UP

2 Replies

Christopher Hart
Cisco Employee

Hello!

By default, FEX host interfaces are Spanning Tree Edge ports. For example, if you had a FEX designated "101" and were to run show running-config interface Ethernet101/1/1 all, you would see spanning-tree port type edge configured under the interface by default. In fact, the output you provided in your post shows that the FEX host interface is operating as a Spanning Tree Edge port - see the highlighted output below:

LA2# show spanning-tree interface port-channel 1210 detail 
<snip>
 Port 5305 (port-channel1210, vPC) of VLAN1570 is designated forwarding 
   Port path cost 1, Port priority 128, Port Identifier 128.5305
   Designated root has priority 34338, address 8c60.4f45.bc81
   Designated bridge has priority 34338, address 8c60.4f45.bc81
   Designated port id is 128.5305, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port type is edge by port type edge trunk configuration
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is not enabled by default
   BPDU: sent 11, received 0

This is intentional and expected behavior, as FEXs are intended to be connected to hosts (computers, servers, management interfaces, etc.) and not other network devices (routers, switches, firewalls, etc.). Similarly, if you were to run show spanning-tree interface Ethernet101/1/1, you would see that the interface is designated as an "Edge" port.

With respect to your second question surrounding a misbehaving host that is looping packets, below I've highlighted a key piece of information from the output you provided in your post:

LA2# show spanning-tree interface port-channel 1210 detail 
<snip>
 Port 5305 (port-channel1210, vPC) of VLAN1570 is designated forwarding 
   Port path cost 1, Port priority 128, Port Identifier 128.5305
   Designated root has priority 34338, address 8c60.4f45.bc81
   Designated bridge has priority 34338, address 8c60.4f45.bc81
   Designated port id is 128.5305, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port type is edge by port type edge trunk configuration
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is not enabled by default
   BPDU: sent 11, received 0

As the above output shows, FEX host interfaces are also configured so that BPDU Guard is enabled by default. Therefore, if a switch receives a Spanning Tree BPDU (either from itself because a malfunctioning host is looping packets, or because the connected host is actually a network device) on a FEX host interface, it will error-disable the interface thanks to BPDU Guard.

It is worth noting that in the case of a malfunctioning host that is looping packets, if the host is not originating Spanning Tree BPDUs itself, then BPDU Guard would only take effect when the switch sends its own BPDUs soon after the interface comes up for the first time. If the link remains up/up and the host suddenly begins looping packets, then BPDU Guard would not stop a loop in the network. However, this issue is not specific to FEXs - you would encounter this same behavior with any access switch that has Spanning Tree Edge interfaces connected to hosts. Spanning Tree Protocol was not necessarily designed to detect loops in the network caused by malfunctioning hosts connected to the edge of the network; Spanning Tree Protocol was originally designed to prevent loops in the network caused by redundant links connected between bridges/switches. Other technologies and methodologies (for example, using an NMS [Network Monitoring System] to detect and alarm on switch syslogs generated by excessive MAC moves, which can be symptomatic of a network loop) should be used to detect and remediate this particular failure scenario.

I hope this helps - thank you!

-Christopher
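The syslog-based detection Christopher recommends can be automated. The block below is an added example, not code from this thread or from Cisco: a Python detector that parses NX-OS-style syslog lines, flags an ingress port that reports %ARP-3-DUP_VADDR_SRC_IP for several VLANs within a short window (the message from88 quotes further down in this thread, whose source MACs fall in the IANA VRRP virtual-MAC range 0000.5e00.01xx, i.e. the gateway's own frames coming back in on a host-facing port), and counts MAC-move notices per VLAN and port pair. The DUP_VADDR_SRC_IP message format is taken from the thread; the MAC-move message text, the mnemonic L2FM_MAC_MOVE, the thresholds, and every sample line other than the four quoted ones are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NX-OS syslog header as it appears in the thread:
# "2020 Dec 9 19:11:13 LA2 %ARP-3-DUP_VADDR_SRC_IP: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Message body of %ARP-3-DUP_VADDR_SRC_IP, copied from the thread's log lines.
DUP_VADDR_RE = re.compile(
    r"from (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on (?P<vlan>Vlan\d+)"
    r"\((?P<port>[^)]+)\) is duplicate of local virtual ip, (?P<ip>\d+(?:\.\d+){3})"
)
# Assumed shape of a MAC-move notice (hypothetical; adjust to your platform's text).
MAC_MOVE_RE = re.compile(
    r"Mac (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"has moved between (?P<a>\S+) and (?P<b>\S+)"
)


def parse_line(line):
    """Split one syslog line into header fields; return None for non-matching lines."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Collapse the double space NX-OS uses for single-digit days before parsing.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%Y %b %d %H:%M:%S")
    rec["severity"] = int(rec["severity"])
    return rec


def is_vrrp_virtual_mac(mac):
    """IANA reserves 00-00-5E-00-01-xx for VRRP virtual routers, so a frame sourced
    from such a MAC on a host-facing port is the gateway's own traffic reflected back."""
    return mac.lower().startswith("0000.5e00.01")


def detect_loop_symptoms(lines, window=timedelta(minutes=5), min_vlans=3, min_moves=5):
    """Return a list of alert dicts for two loop symptoms:
    - one ingress port reporting DUP_VADDR_SRC_IP for >= min_vlans VLANs within `window`
    - one (vlan, port pair) appearing in >= min_moves MAC-move notices
    The thresholds are assumed starting points, not vendor-recommended values."""
    dup_by_port = defaultdict(list)   # port -> [(ts, vlan, mac), ...]
    moves_by_pair = defaultdict(int)  # (vlan, {portA, portB}) -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["mnemonic"] == "DUP_VADDR_SRC_IP":
            d = DUP_VADDR_RE.search(rec["msg"])
            if d:
                dup_by_port[d["port"]].append((rec["ts"], d["vlan"], d["mac"]))
        elif "MAC_MOVE" in rec["mnemonic"]:
            mv = MAC_MOVE_RE.search(rec["msg"])
            if mv:
                moves_by_pair[(mv["vlan"], frozenset((mv["a"], mv["b"])))] += 1

    alerts = []
    for port, events in dup_by_port.items():
        events.sort()
        for start, _, _ in events:  # slide a time window over the sorted events
            in_win = [e for e in events if start <= e[0] <= start + window]
            vlans = {vlan for _, vlan, _ in in_win}
            if len(vlans) >= min_vlans:
                alerts.append({
                    "kind": "reflected_gateway_arp",
                    "port": port,
                    "vlans": sorted(vlans),
                    "all_vrrp_vmac": all(is_vrrp_virtual_mac(m) for _, _, m in in_win),
                    "first_seen": in_win[0][0],
                })
                break
    for (vlan, ports), n in moves_by_pair.items():
        if n >= min_moves:
            alerts.append({"kind": "mac_flap", "vlan": vlan, "ports": sorted(ports), "moves": n})
    return alerts


# Sample input: the four lines from88 posted, plus constructed lines (one benign
# interface-up notice and six hypothetical MAC-move notices).
SAMPLE_LOG = [
    "2020 Dec 9 19:11:13 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.01aa on Vlan1570(port-channel21) is duplicate of local virtual ip, 10.34.70.1",
    "2020 Dec 9 19:11:44 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.017e on Vlan1526(port-channel21) is duplicate of local virtual ip, 10.34.26.1",
    "2020 Dec 9 19:12:14 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.0188 on Vlan1536(port-channel21) is duplicate of local virtual ip, 10.34.36.1",
    "2020 Dec 9 19:12:44 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.01b4 on Vlan1580(port-channel21) is duplicate of local virtual ip, 10.34.80.1",
    "2020 Dec 9 19:11:30 LA2 %ETHPORT-5-IF_UP: Interface Ethernet101/1/1 is up in mode trunk",
] + [
    f"2020 Dec 9 19:12:{s:02d} LA2 %L2FM-4-L2FM_MAC_MOVE: Mac 0050.56aa.bb01 in vlan 1570 "
    "has moved between port-channel21 and port-channel1210"
    for s in range(0, 60, 10)
]

if __name__ == "__main__":
    for alert in detect_loop_symptoms(SAMPLE_LOG):
        print(alert)
```

Run it against a syslog export, or feed lines in from a collector; an NMS rule that fires on either alert kind gives the early warning Christopher describes for a host that starts bridging without any link-state change on its edge port.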

from88
Level 4

Thanks for such an input. So as I understand, if I would want to detect a loop when the port doesn't make any state changes I would need to set the port mode from edge to 'stp normal'?

Anyway, the original issue was that we started to receive logs like this:

2020 Dec 9 19:11:13 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.01aa on Vlan1570(port-channel21) is duplicate of local virtual ip, 10.34.70.1
2020 Dec 9 19:11:44 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.017e on Vlan1526(port-channel21) is duplicate of local virtual ip, 10.34.26.1
2020 Dec 9 19:12:14 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.0188 on Vlan1536(port-channel21) is duplicate of local virtual ip, 10.34.36.1
2020 Dec 9 19:12:44 LA2 %ARP-3-DUP_VADDR_SRC_IP: arp [4014] Source address of packet received from 0000.5e00.01b4 on Vlan1580(port-channel21) is duplicate of local virtual ip, 10.34.80.1

Both Nexuses' CPU utilization was very high; lots of VPC keepalive and other messages came up. We suspect one host which suddenly and erroneously became a bridge and started to loop the packets, and the messages above were a consequence. Even after shutting down that host's interfaces the CPU normalized only after about 30 minutes. It seems like the management and control planes were impacted by the CPU utilization. So as I understand, there's no way to detect loops in the situation when the host suddenly (without an interface status change) starts to loop packets.
