Problem between Routers ASR 920 with Rapid PVST and switch with RSTP

AmilcarDD
Level 1

Dear Sirs,

We have encountered an issue when connecting a switch with RSTP redundancy to a redundant Cisco ASR 920 arrangement.

Each router is connected to the adjacent router, by a *tp cable in each site and by fiber optic to other sites.

The routers are configured for Rapid PVST.

Based on the behaviour, it seems the Cisco routers are unaware of the second ring that exists locally through the switch, and are constantly shutting down the ports, probably due to storm detection or the like.

Can you advise on how we should change the configuration of the router ports that are connected to the switch, in order to obtain stable operation?


Both routers have identical configurations:

(...)
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 90-95,410-415
spanning-tree vlan 190-195 priority 4096
sdm prefer default
diagnostic bootup level minimal
(...)
interface GigabitEthernet0/0/5
 description [GSEXT] SCADA LAN
 no ip address
 no ip proxy-arp
 load-interval 30
 shutdown
 media-type auto-select
 negotiation auto
 storm-control broadcast level 10.00
 storm-control action shutdown
 service-policy input PM_IN
 service instance 194 ethernet
  description LAN SCADA
  encapsulation untagged , dot1q 194
  l2protocol peer stp
  bridge-domain 194
 !
!
(...)
interface GigabitEthernet0/0/10
 description == Link Router 1 to Router 2 Gi0/0/10 ==
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 media-type auto-select
 negotiation auto
 cdp enable
 service-policy output PM_OUT
 service instance 90 ethernet
  description P2P 1
  encapsulation dot1q 90
  rewrite ingress tag pop 1 symmetric
  bridge-domain 90
 !
 service instance 92 ethernet
  description P2P 2
  encapsulation dot1q 92
  rewrite ingress tag pop 1 symmetric
  bridge-domain 92
 !
 service instance 93 ethernet
  description P2P 3
  encapsulation dot1q 93
  rewrite ingress tag pop 1 symmetric
  bridge-domain 93
 !
 service instance 94 ethernet
  description P2P 4
  encapsulation dot1q 94
  rewrite ingress tag pop 1 symmetric
  bridge-domain 94
 !
 service instance 95 ethernet
  description P2P 5
  encapsulation dot1q 95
  rewrite ingress tag pop 1 symmetric
  bridge-domain 95
 !
 service instance 190 ethernet
  description LAN 6
  encapsulation dot1q 190
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 190
 !
 service instance 192 ethernet
  description LAN 7
  encapsulation dot1q 192
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 192
 !
 service instance 193 ethernet
  description LAN 8
  encapsulation dot1q 193
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 193
 !
 service instance 194 ethernet
  description LAN 9
  encapsulation dot1q 194
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 194
 !
 service instance 195 ethernet
  description LAN 10
  encapsulation dot1q 195
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp stp
  bridge-domain 195
 !
 service instance 1024 ethernet
  encapsulation untagged
  l2protocol peer cdp stp
  bridge-domain 1024
 !
!

WAN_LAN_Topology.jpg

15 Replies

balaji.bandi
Hall of Fame
Based on the behaviour, it seems the Cisco routers are unaware of the second ring that exists locally through the switch, and are constantly shutting down the ports, probably due to storm detection or the like.

Is the ODF mentioned here a switch or just a patch panel? It was not clear. If it is a switch, can you post the switch configuration so we can look?

When the ports shut down, what do the logs show? Can you post the logs from the router and the switch for the same time (when the ports shut down)?

When you connect to the switch, does this require all the VLANs to go via the switch, or does each trunk have a different VLAN set? (As I requested, send the config.)

What IOS XE code is running on both the router and the switch?

 

BB


Hello balaji.bandi,

The ODF is just a patch panel.

We are trying to get the logs from the routers, but they are under the scope of another supplier.

For the remaining questions we are collecting the information requested.

Try using encap default

MHM

Thanks MHM,

Can you clarify why this could be helpful?

encapsulation untagged , dot1q 194 <<- the issue is the control traffic pass and tag, so use encap default instead of that and check

MHM

Understood. We will pass the information to the router's supplier.

I will send you a link; please read it before you make the change.

Thanks

MHM

Hello
Can you elaborate on your topology a little as to why you're disabling STP and performing BDI bridging on what looks like those ODF devices?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

The ODF are just passive patch panels.

The routers are under the scope of another supplier. The diagram we attached is just a simplified version of the WAN architecture.

Our issue to solve is just the communication between the routers and the SCADA equipment inside each "Local Site".

Hello


@AmilcarDD wrote:

Cisco Routers are unaware of the second ring that exists locally through the switch,


Apologies - trying to understand
Where are these switches you mention in that topology?



Kind Regards
Paul

The switches are shown inside the yellow balloon, in the picture included in the initial post.

On the switch we have connected:

- One uplink port to each of the Cisco routers, for redundancy.

- One local port to the plant PLC.

- One local port to the plant HMI workstation.

I am attaching the diagram in PDF format for easier viewing.

Hello
Okay, thank you for the clarification.
So why do you have spanning tree disabled for VLANs 90-95,410-415? If those switches now have dual-connected links instead of a single link and they are trunking, then you do not want to be disabling spanning tree, as you have a potential for a loop.

What logging do you see on those switches? Do you see any errors, ports disabling, etc.?




Kind Regards
Paul
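
Added example (not part of the thread and not a Cisco tool): a small Python audit for configurations in the style posted above, listing per service instance whether spanning tree is disabled for its bridge domain, whether the instance peers STP, and whether the port carries `storm-control action shutdown`. It assumes that `spanning-tree vlan N` applies to bridge-domain N, as the numbering in the posted configuration suggests; the sample text is a constructed excerpt and the function and key names are hypothetical.

```python
import re

# Constructed excerpt, trimmed from the configuration posted at the top of the thread.
SAMPLE = """\
no spanning-tree vlan 90-95,410-415
interface GigabitEthernet0/0/5
 storm-control action shutdown
 service instance 194 ethernet
  l2protocol peer stp
  bridge-domain 194
interface GigabitEthernet0/0/10
 service instance 90 ethernet
  bridge-domain 90
 service instance 195 ethernet
  l2protocol peer cdp stp
  bridge-domain 195
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '90-95,410-415' into a set of ints."""
    ranges = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return one record per service instance with its spanning-tree state."""
    stp_off, storm_shut, efps, iface, efp = set(), set(), [], None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"no spanning-tree vlan (\S+)", line):
            stp_off |= expand_vlans(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface, efp = m.group(1), None  # a new interface closes the last instance
        elif line == "storm-control action shutdown":
            storm_shut.add(iface)
        elif m := re.fullmatch(r"service instance (\d+) ethernet", line):
            efp = {"interface": iface, "instance": int(m.group(1)),
                   "bridge_domain": None, "peers_stp": False}
            efps.append(efp)
        elif efp and line.startswith("l2protocol peer"):
            efp["peers_stp"] = "stp" in line.split()
        elif efp and (m := re.fullmatch(r"bridge-domain (\d+)", line)):
            efp["bridge_domain"] = int(m.group(1))
    for e in efps:
        # Assumption: 'spanning-tree vlan N' applies to bridge-domain N.
        e["stp_disabled"] = e["bridge_domain"] in stp_off
        e["storm_shutdown"] = e["interface"] in storm_shut
        e["stp_inactive"] = e["stp_disabled"] or not e["peers_stp"]
    return efps

if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(record)
```

Because each line is stripped before matching, the same function can be run on a configuration pasted without indentation.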

Good point.

The router configuration is done by others.

So you mean that they should activate spanning at least on the router ports that are connected to our switch, correct?

I believe the Cisco ASR 920 routers that are installed do not have RSTP as an option.

To be compatible with our switch's RSTP redundancy, which option should they use on their router ports: Rapid PVST or MSTP?

I know that MSTP should be directly compatible with RSTP, but I am unsure whether Rapid PVST is also compatible, or if it can be configured to be compatible.

I have been going through the switch configuration and found the parameters in the picture attached. Could these be used to implement compatibility with the routers' redundancy protocol, either Rapid PVST or MSTP?
