Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
3643
Views
5
Helpful
3
Replies

BPDU guard and vPC

Go to solution
Feds
Level 1
Level 1

ā€Ž11-21-2017 08:49 PM - edited ā€Ž03-08-2019 12:49 PM

Hi everyone,
Does anybody know what happens to existing servers connected via vPC or to the vPC domain itself when configuring BPDU guard globally on a pair of Nexus 5548 vPC peers, assuming inter-switch links are configured as type network or default (no type edge/edge trunk)?

Is it better to configure BPDU guard at an interface level instead, and what is the impact to servers in this case?

Thanks

Fed

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Feds

ā€Ž11-23-2017 03:50 AM

But you can easily check if its effecting it , if its up/up it should be fine and check the traffic counters make sure its processing through the interface, I would not think a bpduguard on one end and not the other would take a interface down as its an optional parameter for the vpc and not a requirement for it to work but I have not tested it to be sure , if your concerned about causing further issues when updating the config you could follow the below procedure to limit the impact

 

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html#pgfId-424990

 

Virtual Port Channel Operations

Configuring Changes in vPC Topologies

One of the challenges with vPC topologies is how to make configuration changes with minimum traffic disruption. Due to the consistency check, the configuration made on one vPC switch could potentially lead to consistency check failure and traffic disruption.

Beginning with Cisco NX-OS Release 5.0(2)N2(1), you can use the following procedure to make configuration changes for Type 1 consistency check parameters on a Cisco Nexus 5000 Series switch. We recommend that you perform the following procedure during a maintenance window because it might reduce the vPC bandwidth by half for a short duration.

Note A graceful consistency-check does not apply to dual-homed FEX ports. As a result, both switches keep the port down for the duration of an inconsistency. Using the configuration synchronization feature reduces the duration of the inconsistency.

 

To make configuration changes for Type 1 consistency-check parameters, follow these steps:

Step 1 Enable graceful consistency-check in a vPC domain.

switch# config term
switch(config)# vpc domain 10
switch(config-vpc-domain)# graceful consistency-check
 

Step 2 Enable the configuration synchronization feature on both vPC peer switches.

For details on using the configuration synchronization feature, see the ā€œConfiguration Synchronization Operationsā€ chapter.

Step 3 Perform all configuration changes in the switch profile.

switch# config sync
switch(config-sync)# switch-profile abc
switch(config-sync-sp)# interface Port-channel 100
switch(config-sync-sp-if)# switchport mode trunk
switch(config-sync-sp-if)# commit

 

 

When you commit switch profile configurations on the local switch, the configuration is also sent to the vPC peer switch to reduce misconfigurations when changes are made on only one vPC switch and to reduce the downtime because the configuration is applied rapidly. When there is a short mismatch duration, a graceful consistency-check keeps the primary side forwarding traffic.

Note When you are making a configuration change for a Type 2 consistency check parameter, such as Allowed VLAN for trunk ports, you do not need to follow this procedure

View solution in original post

3 Replies 3

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

ā€Ž11-22-2017 01:36 AM

It wont impact edge servers or your domain and you should use portfast with it , personally we do it by interface for risk reasons but it should not cause an issue globally either

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/SpanningEnhanced.html#pgfId-1129722

Enabling BPDU Guard Globally

You can enable BPDU Guard globally by default. In this condition, the system shuts down an edge port that receives a BPDU.




Note We recommend that you enable BPDU Guard on all edge ports.




Before you configure this feature, you should do the following:
ā€¢ Ensure that STP is configured.
ā€¢ Ensure that you have configured some spanning tree edge ports.

To enable BPDU Guard globally, perform this task:







Command


Purpose


Step 1

switch# configure terminal

Enters configuration mode.


Step 2

switch(config)# spanning-tree port type edge bpduguard default

Enables BPDU Guard by default on all spanning tree edge ports. By default, global BPDU Guard is disabled.

0 Helpful

Go to solution
Feds
Level 1
Level 1
In response to Mark Malone

ā€Ž11-22-2017 08:48 PM

Thanks Mark, again this is related to my previous post, however I was more interested in knowing what happens when the server is already connected to a vPC port-channel being port type edge or edge trunk, and you enable BPDU guard on the Po interface (not globally) on one of the vPC peers.

Is the difference in configuration between the two vPC peers going to create issues? In other words, does the vPC consistency type-2 check bring the port-channel interface on the secondary vPC down (or anyway put it into an inconsistent state) because BPDU guard is configured on one vPC peer only?

What's the expected behaviour for these vPC peer switches and their ports in this case?

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Feds

ā€Ž11-23-2017 03:50 AM

But you can easily check if its effecting it , if its up/up it should be fine and check the traffic counters make sure its processing through the interface, I would not think a bpduguard on one end and not the other would take a interface down as its an optional parameter for the vpc and not a requirement for it to work but I have not tested it to be sure , if your concerned about causing further issues when updating the config you could follow the below procedure to limit the impact

 

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html#pgfId-424990

 

Virtual Port Channel Operations

Configuring Changes in vPC Topologies

One of the challenges with vPC topologies is how to make configuration changes with minimum traffic disruption. Due to the consistency check, the configuration made on one vPC switch could potentially lead to consistency check failure and traffic disruption.

Beginning with Cisco NX-OS Release 5.0(2)N2(1), you can use the following procedure to make configuration changes for Type 1 consistency check parameters on a Cisco Nexus 5000 Series switch. We recommend that you perform the following procedure during a maintenance window because it might reduce the vPC bandwidth by half for a short duration.

Note A graceful consistency-check does not apply to dual-homed FEX ports. As a result, both switches keep the port down for the duration of an inconsistency. Using the configuration synchronization feature reduces the duration of the inconsistency.

 

To make configuration changes for Type 1 consistency-check parameters, follow these steps:

Step 1 Enable graceful consistency-check in a vPC domain.

switch# config term
switch(config)# vpc domain 10
switch(config-vpc-domain)# graceful consistency-check
 

Step 2 Enable the configuration synchronization feature on both vPC peer switches.

For details on using the configuration synchronization feature, see the ā€œConfiguration Synchronization Operationsā€ chapter.

Step 3 Perform all configuration changes in the switch profile.

switch# config sync
switch(config-sync)# switch-profile abc
switch(config-sync-sp)# interface Port-channel 100
switch(config-sync-sp-if)# switchport mode trunk
switch(config-sync-sp-if)# commit

 

 

When you commit switch profile configurations on the local switch, the configuration is also sent to the vPC peer switch to reduce misconfigurations when changes are made on only one vPC switch and to reduce the downtime because the configuration is applied rapidly. When there is a short mismatch duration, a graceful consistency-check keeps the primary side forwarding traffic.

Note When you are making a configuration change for a Type 2 consistency check parameter, such as Allowed VLAN for trunk ports, you do not need to follow this procedure

Customers Also Viewed These Support Documents