BRIDGE_ASSURANCE_BLOCK on random VLANS on a single etherchannel

kai schoene
Level 1

Hi!

I'm having serious issues with bridge assurance blocking random vlans at random times on a single etherchannel.

this occurs on the 6500 side of the connection.

the 6500 is connected to a vPC on a couple of nexus 5596's.

I cant for the life of me figure out what is causing this and need a little assistance on what to troubleshoot.

debug spanning-tree all gives 0 results on the 6500.

no logs on the 5596's or any of the other switches in the network shows any signs of root cause.

sample of logs from the 6500 the last few minutes:

Aug 12 2016 14:30:59.835 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel1 on VLAN1372.
Aug 12 2016 14:31:05.861 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel1 on VLAN1372.
Aug 12 2016 14:33:20.174 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel1 on VLAN0061.
Aug 12 2016 14:33:26.174 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel1 on VLAN0061.
Aug 12 2016 14:33:45.290 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel1 on VLAN0669.
Aug 12 2016 14:33:51.333 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel1 on VLAN0669.
Aug 12 2016 14:34:36.519 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel1 on VLAN0600.
Aug 12 2016 14:34:42.530 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel1 on VLAN0600.
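As an added example, not part of the post: a small Python parser for the SPANTREE messages above. It pairs each BRIDGE_ASSURANCE_BLOCK with the matching UNBLOCK per port and VLAN, reports how long each VLAN stayed blocked, and flags a port whose block count inside a time window looks like flapping. The function and parameter names are mine; the sample input is the first three block/unblock pairs quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the first three block/unblock pairs quoted in the post.
SAMPLE_LOG = """Aug 12 2016 14:30:59.835 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel1 on VLAN1372.
Aug 12 2016 14:31:05.861 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel1 on VLAN1372.
Aug 12 2016 14:33:20.174 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel1 on VLAN0061.
Aug 12 2016 14:33:26.174 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel1 on VLAN0061.
Aug 12 2016 14:33:45.290 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel1 on VLAN0669.
Aug 12 2016 14:33:51.333 CEST: %SPANTREE-SP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel1 on VLAN0669.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d+) \S+: "
    r"%SPANTREE-\S+-BRIDGE_ASSURANCE_(?P<event>BLOCK|UNBLOCK): "
    r"Bridge Assurance (?:un)?blocking port (?P<port>\S+) on VLAN(?P<vlan>\d+)\.$"
)

def block_intervals(log_text):
    """Pair each BLOCK with the next UNBLOCK for the same (port, VLAN) and return
    [(port, vlan, start, seconds_blocked)]; seconds_blocked is None if still blocked."""
    open_blocks, intervals = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog lines are skipped
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
        key = (m["port"], int(m["vlan"]))
        if m["event"] == "BLOCK":
            open_blocks[key] = ts
        elif key in open_blocks:
            start = open_blocks.pop(key)
            intervals.append((key[0], key[1], start, (ts - start).total_seconds()))
    for (port, vlan), start in open_blocks.items():
        intervals.append((port, vlan, start, None))
    return intervals

def flap_summary(intervals, window_s=300, threshold=3):
    """Per port: block count, and whether `threshold` blocks fell inside any `window_s`."""
    per_port = defaultdict(list)
    for port, _, start, _ in intervals:
        per_port[port].append(start)
    out = {}
    for port, starts in per_port.items():
        starts.sort()
        flapping = any((starts[i + threshold - 1] - starts[i]).total_seconds() <= window_s
                       for i in range(len(starts) - threshold + 1))
        out[port] = {"blocks": len(starts), "flapping": flapping}
    return out
```

On the quoted lines every VLAN is unblocked again after roughly six seconds, and three blocks inside five minutes already trip the default flap threshold.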

4 Replies

kai schoene
Level 1

config etherchannel 6500:

interface Port-channel1
 description UPLINK NEXUS
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mtu 9216
 spanning-tree portfast network

interface TenGigabitEthernet5/5
 description N5K-01 Eth 1/32
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mtu 9216
 channel-protocol lacp
 channel-group 1 mode active
 spanning-tree portfast network
 spanning-tree link-type point-to-point

interface TenGigabitEthernet5/4
 description N5K-02 Eth 1/32
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mtu 9216
 channel-protocol lacp
 channel-group 1 mode active
 spanning-tree portfast network
 spanning-tree link-type point-to-point

config Nexus:

N5K-01:

interface port-channel3079
  description UPLINK 6500
  switchport mode trunk
  vpc 3079

interface Ethernet1/32
  description C6500 Ten5/4
  switchport mode trunk
  spanning-tree port type normal
  channel-group 3079 mode active

N5K-02:

interface port-channel3079
  description UPLINK 6500
  switchport mode trunk
  vpc 3079

interface Ethernet1/32
  description C6500 Ten5/4
  switchport mode trunk
  spanning-tree port type normal
  channel-group 3079 mode active

ahmedshoaib
Level 4

Hi;

The link between the Cat 6500 and the Nexus 5596 is blocked by bridge assurance because you enabled Bridge Assurance on one side (Cat 6500) but not on the Nexus 5596.

Bridge Assurance is enabled only on spanning tree network ports that are point-to-point links, and both ends of the link must have Bridge Assurance enabled.

If the device on one side of the link has Bridge Assurance enabled and the device on the other side either does not support Bridge Assurance or does not have this feature enabled, the connecting port will be blocked.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/stp_enha.html#wp1055344

To fix the issue, you need to enable the Bridge assurance on Nexus 5596 or remove Bridge assurance from Cat 6500.

Nexus 5596: (Enable Bridge assurance)

N5K-01:

interface port-channel3079
 spanning-tree port type network

N5K-02:

interface port-channel3079
 spanning-tree port type network

Thanks & Best regards;

To add to what Ahmed said, it would be better to disable BA on the 6500, as BA is not recommended for vPC member ports.

For access switches connected to vPC domain, use the following guidelines/best practices:

Strong Recommendations:

● Enable STP port type “edge” and port type “edge trunk” on host ports
● Enable STP BPDU-guard globally
● Disable STP channel-misconfig guard if supported by access switches
● Do not enable Loopguard on vPC (disabled by default)
● Do not enable Bridge Assurance on vPC

http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

I think the best solution will be to remove the below from 6500 Port-channel to disable BA on this link.

 spanning-tree portfast network

Also ensure that the above removes the same from 5/4 and 5/5; otherwise remove it from there too.

Hope this helps,

Madhu.
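As an added check, not from the thread or from Cisco: a Python audit that parses the two sides' configs and flags the three problems discussed in Ahmed's and Madhu's replies: Bridge Assurance (port type network) on only one end of the link, BA left on a vPC port-channel, and 6500 member ports that still carry `portfast network` after it is removed from the bundle. It assumes the platform defaults the thread relies on (BA globally enabled, default port type normal); the function names are mine, and the sample configs are trimmed from those posted above.

```python
import re

def parse_interfaces(config):
    """Split an IOS/NX-OS config excerpt into {interface name: [subcommands]}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            ifaces[cur] = []
        elif not line.startswith(" "):
            cur = None  # '!' separator, blank line or another section ends the block
        elif cur:
            ifaces[cur].append(line.strip())
    return ifaces

def stp_port_type(cmds):
    """Return 'network', 'edge' or 'normal'. IOS: 'spanning-tree portfast <type>';
    NX-OS: 'spanning-tree port type <type>'. Assumes BA globally on (platform default)."""
    for c in cmds:
        m = re.match(r"spanning-tree (?:portfast|port type) (network|edge|normal)\b", c)
        if m:
            return m.group(1)
    return "normal"

def audit_ba_link(ios_cfg, ios_pc, nx_cfg, nx_pc):
    """Findings for one port-channel between an IOS switch and an NX-OS vPC peer."""
    ios, nx = parse_interfaces(ios_cfg), parse_interfaces(nx_cfg)
    a, b = stp_port_type(ios.get(ios_pc, [])), stp_port_type(nx.get(nx_pc, []))
    out = []
    if (a == "network") != (b == "network"):  # BA on one end only: that end blocks
        out.append(f"BA mismatch: {ios_pc} is '{a}', {nx_pc} is '{b}'")
    if b == "network" and any(c.startswith("vpc ") for c in nx.get(nx_pc, [])):
        out.append(f"BA on vPC: {nx_pc} is port type network (vPC guide advises against)")
    group = ios_pc.lower().replace("port-channel", "")
    for name, cmds in ios.items():  # member ports must match the bundle's port type
        member = any(c.startswith(f"channel-group {group} ") for c in cmds)
        if member and stp_port_type(cmds) != a:
            out.append(f"member {name} is '{stp_port_type(cmds)}' but {ios_pc} is '{a}'")
    return out

# Sample inputs trimmed from the configs posted in the thread (STP-relevant lines only).
C6500 = """interface Port-channel1
 spanning-tree portfast network
interface TenGigabitEthernet5/4
 channel-group 1 mode active
 spanning-tree portfast network"""
N5K = """interface port-channel3079
 vpc 3079"""
```

Run as posted the audit reports only the BA mismatch; adding Ahmed's `spanning-tree port type network` on the Nexus side clears it but raises the vPC finding, and Madhu's removal on the 6500 is clean only once the member ports match the port-channel.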