
hsrp and spanning tree

Network Pro
Level 1

Hi,

this is my topology

Nexus 1 ========== Nexus 2
        vPC (PO100)   |
                      |
                Access SW 1

Nexus 1 has all HSRP VLANs active and has the highest priority. Nexus 2 has lower priority and has all HSRP standby VLANs.

Now I moved HSRP to be active for VLAN 10 on Nexus 2 - this was fine. Then I changed its priority to 0 while the rest are on 4096 (similarly on Nexus 1, for VLAN 10 its priority is 4096 and the rest are 0). Now when I did this I can't ping any PC / IP on VLAN 10.

The logs say, on Nexus 1:

"Root guard unblocking port port-channel100 on VLAN10."

"STP-2-VPC_PEER_LINK_INCONSIST_UNBLOCK: vPC peer-link inconsistency cleared unblocking port-channel100 VLAN10."

On Nexus 2

STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel100 VLAN10

STP-2-VPC_PEER_LINK_INCONSIST_UNBLOCK: vPC peer-link inconsistency cleared unblocking port-channel110 VLAN10

STP-2-VPC_PEER_LINK_INCONSIST_UNBLOCK: vPC peer-link inconsistency cleared unblocking port-channel120 VLAN10.

Nexus 1 config

spanning-tree vlan 1-26,28-1024 priority 0
spanning-tree vlan 27 priority 4096

interface port-channel100
  description vpc peerlink to Nexus B
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard root

interface Vlan10
  ip address 10.10.10.2/24
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 10
    preempt
    priority 120
    timers msec 250 5
    ip 10.10.10.1
  no shutdown

Nexus 2 config

spanning-tree vlan 1-26,28-1024 priority 4096
spanning-tree vlan 27 priority 0

interface port-channel100
  description vpc peerlink to Nexus A
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard root

interface Vlan10
  ip address 10.10.10.3/24
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 10
    preempt
    priority 100
    timers msec 250 5
    ip 10.10.10.1
  no shutdown

Also, when I did show spanning-tree vlan 10 I got the following error:

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po100            Desg BLK 1         128.4097 (vPC peer-link) Network P2p       vpc_pl_INC

I think it's because of spanning-tree root guard, or is it the bug CSCty41162? Any thoughts on this please?

Thanks

Accepted Solution

Hi,

The root guard feature is used to protect the root bridge from a rogue or mistakenly installed switch with priority 0.

In your case, root guard is enabled on core switches connected to access or distribution switches, not another core.

I think because of this it is preventing Nexus 2 from being core for VLAN 10.

interface port-channel100
  description vpc peerlink to Nexus B
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard root --> try removing this line

Please rate helpful posts.

Best regards,
Abzal


7 Replies

Reza Sharifi
Hall of Fame

Hi,

This will cause an issue since you have priority 100 and preempt on both switches. Make one side priority 150 and the other default, with preempt only on the side with the higher priority.

Nexus 1 config

spanning-tree vlan 1-26,28-1024 priority 0
spanning-tree vlan 27 priority 4096

interface port-channel100
  description vpc peerlink to Nexus B
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard root

interface Vlan10
  ip address 10.10.10.2/24
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 10
    timers msec 250 5
    ip 10.10.10.1
  no shutdown

Nexus 2 config

spanning-tree vlan 1-26,28-1024 priority 4096
spanning-tree vlan 27 priority 0

interface port-channel100
  description vpc peerlink to Nexus A
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard root

interface Vlan10
  ip address 10.10.10.3/24
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 10
    preempt
    priority 150
    timers msec 250 5
    ip 10.10.10.1
  no shutdown

HTH

Sorry, my mistake; the HSRP priority is correct, with Nexus 1 being active.

So the spanning-tree guard root on both Nexus switches - will this cause an issue? Should it only be on one? Or am I hitting the bug?

Are you referring to the "spanning-tree loopguard default" command?

If yes, you can enable it on both switches:

Usage Guidelines

Loop Guard provides additional security in the bridge network. Loop Guard prevents alternate or root ports from becoming the designated port because of a failure that could lead to a unidirectional link.

Loop Guard operates only on ports that are considered point-to-point links by the spanning tree, and it does not run on spanning tree edge ports.

When you enter the Loop Guard command for the specified interface, that spanning-tree guard loop command overrides this command.

This command does not require a license.

Examples

This example shows how to enable Loop Guard:

switch(config)# spanning-tree loopguard default
switch(config)#

Hi Reza,

I mean the spanning-tree guard root command. Should this be used only on links connecting to downstream access switches? Here in my case I have got it on the trunk links connecting both cores (on both cores), so I am thinking, will this cause a problem? Because when I increase the priority of a VLAN on the second Nexus it doesn't allow me and goes to blocking, and I think the guard root on Nexus 1 is preventing Nexus 2 from being root for VLAN 10. But at the same time I am not sure if I am hitting the bug also?

Any thoughts on this please?


As I suspected, the spanning-tree guard root command was the problem.

spanning-tree guard root is generally used on links connecting to access switches to prevent them becoming root. You can use this on the link connecting to a secondary core, but only if all VLANs are primary on the active core that has the spanning-tree guard root command. In case you want to load balance HSRP groups (some on one core and the rest on the other), then the command spanning-tree guard root should be present on the links connecting both cores.

Thanks
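As an added example (not code from the thread or from any of the posters), here is a small Python lint over NX-OS config fragments that encodes the three things the thread turns on: root guard configured on the vPC peer-link (the accepted answer's fix), VLANs whose STP root and HSRP active switch differ (the load-balanced HSRP case in the last post), and the vpc_pl_INC flag in show spanning-tree vlan output (the symptom). The configs and show output below are constructed to mirror the thread, with VLAN 10 as the moved VLAN as the text describes. Two assumptions: the peer-link is identified by a `vpc peer-link` line or a description containing "peerlink", and VLANs with equal bridge priority on both sides are skipped because the config does not show the bridge MAC that breaks the tie.

```python
import re

# Constructed NX-OS fragments mirroring the thread (not taken from a real device).
# VLAN 10 is the VLAN moved to Nexus 2, as the poster's text describes.
NEXUS1_CFG = """\
spanning-tree vlan 1-9,11-1024 priority 0
spanning-tree vlan 10 priority 4096
interface port-channel100
  description vpc peerlink to Nexus B
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard root
interface Vlan10
  hsrp 10
    priority 120
"""
NEXUS2_CFG = """\
spanning-tree vlan 1-9,11-1024 priority 4096
spanning-tree vlan 10 priority 0
interface port-channel100
  description vpc peerlink to Nexus A
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard root
interface Vlan10
  hsrp 10
    priority 100
"""
# Constructed 'show spanning-tree vlan 10' rows in the layout the thread shows.
STP_SHOW = """\
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po100            Desg BLK 1         128.4097 (vPC peer-link) Network P2p       vpc_pl_INC
"""


def expand_vlans(spec):
    """'1-9,11-1024' -> {1, ..., 9, 11, ..., 1024}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(host, text):
    """Per-VLAN STP priority, per-SVI HSRP priority, and peer-link ports carrying root guard.
    Assumption: the peer-link is the port with 'vpc peer-link' or a description naming 'peerlink'."""
    cfg = {"host": host, "stp": {}, "hsrp": {}, "peerlink_root_guard": []}
    iface, svi_vlan, is_peerlink, has_root_guard = None, None, False, False
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):  # global-level line closes any open interface block
            iface, svi_vlan, is_peerlink, has_root_guard = None, None, False, False
            if m := re.match(r"spanning-tree vlan (\S+) priority (\d+)", line):
                for v in expand_vlans(m.group(1)):
                    cfg["stp"][v] = int(m.group(2))
            elif m := re.match(r"interface (\S+)", line):
                iface = m.group(1)
                if m := re.match(r"vlan(\d+)", iface, re.I):
                    svi_vlan = int(m.group(1))
            continue
        is_peerlink |= bool(re.search(r"peer-?link", line, re.I))
        has_root_guard |= line == "spanning-tree guard root"
        if is_peerlink and has_root_guard and iface not in cfg["peerlink_root_guard"]:
            cfg["peerlink_root_guard"].append(iface)
        if svi_vlan is not None and (m := re.match(r"priority (\d+)", line)):
            cfg["hsrp"][svi_vlan] = int(m.group(1))
    return cfg


def stp_hsrp_misalignment(a, b):
    """VLANs where the STP root (lower bridge priority) is not the HSRP active
    switch (higher HSRP priority, preempt assumed). Equal priorities are skipped."""
    out = []
    for vlan in sorted(set(a["hsrp"]) & set(b["hsrp"])):
        pa, pb = a["stp"].get(vlan, 32768), b["stp"].get(vlan, 32768)
        ha, hb = a["hsrp"][vlan], b["hsrp"][vlan]
        if pa == pb or ha == hb:
            continue
        stp_root = a["host"] if pa < pb else b["host"]
        hsrp_active = a["host"] if ha > hb else b["host"]
        if stp_root != hsrp_active:
            out.append((vlan, stp_root, hsrp_active))
    return out


def peerlink_inconsistent_ports(show_output):
    """Rows of 'show spanning-tree vlan' whose trailing flags carry vpc_pl_INC."""
    hits = []
    for line in show_output.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+\.\d+\s+(.*)$", line)
        if m and "vpc_pl_INC" in m.group(4):
            hits.append((m.group(1), m.group(2), m.group(3), "vpc_pl_INC"))
    return hits


def run_lint():
    n1, n2 = parse_config("nexus1", NEXUS1_CFG), parse_config("nexus2", NEXUS2_CFG)
    return {
        "root_guard_on_peerlink": [(c["host"], i) for c in (n1, n2) for i in c["peerlink_root_guard"]],
        "stp_hsrp_misaligned": stp_hsrp_misalignment(n1, n2),
        "vpc_pl_inc": peerlink_inconsistent_ports(STP_SHOW),
    }


if __name__ == "__main__":
    print(run_lint())
```

On the constructed input the lint reports root guard on port-channel100 on both switches, VLAN 10 with STP root on nexus2 but HSRP active on nexus1, and Po100 blocked with vpc_pl_INC. Run it against real `show running-config` and `show spanning-tree vlan` captures by swapping the constants for file contents.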
