New 4321 Router BDI to replace BVI, spanning tree issues...

James Smith
Level 1

G'day All,

I've got an issue with a new 4321 that is meant to replace a 2800 router acting as a voice gateway. The 2800 uses a BVI to connect two gig interfaces to two 6509 switches, and this works a treat at the moment. STP is blocking the VLAN on one of the switch interfaces to the router while the other forwards, as expected.

The new 4321 was built, but the BVI config can't be used, so based on the Cisco doco the Bridge Domain setup was used, which I have posted below. On paper the config looked good and the router was introduced into the network. Cue spanning tree loop and network outage. Luckily this was after hours so no real harm done.

So my understanding was that in the new IOS XE software the BDI replaced the BVI, but this didn't work as I had expected. When using the BDI configuration on the router, the downstream switch ports didn't do any blocking of the VLAN to the router and both switch ports stayed forwarding.

Enabling BPDU guard works as expected, with one of the switch ports going err-disabled after seeing an unexpected BPDU, but without that, at no point does either switch port block the VLAN to prevent the loop. The switch port configuration didn't change between the old 2800 and the new 4321 going in.

It is a pretty basic setup that was inherited from the previous network guys, so I am wondering if anyone out there has any experience with BDIs and connecting to switches.

I've attached a basic diagram with some config of both the old and new router (the important bits).

Cheers,

JS

Accepted Solution

Hello James,

Hopefully you have found your answer by now, but recently I came across a similar issue when replacing an older ISR router with an ISR4321, which did not support the BVI feature.

This is an example of configuration, in which I encountered the issue:

                +-----------+
         Gi0/0/0|  ISR4321  |Gi0/0/1
      +---------+           +--------+
      |         +-----------+        |
      |             BDI100           |
      |                              |
      |                              |
      |                              |
Fa0/2 |                              |Fa0/3 <- access ports.
+--------+Fa0/1               Fa0/1+--------+
|CAT2960S+-------------------------+CAT2960S|
+--------+          TRUNK          +--------+

I had to work the BDI configuration in such a way that the two switches connected to the ISR4321 would form two redundant paths. However, with a configuration in which the two switch ports are configured as access ports, I noticed that the router is not taking part in the STP process at all, which caused MAC flaps. The MAC address associated with the flaps was related to the BDI interface MAC address.

And I believe it is expected, because the router has no idea which VLAN a given frame belongs to, as the switches do not add a dot1q tag to frames sent through access ports. Because of this, the router did not know how to participate in the STP process and both physical interfaces were forwarding:

ISR4321(config)#do sh spa

Bridge group 100
  Spanning tree enabled protocol vlan-bridge
  Root ID    Priority    32768
             Address     6412.25a2.f450
             This bridge is the root
             Hello Time   2 sec  Max Age 30 sec  Forward Delay 20 sec

  Bridge ID  Priority    32768
             Address     6412.25a2.f450
             Hello Time   2 sec  Max Age 30 sec  Forward Delay 20 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

This in turn caused the mentioned MAC flaps on both the access and trunk ports of the switches. By default the router will send the frames for a specific flow reachable on the BDI interface through both physical interfaces, which causes the MAC flaps. For example:

2960-2#
*Mar  1 07:02:09.375: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:02:25.381: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/3 and port Fa0/1
*Mar  1 07:02:40.464: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:02:53.399: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:03:09.396: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/3 and port Fa0/1
*Mar  1 07:03:27.381: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:03:39.402: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:03:55.399: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:04:09.408: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/3 and port Fa0/1
*Mar  1 07:04:31.403: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/3 and port Fa0/1
*Mar  1 07:04:41.411: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/3 and port Fa0/1
*Mar  1 07:04:57.408: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:05:09.395: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:05:23.404: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/3 and port Fa0/1
2960-2#

I found that the best configuration, which allows for redundancy and eliminates L2 loops, is one that makes sure the router receives frames with a dot1q tag, as follows:

1. First of all, the switch links connected to the router should be configured as trunks on which we allow specific VLANs. In my case, it was one VLAN.

2. On the router, configure a Bridge Domain and a Service Instance under the specific interfaces, and make sure that the encapsulated traffic is matched by the Service Instance, where we pop one tag; for example, for VLAN 100:

!
interface GigabitEthernet0/0/0
bandwidth 100000
no ip address
negotiation auto
service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  l2protocol peer stp
  bridge-domain 100
!

3. Lastly, make sure that STP is enabled on the router:

ISR4321#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ISR4321 (config)#spanning-tree mode rapid-pvst
ISR4321 (config)#end

When all of this is configured correctly, we see that one of the router's interfaces goes into blocking state due to STP, and that prevents an L2 loop:

ISR4321#sh spanning-tree vlan 100

G1:VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    24676
             Address     001f.274f.f180
             Cost        19
             Port        9 (GigabitEthernet0/0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     6412.25a2.f4d2
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 0

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0/0             Altn BLK 19        128.8    P2p
Gi0/0/1             Root FWD 19        128.9    P2p

Also, it ensures we have redundancy, of course.

Hope this helps,

Roman
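
As an added example (not code from this thread, from Cisco, or from Roman), the Python below turns the %SW_MATM-4-MACFLAP_NOTIF lines quoted above into a detection check: it parses each notification, raises a "storm" only when one MAC flaps repeatedly inside a sliding time window, and then separates flaps of the router's own bridge MAC (the looped-uplink signature seen here) from ordinary host moves. The sample log, the year used for the timestamps (IOS omits it) and the bridge MAC list are constructed assumptions.

```python
"""Detect MAC-flap storms in Cisco %SW_MATM-4-MACFLAP_NOTIF syslog lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log modelled on the 2960 output quoted in the thread;
# the last line is a second, non-flapping host added for contrast.
SAMPLE_LOG = """\
*Mar  1 07:02:09.375: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:02:25.381: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/3 and port Fa0/1
*Mar  1 07:02:40.464: %SW_MATM-4-MACFLAP_NOTIF: Host 6412.25a2.f4d3 in vlan 100 is flapping between port Fa0/1 and port Fa0/3
*Mar  1 07:30:00.000: %SW_MATM-4-MACFLAP_NOTIF: Host aaaa.bbbb.cccc in vlan 200 is flapping between port Fa0/5 and port Fa0/6
"""

FLAP_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)

def parse_flaps(text, year=2000):
    """Yield (timestamp, mac, vlan, {port_a, port_b}); the year is assumed."""
    for line in text.splitlines():
        m = FLAP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["mac"], int(m["vlan"]), frozenset((m["p1"], m["p2"]))

def flap_storms(text, window=timedelta(minutes=5), threshold=3):
    """Return {(mac, vlan): {"count": n, "ports": [...]}} for hosts with at
    least `threshold` notifications inside any `window`-long sliding span."""
    by_host = defaultdict(list)
    for ts, mac, vlan, ports in parse_flaps(text):
        by_host[(mac, vlan)].append((ts, ports))
    storms = {}
    for key, events in by_host.items():
        events.sort()
        times = [t for t, _ in events]
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                ports = sorted(set().union(*(p for _, p in events)))
                storms[key] = {"count": len(events), "ports": ports}
                break  # one qualifying window is enough to report the host
    return storms

def flaps_from_bridge(storms, bridge_macs):
    """Keep only storms whose flapping host is one of the router's own
    (BDI/bridge) MACs: a looped uplink pair, not a mobile or spoofed host."""
    return {k: v for k, v in storms.items() if k[0] in bridge_macs}
```

Feed it the output of "show logging" from a switch and compare the reported ports with the router uplinks; a storm on the bridge MAC across exactly those two ports means STP is not blocking either side.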

5 Replies

James Smith
Level 1

Hey All,

Surely someone has something to offer here?

Cheers,

JS

Hallo Rokowals

Which IOS version should be used?

Because I don't see this (on my voice gateway version):

ISR4321#sh spanning-tree vlan 100

G1:VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    24676
             Address     001f.274f.f180
             Cost        19
             Port        9 (GigabitEthernet0/0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     6412.25a2.f4d2
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 0

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0/0             Altn BLK 19        128.8    P2p
Gi0/0/1             Root FWD 19        128.9    P2p

PS: I don't see it when using encapsulation untagged.

Cheers,
Dario

Try this:

interface GigabitEthernet0/0/0
description _____
no ip address
negotiation auto
service instance 1 ethernet
description _____
encapsulation untagged , dot1q 1
bridge-domain 1

 

interface GigabitEthernet0/0/1
description _____
no ip address
negotiation auto
service instance 1 ethernet
description _____
encapsulation untagged , dot1q 1
bridge-domain 1

Thank you for this write up!  You were able to resolve the issue that I was seeing with the spanning tree commands.  Much appreciated!
