Re: Nexus-1 %STP-6-ROOT: Root bridge for VLAN3121 changed to 1849.0023

shlomoi · ‎06-14-2022

Hi,

I have 2 Nexus 9Ks. Recently I get a lot of STP messages that cause many disconnections in the network. Such messages
Nexus-1 # show logging | last 50
2022 Jun 14 10:59:43 Nexus-1 %STP-6-ROOT: Root bridge for VLAN3051 changed to 1beb.0023.04ee.be01
2022 Jun 14 10:59:43 Nexus-1 %STP-6-ROOT: Root bridge for VLAN3054 changed to 1bee.0023.04ee.be01
2022 Jun 14 10:59:43 Nexus-1 %STP-6-ROOT: Root bridge for VLAN3052 changed to 1bec.0023.04ee.be01
2022 Jun 14 10:59:43 Nexus-1 %STP-6-ROOT: Root bridge for VLAN3128 changed to 1c38.0023.04ee.be01
2022 Jun 14 10:59:43 Nexus-1 %STP-6-ROOT: Root bridge for VLAN3145 changed to 1c49.0023.04ee.be01
2022 Jun 14 10:59:43 Nexus-1 %STP-6-ROOT: Root bridge for VLAN3140 changed to 1c44.0023.04ee.be01

On the Nexus I have such an STP set
spannig-tree rapid-pvst with priority 0 on all vlans
spanning-tree vlan 1-3169 priority 0.
I do debug on the stp and I get a lot of such messages

2022 Jun 13 16:56:37.323796 stp: vb_vlan_shim_set_vlans_multi_port_state(3105): vlan :0xbf6 flc_vlan: 0xbf6

2022 Jun 13 16:56:37.323813 stp: vb_vlan_shim_set_vlans_multi_port_state(3105): vlan :0xbf7 flc_vlan: 0xbf7

2022 Jun 13 16:56:37.323830 stp: vb_vlan_shim_set_vlans_multi_port_state(3105): vlan :0xbf8 flc_vlan: 0xbf8

2022 Jun 13 16:56:37.323847 stp: vb_vlan_shim_set_vlans_multi_port_state(3105): vlan :0xbf9 flc_vlan: 0xbf9

2022 Jun 13 16:56:37.323864 stp: vb_vlan_shim_set_vlans_multi_port_state(3105): vlan :0xbfa flc_vlan: 0xbfa

2022 Jun 13 16:56:37.323881 stp: vb_vlan_shim_set_vlans_multi_port_state(3105): vlan :0xbfb flc_vlan: 0xbfb

2022 Jun 13 16:56:37.323898 stp: vb_vlan_shim_set_vlans_multi_port_state(3105): vlan :0xbfc flc_vlan: 0xbfc

Does anyone take the root from the Nexus even though there is a 0 priority ?

Someone might have an idea what the problem might be?

THANKS

SHLOMO ITZHAK

balaji.bandi · ‎06-14-2022

Is the nexus deployed in vPC ? if both the switches set as priority then that go in to STP election process here.

check nexus spanning config :

https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/118858-config-nexus7000-00.html

how is your topology Looks like ?

which device hold this MAC Address : 1beb.0023.04ee.be01

The problem may be misconfiguration. or due to Links failures (may be)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

shlomoi · ‎06-14-2022

Hi thanks for your help,

They are in vpc configuration with identical STP settings in 2 Nexus. I do not find this MAC in my MAC table, but I check on the mac-vendor website listed that it is Cisco ,also I checked show interface counter error and the links are correct.

There may be an STP problem between the 2 Nexus and it is worth increase the priority of the STP on Nexus 2 .

Nexus-1# show run | sec spanning
logging level spanning-tree 7
spanning-tree vlan 1-3169 priority 0
spanning-tree port type network
cli alias name ssta show spanning-tree active

Nexus-2# show run | sec spanning
logging level spanning-tree 7
spanning-tree vlan 1-3169 priority 0
spanning-tree port type network
cli alias name ssta show spanning-tree active

THANKS

balaji.bandi · ‎06-14-2022

There may be an STP problem between the 2 Nexus and it is worth increase  the priority of the STP on Nexus 2 .

nexus vPC both will be acting as root bridge (unlike Catalyst different in nexus deployment).

If that is virtual MAC address check where it learning from ? is there any other VLAN in the switch other than mentioned one flapping :

check some troubleeshooting tips :

https://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/116199-technote-stp-00.html

also you need more assistance

post show vpc from both side ( show run config major one)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎06-14-2022

do
NSk# show vpc role
see if the mac address appear is same in log message

If it mac address of NSK peers why Root is change from one peer to other? that hard to say why BUT
you can instead of change priority do
root-primary and root-secodanry in primary/secondary of NSK peers.

marce1000 · ‎06-14-2022

- The prefixes , does not seem to belong to any vendor and the second part of the mac address is always the same which is near impossible in normal circumstances !!. Make sure your network is not under attack.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

MHM Cisco World · ‎06-14-2022

can I see output of
show vPc

shlomoi · ‎06-14-2022

Hi

below show vpc and view vpc role.

Nexus-1# show vpc role

vPC Role status
----------------------------------------------------
vPC role : primary
Dual Active Detection Status : 0
vPC system-mac : 00:23:04:ee:be:01
vPC system-priority : 32667
vPC local system-mac : 7c:21:0e:5e:b6:7f
vPC local role-priority : 20
vPC local config role-priority : 20
vPC peer system-mac : 70:61:7b:26:84:e7
vPC peer role-priority : 30
vPC peer config role-priority : 30
Nexus-1#

Nexus-2# show vpc role

vPC Role status
----------------------------------------------------
vPC role : secondary
Dual Active Detection Status : 0
vPC system-mac : 00:23:04:ee:be:01
vPC system-priority : 32667
vPC local system-mac : 70:61:7b:26:84:e7
vPC local role-priority : 30
vPC local config role-priority : 30
vPC peer system-mac : 7c:21:0e:5e:b6:7f
vPC peer role-priority : 20
vPC peer config role-priority : 20
Nexus-2#

Nexus-1# show vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 37
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled, timer is off.(timeout = 240s)
Delay-restore status : Timer is off.(timeout = 360s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled
Virtual-peerlink mode : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po1000 up 1,4,114,168-172,190,201-250,400,601-799,910-911,
1020-1169,1611-1699,2020-2169,2611-2699,3020-3169

Nexus-2# show vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary
Number of vPCs configured : 37
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled, timer is off.(timeout = 240s)
Delay-restore status : Timer is off.(timeout = 360s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled
Virtual-peerlink mode : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po1000 up 1,4,114,168-172,190,201-250,400,601-799,910-911,
1020-1169,1611-1699,2020-2169,2611-2699,3020-3169

I must note that the messages of the STP come from a 1/41 port connected to the Lenovo Flex System Fabric EN4093R 10Gb Scalable Switch.
In Lenovo's test I see 2 root ports maybe this is the problem but I do not know how to deal with it

Spoiler

Thanks

marce1000 · ‎06-15-2022

- Have a look at this document : https://flexsystem.lenovofiles.com/help/topic/com.lenovo.acc.en4093.doc/EN4093R_AG_8-2.pdf . especially set the ports to high bridge priority value , meaning low bridge role and or can not become root bridge in the network :

EN4093R(config)# spanningtree stp <r> bridge priority <0‐65535>

You can search for that command in the document and look for explanations and implications

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

MHM Cisco World · ‎06-15-2022

1beb.0023.04ee.be01 ->> this is not mac this is bridge ID of BPDU
0023.04ee.be01 ->> vPC mac address
1beb ->> is priority + VLAN in your case priority is 0 and VLAN is 3051

NOW we solve Root bridge mac appear in Log.

issue here

both have same vPC mac address and I assume you config peer-switch (or not) under domain and which make worse is you config priority = 0
this make both SW
bridge ID is same and STP is confuse ...
Solution
Root-primary in primary vPC NSK peer
Root-Secondary in Secondary vPC NSK Peer
this config change the priority to be different and STP can detect differs SW bridge ID.
remember for STP always NSK is see as two different SW not one virtual SW.

shlomoi · ‎06-15-2022

Hi thanks for your help.

I check the STP on top of the Lenovo and it appears on some of the ports as priority 128 but on a global level it appears 61440 does that make sense?

MHM Cisco World · ‎06-15-2022

one is bridge priority and other is port priority
bridge priority is use for root elect
port priority is use to elect root port.

the issue is that NSK root bridge is flapping between two NSK peer I don't think that lenovo is issue here.
see my above comment

shlomoi · ‎06-15-2022

Hi thanks for the info.

I have another question about the role priority . Is it necessary to change it to a higher value in the nexus 2, it is not too low between them

?

Nexus-1# show vpc role

vPC Role status
----------------------------------------------------
vPC role : primary
Dual Active Detection Status : 0
vPC system-mac : 00:23:04:ee:be:01
vPC system-priority : 32667
vPC local system-mac : 7c:21:0e:5e:b6:7f
vPC local role-priority : 20
vPC local config role-priority : 20
vPC peer system-mac : 70:61:7b:26:84:e7
vPC peer role-priority : 30
vPC peer config role-priority : 30
Nexus-1#

Nexus-2# show vpc role

vPC Role status
----------------------------------------------------
vPC role : secondary
Dual Active Detection Status : 0
vPC system-mac : 00:23:04:ee:be:01
vPC system-priority : 32667
vPC local system-mac : 70:61:7b:26:84:e7
vPC local role-priority : 30
vPC local config role-priority : 30
vPC peer system-mac : 7c:21:0e:5e:b6:7f
vPC peer role-priority : 20
vPC peer config role-priority : 20
Nexus-2#

Thanks

Nexus-1 %STP-6-ROOT: Root bridge for VLAN3121 changed to 1849.0023.04e