Nexus Spanning-tree

shendrickson
Level 1

In a Nexus environment while using vPC connections, what benefits does spanning-tree Bridge Assurance provide? Does anyone have this feature turned on? We had a situation where our 5K uplink went into a blocking/broken mode (BRK*) after an upgrade. Come to find out, this feature was turned on at the 7K's Po but not at the 5K's. Once the feature was enabled on all devices, the uplinks went back into forwarding. I was initially under the impression that Nexus vPCs did not need spanning tree, but that spanning-tree still ran in the background.

2 Replies

blulofs
Cisco Employee

It comes down to how STP should be configured in the event the vPC config is no longer working. STP is indeed running in the background with vPC. It is not making packet route decisions when vPC is running in normal operation, but STP does take on path/route decisions if the vPC configuration comes down (switch out of service, or peer link brought down) to assure you don't have loops.

Best Practice - Do not use BA on vPC member ports (i.e. the interfaces that belong to the vPC port channels). It is more likely to create problems than benefits: blocking that you do not want on the links if vPC fails. However, use it on the vPC peer links between two vPC peer switches. If you are using vPC, the recommendation is not to use BA except on the vPC peer link.

How can Bridge Assurance create problems when vPC is not active?

Bridge Assurance is a global command, and BA is ON by default. BUT all STP ports are configured as type "normal" by default, essentially nullifying BA. BA is only activated on STP ports configured as "network". End result: BA is turned on by default but will not be activated unless your port is defined as a network port.

For BA to work, both ends have to have BA configured, and both must be configured as STP "network" ports. Otherwise, BA will go into blocking mode due to inconsistent config between point-to-point links. We know that when in STP mode we want the STP config to be predictable, which is why many define the STP root and the secondary root specifically.

An added measure of predictability can be used to prevent unwanted changes to the STP topology: "spanning-tree port type network default" can be configured in order to provide added protection against rogue devices being plugged in and changing the spanning tree topology. Unless devices are Bridge Assurance capable devices AND have their ports configured as network ports, the connections to the rogue devices will not come up.

To be predictive, it is recommended to configure vPC member ports (port channel interfaces) with the command "spanning-tree port type normal". This is due to the possibility of Bridge Assurance disabling ports at the access layer when a failure of the STP root occurs. Since they are not configured as "network" ports, BA is deactivated.

STP Recommendations with vPC configured networks are listed below:

Global configuration: spanning-tree port type network default

vPC peer-link: spanning-tree port type network

vPC connections to access switches: spanning-tree port type normal, and spanning-tree guard root

Access switch connected to 7K in vPC: spanning-tree port type normal

Host-facing ports: spanning-tree port type edge

Regards,

Bill Lulofs

Cisco Data Center CSE
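Added example, not from the post above or from Cisco documentation: an NX-OS configuration sketch that applies the recommendations listed in the reply to a pair of 7K vPC peers and one 5K access switch, with the checks that expose the kind of mismatch described in the question. Interface names, VLAN numbers, vPC numbers and priorities are assumptions.

```text
! ---- Nexus 7K vPC peer (configure both peers the same way) ----
spanning-tree port type network default      ! BA active on every port not overridden below
spanning-tree vlan 1-100 priority 4096       ! explicit root; use 8192 on the secondary peer

interface port-channel10
  description vPC peer-link
  switchport mode trunk
  vpc peer-link
  spanning-tree port type network            ! BA wanted here; both peers must agree
                                             ! (NX-OS normally sets this itself on a peer-link)

interface port-channel20
  description vPC member port toward 5K access switch
  switchport mode trunk
  vpc 20
  spanning-tree port type normal             ! no BA on vPC member ports
  spanning-tree guard root                   ! access side must never become root

! ---- Nexus 5K access switch (uplink into the 7K vPC) ----
interface port-channel20
  description uplink to 7K vPC 20
  switchport mode trunk
  spanning-tree port type normal             ! must match the 7K side; a "network" end
                                             ! facing a "normal" end is the BA-inconsistent
                                             ! (BRK*) state seen in the question

interface Ethernet1/1
  switchport mode access
  switchport access vlan 10
  spanning-tree port type edge               ! host-facing port, no BA

! ---- Verification on each switch ----
show spanning-tree summary                   ! confirms Bridge Assurance is enabled globally
show spanning-tree inconsistentports         ! lists any port held in an inconsistent state
```

After an upgrade, running the two show commands on both ends of every vPC link is the quickest way to find a port type mismatch before it turns into a blocked uplink.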

- Great post.

M.
