OSPF issues on ASR920 and C2960L

sjewhurst
Level 1

Hi folks,

Long time reader, first time asker, so let's dive straight in.

We're migrating our core from ME3600X to ASR920. We've two acting as our core and two C2960s hanging off for LAN users. I've configured a couple of BDIs as gateways for our firewalls and "trunked" them (as best you can) across to the second ASR920 and down to the switches. When the Cores are connected via just the TenGigE link, OSPF and LDP come up and adjacencies form, but when I connect the Port-Channel down to the Switches, OSPF and LDP go down. L3 across the point-to-point link works but everything else is only sporadically responding to ping (??? weird..).

If I disconnect the Port-Channel, everything comes back with no issues.

I have a feeling something is looping in L2, or I'm missing something when it comes to the bridge-domain configuration but I'm not used to troubleshooting service-instances. Config as follows:

 

core1 (& core2) 

spanning-tree mode mst
spanning-tree mst configuration
 instance 1 vlan 1-2024
 instance 2 vlan 2025-4094
spanning-tree mst 1 root pri
spanning-tree mst 2 root sec
!
bridge-domain 900
bridge-domain 3850
!
interface bdi 900
 description Core: core1 <-> core2 vlan 900 Routing
 ip address 10.10.10.2 255.255.255.254
 ip ospf 41678 area 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 authme
 ip ospf network point-to-point
 ip ospf hello-interval 3
 ip ospf dead-interval 10
 mpls ip
 bfd interval 250 min_rx 250 multiplier 4
!
interface bdi 3850
 description Core: core1 <-> fw-1 Po1.3850
 vrf forwarding MGMT_VPN
 ip address 172.19.15.242 255.255.255.240
 standby bfd
 standby 1 ip 172.19.15.241
 standby 1 preempt
 ip ospf 100 area 0
 ip ospf hello-interval 3
 ip ospf dead-interval 10
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 authme
!
interface Port-channel 1
 description Port-channel to access1
 service instance 900 ethernet
  encapsulation dot1q 900
  rewrite ingress tag pop 1 symmetric
  bridge-domain 900
 !
 service instance 3850 ethernet
  encapsulation dot1q 3850
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3850
 !
interface GigabitEthernet0/0/10
 description Core: core1 <-> access1
 channel-group 1 mode active
!
interface GigabitEthernet0/0/11
 description Core: core1 <-> access1
 channel-group 1 mode active
!
interface TenGigabitEthernet0/0/24
 description Core: core1 <-> core2 Te0/0/24
 service instance 900 ethernet
  encapsulation dot1q 900
  rewrite ingress tag pop 1 symmetric
  bridge-domain 900
 !
 service instance 3850 ethernet
  encapsulation dot1q 3850
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3850
!
router ospf 100 vrf MGMT_VPN
 router-id 172.19.15.241
 nsf cisco
 passive-interface default
 no passive-interface bdi3850
!
router ospf 200
 nsf cisco
 router-id 10.10.10.2
 max-metric router-lsa on-startup 30
 auto-cost reference-bandwidth 100000
 passive-interface default
 no passive-interface bd900
!

access1 (& access2) 

spanning-tree mode mst
spanning-tree mst configuration
 instance 1 vlan 1-2024
 instance 2 vlan 2025-4094
!
interface GigabitEthernet0/51
description access1 <-> access2 g0/51
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet0/52
description access1 <-> access2 g0/52
switchport mode trunk
channel-group 2 mode active
!
interface Port-channel 1
description Port-channel to core1
switchport mode trunk
switchport trunk allowed vlan 666,900,3850
switchport trunk native vlan 666
!
interface Port-channel 2
description Port-channel to access2
switchport mode trunk
switchport trunk allowed vlan 666,900,3850
switchport trunk native vlan 666
!

Topology

--------------                --------------
|    core1   |----te0/0/24----|    core2   |
--------------    <-OSPF->    --------------
      || Po1      <-HSRP->          ||
      ||                        Po1 ||
--------------                --------------
|   access1  |======Po2=======|   access2  |
--------------                --------------

 Any thoughts on this? Thanks!

 

Accepted Solution

sjewhurst
Level 1

I located the issue while attending site.

It seemed that access2 had not taken the mst configuration and was still running PVST. Given that PVST maps to MST0 it was causing a bunch of issues.

Once I reconfigured spanning-tree, everything came back to life and stabilised, ports began to block.

Giveaway was the output below:

access1-r1-cq2#sh span vlan 900

MST1
  Spanning tree enabled protocol mstp
  Root ID    Priority    24577
             Address     00f8.2c44.bf80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     00f8.2c44.bf80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 10000     128.56   P2p
Po2                 Desg FWD 10000     128.64   P2p Bound(PVST)

vs access2

access2-r2-cq2#sh span vlan 900

VLAN0900
  Spanning tree enabled protocol rstp
  Root ID    Priority    32768
             Address     00f8.2c44.bf80
             Cost        3
             Port        64 (Port-channel2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33668  (priority 32768 sys-id-ext 900)
             Address     00f8.2c77.8780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 3         128.56   P2p
Po2                 Root FWD 3         128.64   P2p Peer(STP)

Even though it says quite clearly rstp, I somehow missed this every time and caught it on the P2p Peer protocol. Lesson in observation for me.

Note also that I moved the MST root off the ASR920 and onto the C2960, as it will be handling the most vlans.
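
The comparison made by eye in the answer above can be automated. The following is an added example, not part of the original post: it parses `show spanning-tree vlan` output per switch and flags a mixed STP mode, ports whose Type carries a `Bound(...)` or `Peer(...)` interop marker, and the absence of any blocked port. The function names and finding labels are assumptions; the sample text is trimmed from the two outputs quoted in the post.

```python
import re

# Trimmed from the two "sh span vlan 900" outputs quoted in the post above.
SAMPLES = {
    "access1": """\
MST1
  Spanning tree enabled protocol mstp
Interface           Role Sts Cost      Prio.Nbr Type
Po1                 Desg FWD 10000     128.56   P2p
Po2                 Desg FWD 10000     128.64   P2p Bound(PVST)
""",
    "access2": """\
VLAN0900
  Spanning tree enabled protocol rstp
Interface           Role Sts Cost      Prio.Nbr Type
Po1                 Desg FWD 3         128.56   P2p
Po2                 Root FWD 3         128.64   P2p Peer(STP)
""",
}

PROTO_RE = re.compile(r"Spanning tree enabled protocol (\S+)")
# Port rows only: the header row fails on the numeric Cost column.
PORT_RE = re.compile(
    r"^(\S+)[ \t]+(\w{4})[ \t]+(\w{3})\*?[ \t]+(\d+)[ \t]+(\d+\.\d+)[ \t]+(.+?)[ \t]*$", re.M)
INTEROP_RE = re.compile(r"(Bound|Peer)\((\w+)\)")

def parse(output):
    """Return (protocol, [(port, role, state, type), ...]) for one switch."""
    proto = PROTO_RE.search(output)
    ports = [(m[1], m[2], m[3], m[6]) for m in PORT_RE.finditer(output)]
    return (proto.group(1) if proto else None), ports

def audit(samples):
    """Return findings (labels are hypothetical) across all switches in one L2 domain."""
    parsed = {host: parse(text) for host, text in samples.items()}
    modes = {host: proto for host, (proto, _) in parsed.items()}
    findings = []
    if len(set(modes.values())) > 1:
        findings.append(("mode-mismatch", modes))
    for host, (_, ports) in parsed.items():
        for port, _role, _state, ptype in ports:
            hit = INTEROP_RE.search(ptype)
            if hit:
                findings.append(("interop-port", host, port, hit.group(0)))
    # Heuristic: in a looped topology at least one port should be blocking.
    blocked = any(st == "BLK" for _, ports in parsed.values() for _, _, st, _ in ports)
    if not blocked:
        findings.append(("no-blocking-port",))
    return findings
```

The no-blocking-port check only means something when the output of every switch in the loop is supplied, cores included.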

5 Replies

Francesco Molino
VIP Alumni

Hi

 

Can you share show spanning-tree vlan 900 and 3850 output from all equipment?

 

Can you shutdown Po1 between Core2 and Access2 and do the same output as before?

 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco,
I should be on-site with the devices later today and I will capture this at that point. However, from my testing last week, I did note that none of the devices adopted a Blocking port state, which I'd expected to see on the Port-channel on one of the 2960s.

One thing has just occurred to me. Under the service-instance I am using:

rewrite ingress tag pop 1 symmetric

This pops the vlan tag on ingress - so surely this would break MST? In my head it puts the packet on the bridge domain, but it essentially has no vlan?

EDIT: For completeness as written here 

  • Layer 2 forwarding is based on the bridge domain ID and the destination MAC address. The frame is forwarded to an EFP if the binding between the bridge domain, destination MAC address, and EFP is known. Otherwise, the frame is flooded to all the EFPs or ports in the bridge domain

Hi

Ok, you found it out yourself, that's why I wanted to get the show spanning-tree output.

Happy that you solved your issue

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question