02-02-2018 08:46 AM - edited 03-08-2019 01:41 PM
Hi folks,
Long time reader, first time asker, so let's dive straight in.
We're migrating our core from ME3600X to ASR920. We've two acting as our core and two C2960s hanging off for LAN users. I've configured a couple of BDIs as gateways for our firewalls and "trunked" them (as best you can) across to the second ASR920 and down to the switches. When the Cores are connected via just the TenGigE link, OSPF and LDP come up and adjacencies form, but when I connect the Port-Channel down to the Switches, OSPF and LDP go down. L3 across the point-to-point link works but everything else is only sporadically responding to ping (??? weird..).
If I disconnect the Port-Channel, everything comes back with no issues.
I have a feeling something is looping in L2, or I'm missing something when it comes to the bridge-domain configuration but I'm not used to troubleshooting service-instances. Config as follows:
core1 (& core2)
spanning-tree mode mst
spanning-tree mst configuration
 instance 1 vlan 1-2024
 instance 2 vlan 2025-4094
spanning-tree mst 1 root pri
spanning-tree mst 2 root sec
!
bridge-domain 900
bridge-domain 3850
!
interface bdi 900
 description Core: core1 <-> core2 vlan 900 Routing
 ip address 10.10.10.2 255.255.255.254
 ip ospf 41678 area 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 authme
 ip ospf network point-to-point
 ip ospf hello-interval 3
 ip ospf dead-interval 10
 mpls ip
 bfd interval 250 min_rx 250 multiplier 4
!
interface bdi 3850
 description Core: core1 <-> fw-1 Po1.3850
 vrf forwarding MGMT_VPN
 ip address 172.19.15.242 255.255.255.240
 standby bfd
 standby 1 ip 172.19.15.241
 standby 1 preempt
 ip ospf 100 area 0
 ip ospf hello-interval 3
 ip ospf dead-interval 10
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 authme
!
interface Port-channel 1
 description Port-channel to access1
 service instance 900 ethernet
  encapsulation dot1q 900
  rewrite ingress tag pop 1 symmetric
  bridge-domain 900
 !
 service instance 3850 ethernet
  encapsulation dot1q 3850
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3850
!
interface GigabitEthernet0/0/10
 description Core: core1 <-> access1
 channel-group 1 mode active
!
interface GigabitEthernet0/0/11
 description Core: core1 <-> access1
 channel-group 1 mode active
!
interface TenGigabitEthernet0/0/24
 description Core: core1 <-> core2 Te0/0/24
 service instance 900 ethernet
  encapsulation dot1q 900
  rewrite ingress tag pop 1 symmetric
  bridge-domain 900
 !
 service instance 3850 ethernet
  encapsulation dot1q 3850
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3850
!
router ospf 100 vrf MGMT_VPN
 router-id 172.19.15.241
 nsf cisco
 passive-interface default
 no passive-interface bdi3850
!
router ospf 200
 nsf cisco
 router-id 10.10.10.2
 max-metric router-lsa on-startup 30
 auto-cost reference-bandwidth 100000
 passive-interface default
 no passive-interface bd900
!
access1 (& access2)
spanning-tree mode mst
spanning-tree mst configuration
 instance 1 vlan 1-2024
 instance 2 vlan 2025-4094
!
interface GigabitEthernet0/51
 description access1 <-> access2 g0/51
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet0/52
 description access1 <-> access2 g0/52
 switchport mode trunk
 channel-group 2 mode active
!
interface Port-channel 1
 description Port-channel to core1
 switchport mode trunk
 switchport trunk allowed vlan 666,900,3850
 switchport trunk native vlan 666
!
interface Port-channel 2
 description Port-channel to access2
 switchport mode trunk
 switchport trunk allowed vlan 666,900,3850
 switchport trunk native vlan 666
!
Topology
--------------                --------------
|   core1    |----te0/0/24---|   core2    |
--------------    <-OSPF->    --------------
      || Po1      <-HSRP->          ||
      ||                        Po1 ||
--------------                --------------
|  access1   | =====Po2======|  access2   |
--------------                --------------
Any thoughts on this? Thanks!
02-05-2018 04:48 AM
I located the issue while attending site.
It seemed that access2 had not taken the mst configuration and was still running PVST. Given that PVST maps to MST0 it was causing a bunch of issues.
Once I reconfigured spanning-tree, everything came back to life and stabilised, ports began to block.
Giveaway was the output below:
access1-r1-cq2#sh span vlan 900
MST1
  Spanning tree enabled protocol mstp
  Root ID    Priority    24577
             Address     00f8.2c44.bf80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     00f8.2c44.bf80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 10000     128.56   P2p
Po2                 Desg FWD 10000     128.64   P2p Bound(PVST)
vs access2
access2-r2-cq2#sh span vlan 900
VLAN0900
  Spanning tree enabled protocol rstp
  Root ID    Priority    32768
             Address     00f8.2c44.bf80
             Cost        3
             Port        64 (Port-channel2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    33668  (priority 32768 sys-id-ext 900)
             Address     00f8.2c77.8780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 3         128.56   P2p
Po2                 Root FWD 3         128.64   P2p Peer(STP)
Even though it says quite clearly rstp, I somehow missed this every time and caught it on the P2p Peer protocol. Lesson in observation for me.
Note also that I moved the MST root off the ASR920 and onto the C2960, as it will be handling the most vlans.
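Added example, not part of the original post: a Python check that reads `show spanning-tree vlan` output collected from several switches and reports mixed STP modes and ports whose Type column carries a Bound(...) or Peer(...) marker, the two signs visible in the outputs above. The sample text is abbreviated from those outputs, and the function names are illustrative.

```python
import re

# Constructed sample: abbreviated from the outputs quoted in this thread.
ACCESS1 = """\
MST1
  Spanning tree enabled protocol mstp
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----------------
Po1                 Desg FWD 10000     128.56   P2p
Po2                 Desg FWD 10000     128.64   P2p Bound(PVST)
"""
ACCESS2 = """\
VLAN0900
  Spanning tree enabled protocol rstp
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----------------
Po1                 Desg FWD 3         128.56   P2p
Po2                 Root FWD 3         128.64   P2p Peer(STP)
"""

PROTO = re.compile(r"Spanning tree enabled protocol (\S+)")
# Port rows only: name, role, state, numeric cost, prio.nbr, then the Type text.
PORT = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\d+\s+\d+\.\d+\s+(.+)$", re.M)
BOUNDARY = re.compile(r"(?:Bound|Peer)\(\w+\)")

def parse(output):
    """Return the STP mode and the ports whose Type marks a foreign-protocol neighbour."""
    m = PROTO.search(output)
    boundary = {}
    for name, ptype in PORT.findall(output):
        hit = BOUNDARY.search(ptype)
        if hit:
            boundary[name] = hit.group(0)
    return {"mode": m.group(1) if m else None, "boundary": boundary}

def audit(outputs):
    """outputs: {hostname: show-spanning-tree text}. Returns a list of findings."""
    parsed = {host: parse(text) for host, text in outputs.items()}
    findings = []
    if len({p["mode"] for p in parsed.values()}) > 1:
        detail = ", ".join(f"{h}={p['mode']}" for h, p in sorted(parsed.items()))
        findings.append(f"mixed STP modes: {detail}")
    for host, p in sorted(parsed.items()):
        for port, marker in sorted(p["boundary"].items()):
            findings.append(f"{host} {port}: {marker}")
    return findings

print("\n".join(audit({"access1": ACCESS1, "access2": ACCESS2})))
```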
02-04-2018 04:33 PM
Hi
Can you share show spanning-tree vlan 900 and 3850 output from all equipment?
Can you shutdown Po1 between Core2 and Access2 and do the same output as before?
Thanks
02-05-2018 01:17 AM
02-05-2018 01:38 AM - edited 02-05-2018 04:51 AM
One thing has just occurred to me. Under the service-instance I am using:
rewrite ingress tag pop 1 symmetric
This pops the vlan tag on ingress - so surely this would break MST? In my head it puts the packet on the bridge domain, but it essentially has no vlan?
EDIT: For completeness as written here
Layer 2 forwarding is based on the bridge domain ID and the destination MAC address. The frame is forwarded to an EFP if the binding between the bridge domain, destination MAC address, and EFP is known. Otherwise, the frame is flooded to all the EFPs or ports in the bridge domain
02-05-2018 04:55 AM