10-04-2011 10:25 AM - edited 03-07-2019 02:36 AM
We have a fairly standard RPVST+ spanning tree topology over a number of Catalyst switches (3560 and 2960 mainly). We have some behaviour that we consider strange on only one VLAN. All VLANs have the same root apart from two (504 & 505). These connect a pair of ports on two switches that are not directly connected (switches 32 & 45 on this diagram):
We have set switch 45 to be the root of these VLANs:
Switch_45#show span root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0503         25079 0019.xxxx.8400         8    2   20  15  Gi0/24
VLAN0504         25080 001b.yyyy.c600         0    2   20  15
VLAN0505         25080 001b.yyyy.c600        65    2   20  15  Gi0/23
The switch identifies itself as the root but the VLANs do not appear the same way: VLAN 505 has a root port and a root cost of 65. I would expect no root port and a root cost of zero (as per VLAN 504).
Switch_45#show span vlan 504-505
VLAN0504
Spanning tree enabled protocol rstp
Root ID Priority 25080
Address 001b.yyyy.c600
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 25080 (priority 24576 sys-id-ext 504)
Address 001b.yyyy.c600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/13 Desg FWD 19 128.13 P2p
Gi0/22 Desg FWD 4 128.22 P2p
Gi0/23 Desg FWD 4 128.23 P2p
Gi0/24 Desg FWD 4 128.24 P2p
VLAN0505
Spanning tree enabled protocol rstp
Root ID Priority 25080
Address 001b.yyyy.c600
Cost 65
Port 23 (GigabitEthernet0/23)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 25081 (priority 24576 sys-id-ext 505)
Address 001b.yyyy.c600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/15 Desg FWD 19 128.15 P2p
Gi0/22 Desg FWD 4 128.22 P2p
Gi0/23 Root FWD 4 128.23 P2p
Gi0/24 Altn BLK 4 128.24 P2p
In this output again the switch is identified as the root for VLAN 504 ("This switch is the root") but not for VLAN 505 (the MAC address of itself is listed instead). In addition, a port is blocked on VLAN 505 which is not the desired behaviour.
Can anyone comment on this outcome? We are running software version 12.2(52)SE.
Daniel
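A script that checks this kind of output automatically is an easy thing to keep around. The following is an added example written for this thread (not code from the original posts or from Cisco): it parses a "show spanning-tree root" table and, for every VLAN in which the root address is this switch's own MAC, flags a non-zero root cost, a root port, or a root priority that does not equal the configured priority plus the VLAN number (the sys-id-ext value shown in "show spanning-tree vlan"). The sample table is constructed from the Switch_45 output above with the same masked addresses; the per-VLAN configured priorities are passed in as an assumed mapping.

```python
"""Consistency checks on Cisco 'show spanning-tree root' output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Switch_45 table from the thread (addresses masked as posted).
SAMPLE_SHOW_ROOT = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0503         25079 0019.xxxx.8400         8    2   20  15  Gi0/24
VLAN0504         25080 001b.yyyy.c600         0    2   20  15
VLAN0505         25080 001b.yyyy.c600        65    2   20  15  Gi0/23
"""

# One data row: VLAN, root priority, root address, root cost, hello, max age,
# forward delay and an optional root port (absent on the root bridge itself).
ROW = re.compile(
    r"^(VLAN(\d{4}))\s+(\d+)\s+(\S+\.\S+\.\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+(?:\s+(\S+))?\s*$"
)


@dataclass
class RootRow:
    vlan: str
    vlan_id: int
    root_priority: int
    root_address: str
    root_cost: int
    root_port: Optional[str]


def parse_show_root(text: str) -> List[RootRow]:
    """Return the VLAN rows of a 'show spanning-tree root' table; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(RootRow(m.group(1), int(m.group(2)), int(m.group(3)),
                                m.group(4).lower(), int(m.group(5)), m.group(6)))
    return rows


def check_root_consistency(text: str, local_address: str,
                           configured_priority: Dict[int, int],
                           default_priority: int = 32768) -> Dict[str, List[str]]:
    """Flag VLANs where this switch's MAC is the root ID but the row does not look like a root.

    configured_priority maps VLAN id -> 'spanning-tree vlan X priority' value (assumed input);
    with extend system-id the bridge ID priority is that value plus the VLAN id.
    """
    findings: Dict[str, List[str]] = {}
    for row in parse_show_root(text):
        if row.root_address != local_address.lower():
            continue  # some other bridge is root for this VLAN; nothing to check here
        problems = []
        if row.root_cost != 0:
            problems.append(f"root cost {row.root_cost} (expected 0 on the root bridge)")
        if row.root_port:
            problems.append(f"root port {row.root_port} (the root bridge has none)")
        expected = configured_priority.get(row.vlan_id, default_priority) + row.vlan_id
        if row.root_priority != expected:
            # Recover the sys-id-ext carried in the advertised root ID: it names the
            # VLAN whose BPDUs this VLAN is actually receiving.
            base = (row.root_priority // 4096) * 4096
            problems.append(
                f"root priority {row.root_priority} is this bridge's ID for VLAN "
                f"{row.root_priority - base}, not {expected}")
        if problems:
            findings[row.vlan] = problems
    return findings


if __name__ == "__main__":
    result = check_root_consistency(SAMPLE_SHOW_ROOT, "001b.yyyy.c600", {504: 24576, 505: 24576})
    for vlan, problems in result.items():
        print(vlan)
        for p in problems:
            print("  -", p)
```

On the posted table this reports only VLAN0505, with three problems: the cost of 65, the root port Gi0/23, and a root priority of 25080, which is 24576 + 504 rather than the 25081 that VLAN 505's own bridge ID carries. That last point is the useful one: the root ID VLAN 505 is converging on is this switch's bridge ID for VLAN 504, so VLAN 505 is receiving BPDUs that were sent into VLAN 504.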
10-04-2011 11:08 AM
Hi,
Your first output clearly demonstrates what the second does, that is that this switch is not the root for VLANs 505 and 503.
How did you set the root bridge?
Can you post output of sh run | begin spann
Regards.
Alain.
10-04-2011 11:35 AM
I set the root bridge by altering the priority of switch 45 as follows:
sh run | begin spann
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree vlan 504-505 priority 24576
No other bridge has a priority setting for these VLANs.
Output from a neighbouring switch:
VLAN0503 25079 0019.xxxx.8400 16 2 20 15 Gi0/1
VLAN0504 25080 001b.yyyy.c600 23 2 20 15 Fa0/24
VLAN0505 25080 001b.yyyy.c600 42 2 20 15 Fa0/15
10-04-2011 11:43 AM
Vlan 505 is reporting gi0/23 as the way to the root bridge. Can you post "sh spanning-tree vlan 505" from switch 35 and switch 32 ?
Jon
10-04-2011 12:19 PM
Certainly:
Switch_32#sh spanning-tree vlan 505
VLAN0505
Spanning tree enabled protocol rstp
Root ID Priority 25080
Address 001b.yyyy.c600
Cost 42
Port 17 (FastEthernet0/15)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33273 (priority 32768 sys-id-ext 505)
Address 0019.3232.6780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.1 P2p
Fa0/15 Root FWD 19 128.17 P2p
Fa0/24 Desg FWD 19 128.26 P2p
Switch_35#sh spanning-tree vlan 505
VLAN0505
Spanning tree enabled protocol rstp
Root ID Priority 25080
Address 001b.yyyy.c600
Cost 61
Port 23 (GigabitEthernet0/23)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33273 (priority 32768 sys-id-ext 505)
Address 001b.3535.5f00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/23 Root FWD 19 128.23 P2p
Gi0/24 Desg FWD 4 128.24 P2p
10-04-2011 12:23 PM
Okay, switch 32 is reporting fa0/15 as the root port, which is not covered in your diagram. Can you keep tracing the links to the switch that actually thinks it is the root bridge, i.e. the one that doesn't include a port in the root bridge output from the "sh spanning-tree vlan 505" command.
Jon
10-04-2011 12:36 PM
Port fa0/15 on switch 32 is an edge port that contains one of the end stations using the VLAN (the other one is on switch 45). Config of this port is:
interface FastEthernet0/15
switchport access vlan 505
switchport mode access
speed auto 100
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust cos
auto qos voip trust
storm-control broadcast level 50.00 35.00
storm-control multicast level 2.00 1.00
no cdp enable
10-04-2011 12:38 PM
Perhaps our client has a STP-capable switch on this port? I will investigate.
Daniel
10-04-2011 01:32 PM
Yes, we are receiving BPDUs from a foreign system on this port. I guess that is leading to the unexpected behaviour.
Thank you everyone for their very helpful contributions.
Daniel
10-05-2011 10:39 AM
It turns out that our two ports have been bridged by our client in the following way:
The BPDUs we are seeing on the ports are coming from ourselves.
I am rather horrified that this is happening and I am rather surprised that something terrible has not occurred as a result. Can anyone explain why there are no bad effects from this setup? Is it because our two ports are access ports on different VLANs?
10-05-2011 10:52 AM
Basically yes, you got a bit lucky.
If the customer is not meant to be attaching switches to these ports you should at a minimum enable BPDU Guard on these ports.
Jon
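A quick way to find ports in this state across a fleet is to audit the running-config rather than the interfaces one by one. The following is an added example written for this thread (not code from the original posts or from Cisco): it walks the interface blocks of an IOS running-config and lists every access port that has neither "spanning-tree bpduguard enable" on the interface nor PortFast together with the global "spanning-tree portfast bpduguard default". The sample config is constructed from the Fa0/15 interface posted above plus an assumed protected port and an assumed trunk for contrast.

```python
"""Find access ports without BPDU Guard in a Cisco IOS running-config (added example)."""
from typing import Dict, List

# Constructed sample: Fa0/15 as posted in the thread (QoS lines trimmed), plus an
# assumed protected access port and an assumed trunk port.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 504-505 priority 24576
!
interface FastEthernet0/15
 switchport access vlan 505
 switchport mode access
 speed auto 100
 storm-control broadcast level 50.00 35.00
 storm-control multicast level 2.00 1.00
 no cdp enable
!
interface FastEthernet0/16
 switchport access vlan 505
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

GLOBAL_BPDUGUARD_DEFAULT = "spanning-tree portfast bpduguard default"
INTERFACE_BPDUGUARD = "spanning-tree bpduguard enable"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' name to its indented sub-commands (stripped)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return blocks


def access_ports_without_bpduguard(config: str) -> List[str]:
    """Return access-mode interfaces on which a received BPDU would not err-disable the port."""
    global_default = any(line.strip() == GLOBAL_BPDUGUARD_DEFAULT
                         for line in config.splitlines())
    unprotected = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        if INTERFACE_BPDUGUARD in lines:
            continue
        # The global default only applies to PortFast ports ('spanning-tree portfast'
        # and, on newer IOS, 'spanning-tree portfast edge' both start this way).
        if global_default and any(line.startswith("spanning-tree portfast") for line in lines):
            continue
        unprotected.append(name)
    return unprotected


if __name__ == "__main__":
    for port in access_ports_without_bpduguard(SAMPLE_CONFIG):
        print("no BPDU Guard:", port)
```

Feed it the output of "show running-config" from each switch; on the sample it reports only FastEthernet0/15. The check is deliberately conservative: a port that relies on the global default but is not configured as PortFast is still listed, because the default does not apply to it.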
10-05-2011 10:56 AM
Hi bridgepartners,
I would recommend Layer 2 hardening on the network to prevent this kind of issue from happening in the future. Try using STP Toolbox. It's highly recommended. I'm attaching a JPEG to help you out in the placement of each feature.
Hope this Helps,
//Elyinn.-
11-06-2011 02:35 AM
The loop would occur if someone sends a packet to an unknown IP address or MAC address for VLAN 505 or 504.
Each VLAN will try to send lookup to all the ports in the respective VLAN 504 or 505 (and the loop starts, since VLAN 504 will flood to all ports including VLAN 505 and vice versa)