Re: Problem with spanning tree on one VLAN only

bridgepartners · ‎10-04-2011

We have a fairly standard RPVST+ spanning tree topology over a number of Catalyst switches (3560 and 2960 mainly). We have some behaviour that we consider strange on only one VLAN. All VLANs have the same root apart from two (504 & 505). These connect a pair of ports on two switches that are not directly connected (switches 32 & 45 on this diagram):

We have set switch 45 to be the the root of these VLANs

Switch_45#show span root

Root Hello Max Fwd

Vlan Root ID Cost Time Age Dly Root Port

---------------- -------------------- --------- ----- --- --- ------------

VLAN0503 25079 0019.xxxx.8400 8 2 20 15 Gi0/24

VLAN0504 25080 001b.yyyy.c600 0 2 20 15

VLAN0505 25080 001b.yyyy.c600 65 2 20 15 Gi0/23

The switch identifies itself as the root but the VLANs do not appear the same way: VLAN 505 has a root port and a root cost of 65. I would expect no root port and a root cost of zero (as per VLAN 504).

Switch_45#show span vlan 504-505

VLAN0504

Spanning tree enabled protocol rstp

Root ID Priority 25080

Address 001b.yyyy.c600

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 25080 (priority 24576 sys-id-ext 504)

Address 001b.yyyy.c600

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Gi0/13 Desg FWD 19 128.13 P2p

Gi0/22 Desg FWD 4 128.22 P2p

Gi0/23 Desg FWD 4 128.23 P2p

Gi0/24 Desg FWD 4 128.24 P2p

VLAN0505

Spanning tree enabled protocol rstp

Root ID Priority 25080

Address 001b.yyyy.c600

Cost 65

Port 23 (GigabitEthernet0/23)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 25081 (priority 24576 sys-id-ext 505)

Address 001b.yyyy.c600

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Gi0/15 Desg FWD 19 128.15 P2p

Gi0/22 Desg FWD 4 128.22 P2p

Gi0/23 Root FWD 4 128.23 P2p

Gi0/24 Altn BLK 4 128.24 P2p

In this output again the switch is identified as the root for VLAN 504 ("This switch is the root") but not for VLAN 505 (the MAC address of itself is listed instead). In addition, a port is blocked on VLAN 505 which is not the desired behaviour.

Can anyone comment on this outcome? We are running software version 12.2(52)SE .

Daniel

cadet alain · ‎10-04-2011

Hi,

your first output clearly demonstrates what the second does, that is that this switch is not the root for vlan 505 and 503.

How did you set the root bridge?

Can you post output of sh run | begin spann

Regards.

Alain.

Don't forget to rate helpful posts.

bridgepartners · ‎10-04-2011

I set the root bridge by altering the priority of switch 45 as follows:

sh run | begin spann

spanning-tree mode rapid-pvst

spanning-tree logging

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

spanning-tree vlan 504-505 priority 24576

No other bridge has a priority setting for these VLANs.

Output from a neighbouring switch:

VLAN0503 25079 0019.xxxx.8400 16 2 20 15 Gi0/1

VLAN0504 25080 001b.yyyy.c600 23 2 20 15 Fa0/24

VLAN0505 25080 001b.yyyy.c600 42 2 20 15 Fa0/15

Jon Marshall · ‎10-04-2011

Vlan 505 is reporting gi0/23 as the way to the root bridge. Can you post "sh spanning-tree vlan 505" from switch 35 and switch 32 ?

Jon

bridgepartners · ‎10-04-2011

Certainly:

Switch_32#sh spanning-tree vlan 505

VLAN0505

Spanning tree enabled protocol rstp

Root ID Priority 25080

Address 001b.yyyy.c600

Cost 42

Port 17 (FastEthernet0/15)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33273 (priority 32768 sys-id-ext 505)

Address 0019.3232.6780

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Gi0/1 Desg FWD 4 128.1 P2p

Fa0/15 Root FWD 19 128.17 P2p

Fa0/24 Desg FWD 19 128.26 P2p

Switch_35#sh spanning-tree vlan 505

VLAN0505

Spanning tree enabled protocol rstp

Root ID Priority 25080

Address 001b.yyyy.c600

Cost 61

Port 23 (GigabitEthernet0/23)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33273 (priority 32768 sys-id-ext 505)

Address 001b.3535.5f00

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Gi0/23 Root FWD 19 128.23 P2p

Gi0/24 Desg FWD 4 128.24 P2p

Jon Marshall · ‎10-04-2011

Okay switch 32 is reporting fa0/15 as the root port which is not covered in your diagram. Can you keep tracing the links to the switch that actually thinks it is the root bridge ie. the one that doesn't include a port in the root bridge output from the "sh spanning-tree vlan 505" command.

Jon

bridgepartners · ‎10-04-2011

Port fa0/15 on switch 32 is an edge port that contains one of the end stations using the VLAN (the other one is on switch 45). Config of this port is:

interface FastEthernet0/15

switchport access vlan 505

switchport mode access

speed auto 100

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

mls qos trust cos

auto qos voip trust

storm-control broadcast level 50.00 35.00

storm-control multicast level 2.00 1.00

no cdp enable

bridgepartners · ‎10-04-2011

Perhaps our client has a STP-capable switch on this port? I will investigate.

Daniel

bridgepartners · ‎10-04-2011

Yes, we are receiving BPDUs from a foreign system on this port. I guess that is leading to the unexpected behaviour.

Thank you everyone for their very helpful contributions.

Daniel

bridgepartners · ‎10-05-2011

It turns out the our two ports have been bridged by our client in the following way:

The BBDUs we are seeing on the ports are coming from ourselves.

I am rather horrified that this is happening and I am rather surprised that something terrible has not occurred as a result. Can anyone explain why there are not bad effect from this setup? Is it because our two ports are access ports on different VLANs?

Jon Marshall · ‎10-05-2011

Basically yes, you got a bit lucky.

If the customer is not meant to attaching switches to these ports you should at a minimum enable BPDUGuard on these ports.

Jon

esomarriba · ‎10-05-2011

Hi bridgepartners,

I would recommend Layer 2 hardening on the network to prevent this kind of issues from happening in the future. Try using STP Toolbox. It's highly recommended. I'm attaching a JPEG to help you out in the placement of each feature.

Hope this Helps,

//Elyinn.-

Mohammed Khair Khomakho · ‎11-06-2011

The loop would occure if someone sends a packet to an unknown IP address or MAC address for VLAN 505 or 504.

Each VLAN will try to send lookup to all the ports in the respective VLAN 504 or 505 (and the loop starts, since VLAN 504 will flood to all ports including VLAN 505 and vice versa)

Mohammed Khair Khomakho CCIE Routing and Switching #26682