PVST+ Rapid Spanning Tree Convergence Issue

jfraasch
Level 3

I am having a hard time getting my PVST+ Rapid Spanning Tree to converge in less than 15 or 20 seconds.

 

I am using a Cisco IE-5000 as the root bridge and there are loops and subloops involved so I am not saying this is a simple mesh.

 

The way it goes is:

IE5000A<------------------->IE5000B<----------------------->IE5000C

      |                                              |       |                                                |       |

     \/                                            \/       \/                                              \/      \/

  IE4000A<->IE4000B<->IE4000C        IE4000D<->IE4000E<->IE4000F       IE4000G<->IE4000H---end

 

So you can see the loops.


I just configured normal PVST+ Rapid spanning tree.  The ports between all the switches are trunked.

 

The root is the IE5000A.  I unplug between IE5000A and IE5000B and I lose packets between a laptop plugged into 5000A and 5000C for 20 seconds. And then I plug the fiber back in and I drop packets again for 20 seconds.

 

Is there a standard config I should look at or am I missing something? Do I have to play with timers? I thought Rapid would have 2 seconds failover.

 

James

Accepted Solutions

Hi James,

In addition to the suggestions of other friends here, RSTP absolutely requires you to properly configure edge ports using spanning-tree portfast [ trunk ] command. This is because one of the RSTP mechanisms for fast convergence, the Proposal/Agreement, leads to temporary blocking of links to prevent loops, and the unblocking of the links is based on receiving an Agreement BPDU from the downstream switch. However, non-switching devices, such as PCs, laptops, servers, routers, firewalls etc. do not speak RSTP and cannot send back an Agreement - and so, when the temporary blocking hits a port to such a device, this port needs to go through Discarding -> Learning -> Forwarding sequence that takes 30 seconds by default.

I cannot emphasize this enough: In RSTP, all ports that are connected to "end hosts" (or better said, Layer2-terminating device) must be configured with spanning-tree portfast [ trunk ] command (use trunk if the port is a trunk, such as for ports toward servers with VMs, firewalls, or routers on stick). Otherwise, during topology changes, these ports will be blocked and cause outage for 2x forward_delay seconds.

Best regards,
Peter
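
An added example, not part of Peter's post or any Cisco tooling: a small Python audit for the gap this thread turned out to be, an active access port without portfast. The sample config is a constructed excerpt modelled on the IE5000 config posted in this thread, and host_trunks is a hypothetical operator-supplied list of trunk ports that face a non-switch, since the config alone cannot tell a radio from a switch.

```python
# Constructed excerpt modelled on the IE5000 config in this thread (not the full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/6
 switchport mode access
 shutdown
!
interface GigabitEthernet1/7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/8
 switchport mode access
!
interface GigabitEthernet1/9
 description RADIO
 switchport mode trunk
!
interface GigabitEthernet1/26
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands; a '!' line ends a block."""
    interfaces, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line in ("!", ""):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def ports_missing_portfast(config, host_trunks=()):
    """Return active host-facing ports that lack a matching portfast command."""
    missing = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue
        trunk = "switchport mode trunk" in cmds
        # "portfast" and "portfast edge" both count; a trunk needs the "trunk" keyword.
        pf = [c for c in cmds if c.startswith("spanning-tree portfast")
              and "disable" not in c and (c.endswith(" trunk") or not trunk)]
        # host_trunks is an assumption supplied by the operator, not read from the config.
        needed = name in host_trunks if trunk else "switchport mode access" in cmds
        if needed and not pf:
            missing.append(name)
    return missing
```

Run against a saved running-config from each switch; switch-to-switch trunks are deliberately not flagged, because Proposal/Agreement handles them.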


johnd2310
Level 8

Hi

 

Have you checked that all the switches are running rapid-pvst?  What is the output of "show spanning-tree vlan x" for each switch where vlan x is the vlan the PC is connected to?

 

Thanks

John

 

 

**Please rate posts you find helpful**

Sure thing. Configs of IE5000A and IE4000A are below. All the switches are configured the same. But, good point about double checking that Rapid is enabled on all switches. There are a total of 40...so that design keeps going just a little longer with the backbone loop and subloop.

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MSHFSW02001
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$Z8du$1RW/jsjgQG6Pm5gDMRNjj1
!
username cisco password 7 030752180500
aaa new-model
!
!
aaa group server radius MSH
server name MSHSVRNSS01
server name MSHSVRNSS02
ip radius source-interface Vlan290
!
aaa authentication login userAuthentication group MSH local
aaa authentication dot1x default group MSH
aaa authorization exec userAuthorization group MSH local if-authenticated
aaa authorization exec MSH group MSH
aaa authorization network default group MSH
aaa accounting dot1x default start-stop group MSH
aaa accounting exec default start-stop group MSH
aaa accounting system default start-stop group MSH
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
!
!
!
ip domain-name ASTS-MSH.com
vtp mode transparent
!
!
!
!
!
ptp mode e2etransparent
!
!
crypto pki trustpoint TP-self-signed-3411298176
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3411298176
revocation-check none
rsakeypair TP-self-signed-3411298176
!
!
crypto pki certificate chain TP-self-signed-3411298176
license boot level ipservices
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
alarm profile defaultPort
alarm not-operating
syslog not-operating
notifies not-operating
!
alarm profile MLK
alarm link-fault
relay-major link-fault
!
alarm contact 2 description MLK
alarm contact 2 severity major
alarm relay-mode negative
no alarm facility temperature primary notifies
!
!
vlan internal allocation policy ascending
!
vlan 201,250,260,270,290,301
!
lldp run
!
!
!
!
!
interface GigabitEthernet1/1
description Terminal Server
switchport access vlan 201
switchport mode access
alarm profile MLK
spanning-tree portfast
!
interface GigabitEthernet1/2
description MANAGEMENT
switchport access vlan 270
switchport mode access
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
!
interface GigabitEthernet1/3
description MLK VMISA
switchport access vlan 201
switchport mode access
alarm profile MLK
spanning-tree portfast
!
interface GigabitEthernet1/4
shutdown
!
interface GigabitEthernet1/5
description AXLE COUNTER
switchport access vlan 301
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/6
switchport mode access
shutdown
!
interface GigabitEthernet1/7
description MLK VMISB
switchport access vlan 201
switchport mode access
alarm profile MLK
spanning-tree portfast
!
interface GigabitEthernet1/8
description Management VLAN TEST
switchport access vlan 270
switchport mode access
!
interface GigabitEthernet1/9
description RADIO
switchport trunk native vlan 260
switchport trunk allowed vlan 260
switchport mode trunk
!
interface GigabitEthernet1/10
description ZONE CONTROLLER
switchport access vlan 250
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/11
description ZONE CONTROLLER
switchport access vlan 250
!
interface GigabitEthernet1/12
shutdown
!
interface GigabitEthernet1/13
shutdown
!
interface GigabitEthernet1/14
shutdown
!
interface GigabitEthernet1/15
shutdown
!
interface GigabitEthernet1/16
shutdown
!
interface GigabitEthernet1/17
shutdown
!
interface GigabitEthernet1/18
shutdown
!
interface GigabitEthernet1/19
shutdown
!
interface GigabitEthernet1/20
shutdown
!
interface GigabitEthernet1/21
switchport mode trunk
shutdown
!
interface GigabitEthernet1/22
shutdown
!
interface GigabitEthernet1/23
shutdown
!
interface GigabitEthernet1/24
shutdown
!
interface GigabitEthernet1/25
description To Test Track
!
interface GigabitEthernet1/26
description To OCC
switchport mode trunk
!
interface GigabitEthernet1/27
description To Bywood Trunk
switchport mode trunk
!
interface GigabitEthernet1/28
description to Fairfield Subloop
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan270
description MANAGEMENT
ip address 10.20.14.21 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
snmp-server group admin v3 auth
snmp-server community MSHL RW
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
snmp-server host 10.20.22.23 version 3 auth admin
!
!
radius server MSHSVRNSS01
!
!
!
line con 0
line vty 0 4
password 7 104D000A0618
authorization exec MSH
login authentication userAuthentication
transport input ssh
line vty 5 15
!
ntp server 10.20.22.130
!
end
_____________________________________-

And the IE4000 is
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MSHFSW03001
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$lbiU$K6LyUq1LtCvmLy8O0WYsE.
!
username cisco password 7 104D000A0618
aaa new-model
!
!
aaa group server radius MSH
server name MSHSVRNSS01
server name MSHSVRNSS02
ip radius source-interface Vlan270
!
aaa authentication login userAuthentication group MSH local
aaa authentication dot1x default group MSH
aaa authorization exec userAuthorization group MSH local if-authenticated
aaa authorization exec MSH group MSH
aaa authorization network default group msh
aaa accounting dot1x default start-stop group MSH
aaa accounting exec default start-stop group MSH
aaa accounting system default start-stop group MSH
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
!
!
!
ip domain-name ASTS-MSH.com
vtp mode transparent
!
!
!
!
!
ptp mode e2etransparent
!
!
crypto pki trustpoint TP-self-signed-272986752
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-272986752
revocation-check none
rsakeypair TP-self-signed-272986752
!
!
crypto pki certificate chain TP-self-signed-272986752
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
alarm profile defaultPort
alarm not-operating
syslog not-operating
notifies not-operating
!
alarm profile MLK
alarm link-fault
relay-major link-fault
!
alarm contact 2 description MLK
alarm contact 2 severity major
alarm relay-mode negative
!
!
vlan internal allocation policy ascending
!
vlan 201,260,270,301
!
lldp run
!
!
!
!
!
interface GigabitEthernet1/1
description To Subloop West Yard G1/26
switchport mode trunk
!
interface GigabitEthernet1/2
description To Subloop Walnut G1/1
switchport mode trunk
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface FastEthernet1/5
description Terminal Server
switchport access vlan 201
switchport mode access
alarm profile MLK
spanning-tree portfast edge
!
interface FastEthernet1/6
description Radio
switchport trunk allowed vlan 260
switchport trunk native vlan 260
switchport mode trunk
!
interface FastEthernet1/7
shutdown
!
interface FastEthernet1/8
switchport access vlan 270
switchport mode access
spanning-tree portfast edge
!
interface FastEthernet1/9
description Axle Counter
switchport access vlan 301
switchport mode access
alarm profile MLK
spanning-tree portfast edge
!
interface FastEthernet1/10
shutdown
!
interface FastEthernet1/11
shutdown
!
interface FastEthernet1/12
switchport access vlan 270
switchport mode access
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast edge
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan270
ip address 10.20.14.22 255.255.255.0
no ip route-cache
!
ip default-gateway 10.20.14.254
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
snmp-server group MSH v3 auth
snmp-server group admin v3 auth
snmp-server community MSHL RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps bfd
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps ether-oam
snmp-server enable traps cluster
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rep
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps alarms informational
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.20.22.23 version 3 auth admin
!
!
radius server MSHSVRNSS01
address ipv4 10.20.22.21 auth-port 1645 acct-port 1646
key 7 0812495E1D18544E445B4D
!
radius server MSHSVRNSS02
address ipv4 10.20.22.150 auth-port 1812 acct-port 1813
key 7 0235014B1F075E781A1E48
!
!
banner login CCCWARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED

This is a private network device. Access to this device is

not authorized. Any attempt for unauthorized access will be logged

and appropriate legal action will be taken.
!
line con 0
line vty 0 4
password 7 01100F175804
authorization exec MSH
login authentication userAuthentication
transport input ssh
line vty 5 15
!
ntp server 10.20.22.130
ntp server 10.20.22.15
!
end

I'll get the output of the command tomorrow when I get back to those babies.

Thanks Peter. In this case, I haven't deployed the system yet so literally the only things connected are the fiber ports between all switches and the two laptops in question. Which, I just noticed, is in port 8 of IE5000A. I will change that to portfast.

Peter, that did the trick. I had to enable two new ports since I don't have the Authentication Server up and running. So when I enabled and configured ports G1/8 on the two IE5000s, I only put them in access mode but did not put Portfast on. I just ran the test again and BOOM, no dropped packets. Holy crap my heart was in my stomach all night.

Thanks for the suggestion and quick review! Much appreciated!

James

Francesco Molino
VIP Alumni
Hi

as @johnd2310 said, please check all your switches are configured with rpvst and also share your config/ spanning-tree vlan output.

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question