Solved: Removing per-interface bpdufilter on a vPC pair of Nexus 5548

Feds · ‎11-16-2017

Hello everyone,

I have a pair of Nexus 5548 which are vPC peers connecting a few single-homed FEX's (2232 and 2248). Many servers are single- or dual-homed to either FEX or N5k's interfaces and this is a production network.

Per-interface BPDU filter has been configured on the majority of physical and portchannel interfaces and now I have been tasked to remove it, as we have had a broadcast storm already caused by a misconfigured dual-homed server.

I was thinking of enabling BPDU filter at a global level and then removing it interface by interface. However since BPDU filter is checked for vPC consistency (as type 1 for global and perhaps as type 2 when configured per-interface) I need your advice in order to find the less disruptive way to achieve the goal. Unfortunately I don't have a way to lab this up.

Thanks for your input! :)

F.

Mark Malone · ‎11-22-2017

Sorry Fed slow reply been travelling
basically turning off STP like that globally is not recommended , bpdufilter should only be used on ports connected to switches that do not understand bpdu traffic , your disabling stp globally , you could end up looping the network with filter enabled globally its risky
bpduguartd works alongside portfast edge best , bpduguard is safe but again its for access ports only and it will shut down a port it sees an issue on rather than filter which will just allow it to loop , I use bpdugaurd globally in campus switches but bot DC I'm a bit more cautious and enable it manually on all my edge ports

View solution in original post

Mark Malone · ‎11-17-2017

Hi
That should not really have been enabled on a po in 5k setup as can cause loop , just end host , I would take your time and manually remove each one , I would still plan a window to do this production or not , I would not globally enable it , use spanning-tree port type network between switches and just spanning-tree port type edge or spanning-tree port type edge trunk

Be careful when you enter the spanning-tree bpdufilter enable command on specified interfaces. Explicitly configuring BPDU Filtering on a port this is not connected to a host can cause a bridging loop because the port will ignore any BPDU that it receives, and the port moves to the STP forwarding state.

Feds · ‎11-19-2017

Hi Mark, thanks for taking the time to answer, I should have specified that inter-switch links don't have bpdufilter enabled. Only Eth/Po interfaces configured as "spanning-tree port type edge" or "spanning-tree port type edge trunk" have "spanning-tree bpdufilter enable" configured.

Why wouldn't you configure bpdufilter globally? I thought it should have effect on edge or edge trunk ports only. Would you configure BPDU guard globally instead (not configured anywhere ATM)?

Thanks

F

Mark Malone · ‎11-22-2017

Sorry Fed slow reply been travelling
basically turning off STP like that globally is not recommended , bpdufilter should only be used on ports connected to switches that do not understand bpdu traffic , your disabling stp globally , you could end up looping the network with filter enabled globally its risky
bpduguartd works alongside portfast edge best , bpduguard is safe but again its for access ports only and it will shut down a port it sees an issue on rather than filter which will just allow it to loop , I use bpdugaurd globally in campus switches but bot DC I'm a bit more cautious and enable it manually on all my edge ports

Feds · ‎11-22-2017

Thanks Mark, I didn't mention disabling STP though.. I would be crazy to do that! Thanks for the suggestion of enabling BPDU guard per-interface on type edge ports and not globally. The intention is to take advantage of portfast but also protect the network from wrongly configured dual-homed servers or patching mistakes.