11-16-2017 10:25 PM - edited 03-08-2019 12:46 PM
Hello everyone,
I have a pair of Nexus 5548 which are vPC peers connecting a few single-homed FEXes (2232 and 2248). Many servers are single- or dual-homed to either FEX or N5k's interfaces and this is a production network.
Per-interface BPDU filter has been configured on the majority of physical and portchannel interfaces and now I have been tasked to remove it, as we have had a broadcast storm already caused by a misconfigured dual-homed server.
I was thinking of enabling BPDU filter at a global level and then removing it interface by interface. However, since BPDU filter is checked for vPC consistency (as type 1 for global and perhaps as type 2 when configured per-interface), I need your advice in order to find the least disruptive way to achieve the goal. Unfortunately I don't have a way to lab this up.
Thanks for your input! :)
F.
Accepted Solutions
11-22-2017 01:31 AM
Basically, turning off STP like that globally is not recommended. bpdufilter should only be used on ports connected to switches that do not understand BPDU traffic. You're disabling STP globally, and you could end up looping the network. With filter enabled globally, it's risky.
bpduguard works best alongside portfast edge. bpduguard is safe, but again it's for access ports only, and it will shut down a port it sees an issue on, rather than filter, which will just allow it to loop. I use bpduguard globally in campus switches, but in the DC I'm a bit more cautious and enable it manually on all my edge ports.
11-17-2017 01:18 AM
That should not really have been enabled on a Po in a 5k setup, as it can cause a loop; just end hosts. I would take your time and manually remove each one. I would still plan a window to do this, production or not. I would not globally enable it. Use spanning-tree port type network between switches, and just spanning-tree port type edge or spanning-tree port type edge trunk.
Be careful when you enter the spanning-tree bpdufilter enable command on specified interfaces. Explicitly configuring BPDU Filtering on a port that is not connected to a host can cause a bridging loop because the port will ignore any BPDU that it receives, and the port moves to the STP forwarding state.
11-19-2017 05:40 PM
Hi Mark, thanks for taking the time to answer, I should have specified that inter-switch links don't have bpdufilter enabled. Only Eth/Po interfaces configured as "spanning-tree port type edge" or "spanning-tree port type edge trunk" have "spanning-tree bpdufilter enable" configured.
Why wouldn't you configure bpdufilter globally? I thought it should have effect on edge or edge trunk ports only. Would you configure BPDU guard globally instead (not configured anywhere ATM)?
Thanks
F
11-22-2017 08:35 PM
Thanks Mark, I didn't mention disabling STP though.. I would be crazy to do that! Thanks for the suggestion of enabling BPDU guard per-interface on type edge ports and not globally. The intention is to take advantage of portfast but also protect the network from wrongly configured dual-homed servers or patching mistakes.
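One way to inventory where per-interface BPDU filter is set before removing it port by port, as the thread discusses. This is an added example, not code from any poster: the running-config text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in NX-OS running-config style (not taken from the thread).
SAMPLE_CONFIG = """\
interface port-channel10
  spanning-tree port type network
interface port-channel101
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpdufilter enable
interface Ethernet1/5
  switchport access vlan 20
  spanning-tree port type edge
  spanning-tree bpdufilter enable
  spanning-tree bpduguard enable
interface Ethernet1/7
  switchport mode trunk
  spanning-tree bpdufilter enable
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines under it]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith((" ", "\t")) and current is not None:
            current.append(line.strip())
        else:
            current = None  # an unindented global line ends the stanza
    return interfaces

def audit_bpdufilter(config):
    """List interfaces with per-port BPDU filter, their port type and guard state."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "spanning-tree bpdufilter enable" not in lines:
            continue
        port_type = next((l.split("port type ", 1)[1] for l in lines
                          if l.startswith("spanning-tree port type ")), "default")
        findings.append({"interface": name, "port_type": port_type,
                         "edge": port_type.startswith("edge"),  # False = review first
                         "bpduguard": "spanning-tree bpduguard enable" in lines})
    return findings

if __name__ == "__main__":
    for finding in audit_bpdufilter(SAMPLE_CONFIG):
        print(finding)
```

Entries with `edge` set to False are ports where the filter sits on something not declared as a host port, so they are the ones to check before the change window.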
