
Spanning-tree Configuration

TOM FRANCHINA
Level 1

We have a core 6509 router and 3750 edge switches. We are getting this error on the 3750 occasionally:

%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel2 on VLAN0007

%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Port-channel2 on VLAN0007

In researching the problem I have seen where the modes should be the same for the core as with the user switches. Here is the show spanning-tree summary for each unit:

6509

Switch is in pvst mode

Root bridge for: none

EtherChannel misconfig guard  is enabled

Extended system ID                is disabled

Portfast Default                       is disabled

PortFast BPDU Guard Default  is disabled

Portfast BPDU Filter Default     is disabled

Loopguard Default                   is disabled

UplinkFast                             is disabled

BackboneFast                        is disabled

Pathcost method used is short

3750

Switch is in rapid-pvst mode

Root bridge for: none

Extended system ID               is enabled

Portfast Default                      is disabled

PortFast BPDU Guard Default is enabled

Portfast BPDU Filter Default    is disabled

Loopguard Default                  is enabled

EtherChannel misconfig guard is enabled

UplinkFast                             is disabled

Stack port is StackPort1

BackboneFast                        is disabled

Configured Pathcost method used is short

Should both be configured in Rapid-pvst mode or Pvst mode? Or is this configuration standard practice?

Also, none of the interfaces are showing any errors.

Thanks,

Tom

3750 interface information

Wilson-Place-3750#sho ether sum

Flags:  D - down        P - bundled in port-channel

        I - stand-alone s - suspended

        H - Hot-standby (LACP only)

        R - Layer3      S - Layer2

        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met

        u - unsuitable for bundling

        w - waiting to be aggregated

        d - default port

Number of channel-groups in use: 1

Number of aggregators:           1

Group  Port-channel  Protocol    Ports

------+-------------+-----------+-----------------------------------------------

1      Po1(SU)         PAgP      Gi1/0/1(D)  Gi1/0/2(D)  Gi1/0/3(P)

                                 Gi1/0/4(P)

Wilson-Place-3750#sho int g1/0/3

GigabitEthernet1/0/3 is up, line protocol is up (connected)

  Hardware is Gigabit Ethernet, address is 0015.63a2.4f9b (bia 0015.63a2.4f9b)

  Description: 2gig to ComputerRoom EtherRing

  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive not set

  Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseLX SFP

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:10, output 00:00:05, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 2501000 bits/sec, 590 packets/sec

  5 minute output rate 743000 bits/sec, 328 packets/sec

     23881154622 packets input, 16929727578445 bytes, 0 no buffer

     Received 3270318983 broadcasts (678904938 multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 678904938 multicast, 0 pause input

     0 input packets with dribble condition detected

     10826680035 packets output, 2681933801461 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

Wilson-Place-3750#sho int g1/0/4

GigabitEthernet1/0/4 is up, line protocol is up (connected)

  Hardware is Gigabit Ethernet, address is 0015.63a2.4f9c (bia 0015.63a2.4f9c)

  Description: 2gig to ComputerRoom EtherRing

  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive not set

  Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseLX SFP

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:03, output 00:00:02, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 5274000 bits/sec, 1055 packets/sec

  5 minute output rate 112000 bits/sec, 97 packets/sec

     29122557370 packets input, 17278392802072 bytes, 0 no buffer

     Received 6242458330 broadcasts (2459628072 multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 2459628072 multicast, 0 pause input

     0 input packets with dribble condition detected

     5143594908 packets output, 825795046511 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

Wilson-Place-3750#

16 Replies

Hello,

In an ideal situation - yes, both switches should be in RSTP - however as it stands the 3750 will currently be working in pvst mode for the interconnects to the 6500 - I would advise changing the stp mode of the 6500 at this time as you will cause outage to your lan. - there is a very good CCO document explaining STP migration from pvst to rstp (at this time I don't have that URL to give you but it's easily obtainable).

The loopguard feature is for protection against inconsistent ports - i.e. transitioning from a blocking state to a forwarding state because of unseen BPDUs on the block port. This in turn can create a unidirectional connection between these two switches' interconnects, thus putting both ports into a forwarding state for a potential loop to establish.

I would check what switch is the stp root - it should be your central switch of the estate (usually the core switch).

Also I believe STP treats etherchannel as one port, so I would start investigating the physical connections of the etherchannels and your other interconnects to switches for errors.

As far as I am aware, if any ports go down inside the etherchannel I think this affects the port cost of the port-channel itself (need to verify this, or maybe someone else can?).

sh etherchannel summary - this is showing 2 of the 4 ports in a down state - is this correct?
sh spanning-tree summary
sh spanning-tree root
sh int xxx status

Note: The above post is in relation to 12.4T ios not NX-OS

res
Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

Thanks very much for the detailed reply. I am planning to get all the spanning-tree modes on RSTP as you suggested.

The interfaces that are down on P1 are supposed to be down.

All the interfaces that I have looked at show no errors including the ones that are associated with Port Channels.

We are still getting this error on 2 switches:

%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel1 on VLAN0008

On the 6509 I have this Spanning-tree command:

spanning-tree vlan 1,3-7,9-21,23-26,28-30,32,36,51-52,55,64,71,77 priority 8192

If I add vlan 8 I know it will solve the problem... but why is it just this switch that is getting the error, and why on only this VLAN 8? If it was hardware wouldn't it be on all VLANs?

Hello

can you do on both switches:

sh span vlan 7
sh span vlan 8

Tell me what the root switch is for each vlan.

res
paul


Hi,

I don't think there is enough info posted. However, from what I can tell from what has been posted...

Presumably the etherchannel is a trunk between two switches and they aren't the only switches in the STP domain? If that is the case it would be weird for only one VLAN to be blocked. There are several things that can cause it. The first I would check is trunk symmetry. By that I mean, is the trunk configuration on each side identical? In particular, is the allowed VLAN command identical?

If VLAN 7 is permitted in one direction and not the other, then you might find BPDU take too long to traverse the network and time out when the link is congested. You may have created a ring topology of sorts.

Also, look for pruned VLANs. If VLAN 7 is constantly being pruned on a switch you may get this error. Do you always have an active port in VLAN 7 on both switches?

Just a thought, might not be the above, but worth checking.

3750 Switch with errors:

------------------------------------------

VLAN0007

  Spanning tree enabled protocol rstp

  Root ID    Priority    8192

             Address     001b.0dc7.dc07

             Cost        3

             Port        488 (Port-channel1)

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32775  (priority 32768 sys-id-ext 7)

             Address     0015.63a2.4f80

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Po1                 Root FWD 3         128.488  P2p Peer(STP)

VLAN0008

  Spanning tree enabled protocol rstp

  Root ID    Priority    32768

             Address     0007.8569.5b46

             Cost        23

             Port        488 (Port-channel1)

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32776  (priority 32768 sys-id-ext 8)

             Address     0015.63a2.4f80

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Po1                 Root FWD 3         128.488  P2p Peer(STP)

6509

WMH_6509#  sho span vlan 7

VLAN0007

  Spanning tree enabled protocol ieee

  Root ID    Priority    8192

             Address     001b.0dc7.dc07

             This bridge is the root

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8192

             Address     001b.0dc7.dc07

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Gi2/13              Desg FWD 4         128.141  P2p

Gi2/16              Desg FWD 4         128.144  P2p

Gi2/17              Desg FWD 4         128.145  P2p

Gi2/18              Desg FWD 4         128.146  P2p

Gi2/20              Desg FWD 4         128.148  P2p

Gi2/22              Desg FWD 4         128.150  P2p

Gi2/24              Desg FWD 4         128.152  P2p

Po3                 Desg FWD 3         128.1667 P2p

Po4                 Desg FWD 4         128.1668 P2p

Po5                 Desg FWD 3         128.1669 P2p

Po6                 Desg FWD 3         128.1670 P2p

Po401               Desg FWD 3         128.1671 P2p Edge

Po402               Desg FWD 3         128.1672 P2p Edge

Po417               Desg FWD 2         128.1673 P2p Edge

VLAN0008

  Spanning tree enabled protocol ieee

  Root ID    Priority    32768

             Address     0007.8569.5b46

             Cost        20

             Port        148 (GigabitEthernet2/20)

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768

             Address     001b.0dc7.dc08

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Gi2/13              Desg FWD 4         128.141  P2p

Gi2/16              Desg FWD 4         128.144  P2p

Gi2/17              Desg FWD 4         128.145  P2p

Gi2/18              Desg FWD 4         128.146  P2p

Gi2/20              Root FWD 4         128.148  P2p

Gi2/22              Desg FWD 4         128.150  P2p

Gi2/24              Desg FWD 4         128.152  P2p

Po3                 Desg FWD 3         128.1667 P2p

Po4                 Desg FWD 4         128.1668 P2p

Po5                 Desg FWD 3         128.1669 P2p

Po6                 Desg FWD 3         128.1670 P2p

Po401               Desg FWD 3         128.1671 P2p Edge

Po402               Desg FWD 3         128.1672 P2p Edge

Po417               Desg FWD 2         128.1673 P2p Edge

Hello Tom

Is there a reason why the 6500 is stp root for only specific vlans?
Vlan 8 isn't one of these meaning another switch is primary root for this vlan

gig2/20 on the 6500 is a root port for vlan 8 attached to that other switch ---- (Gi2/20 Root FWD 4 128.148 P2p)

I think this is the reason why, when you add vlan 8 to your stp config on the 6500 to be root switch, your error is resolved and the above port will become a designated port.


Paul
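
An added example, not part of the thread and not a Cisco tool: the root check worked through above, run over saved `show spanning-tree vlan` output from the core switch. The function names and the trimmed sample are constructed for illustration; the values in the sample are copied from the 6509 output posted earlier.

```python
import re

# Constructed sample: trimmed `show spanning-tree vlan 7` / `vlan 8` output,
# with values copied from the 6509 output posted in this thread.
SAMPLE_CORE = """\
VLAN0007
  Root ID    Priority    8192
             Address     001b.0dc7.dc07
             This bridge is the root
  Bridge ID  Priority    8192
             Address     001b.0dc7.dc07
VLAN0008
  Root ID    Priority    32768
             Address     0007.8569.5b46
             Port        148 (GigabitEthernet2/20)
  Bridge ID  Priority    32768
             Address     001b.0dc7.dc08
"""

DEFAULT_PRIORITY = 32768  # priority of a bridge nobody configured as root

def parse_root_info(text):
    """Map VLAN id -> root/bridge details from `show spanning-tree vlan` text."""
    vlans, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"VLAN(\d{4})", line)
        if m:
            cur = vlans.setdefault(int(m.group(1)), {"is_root": False, "root_port": None})
            section = None
            continue
        if line.startswith(("Root ID", "Bridge ID")):
            section = line.split()[0].lower()  # "root" or "bridge"
        if cur is None or section is None:
            continue
        if m := re.search(r"Priority\s+(\d+)", line):
            cur[section + "_priority"] = int(m.group(1))
        elif m := re.search(r"Address\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", line):
            cur[section + "_address"] = m.group(1)
        elif line == "This bridge is the root":
            cur["is_root"] = True
        elif m := re.fullmatch(r"Port\s+\d+\s+\((.+)\)", line):
            cur["root_port"] = m.group(1)
    return vlans

def audit_core(text):
    """Return (vlan, root MAC, root port, root_at_default_priority) per VLAN
    where the switch that produced `text` is not the root bridge."""
    findings = []
    for vlan, info in sorted(parse_root_info(text).items()):
        if not info["is_root"]:
            # Extended system ID adds the VLAN number to the priority; strip it.
            base = info["root_priority"] - info["root_priority"] % 4096
            findings.append((vlan, info["root_address"], info["root_port"], base == DEFAULT_PRIORITY))
    return findings

if __name__ == "__main__":
    for finding in audit_core(SAMPLE_CORE):
        print(finding)
```

A `True` in the last field means the root for that VLAN sits at the default priority, so it was not deliberately configured as root.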

Paul,

It was suggested to us by a local Cisco engineer to add the vlans. It is a pain to remember to add them as we create a new vlan. Is there a simpler way or a global command to make the 6500 the stp root?

Alex,

We are trunking all the 3750 and 6500s using the following commands:

6509

interface GigabitEthernet2/13

description Fiber from NewCompCenterStack

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

3750

interface GigabitEthernet1/0/2

switchport trunk encapsulation dot1q

switchport mode trunk

Guys,

BTW.... we tested changing the spanning-tree mode in our test lab and found that when we had everything set to

spanning-tree mode rapid-pvst the spanning-tree re-learn improved significantly. From 45 sec to less than 5 secs.

This is a hospital network and that is a meaningful improvement. Are there any drawbacks to running in rapid mode?

Thanks All Very Much

Broken-Arrow
Level 1

The main difference is rapid immediately transitions into the forwarding state. This can rapidly improve convergence as you say, but can create temporary switching loops, though I have never experienced the latter. I assume critical systems are connected, so you have to weigh up the risks. Personally, I would stick with rapid. Do some testing if you have the opportunity.

Hello Tom

Stp primary core
Spanning-tree vlan 1-4096 priority 0

Stp secondary core
Spanning-tree vlan 1-4096 priority 4096

Or you could split this so half is on primary switch and the other is on the secondary switch


Drawbacks with RSTP - none I can think of. As long as the edge ports and interlink are configured correctly, convergence is fast and only non-designated ports are affected during synchronisation.

https://supportforums.cisco.com/message/3931662#3931662

Res
Paul



If you are going to use rapid, consider using loop guard and bpdu filter on your edge ports.

Also, you might want to edit the above config to use the priority root primary and secondary respectively. That way they will maintain appropriate status despite a switch with a lower priority joining the domain.

Hello Broken Arrow

I disagree with bpdufilter.

Applied globally, it will trigger the port to stop using portfast and bpdu filtering will stop on that port.

Applied on the interface, bpdu filtering will occur irrespective of portfast enabled or not - basically it's the same as disabling stp on the port, and can result in stp loops.

Also using the stp root macro -this is only valid when first applied to the switch after that if another switch comes on line with the same command that will become root

I would prefer to manually apply the stp root with priorities and also use the guard root command to secure my primary / secondary's stp root switches

Res
Paul



Thanks again for the wealth of information. Here are typical configs for edge ports:

3750x with VOiP

interface GigabitEthernet1/0/1

switchport trunk encapsulation dot1q

switchport trunk native vlan 29

switchport trunk allowed vlan 29,209

switchport mode trunk

power inline port 2x-mode

srr-queue bandwidth share 1 30 35 5

queue-set 2

priority-queue out

mls qos trust cos

auto qos trust

spanning-tree portfast

spanning-tree bpduguard enable

3750 no VOIP

interface GigabitEthernet1/0/2

switchport access vlan 12

switchport mode access

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

spanning-tree portfast

spanning-tree bpduguard enable

Paul... do you think we are protecting ourselves from loops and spanning-tree issues with these configurations?

Thanks again

Tom

Hello Tom

looks good to me,

Do you have errdisable recovery enabled? If not, I would suggest applying this also.

errdisable recovery cause bpduguard

errdisable recovery cause psecure-violation ( for the port-security violation)

errdisable recovery interval 150

sh errdisable detect

sh errdisable recovery | in En

res

Paul
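
An added example, not from the thread: a check over a saved running-config for the edge-port points discussed above (portfast paired with BPDU guard, per-interface BPDU filter, errdisable recovery for bpduguard). The function names are hypothetical and the sample config is constructed; Gi1/0/3 and Gi1/0/4 are invented ports that show the failing cases.

```python
# Constructed running-config excerpt. The first two stanzas follow the edge-port
# configs posted in this thread (most lines omitted); Gi1/0/3 and Gi1/0/4 are
# hypothetical ports added to show the failing cases.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
errdisable recovery cause bpduguard
"""

def parse_config(text):
    """Split IOS config text into (global lines, {interface: [lines]})."""
    global_lines, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            cur = ifaces.setdefault(raw.split()[1], [])
        elif raw[0].isspace() and cur is not None:
            cur.append(line)          # indented line inside an interface stanza
        else:
            cur = None                # back at global configuration level
            global_lines.append(line)
    return global_lines, ifaces

def audit_edge_ports(text):
    """Return (where, finding) tuples for the STP edge-port checks."""
    global_lines, ifaces = parse_config(text)
    # A global BPDU guard default covers every portfast port on the switch.
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in ifaces.items():
        guarded = guard_default or "spanning-tree bpduguard enable" in lines
        if "spanning-tree bpdufilter enable" in lines:
            findings.append((name, "per-interface bpdufilter"))
        if "spanning-tree portfast" in lines and not guarded:
            findings.append((name, "portfast without bpduguard"))
    if "errdisable recovery cause bpduguard" not in global_lines:
        findings.append(("global", "no errdisable recovery for bpduguard"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_edge_ports(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```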