STP Topology change causes network outage

accountsdieIT · ‎08-02-2021

Hello community,

we see a complete network outage für about 15s when MSTP Topology change occours. It`s a small network with two core switches, 2960 (copper) and 3850 (fibre), connected to each other with Port-channel. No aggregation switches, fifteen access switches (2960) are connected directly to both core switches, one uplink with copper, on with fibre.

We upgraded all of our switches last week to 15.2(7)E4 (2960) and 16.12.05b (3850). After rebooting a switch, network flaps about 5s. After shutdown and enable a spanning-tree enabled port with a connected device (for example an AP), network flaps about 15s when port goes into forwarding mode. Root bridge is receiving a TC from that port/switch.

It seems CPU of core Switch 3850 is on 100% during recalculation but why? Any other idea?

Spanning-Tree

Core switch 3850:

MST0 is executing the mstp compatible Spanning Tree protocol
Bridge Identifier has priority 4096, sysid 0, address 00b0.e137.8900
Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 60 last change occurred 2d10h ago
from TenGigabitEthernet1/0/8
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0

Core Switch 2960:

MST0 is executing the mstp compatible Spanning Tree protocol
Bridge Identifier has priority 28672, sysid 0, address d42c.44bf.8500
Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
Current root has priority 4096, address 00b0.e137.8900
Root port is 456 (Port-channel1), cost of root path is 0
Topology change flag not set, detected flag not set
Number of topology changes 104 last change occurred 2d10h ago
from Port-channel1
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0

Access Switches 2960:

MST0 is executing the mstp compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 0, address d42c.444b.4780
Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
Current root has priority 4096, address 00b0.e137.8900
Root port is 49 (GigabitEthernet1/0/49), cost of root path is 0
Topology change flag not set, detected flag not set
Number of topology changes 50 last change occurred 2d10h ago
from GigabitEthernet1/0/49
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0

Logs Core 3850:

Jul 29 08:13:53.392: Deleting spanning tree port: Gi1/0/2 (B721200)

Jul 29 08:13:55.314: %LINK-5-CHANGED: Interface GigabitEthernet1/0/2, changed state to administratively down

Jul 29 08:13:56.314: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down

Jul 29 08:13:57.992: %SYS-5-CONFIG_I: Configured from console by dieit on vty5 (10.98.10.40)

Jul 29 08:13:58.460: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to down

Jul 29 08:13:58.541: Created spanning tree port Gi1/0/2 (B721200) for tree MST0 (DC1A698)

Jul 29 08:13:58.544: Enabling spanning tree port: GigabitEthernet1/0/2 (B721200)

Jul 29 08:14:00.466: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up

Jul 29 08:14:01.466: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up

Jul 29 08:14:28.555: STP[0]: Generating TC trap for port GigabitEthernet1/0/2

Jul 29 08:14:46.895: %RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.

Jul 29 08:14:46.912: %RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked alive.

Port configs:

Access-Port:

interface GigabitEthernet1/0/36
switchport access vlan 240
switchport mode access
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
authentication control-direction in
authentication event fail action authorize vlan 240
authentication event server dead action authorize vlan 199
authentication event server alive action reinitialize
authentication order mab dot1x
authentication port-control auto
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout server-timeout 15
dot1x timeout tx-period 5
dot1x timeout supp-timeout 15
dot1x max-req 1
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input XXXXXX

Uplink Trunk-Port (fibre):

interface GigabitEthernet1/0/49
switchport mode trunk
mls qos trust dscp
spanning-tree cost 3

Uplink Trunk-Port (copper):

interface GigabitEthernet1/0/50
switchport mode trunk
mls qos trust dscp

balaji.bandi · ‎08-02-2021

You need to make small network digram for us to understand, is this cause due to loop or due to convergency ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

accountsdieIT · ‎08-02-2021

Here ist the diagram. we dont`t know the cause thanks

balaji.bandi · ‎08-02-2021

Have you setup your Core switch as Root for all the VLAN ?

Also check root gaurd features to protect.

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

accountsdieIT · ‎08-02-2021

Yes, all VLANs mapped to MST0

I can`t find any log entry that the root bridge changed.

Any other idea? thanks

XXX#sh spanning-tree mst detail

##### MST0 vlans mapped: 1-4094
Bridge address 00b0.e137.8900 priority 4096 (4096 sysid 0)
Root this switch for the CIST
Operational hello time 2 , forward delay 15, max age 20, txholdcount 6
Configured hello time 2 , forward delay 15, max age 20, max hops 20