Bridge Assurance – Bridge Assurance with vPC on Port Type Network

ieee-802.1axspanning treevpc

I'm running two Nexus 3048 switches as network core and I got an issue when linking another switch (specifically a 2960-X) on the vPC links. Consider the scenario:

+-------+   +-------+ 
| NX #1 |===| NX #2 |
+-------+   +-------+
       |     |
      +-------+
      | 2960X |
      +-------+

On the 2960X there's a Port-Channel configured in active mode. When setting the interfaces on nexus as: spanning-tree port type network, Bridge Assurance comes in action and blocks the ports.

At this moment I'm running it on "normal type" so it won't disable the links.

I've read something over the web that I can't use spanning-tree port type network but I don't know if my mind is playing on me or if it's exactly the case. If yes, why I can't do this? Network ports shouldn't be used for inter switch connections?

Thanks,

Additional Configurations for the exemplify the issue:

NX #1

interface port-channel9
  description Downlink TCC6-1
  switchport mode trunk
  switchport trunk native vlan 256
  switchport trunk allowed vlan 146,172,256,666
  spanning-tree port type normal
  spanning-tree guard root
  vpc 9

interface Ethernet1/9
  description Downlink TCC6-1 #1
  switchport mode trunk
  switchport trunk native vlan 256
  switchport trunk allowed vlan 146,172,256,666
  channel-group 9 mode active
  no shutdown

NX #2

interface port-channel9
  description Downlink TCC6-1
  switchport mode trunk
  switchport trunk native vlan 256
  switchport trunk allowed vlan 146,172,256,666
  spanning-tree port type normal
  spanning-tree guard root
  vpc 9

interface Ethernet1/9
  description Downlink TCC6-1 #2
  switchport mode trunk
  switchport trunk native vlan 256
  switchport trunk allowed vlan 146,172,256,666
  channel-group 9 mode active
  no shutdown

2960-X

interface Port-channel1
 description Uplink Core-CC
 switchport trunk native vlan 256
 switchport trunk allowed vlan 146,172,256,666
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
end

interface GigabitEthernet1/0/47
 description Uplink Core-CC (Port Channel Interface #1)
 switchport trunk native vlan 256
 switchport trunk allowed vlan 146,172,256,666
 switchport mode trunk
 ip arp inspection trust
 channel-group 1 mode active
 ip dhcp snooping trust
end

interface GigabitEthernet1/0/48
 description Uplink Core-CC (Port Channel Interface #2)
 switchport trunk native vlan 256
 switchport trunk allowed vlan 146,172,256,666
 switchport mode trunk
 ip arp inspection trust
 channel-group 1 mode active
 ip dhcp snooping trust
end

Best Answer

Spanning-tree port type network activates bridge assurance on the link. Since the 2960X doesn't support bridge assurance, you can't run this link as port type network. Just run it in normal mode. About the only place you want to run port type network is on the vPC peer-link where it is enabled by default.

From the best practices design guide:

Bridge Assurance is enabled by default when configuring vPC peer-link. Do not disable it on vPC peer-link
It is not necessary to enable Bridge Assurance on vPC (Bridge Assurance is enabled when the vPC member port is defined as spanning-tree port type network)
Configure vPC member port as spanning-tree port type normal (so not using Bridge Assurance on the link)

Related Solutions

Cisco 2960 – Portfast Ports Generating Spanning Tree TCN

This post is older in age so I'm not sure if you are still experiencing this problem. I would like to see the documentation you are referring too regarding the portfast trunk command. The portfast trunk configuration should be applied to hosts that you are trunking with, for example an ESX host or a Load Balancer. For switch to switch, this configuration should not be there.

There is a lot of information I would need to see to better understand the topology and what spanning-tree mode you are running in (PVST+, RPVST+ or MST). I suspect from what I've read you are running PVST+. I would like to first start with the output of show spanning-tree vlan x detail and a snippet of this TCN you are seeing. I would also like to see show run | i spanning.

I suspect you may have a port(s) that is flapping and the TCN message should lead us directly to the culprit.

So you have a VoIP phone plugged into a switchport that is configured switchport access vlan and computers/hosts plugged into other switchports with switchport access vlan ? Yeah you know you can set it up for switchport voice vlan. However being setup without the switchport voice vlan, I do not see this being an issue with TCN's.

TCN's are generated when a port transitions from one state to another assuming you are not changing the priority values.

Cisco Stacks – Resolving RSTP Blocking on Uplink Ports

First of all you may want to remove the unnecessary spanning-tree configuration on your secondary uplink. STP calculates the cost metric based on the link speed. Your 100Mbit/sec CU uplink has a default cost of 19 and your primary 1Gbit/sec SM Fibre uplink got a cost of 4, so no need to set it manually.

You may also remove the "access vlan configuration" since your trunk configuration with native vlan 666 will be preferred. Also change your allowed vlan configuration to match the primary link. I do not know which vlans you actually use, but inconsistency may become a big pain in case your primary link fails.

 interface GigabitEthernet2/0/28
 description "downlink trunk BldgB 100M-Backup"
 switchport access vlan 666              -> unnecessary
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport trunk allowed vlan 2-99,101-109,111-4094
 switchport mode trunk
 switchport nonegotiate
 shutdown
 speed 100
 duplex full
 spanning-tree vlan 99 port-priority 128 -> unnecessary
 spanning-tree vlan 99 cost 50           -> unnecessary
end

An interesting counter from Gi1/0/28 (Site A) are the input errors on the interface. Might be a layer 1 issue but since you do not have any crc errors and the realibility is 255/255 it may be due to repluging cables.

Since there are no obvious configuration issues I would recommand re-enabling the port and posting the output of:

Site A:

show spanning-tree interface gi1/0/28
show spanning-tree detail

Site B:

show spanning-tree interface gi2/0/1
show spanning-tree detail

Last but not least could you provide the following information:

Which IOS release are you running on the stacks?
Does your Service Provider provide transparent L2 services (BPDUs received on both sides? ... you may check if CDP packets are received on both sites via show cdp neighbors)

Best Answer

Related Solutions

Cisco 2960 – Portfast Ports Generating Spanning Tree TCN

Cisco Stacks – Resolving RSTP Blocking on Uplink Ports

Related Topic