Cisco Nexus VPC – Spanning-Tree Port Type Trunk Question

Tags: cisco, cisco-nexus, port-channel, switch, vpc

I have a very strange scenario here, which you can see in the diagram.


SW1/2 are Cisco Nexus 3064PQ switches configured in vPC, and those switches are connected to SW3/4 (HP 6120XG) switches in an HP c7000 blade center. I have vpc11 configured to create a multi-chassis EtherChannel.

Following is my configuration for the vPC connected to the c7000:

interface port-channel11
  description *** VPC to c7000-sw3 ***
  switchport mode trunk
  switchport trunk allowed vlan 10-11,20-21,28-31,40,50,100,200
  speed 10000
  vpc 11

Now, can I configure spanning-tree port type edge trunk on the port-channel11 interface? (Is it safe?)

That switch is a leaf switch and is not connected to any other switch; it pretty much acts like a host machine. The reason I want to do that is that whenever I reboot that switch it generates a spanning-tree change, and that causes a small amount of flooding in the network. I want to do some testing, and I will possibly reboot that switch a couple of times.

Best Answer

SW3 is a switch. By first principle, portfast [trunk] or port type edge [trunk] should not be enabled on ports that connect to switches, lest you risk loops if that other switch connects to some other upstream switch.

There are exceptions to this rule, but they require solid knowledge and understanding by the network admin.

Usually, deployments of edge ports combine portfast [trunk] and bpduguard, and in that case SW3's BPDUs would put Port-Channel11 into err-disabled state.

Remember that even with full VPC deployments, it is recommended to keep Spanning-Tree running in the background as a safety net, to help if things go wrong. Setting portfast on an inter-switch link (or adding bpdufilter, see below) makes this safety net weaker.

So, if you are willing to take some risk, and work with diligence, you may enable portfast or port type edge [trunk] on a switch port that connects to another switch.

Please make sure that

  • you are absolutely certain that this other switch has no other connectivity elsewhere
  • there is only one and exactly one logical path towards the other switch (in extenso: one switchport or one port-channel)

With Multi Chassis LAG setups, this might be tricky to achieve.

In your case, on the Cisco VPC pair, you must make sure that the member interfaces of the port-channel downwards towards SW3 never come up as individual or non-bundled ports.

Forcing LACP mode active together with lacp suspend-individual should accomplish this. Note: Nexus 5500s have this as the default with NX-OS >7.2.1, as does the Nexus 3164Q (and probably many 9300s). You'll have to check with your 3064. If that 3064 can't do lacp suspend-individual, stop right there.

It's definitely not a setup for the faint-hearted. Be certain to include in documentation that SW3 must NEVER be uplinked to any other switch than this VPC pair, as long as this setup prevails.

interface port-channel11
  ... 
  lacp suspend-individual            <--- THAT ONE IS _VERY_ IMPORTANT
  spanning-tree port-type edge trunk
  ...
  vpc 11

interface e1/x
  ...
  channel-group 11 mode active

Additionally, you may want to add some protection against SW3 interfering with the spanning-tree instances of the upstream switches, by adding

interface port-channel11
  ... 
  spanning-tree guard root
  ...


interface e1/x
  ...
  spanning-tree guard root

Or even this:

interface port-channel11
  ... 
  spanning-tree bpdufilter enable
  ...

interface e1/x
  ...
  spanning-tree bpdufilter enable
  ...

Sideline question: Does that HP switch in that Chassis run MST, while the 3064 and its upstreams run Rapid-PVST? If different STP protocols, did you consider the interoperability issues?
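The answer above turns into a checklist that can be audited: every port-channel carrying `spanning-tree port-type edge trunk` should also carry `lacp suspend-individual` and `spanning-tree guard root`, and every member port should be bundled with `channel-group N mode active`. The following script is an added example (not from the question or answer) that parses a constructed sample of NX-OS running-config and reports which safeguards each edge-trunk port-channel is missing; the sample interface names and the finding strings are assumptions.

```python
import re

# Constructed sample NX-OS running-config (not the question's device): port-channel11
# is hardened as the answer describes, port-channel12 is edge trunk without safeguards.
SAMPLE_CONFIG = """\
interface port-channel11
  lacp suspend-individual
  spanning-tree port-type edge trunk
  spanning-tree guard root
  vpc 11
interface port-channel12
  spanning-tree port-type edge trunk
  vpc 12
interface Ethernet1/1
  channel-group 11 mode active
interface Ethernet1/2
  channel-group 12 mode on
"""

def parse_interfaces(config):
    # Return {interface name: [indented config lines]} for each 'interface' stanza.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith("  "):
            interfaces[current].append(line.strip())
    return interfaces

def audit_edge_trunk_port_channels(config):
    # For every port-channel set to 'port-type edge trunk', list which safeguards are
    # missing: lacp suspend-individual, root guard, and LACP active on every member.
    intfs = parse_interfaces(config)
    members = {}  # channel-group number -> [(member interface, channel-group mode)]
    for name, lines in intfs.items():
        for cfg in lines:
            m = re.match(r"channel-group (\d+)(?: mode (\S+))?", cfg)
            if m:
                members.setdefault(m.group(1), []).append((name, m.group(2) or "on"))
    findings = {}
    for name, lines in intfs.items():
        m = re.match(r"port-channel(\d+)$", name, re.I)
        if not m or "spanning-tree port-type edge trunk" not in lines:
            continue
        required = ("lacp suspend-individual", "spanning-tree guard root")
        issues = [f"missing '{s}'" for s in required if s not in lines]
        issues += [f"{mbr} uses channel-group mode {mode}, not active"
                   for mbr, mode in members.get(m.group(1), []) if mode != "active"]
        findings[name] = issues  # empty list means all safeguards present
    return findings
```

Feed it the output of `show running-config all` rather than plain `show running-config`, so that commands left at their platform default (such as `lacp suspend-individual` where it is the default) are present in the text being audited.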
