June 29th, 2015 11:00

Bpdufilter / bpduguard

Hi!

We're having a mixed switch environment and the core consists of three stacked Dell 62xx switches.

We used to have a Cisco switch that has now been replaced by the third stacked 6248 switch.

The Cisco switch had the following configuration on the port that connected the switch to our ISP:

switchport access vlan 3
switchport mode access
spanning-tree portfast 
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
---
We moved the internet access to the Dell switch with the following config
Global:
spanning-tree portfast bpdufilter default
spanning-tree bpdu-protection
spanning-tree mode mstp
The Port: 
spanning-tree auto-portfast
switchport access vlan 3
Which ended in a disaster, since the ISP is clearly sending out a lot of spanning-tree info it probably shouldn't have sent to us (many topology changes happened after the moving of this connection).
From what I've read, it looks like the "spanning-tree tcnguard" could have saved us here. What's the recommended configuration for this ISP port, which we don't want to be able to participate in our spanning-tree environment?

274.2K Posts

June 29th, 2015 13:00

You are correct, tcnguard would be the way to go.

# spanning-tree tcnguard

Prevent a port from propagating topology change notifications.

You could also use:

# spanning-tree portfast bpdufilter default

Discards BPDUs received on spanning-tree ports in portfast mode.

BPDU Protection actually disables a port in case a new switch tries to enter the already existing topology of STP. This keeps switches not originally part of an STP from influencing the STP topology.

If set to Enable, when a BPDU is received on an edge port, that port is disabled. Once the port has been disabled it requires manual intervention to be re-enabled.

7 Posts

July 9th, 2015 01:00

Thanks.

I did try now to enable the tcnguard, though that didn't seem to solve my issues.

Logging shows:

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4320 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4321 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4322 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 0

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[124133088]: traputil.c(611) 4323 %% Spanning Tree Topology Change: 0, Unit: 1

<189> JUL 06 17:13:28 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4324 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 1

<189> JUL 06 17:13:28 172.16.6.50-1 TRAPMGR[124133088]: traputil.c(611) 4325 %% Spanning Tree Topology Change: 1, Unit: 1

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4326 %% Link Down: 3/0/13

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4327 %% Link on 3/0/13 is failed

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4328 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4329 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

<189> JUL 06 17:16:23 172.16.6.50-1 TRAPMGR[124133088]: traputil.c(611) 4330 %% Spanning Tree Topology Change: 0, Unit: 1

<189> JUL 06 17:16:58 172.16.6.50-1 TRAPMGR[104051104]: traputil.c(611) 4331 %% Multiple Users: Unit: 0 Slot: 5 Port: 1

Since this port is our internet connection it's a little tricky to test and change often, given that it should work close to 24/7.

Though trying to enter the portfast bpdufilter I get an error:

companysw-dell01(config-if-3/g13)#spanning-tree portfast bpdufilter default

                                                    ^

% Invalid input detected at '^' marker.

Though we've enabled this rule globally. The global config is:

spanning-tree portfast bpdufilter default

spanning-tree bpdu-protection

spanning-tree mode mstp

spanning-tree priority 0

Any more good suggestions? (Other than calling the ISP and telling them to stop sending out spanning-tree packets?)
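A small detection script, added here and not part of the thread, that parses the Dell TRAPMGR trap lines in the format posted above and counts STP state transitions, topology changes and link events per port, so a flapping edge port can be spotted from syslog before it takes the core down. The sample lines are copied from the log posted above; the flap threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample: a few TRAPMGR lines, verbatim from the Dell 6248 log posted above.
SAMPLE_LOG = """\
<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4320 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0
<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4322 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 0
<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[124133088]: traputil.c(611) 4323 %% Spanning Tree Topology Change: 0, Unit: 1
<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4326 %% Link Down: 3/0/13
<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4328 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0
"""

# Header: "<pri> MON DD HH:MM:SS host COMPONENT[pid]: file.c(line) seq %% message"
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+(?P<mon>[A-Z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<comp>\w+)\[\d+\]:\s+\S+\s+\d+\s+%%\s+(?P<msg>.*)$"
)
STATE_RE = re.compile(r"^(?P<port>\d+/\d+/\d+) is transitioned from the (?P<src>\w+) state "
                      r"to the (?P<dst>\w+) state in instance (?P<inst>\d+)$")
TCN_RE = re.compile(r"^Spanning Tree Topology Change: (?P<inst>\d+), Unit: (?P<unit>\d+)$")
LINK_RE = re.compile(r"^Link (?P<state>Up|Down): (?P<port>\d+/\d+/\d+)$")

def parse_line(line):
    """Return a dict for a recognised STP/link trap line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    msg, base = m.group("msg"), {"time": m.group("time"), "host": m.group("host")}
    if s := STATE_RE.match(msg):
        return {**base, "kind": "state", "port": s["port"], "src": s["src"], "dst": s["dst"], "inst": int(s["inst"])}
    if t := TCN_RE.match(msg):
        return {**base, "kind": "tcn", "inst": int(t["inst"]), "unit": int(t["unit"])}
    if k := LINK_RE.match(msg):
        return {**base, "kind": "link", "port": k["port"], "state": k["state"]}
    return None

def summarize(log_text):
    """Count STP state transitions per port, TCNs per MST instance, link events per port."""
    counts = {"transitions": Counter(), "tcn": Counter(), "link": Counter()}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["kind"] == "state":
            counts["transitions"][rec["port"]] += 1
        elif rec["kind"] == "tcn":
            counts["tcn"][rec["inst"]] += 1
        else:
            counts["link"][rec["port"]] += 1
    return counts

def noisy_ports(summary, threshold=3):
    """Ports whose transition count reaches the (assumed) threshold: edge-port protection candidates."""
    return sorted(p for p, n in summary["transitions"].items() if n >= threshold)
```

Feeding the full log export instead of SAMPLE_LOG gives a per-port table that shows which interface is driving the topology changes.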

274.2K Posts

July 9th, 2015 08:00

On the PowerConnect switches A bridge priority of “0” will prevent a switch from participating in the Root election however not all vendors observe this rule. For the switch to be root of your network you would need to change this to 4096. This may help out.

Have you thought about disabling spanning tree on just this one port? You know it is the only connection from your network to the ISP. You can still set the switch as root for your internal networking and leave spanning tree enabled on the rest of the internal network. But that would help ensure the ISP connection stays up.

7 Posts

October 13th, 2015 15:00

Dell log:

<190> OCT 13 22:36:24 172.16.6.50-2 UNITMGR[139145536]: unitmgr.c(6046) 1148 %% Copy of running configuration to backup unit complete

<190> OCT 13 22:36:30 172.16.6.50-2 UNKN[124132528]: dot1s_sm.c(10321) 1149 %% SpanningTree-LoopGuard: LoopGuard blocking port: 117 on MST instance: 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1150 %% Transitioning Into Loop Inconsistent State: MSTID: 0 Unit: 3 Slot: 0 Port: 13

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1151 %% Link Up: 3/0/13

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1152 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1153 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

<190> OCT 13 22:36:30 172.16.6.50-2 UNKN[124132528]: dot1s_sm.c(10313) 1154 %% SpanningTree-LoopGuard: LoopGuard Disabled: unblocking interface 117 on MST instance 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1155 %% Transitioning Out Of Loop Inconsistent State: MSTID: 0 Unit: 3 Slot: 0 Port: 13

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1156 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1157 %% Spanning Tree Topology Change: 0, Unit: 1

<189> OCT 13 22:36:32 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1158 %% Spanning Tree Topology Change: 1, Unit: 1

<189> OCT 13 22:36:32 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1159 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 1

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1160 %% Link Down: 3/0/13

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1161 %% Link on 3/0/13 is failed

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1162 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1163 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

7 Posts

October 13th, 2015 15:00

Hi again.

Tried a couple of different configurations here:

spanning-tree priority 4096

spanning-tree mst-configuration 1 4096

spanning-tree port-priority 240

spanning-tree tcnguard

spanning-tree guard loop

switchport access vlan 3

detail:

switch#show spanning-tree detail

Spanning tree Enabled (BPDU flooding : Disabled) Portfast BPDU filtering  Enabled mode mstp

CST Regional Root:        10:00:D0:67:E5:9C:F9:1C

Regional Root Path Cost:  0

###### MST 0 Vlan Mapped:   1-3, 7, 10, 20, 22, 24-25, 27-29, 31, 34, 100, 110, 200, 205, 300

ROOT ID

             Address         D0:67:E5:9C:F9:1C

             Path Cost       0

             Root Port

             Hello Time 2 Sec Max Age 20 sec Forward Delay 15 sec

Number of topology changes 10 last change occurred 0d0h9m7s ago

Message that arrives on the Cisco switch that is connected to the core with a LACP link when I connect the ISP to the Dell core:

Oct 13 21:36:32.290: %SPANTREE-2-PVSTSIM_FAIL: Blocking root port Po1: Inconsitent inferior PVST BPDU received on VLAN 3, claiming root 34439:0817.3536.5d00

This switch should never have received any BPDUs, so the Dell switch does forward these BPDUs from the ISP whatever I do.

Any more suggestions?

The working cisco configuration is:

interface GigabitEthernet1/0/48

switchport access vlan 3

switchport mode access

spanning-tree portfast

spanning-tree bpdufilter enable

spanning-tree bpduguard enable

This configuration blocks the BPDUs from the ISP, but I need to move the connection to the Dell switch and not use my Cisco switch anymore.

274.2K Posts

October 14th, 2015 12:00

Looking back through the configuration you initially started with, I think I see why bpdu filter may not have been working. spanning-tree portfast bpdufilter default discards BPDUs received on spanning-tree ports in portfast mode. The interface has portfast mode set to auto, meaning the port would transition to portfast mode only if it does not see any BPDUs for 3 seconds. Obviously this port is receiving BPDUs, so the port never transitioned to portfast, which in return never let bpdufiltering kick in. To correct this we can simply enable portfast on the port.

That would leave us with a config that looks like this:

console(config)# spanning-tree portfast default

console(config)# interface ethernet 3/g13

console(config-if-3/g13)# spanning-tree portfast

console(config-if-3/g13)# spanning-tree tcnguard

Loop guard is what is causing all of the Inconsistent State messages, and can be taken out of the config.

7 Posts

October 19th, 2015 16:00

Thanks for helping out.

The result is still the same though. The BPDU packets won't be stopped by this config when I put the ISP connection on the Dell with 3/g13. The Cisco on 1/0/48 works.

--- non-working dell configuration: ----
dellswitch6248#show running-config interface ethernet 3/g13
spanning-tree portfast
spanning-tree tcnguard
switchport access vlan 3

--- global spanning-tree config on dell: ----
spanning-tree
spanning-tree portfast bpdufilter default
spanning-tree bpdu flooding
spanning-tree bpdu-protection
spanning-tree max-age 20
spanning-tree hello-time 2
spanning-tree forward-time 15
no spanning-tree max-hops
spanning-tree mode mstp
spanning-tree priority 4096
spanning-tree transmit hold-count 6
spanning-tree mst 1 priority 4096
spanning-tree mst configuration
name "removed"
exit

spanning-tree mst configuration
revision 0
exit

--- working cisco configuration: ---
cisco2960x#show running-config | sec 1/0/48
interface GigabitEthernet1/0/48
switchport access vlan 3
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

---- working global cisco config ---

(cropped and removed)
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name removed
!

274.2K Posts

October 20th, 2015 12:00

Thanks for the update. Your configuration has some options in it that may be counterproductive. BPDU protection will disable a port that has portfast enabled on it. This would not be desirable since 3/g13 is in portfast mode. BPDU flooding will take BPDUs received on the disabled ports and flood them out to other disabled ports.

An easier method to achieve the desired results would be to disable spanning tree on this specific interface. What you are trying to do right now is leave spanning tree enabled on the interface, while pruning the port's spanning tree capability. At which point having a port with spanning tree disabled will achieve the same results and be easier to implement.

7 Posts

October 20th, 2015 14:00

Thanks for hanging in there.

Though, do you have a suggestion for a working config here, since I just can't get this to work whatever I do, which leaves me feeling stupid.

Tried a couple of different options, but the last two options were these (neither of which is working).

Also tried:

(global config)
no spanning-tree bpdu flooding
no spanning-tree bpdu-protection

Neither of these two commands changes the config.

option 1:

dellsw-6248#show running-config interface ethernet 3/g13
spanning-tree disable
switchport access vlan 3

Global:
spanning-tree
spanning-tree portfast bpdufilter default
spanning-tree bpdu flooding
spanning-tree bpdu-protection
spanning-tree max-age 20
spanning-tree hello-time 2
spanning-tree forward-time 15
no spanning-tree max-hops
spanning-tree mode mstp
spanning-tree priority 4096
spanning-tree transmit hold-count 6
spanning-tree mst 1 priority 4096
spanning-tree mst configuration
name "removed"
exit
spanning-tree mst configuration
revision 0
exit

option 2:

akasw-dell01#show running-config interface ethernet 3/g13
spanning-tree portfast
switchport access vlan 3

Global:
spanning-tree
spanning-tree portfast bpdufilter default
spanning-tree bpdu flooding
spanning-tree bpdu-protection
spanning-tree max-age 20
spanning-tree hello-time 2
spanning-tree forward-time 15
no spanning-tree max-hops
spanning-tree mode mstp
spanning-tree priority 4096
spanning-tree transmit hold-count 6
spanning-tree mst 1 priority 4096
spanning-tree mst configuration
name "removed"
exit
spanning-tree mst configuration
revision 0
exit

274.2K Posts

October 21st, 2015 08:00

After disabling spanning tree on the interface you still received topology changes? If so, the topology changes must be coming from somewhere else in the network. During these tests is the Cisco switch still plugged into the network? If so, what is its spanning tree priority set to?

7 Posts

February 14th, 2016 23:00

Yesterday I upgraded the switches to 3.3.14.2, and tried to get this to work, still without success.

I've troubleshot this and found that the following config does stop the spanning-tree error:

spanning-tree portfast

spanning-tree tcnguard

switchport access vlan 3

So the tcnguard does actually work the way it should.

However, when I connect the ISP to this port I get a complete outage of the whole switch. So there has to be another big issue as well. It doesn't show much in the log. I'm leaning towards a VLAN issue, but I don't feel sure where to look for what, given that the spanning-tree now seems to do its job.

<189> FEB 15 00:26:58 172.16.6.50-2 TRAPMGR[151607616]: traputil.c(611) 1219 %% Link Up: 3/0/13

<189> FEB 15 00:27:18 172.16.6.50-2 TRAPMGR[151607616]: traputil.c(611) 1220 %% Link Down: 3/0/13

<189> FEB 15 00:27:18 172.16.6.50-2 TRAPMGR[151607616]: traputil.c(611) 1221 %% Link on 3/0/13 is failed

Any hints on what can cause the issue?

274.2K Posts

February 16th, 2016 12:00

Can you provide us more of the logs? Right before and after these events. In your previous testing, with spanning-tree disabled on the interface, what was the behavior of the switch? It may be beneficial to set up a packet capture on this specific interface, allowing you a deeper look at the traffic on the interface.