Bpdufilter / bpduguard

Question

Hi! We're having a mixed swich-environment and the core exists of tree stacked Dell 62xx-switches. We used to have a Cisco switch that has now been replaced by the third stacked 6248 switch. The Cisco switch had the following configuration on the port that connected the switch to our ISP: switchport access vlan 3 switchport mode access spanning-tree portfast  spanning-tree bpdufilter enable spanning-tree bpduguard enable --- We moved the internet access to the Dell switch with the following config Global: spanning-tree portfast bpdufilter default spanning-tree bpdu-protection spanning-tree mode mstp The Port:  spanning-tree auto-portfast switchport access vlan 3 Witch ended in a disaster, since the ISP is clearly sending out a lot of spanning-tree info it probably shouldn't have sent to us (many topology changes happened after the moving of this connection). Reading it looks like the 'spanning-tree tcnguard' could have saved us here. Whats the recommended configuration for this ISP port that that we don't want to be able to participate in our spanning-tree environment.

lhlied · Answer

Thanks.

I did try now to enable the tcnguard, though that didn't seem to solve my issues.

Logging shows:

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4320 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4321 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4322 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 0

<189> JUL 06 17:13:26 172.16.6.50-1 TRAPMGR[124133088]: traputil.c(611) 4323 %% Spanning Tree Topology Change: 0, Unit: 1

<189> JUL 06 17:13:28 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4324 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 1

<189> JUL 06 17:13:28 172.16.6.50-1 TRAPMGR[124133088]: traputil.c(611) 4325 %% Spanning Tree Topology Change: 1, Unit: 1

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4326 %% Link Down: 3/0/13

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4327 %% Link on 3/0/13 is failed

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4328 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> JUL 06 17:16:10 172.16.6.50-1 TRAPMGR[151151120]: traputil.c(611) 4329 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

<189> JUL 06 17:16:23 172.16.6.50-1 TRAPMGR[124133088]: traputil.c(611) 4330 %% Spanning Tree Topology Change: 0, Unit: 1

<189> JUL 06 17:16:58 172.16.6.50-1 TRAPMGR[104051104]: traputil.c(611) 4331 %% Multiple Users: Unit: 0 Slot: 5 Port: 1

Since this port is our internet-connection its a little tricky to test and change often, given that it should work close to 24/7.

Though trying to enter the portfast bpdufilter I get an error:

companysw-dell01(config-if-3/g13)#spanning-tree portfast bpdufilter default

^

% Invalid input detected at '^' marker.

Though we've enable this rule globally. The global config is:

spanning-tree portfast bpdufilter default

spanning-tree bpdu-protection

spanning-tree mode mstp

spanning-tree priority 0

Any more good suggestions? (Other then calling the ISP and tell them to stop sending out spanning-tree packages?)

lhlied · Answer

Dell logg:

<190> OCT 13 22:36:24 172.16.6.50-2 UNITMGR[139145536]: unitmgr.c(6046) 1148 %% Copy of running configuration to backup unit complete

<190> OCT 13 22:36:30 172.16.6.50-2 UNKN[124132528]: dot1s_sm.c(10321) 1149 %% SpanningTree-LoopGuard: LoopGuard blocking port: 117 on MST instance: 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1150 %% Transitioning Into Loop Inconsistent State: MSTID: 0 Unit: 3 Slot: 0 Port: 13

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1151 %% Link Up: 3/0/13

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1152 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1153 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

<190> OCT 13 22:36:30 172.16.6.50-2 UNKN[124132528]: dot1s_sm.c(10313) 1154 %% SpanningTree-LoopGuard: LoopGuard Disabled: unblocking interface 117 on MST instance 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1155 %% Transitioning Out Of Loop Inconsistent State: MSTID: 0 Unit: 3 Slot: 0 Port: 13

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1156 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 0

<189> OCT 13 22:36:30 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1157 %% Spanning Tree Topology Change: 0, Unit: 1

<189> OCT 13 22:36:32 172.16.6.50-2 TRAPMGR[124132528]: traputil.c(611) 1158 %% Spanning Tree Topology Change: 1, Unit: 1

<189> OCT 13 22:36:32 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1159 %% 3/0/13 is transitioned from the Learning state to the Forwarding state in instance 1

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1160 %% Link Down: 3/0/13

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1161 %% Link on 3/0/13 is failed

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1162 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 0

<189> OCT 13 22:36:39 172.16.6.50-2 TRAPMGR[151157232]: traputil.c(611) 1163 %% 3/0/13 is transitioned from the Forwarding state to the Blocking state in instance 1

lhlied · Answer

Hi again.

Tried a couple of different configurations here:

spanning-tree priority 4096

spanning-tree mst-configuration 1 4096

spanning-tree port-priority 240

spanning-tree tcnguard

spanning-tree guard loop

switchport access vlan 3

detail:

switch#show spanning-tree detail

Spanning tree Enabled (BPDU flooding : Disabled) Portfast BPDU filtering Enabled mode mstp

CST Regional Root: 10:00:D0:67:E5:9C:F9:1C

Regional Root Path Cost: 0

###### MST 0 Vlan Mapped: 1-3, 7, 10, 20, 22, 24-25, 27-29, 31, 34, 100, 110, 200, 205, 300

ROOT ID

Address D0:67:E5:9C:F9:1C

Path Cost 0

Root Port

Hello Time 2 Sec Max Age 20 sec Forward Delay 15 sec

Number of topology changes 10 last change occurred 0d0h9m7s ago

message that arrives on the cisco switch that is connected to the core with a lacp link when I connect the ISP to the dell-core:

Oct 13 21:36:32.290: %SPANTREE-2-PVSTSIM_FAIL: Blocking root port Po1: Inconsitent inferior PVST BPDU received on VLAN 3, claiming root 34439:0817.3536.5d00

This switch should never have received any BPDU's so the dell-switch do forward these BPDU's from the ISP whatever I do.

Any more suggestions?

The working cisco configuration is:

interface GigabitEthernet1/0/48

switchport access vlan 3

switchport mode access

spanning-tree portfast

spanning-tree bpdufilter enable

spanning-tree bpduguard enable

This configurations blocks the BPDU's from the ISP, but I need to move the connection to the DELL switch and not use my Cisco switch anymore.

lhlied · Answer

Thanks for helping out.

The result is still the same though. The bpdu packets won't be stopped by this config when I put the ISP connection on the dell with 3/g13. The cisco on 1/0/48 works.

--- non-workiing dell configuration: ----
dellswitch6248#show running-config interface ethernet 3/g13
spanning-tree portfast
spanning-tree tcnguard
switchport access vlan 3

--- global spanning-tree config on dell: ----
spanning-tree
spanning-tree portfast bpdufilter default
spanning-tree bpdu flooding
spanning-tree bpdu-protection
spanning-tree max-age 20
spanning-tree hello-time 2
spanning-tree forward-time 15
no spanning-tree max-hops
spanning-tree mode mstp
spanning-tree priority 4096
spanning-tree transmit hold-count 6
spanning-tree mst 1 priority 4096
spanning-tree mst configuration
name "removed"
exit

spanning-tree mst configuration
revision 0
exit

--- working cisco configuration: ---
cisco2960x#show running-config | sec 1/0/48
interface GigabitEthernet1/0/48
switchport access vlan 3
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

---- working global cisco config ---

(cropped and removed)
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name removed
!

lhlied · Answer

Thanks for hanging in there.

Though, do you have a suggestion for a working config here, since I just cant get this to work whatever I do witch leaves me feeling stupid.

Tried a couple of different options, but the last two options was this (witch none are working).

Also tried:

(global config)
no spanning-tree bpdu flooding
no spanning-tree bpdu-protection

None of these two commands changes the config.

option 1:

dellsw-6248#show running-config interface ethernet 3/g13
spanning-tree disable
switchport access vlan 3

Global:
spanning-tree
spanning-tree portfast bpdufilter default
spanning-tree bpdu flooding
spanning-tree bpdu-protection
spanning-tree max-age 20
spanning-tree hello-time 2
spanning-tree forward-time 15
no spanning-tree max-hops
spanning-tree mode mstp
spanning-tree priority 4096
spanning-tree transmit hold-count 6
spanning-tree mst 1 priority 4096
spanning-tree mst configuration
name "removed"
exit
spanning-tree mst configuration
revision 0
exit

option 2:

akasw-dell01#show running-config interface ethernet 3/g13
spanning-tree portfast
switchport access vlan 3

Global:
spanning-tree
spanning-tree portfast bpdufilter default
spanning-tree bpdu flooding
spanning-tree bpdu-protection
spanning-tree max-age 20
spanning-tree hello-time 2
spanning-tree forward-time 15
no spanning-tree max-hops
spanning-tree mode mstp
spanning-tree priority 4096
spanning-tree transmit hold-count 6
spanning-tree mst 1 priority 4096
spanning-tree mst configuration
name "removed"
exit
spanning-tree mst configuration
revision 0
exit

lhlied · Answer

Yesterday I upgradered the switches to 3.3.14.2, and tried to get this to work, still not with success.

I've troubleshooted that the following conf do stop the spanning-tree error:

spanning-tree portfast

spanning-tree tcnguard

switchport access vlan 3

So the tcnguard do actually work the way it should.

However when I connect the ISP to this port I get a complete outage of the whole switch. So there has to be another big issue as well. It doesn't show much in the log. I'm leaning against a vlan issue, but I don't feel sure where to look for what, given that the spanning-tree now seems to do its job.

<189> FEB 15 00:26:58 172.16.6.50-2 TRAPMGR[151607616]: traputil.c(611) 1219 %% Link Up: 3/0/13

<189> FEB 15 00:27:18 172.16.6.50-2 TRAPMGR[151607616]: traputil.c(611) 1220 %% Link Down: 3/0/13

<189> FEB 15 00:27:18 172.16.6.50-2 TRAPMGR[151607616]: traputil.c(611) 1221 %% Link on 3/0/13 is failed

Any hints on what can cause the issue?

Networking General

Was this post helpful?