topic Re: BDPU/Spanning Tree issue in General Topics

BDPU/Spanning Tree issue

Bill_Ng — Thu, 27 Aug 2020 14:10:10 GMT

All,

We are running into an issue where our Cisco switch port goes into err-disable due to BPDU guard. It only happens on this one port which is a trunk. This is a VSX FW cluster running multiple VSs. It only happens to one particular VS instance. We also are running VMACs as well on the cluster. This seems to occur at random times and between the active and standby nodes. eth1-04 is the interface in questions. It is a 10gb connection.

Sync UP sync(secured), broadcast
eth1-03 UP non sync(non secured), multicast
eth2-08 UP non sync(non secured), multicast
eth1-04 UP non sync(non secured), multicast (eth1-04.112)

Any ideas/help on trying to troubleshoot this from a FW perspective?

Thanks,

Bill

Re: BDPU/Spanning Tree issue

John_Fleming — Thu, 27 Aug 2020 22:21:22 GMT

Is there a virtual switch between the VS and the cisco switch or is it just a virtual firewall connected to that vlan interface? I'm a bit rusty on VSX FYI.

Re: BDPU/Spanning Tree issue

Bill_Ng — Fri, 28 Aug 2020 12:21:24 GMT

There is no virtual switch involved. This is just a single 10gb connection assigned to the VS setup as a trunk. It is directly hooked up to a Cisco 9K.

Re: BDPU/Spanning Tree issue

Gertjan — Fri, 13 Aug 2021 06:30:11 GMT

Hi Bill,

Did you manage to solve this issue, i was wondering if you did because we have this problem also and are a bit in the dark why this is happening. :S

Re: BDPU/Spanning Tree issue

Daniel_Cimpeanu — Thu, 30 May 2024 11:49:10 GMT

I'm running into the same issue as well, haven't yet found a concludent solution.

Re: BDPU/Spanning Tree issue

Duane_Toler — Sat, 01 Jun 2024 15:57:15 GMT

Not to be trite, but BPDU guard means the switch is seeing a spanning-tree BPDU come in on a port where none is expected. Your switch is likely configured with "spanning-tree portfast bpduguard default". For trunk ports, you may also have "spanning-tree portfast trunk", unless you have bpduguard per-port.

Are you seeing BPDUguard on ALL VLANs of the trunk port, or just certain VLANs? This would help you determine the exact cause:

show spann int TeX/Y/Z

Are you running VS in active-active bridge mode? This will emit 802.1d frames. VMACs won't cause BPDUguard, tho.

You can see details of spanning-tree on the port with "show spann int TeX/Y/Z details" to get some idea of what's coming into the port. If you have a port-channel, and you're only seeing BPDUguard on a single port of the bundle, then you have a port configuration mismatch.

If, for some reason you NEED to have BPDUs through this port, you can still allow them but not allow a lower priority BPDU:

int TeX/Y/Z spanning-tree bpduguard disable spanning-tree guard root

If you are using Active/Active Bridge mode VS, then this is the config you on your port. Root guard will prevent your spanning tree topology from pivoting towards a new lower priority, or lower bridge ID, root bridge. Which would be terrible

You *DO* want to take care of your spanning tree topology, however. I presume you understand STP enough to set your preferred primary and secondary root bridges on your network. Make sure your root is where you think it is.

Lemme know if you have any questions with it.

Good luck!