Bill_Ng
Collaborator

BPDU/Spanning Tree issue

All,

We are running into an issue where our Cisco switch port goes into err-disable due to BPDU guard. It only happens on this one port, which is a trunk. This is a VSX FW cluster running multiple VSs. It only happens to one particular VS instance. We are also running VMACs on the cluster. This seems to occur at random times and between the active and standby nodes. eth1-04 is the interface in question. It is a 10 Gb connection.

Sync UP sync(secured), broadcast
eth1-03 UP non sync(non secured), multicast
eth2-08 UP non sync(non secured), multicast
eth1-04 UP non sync(non secured), multicast (eth1-04.112)

Any ideas/help on trying to troubleshoot this from a FW perspective?

Thanks,

Bill

5 Replies
John_Fleming
Advisor

Is there a virtual switch between the VS and the cisco switch or is it just a virtual firewall connected to that vlan interface? I'm a bit rusty on VSX FYI.

Bill_Ng
Collaborator

There is no virtual switch involved. This is just a single 10 Gb connection assigned to the VS, set up as a trunk. It is directly hooked up to a Cisco 9K.

Gertjan
Explorer

Hi Bill,

Did you manage to solve this issue? I was wondering if you did, because we have this problem also and are a bit in the dark as to why this is happening. :S

Daniel_Cimpeanu
Collaborator

I'm running into the same issue as well, and haven't yet found a conclusive solution.

Duane_Toler
Advisor

Not to be trite, but BPDU guard means the switch is seeing a spanning-tree BPDU come in on a port where none is expected. Your switch is likely configured with "spanning-tree portfast bpduguard default". For trunk ports, you may also have "spanning-tree portfast trunk", unless you have bpduguard per-port.

Are you seeing BPDU guard trigger on ALL VLANs of the trunk port, or just certain VLANs? This would help you determine the exact cause:

show spann int TeX/Y/Z

Are you running the VS in active-active bridge mode? This will emit 802.1d frames. VMACs won't cause BPDU guard, though.

You can see details of spanning-tree on the port with "show spann int TeX/Y/Z details" to get some idea of what's coming into the port. If you have a port-channel, and you're only seeing BPDU guard on a single port of the bundle, then you have a port configuration mismatch.

If, for some reason, you NEED to have BPDUs through this port, you can still allow them but not allow a lower priority BPDU:

int TeX/Y/Z
spanning-tree bpduguard disable
spanning-tree guard root

If you are using Active/Active Bridge mode VS, then this is the config you want on your port. Root guard will prevent your spanning tree topology from pivoting towards a new lower priority, or lower bridge ID, root bridge, which would be terrible.

You *DO* want to take care of your spanning tree topology, however. I presume you understand STP enough to set your preferred primary and secondary root bridges on your network. Make sure your root is where you think it is.

Let me know if you have any questions with it.

Good luck!

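Duane's advice comes down to two questions: what BPDU is actually arriving on that port, and would it win the root election (which is the case root guard exists for). From the firewall side, the way to answer both is to capture the frames on the VS interface and decode them. The following is an added example, not code from this thread or from Check Point or Cisco: a small Python decoder for IEEE 802.1D configuration BPDUs, untagged or 802.1Q-tagged as you would see on a trunk, plus a check that mirrors the decision root guard makes. The MAC addresses, the VLAN 112 tag, the two sample frames and the "expected root" bridge ID are all constructed for illustration.

```python
"""Decode an IEEE 802.1D configuration BPDU (untagged or 802.1Q-tagged) and
decide whether it is superior to the root bridge you expect, i.e. whether
spanning-tree guard root would move the port to root-inconsistent.
Added example; every frame and address below is constructed, not captured."""
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
LLC_STP = bytes([0x42, 0x42, 0x03])           # DSAP/SSAP 0x42, UI control field
BPDU_FMT = ">HBBB8sI8sHHHHH"                  # 35-byte 802.1D config BPDU


def bridge_id(raw: bytes) -> dict:
    """Split an 8-byte 802.1t bridge ID: 4-bit priority (multiples of 4096),
    12-bit system ID extension (the VLAN in per-VLAN spanning tree), 48-bit MAC.
    The whole 8 bytes compare as one number; the lowest value wins the root election."""
    prio_field = struct.unpack(">H", raw[:2])[0]
    return {
        "priority": prio_field & 0xF000,
        "vlan": prio_field & 0x0FFF,
        "mac": raw[2:8].hex(":"),
        "value": int.from_bytes(raw, "big"),
    }


def parse_bpdu_frame(frame: bytes) -> dict:
    """Return the decoded fields of an 802.1D configuration BPDU, or raise ValueError."""
    if frame[0:6] != STP_DST_MAC:
        raise ValueError("not addressed to the 802.1D bridge group address")
    off, vlan = 12, None
    if frame[off:off + 2] == b"\x81\x00":           # 802.1Q tag present (trunk port)
        tci = struct.unpack(">H", frame[off + 2:off + 4])[0]
        vlan = tci & 0x0FFF
        off += 4
    length = struct.unpack(">H", frame[off:off + 2])[0]
    off += 2
    if length > 1500 or frame[off:off + 3] != LLC_STP:
        # Cisco PVST+ BPDUs go to 01:00:0c:cc:cc:cd with a SNAP header; not decoded here.
        raise ValueError("not an IEEE 802.1D LLC-encapsulated BPDU")
    off += 3
    (proto, version, bpdu_type, flags, root, cost, sender,
     port_id, msg_age, max_age, hello, fwd_delay) = struct.unpack(
        BPDU_FMT, frame[off:off + struct.calcsize(BPDU_FMT)])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("only 802.1D configuration BPDUs are handled")
    return {
        "tag_vlan": vlan,
        "src_mac": frame[6:12].hex(":"),
        "flags": flags,
        "root": bridge_id(root),
        "root_path_cost": cost,
        "sender": bridge_id(sender),
        "port_id": port_id,
        # timers are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def root_guard_would_block(bpdu: dict, expected_root: bytes) -> bool:
    """True when the received BPDU advertises a root with a lower (better) bridge ID
    than the root you configured: the superior BPDU root guard reacts to."""
    return bpdu["root"]["value"] < int.from_bytes(expected_root, "big")


def build_config_bpdu(root_id: bytes, sender_id: bytes, vlan=None) -> bytes:
    """Construct a test frame (hypothetical source MAC, default 802.1D timers)."""
    hdr = STP_DST_MAC + bytes.fromhex("001122334455")
    if vlan is not None:
        hdr += b"\x81\x00" + struct.pack(">H", vlan)
    body = LLC_STP + struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, 0, sender_id,
                                 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    return hdr + struct.pack(">H", len(body)) + body


# Constructed sample data: our intended root for VLAN 112 has priority 4096.
EXPECTED_ROOT = bytes.fromhex("1070") + bytes.fromhex("00deadbeef01")
# A bridge advertising the default priority 32768 for VLAN 112: inferior, harmless.
BENIGN_FRAME = build_config_bpdu(bytes.fromhex("807000aabbccddee"),
                                 bytes.fromhex("807000aabbccddee"), vlan=112)
# A bridge claiming priority 0 for VLAN 112: superior, root guard would block it.
ROGUE_FRAME = build_config_bpdu(bytes.fromhex("00700000000000c1"),
                                bytes.fromhex("00700000000000c1"), vlan=112)

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("rogue", ROGUE_FRAME)):
        b = parse_bpdu_frame(frame)
        print(name, "tag VLAN", b["tag_vlan"], "root", b["root"],
              "root guard blocks:", root_guard_would_block(b, EXPECTED_ROOT))
```

In practice the frames would come from a capture written on the gateway side of the link (tcpdump on the VS member interface, assuming it is available on your Gaia version) and read back with a pcap library; the decoder only needs the raw Ethernet bytes. If BPDU guard fires but this decoder rejects every frame, the traffic is most likely Cisco PVST+ (SNAP-encapsulated, destination 01:00:0c:cc:cc:cd), which also tells you the BPDUs are per-VLAN and makes Duane's "all VLANs or just some" question easy to answer from the 802.1Q tags.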
