7-DC/Spanning Tree Protocol (STP) on NX-OS.

In this post I will talk about Spanning Tree Protocol configuration and verification commands from the NX-OS CLI point of view.

Spanning Tree Protocol on NX-OS:

As we already know, STP is the loop-avoidance mechanism of a Layer 2 switched network: the redundant Layer 2 links that connect the switches would otherwise form a bridging loop, so STP keeps one link active (it carries the traffic between the two devices) and blocks the redundant ones. If the active link fails for any reason, STP selects one of the blocked links to become the new active link. For more details about the STP protocols and modes, see the following posts:
1-R&S/Virtual LAN (VLAN) and Spanning Tree Protocol (STP).
2-R&S/Spanning Tree Protocol (STP) Part 2.
3-R&S/Spanning Tree Protocol (STP), RSTP Part 3.
4-R&S/Multiple Spanning Tree Protocol (MST).

NX-OS supports only two modes of STP:

  1. Rapid Per-VLAN Spanning Tree Protocol (Rapid PVST+), based on IEEE 802.1w: Rapid PVST+ is the default STP mode on NX-OS. It is the rapid version of PVST+ (one RSTP instance per VLAN), so after a failure it converges quickly instead of waiting out the 30 to 50 seconds of legacy STP timers, as long as every switch in the domain is running RSTP and the links are point-to-point rather than shared.
  2. Multiple Spanning Tree (MST), IEEE 802.1s: MST is the second STP mode supported by NX-OS and is the one to prefer in a large Layer 2 network with many VLANs. It maps groups of VLANs that share the same loop-free topology onto a single STP instance, instead of creating one instance per VLAN as Rapid PVST+ does, so the BPDU and CPU load no longer grows with the VLAN count. MST is itself built on RSTP, so it keeps the fast convergence while adding the VLAN-to-instance mapping.

Now let’s see the simple Layer 2 topology that we will use for configuring the STP on NX-OS:

stp1

In this topology we have the following:
1-Two Distribution/Aggregation switches: NX-OS-SW1 and NX-OS-SW2 running NX-OS.
2-Three Access switches: SW3, SW4 and SW5 running Classic IOS.
3-Each Access switch has two uplinks, one uplink connected to NX-OS-SW1 and the other one connected to NX-OS-SW2.
4-There are 20 VLANs (from VLAN 1 to VLAN 20) configured on all the switches.

BASIC RPVST CONFIGURATION COMMANDS:

We can configure RPVST as the STP mode on NX-OS using the following command:

stp-config1

We can configure the link type to be either “shared”, “point-to-point” or “auto” using the following commands:

stp-config3

stp-config4

stp-config5

The “auto” option lets NX-OS pick the link type from the duplex mode of the switchport: half duplex gives “shared”, full duplex gives “point-to-point”. A “shared” link type tells STP that the port is on a shared segment (for example a hub with several devices behind it), while “point-to-point” tells it that exactly one device is on the other end. This matters for convergence: the RSTP proposal/agreement handshake that makes Rapid PVST+ fast runs only on point-to-point links, so a link detected or configured as “shared” falls back to timer-based transitions. “auto” is the default link type on NX-OS.

We can configure the port to be either “Edge” , “network” or “Normal” port using the following commands:

stp-config6

stp-config7

stp-config8

An “edge” port is a switchport to which a non-STP device is connected (a router, PC, server, and so on). It provides the same function as the classic IOS PortFast feature: STP moves the port straight to the Forwarding state, and link flaps on that port are not treated as topology changes, so no topology change notifications are generated when an edge port goes up or down. If an edge port does receive a BPDU it immediately loses its edge status and behaves as a normal spanning-tree port. Note that “spanning-tree port type edge” applies to access ports; for a trunk toward a host (a hypervisor, for example) use “spanning-tree port type edge trunk”.

A “network” port is a switchport to which another STP-running switch is connected, and that neighbour must also run the Bridge Assurance feature, because NX-OS enables Bridge Assurance by default on every port configured as a network port. A neighbour that does not send BPDUs on every VLAN (classic IOS without Bridge Assurance, or an edge or BPDU-filtered port on the far side) will drive the network port into the Bridge Assurance Inconsistent state, so reserve this port type for links between switches that support Bridge Assurance.

A “normal” port is also a switchport to which an STP-running switch is connected, but the neighbour is not required to run Bridge Assurance. It is the backward-compatible choice for links toward Rapid PVST+ and PVST/PVST+ switches running classic IOS and other non-NX-OS platforms that do not support Bridge Assurance. “normal” is the default port type on NX-OS.

We can configure all the ports to be either “Edge” or “network” port globally using the following commands:

stp-config9

stp-config10

We can configure the STP port pathcost method to be either “short” or “long” using the following commands:

stp-config11

stp-config12

The pathcost method determines the width of the port cost that STP uses in its path-cost calculation: “short” uses a 16-bit cost and “long” uses a 32-bit cost. The long method exists because of the high-speed links (10 Gbps and above) that are common in the data center: with the short method those links all receive the same low cost, so STP cannot tell them apart, whereas the long method assigns distinct costs (for example 20000 for 1 Gbps and 2000 for 10 Gbps). “short” is the default for Rapid PVST+ on NX-OS; MST always uses the long method regardless of this setting.

We can configure the Nexus switch to be the root bridge for one or more VLANs using the following command:

stp-config23

We can configure the Nexus switch to be the secondary root bridge for one or more VLANs using the following command:

stp-config24

We can change the bridge ID by changing the switch/bridge priority using the following command:

stp-config25

We can change the STP process timers (hello, forward delay and max age timers) using the following commands:

stp-config26

stp-config27

stp-config28

We can change the port cost to be either a static value or “auto”, in which case it is calculated from the link speed, using the following commands:

stp-config30

stp-config31

We can change the port cost per one VLAN or multiple VLANs using the following command:

stp-config32

We can change the port priority using the following command:

stp-config33

We can change the port priority per one VLAN or multiple VLANs using the following command:

stp-config34
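The commands described in this section, put together as one added configuration example for NX-OS-SW1 from the topology above (this is an added example, not a figure from the original post). It assumes Eth2/1 faces NX-OS-SW2, Eth2/2 faces access switch SW3 and Eth2/4 faces a server; the interface numbers, VLAN ranges, costs and timers are assumptions chosen to match the values discussed in the verification section further down.

```text
! Added example, not from the original post. Interface numbers, VLAN ranges
! and timer/cost values are assumptions.
NX-OS-SW1# configure terminal
NX-OS-SW1(config)# spanning-tree mode rapid-pvst
! Keep the default short method (1 Gbps = cost 4, as in the show output);
! switch to long when 10 Gbps and faster uplinks must get distinct costs.
NX-OS-SW1(config)# spanning-tree pathcost method short
! Root for VLANs 1-20. "root primary" lets the switch choose a priority;
! an explicit multiple of 4096 is deterministic (4096 + VLAN 1 = 4097 in the output).
NX-OS-SW1(config)# spanning-tree vlan 1-20 root primary
NX-OS-SW1(config)# spanning-tree vlan 1-20 priority 4096
! Tuned timers (defaults: hello 2, forward-time 15, max-age 20). The values
! must satisfy the standard constraint 2*(hello+1) <= max-age <= 2*(forward-time-1).
NX-OS-SW1(config)# spanning-tree vlan 1-20 hello-time 1
NX-OS-SW1(config)# spanning-tree vlan 1-20 forward-time 4
NX-OS-SW1(config)# spanning-tree vlan 1-20 max-age 6
! Inter-switch link to NX-OS-SW2: both ends run Bridge Assurance.
NX-OS-SW1(config)# interface ethernet 2/1
NX-OS-SW1(config-if)# switchport mode trunk
NX-OS-SW1(config-if)# spanning-tree link-type point-to-point
NX-OS-SW1(config-if)# spanning-tree port type network
! Downlink to access switch SW3 (classic IOS, no Bridge Assurance): normal port.
NX-OS-SW1(config)# interface ethernet 2/2
NX-OS-SW1(config-if)# switchport mode trunk
NX-OS-SW1(config-if)# spanning-tree link-type auto
NX-OS-SW1(config-if)# spanning-tree port type normal
NX-OS-SW1(config-if)# spanning-tree cost 4
NX-OS-SW1(config-if)# spanning-tree vlan 1-10 cost 5
NX-OS-SW1(config-if)# spanning-tree port-priority 128
NX-OS-SW1(config-if)# spanning-tree vlan 1-10 port-priority 64
! Server-facing access port: edge (PortFast behaviour). Use "edge trunk" on a trunk.
NX-OS-SW1(config)# interface ethernet 2/4
NX-OS-SW1(config-if)# switchport
NX-OS-SW1(config-if)# switchport access vlan 10
NX-OS-SW1(config-if)# spanning-tree port type edge
```

NX-OS-SW2 gets the same configuration with "spanning-tree vlan 1-20 root secondary" (or priority 8192) so that it takes over as root if NX-OS-SW1 fails; the per-VLAN cost and port-priority lines on Eth2/2 only matter on the access switch side of the election, which is why they are left at defaults on the inter-switch link.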

 

Let’s talk about other features supported by NX-OS that protect the STP domain against violations (rogue or misplaced BPDUs, unidirectional links and malfunctioning bridges). For more details about those features, see 2-R&S/Spanning Tree Protocol (STP) Part 2.

RPVST FEATURES CONFIGURATION COMMANDS:

1-BPDU Guard:
We can configure BPDU Guard feature either on per-port basis or globally to affect all the edge ports using the following commands:

stp-config13

stp-config14

2-Root Guard:
We can configure Root Guard feature on the port using the following command:

stp-config15

3-BPDU Filter:
We can configure the BPDU Filter feature either on a per-port basis or globally to affect all the edge ports using the following commands. The two forms are not equivalent: the interface-level command stops the port from sending and receiving BPDUs altogether, which is the same as switching STP off on that port (a switch plugged in there can create a loop), while the global edge-port default still sends a few BPDUs at link-up and returns the port to normal operation if a BPDU is received.

stp-config17

stp-config16

4-Loop Guard:
We can configure the Loop Guard feature either on a per-port basis or globally using the following commands. The global default applies to all ports, where it acts on the non-designated (root and alternate) ports; a per-port root guard or loop guard setting overrides the global default, and root guard and loop guard cannot both be enabled on the same port.

stp-config18

stp-config19

5-UDLD:
We can configure UDLD feature on NX-OS using the following commands:

a-Enable the UDLD feature:

stp-config20

b-Enable UDLD normal mode or aggressive mode on per-port basis:

stp-config21

stp-config22

6-Bridge Assurance:
Bridge Assurance is a feature NX-OS uses to verify that the switch/bridge on the other end of a link is functioning correctly. On every port configured as a “network” port the switch sends and receives BPDUs for all the VLANs allowed on that port, regardless of the STP state of the port (Forwarding or Blocking), and the neighbour must do the same. The BPDUs therefore act as keepalive messages: if a network port stops receiving BPDUs (for example because the neighbour’s control plane hangs while its data plane keeps forwarding), NX-OS moves the port into the “Bridge Assurance Inconsistent” state, which blocks it, so that a malfunctioning bridge cannot turn a previously blocked link into a Layer 2 loop. As soon as BPDUs are received again the port leaves the inconsistent state and resumes normal STP operation. Bridge Assurance is enabled globally by default on NX-OS and requires Rapid PVST+ or MST. We can enable or disable it using the following command:

stp-config29
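The protection features of this section combined into one added configuration example for NX-OS-SW1 (an added example, not a figure from the original post). Interface numbers and the err-disable recovery interval are assumptions. Global defaults come first, then the per-port overrides that express which side of each link is trusted.

```text
! Added example, not from the original post. Interface numbers are assumptions.
NX-OS-SW1# configure terminal
! Global defaults: BPDU Guard on every edge port, loop guard on all ports
! (acts on root/alternate ports), Bridge Assurance on (the NX-OS default).
NX-OS-SW1(config)# spanning-tree port type edge bpduguard default
NX-OS-SW1(config)# spanning-tree loopguard default
NX-OS-SW1(config)# spanning-tree bridge assurance
! UDLD is a separate feature that must be enabled before its interface commands.
NX-OS-SW1(config)# feature udld
! Downlinks to the access switches: they must never win the root election,
! and a unidirectional fiber should err-disable the port rather than cause a loop.
! A per-port guard (root or loop) overrides the global loopguard default;
! root guard and loop guard cannot both be enabled on the same port.
NX-OS-SW1(config)# interface ethernet 2/2-4
NX-OS-SW1(config-if-range)# spanning-tree guard root
NX-OS-SW1(config-if-range)# udld aggressive
! Link to NX-OS-SW2: loop guard plus normal UDLD mode.
NX-OS-SW1(config)# interface ethernet 2/1
NX-OS-SW1(config-if)# spanning-tree guard loop
NX-OS-SW1(config-if)# udld enable
! Host-facing edge port: BPDU Guard explicitly, so an unexpected switch or a
! host sending BPDUs err-disables the port instead of joining the topology.
NX-OS-SW1(config)# interface ethernet 2/5
NX-OS-SW1(config-if)# spanning-tree port type edge
NX-OS-SW1(config-if)# spanning-tree bpduguard enable
! BPDU Filter: the global edge-port form is the safer one (a few BPDUs are
! still sent at link-up, and a received BPDU turns the port back to normal).
NX-OS-SW1(config)# spanning-tree port type edge bpdufilter default
! The per-port form stops all BPDUs in both directions, i.e. STP is off on
! that port; only for ports where no bridge can ever be attached.
NX-OS-SW1(config)# interface ethernet 2/6
NX-OS-SW1(config-if)# spanning-tree bpdufilter enable
! Let ports shut by BPDU Guard recover automatically after the interval.
NX-OS-SW1(config)# errdisable recovery cause bpduguard
NX-OS-SW1(config)# errdisable recovery interval 300
```

The design choice here is asymmetric trust: the distribution pair trusts each other (network ports, Bridge Assurance, loop guard), tolerates the access switches as STP speakers but never as root (root guard), and treats hosts as non-speakers whose BPDUs are a fault (edge plus BPDU Guard). Automatic recovery keeps an operator from having to touch every port after a transient, but the recovery event is still worth logging and alerting on.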

 

RPVST VERIFICATION COMMANDS:

We can verify that Rapid PVST+ (shown as “rstp” in the output) is the currently enabled STP mode using the following command:

stp-show1

We can deduce the following points from the previous figure:

1-Spanning tree enabled protocol is “RSTP”.
2-Root bridge ID consists of two parts:
a-Root bridge Priority = 4097
b-Root bridge Address = 5000.0001.002f
3-This switch/bridge is the Root bridge for VLAN 1.
4-Hello Timer = 1 second, Max Age timer = 6 seconds and Forward Delay timer = 4 seconds (those values were manually modified; the defaults are hello timer = 2 seconds, Max Age timer = 20 seconds and Forward Delay timer = 15 seconds).
5-Bridge ID consists of two parts:
a-Bridge Priority = 4097 (configured Priority = 4096 and extended System ID = 1 (as VLAN ID = 1)).
b-Bridge Address = 5000.0001.002f
6-All the listed interfaces (Eth2/1 , Eth2/2 , Eth2/3 and Eth2/4) have the following info:
a-Role: Designated
b-State: Forwarding
c-Cost: 4
d-Port ID consists of two parts: Port priority = 128, and the Port number is unique for each interface as it is H/W specific.
7-Link type: Point-to-point.

We can verify which STP instances for which VLANs are active using the following command:

stp-show3

We can check which switchports are blocked by the STP process using the following command:

stp-show4

We can check which switchports are put in “inconsistent” state by the STP process using the following command:

stp-show5

We can deduce from the previous figure that switchport (Eth2/2) is put in “Bridge Assurance Inconsistent” for the VLANs (1, 2, 3, 4, 5, 6, …) because of the Bridge Assurance feature, at which the switchport (Eth2/2) no longer receive BPDU for those VLANs, hence the switch will put that switchport in “Bridge Assurance Inconsistent” state.

We can verify the STP information regarding the switchport using the following command:

stp-show2

We can deduce the following points from the previous figure:

1-Port number = 258 , as mentioned before this value is H/W specific, that represent the second part constructing the Port ID.
2-Role: Designated.
3-State: Forwarding.
4-Port path cost = 5
5-Port priority = 128
6-Port ID consists of two parts: Port priority = 128, and the Port number = 258.
7-The designated root bridge has bridge priority = 4097, and the bridge address = 5000.0001.002f.
8-The designated bridge in this segment has bridge priority = 4097, and the bridge address = 5000.0001.002f.
9-The designated port in this segment has port ID = 128.258.
10-The path cost to reach the designated bridge = 0, as this switch itself is the designated bridge.
11-Timers: Message age = 0 as this switch is the Root bridge, Forward delay = 0 as this port right now in Forwarding state hence the Forward delay timer is not active at the moment and hold time = 0 as this time represent the min number of seconds between each BPDU sent on the port.
12-The link transit to forwarding state only one time.
13-The link type is Point-to-point by default as the port is Full-duplex which is designed to connect this port to only one device.
14-The number of sent (11784) and received(18) BPDUs.

We can check the pathcost method configured on the switch using the following command:

stp-show6

We can check the Root bridge ID for the different VLANs using the following command:

stp-show7

We can check summary about the STP and its features using the following command:

stp-show9

We can deduce the following points from the previous figure:

1-Switch is running RPVST mode.
2-This switch is the root bridge for the VLANs: 1 – 20, 1002 – 1005 and 4041.
3-Port type Default is disabled, which means that no global default configuration for the Port Type on the switch.
4-Edge port [PortFast] BPDU Guard default is enabled, which means that the BPDU Guard feature is enabled globally as default on all the Edge ports (PortFast ports).
5-Edge port [PortFast] BPDU Filter default is enabled, which means that the BPDU Filter feature is enabled globally as default on all the Edge ports (PortFast ports).
6-Bridge Assurance feature is enabled.
7-Loopguard default feature is not enabled, which means that no global default configuration for the Loopguard feature on the switch.
8-PathCost method is short method.
9-STP-Lite feature is enabled, and this feature is used with FCoE VLAN (for Storage field) so will not be discussed here.
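The show commands behind the verification points above, collected as an added example (not from the original post’s figures), with the extra checks a security-minded operator adds: which ports BPDU Guard or UDLD has err-disabled, whether they will recover, and whether a BPDU was ever seen on a guarded port. Interface numbers are assumptions.

```text
! Added example, not from the original post. Interface numbers are assumptions.
! Per-VLAN view: root ID, bridge ID, timers, per-port role/state/cost.
NX-OS-SW1# show spanning-tree vlan 1
! Which VLAN instances are active, and which ports STP is blocking.
NX-OS-SW1# show spanning-tree active
NX-OS-SW1# show spanning-tree blockedports
! Ports held in Bridge Assurance / root guard / loop guard inconsistent state.
NX-OS-SW1# show spanning-tree inconsistentports
! Port-level detail: port ID, designated root/bridge/port, BPDU counters.
NX-OS-SW1# show spanning-tree interface ethernet 2/2 detail
NX-OS-SW1# show spanning-tree pathcost method
NX-OS-SW1# show spanning-tree root
! Global feature state (BPDU Guard/Filter defaults, Bridge Assurance, loop guard).
NX-OS-SW1# show spanning-tree summary
! Security checks: ports shut by BPDU Guard or UDLD, and the recovery timers.
NX-OS-SW1# show interface status err-disabled
NX-OS-SW1# show errdisable recovery
NX-OS-SW1# show udld neighbors
! A BPDU received on an edge or guarded port is the event to alert on.
NX-OS-SW1# show logging last 50 | grep -i bpdu
```

Of these, "show spanning-tree inconsistentports" and "show interface status err-disabled" are the two to poll from monitoring: a port that appears in either list means STP has already acted against a neighbour or host that misbehaved.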

 

BASIC MST CONFIGURATION COMMANDS:

We can configure MST as the STP mode on NX-OS using the following commands:
1-We need to configure the MST as the STP mode.
2-Configure the MST name.
3-Configure the MST revision number.
4-Configure the MST instance to VLAN(s) mapping.

mst-config1

We can configure the Nexus switch to be the root bridge for one or more MST instances using the following command:

mst-config2

We can configure the Nexus switch to be the secondary bridge for one or more MST instances using the following command:

mst-config3

We can change the bridge ID by changing the switch/bridge priority per MST instance using the following command:

mst-config4

We can change the STP process timers (hello, forward delay and max age timers) for MST using the following commands:

mst-config5

mst-config6

mst-config7

We can change the port cost per MST instance using the following command:

mst-config8

We can change port priority per MST instance using the following command:

mst-config9
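The four MST steps and the per-instance tuning above combined into one added configuration example for NX-OS-SW1 (an added example, not a figure from the original post). The region name, revision number, instance-to-VLAN mapping and the numeric values are assumptions; the name, revision and mapping must be identical on every switch that should belong to the region, including the classic IOS access switches, otherwise they form a separate region.

```text
! Added example, not from the original post. Region name, revision, mapping
! and values are assumptions.
NX-OS-SW1# configure terminal
NX-OS-SW1(config)# spanning-tree mode mst
! Region definition. Name, revision and instance mapping must match on every
! switch in the region (a digest of the mapping is carried in every MST BPDU).
NX-OS-SW1(config)# spanning-tree mst configuration
NX-OS-SW1(config-mst)# name DC1
NX-OS-SW1(config-mst)# revision 1
NX-OS-SW1(config-mst)# instance 1 vlan 1-10
NX-OS-SW1(config-mst)# instance 2 vlan 11-20
! Review before committing; "exit" applies the pending configuration.
NX-OS-SW1(config-mst)# show pending
NX-OS-SW1(config-mst)# exit
! SW1 root for the IST (instance 0) and instance 1, backup for instance 2;
! NX-OS-SW2 gets the mirror image so both uplinks carry traffic.
NX-OS-SW1(config)# spanning-tree mst 0-1 root primary
NX-OS-SW1(config)# spanning-tree mst 2 root secondary
! Explicit alternative: priority 4096 + instance 1 = bridge priority 4097.
NX-OS-SW1(config)# spanning-tree mst 1 priority 4096
! MST timers are per switch, not per instance.
NX-OS-SW1(config)# spanning-tree mst hello-time 1
NX-OS-SW1(config)# spanning-tree mst forward-time 4
NX-OS-SW1(config)# spanning-tree mst max-age 6
! Per-instance port tuning on the SW3 downlink.
NX-OS-SW1(config)# interface ethernet 2/2
NX-OS-SW1(config-if)# spanning-tree mst 1 cost 5
NX-OS-SW1(config-if)# spanning-tree mst 1 port-priority 64
```

Changing the mode to MST is disruptive, and so is any later edit to the region mapping: the pending block exists so that the whole mapping is committed at once on "exit" rather than instance by instance, and the same edit must be pushed to every switch in the region in the same maintenance window.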

 

MST VERIFICATION COMMANDS:

We can verify that the MST is the currently enabled STP mode using the following command:

mst-show1

We can deduce the following points from the previous figure:

1-Spanning tree enabled protocol is “MST”.
2-Root bridge ID for MST instance 0 consists of two parts:
a-Root bridge Priority = 32768
b-Root bridge Address = 5000.0001.002f
3-This switch/bridge is the Root bridge for VLAN 1.
4-Hello Timer = 1 second, Max Age timer = 6 seconds and Forward Delay timer = 4 seconds (those values were manually modified; the defaults are hello timer = 2 seconds, Max Age timer = 20 seconds and Forward Delay timer = 15 seconds).
5-Bridge ID consists of two parts:
a-Bridge Priority = 32768 (configured Priority = 32768 and extended System ID = 0 (as MST instance = 0)).
b-Bridge Address = 5000.0001.002f
6-All the listed interfaces (Eth2/1 , Eth2/2 , Eth2/3 and Eth2/4) have the following info:
a-Role: Designated
b-State: Forwarding
c-Cost: 20000 (MST always uses the long pathcost method, under which a 1 Gbps link costs 20000, versus cost 4 with the short method in the Rapid PVST+ output above).
d-Port ID consists of two parts: Port priority = 128, and the Port number is unique for each interface as it is H/W specific.
7-Link type: Point-to-point.

We can check the MST configuration using the following command:

mst-show2

We can check the pending MST configuration using the following command:

mst-show3

We can verify the MST information regarding the switchport using the following command:

mst-show4

We can deduce the following points from the previous figure:

1-Eth2/2 of MST instance 1 is Designated and Forwarding.
2-VLANs mapped to MST instance 1 are 1 to 10.
3-Port info:
a-Port ID = 64.258
b-Port priority = 64
c-Port cost = 5
4-Designated Root bridge has the following info:
a-address =  5000.0001.002f
b-priority = 4097
c-cost = 0
5-Designated bridge in this segment has the following info:
a-address = 5000.0001.002f
b-priority = 4097
c-Port ID = 64.258
6-Timers:
a-message expire in 0 seconds
b-Forward delay = 0
c-Forward transitions = 1
7-Number of sent (4838) and received (34) BPDUs
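The MST verification commands above, plus the region-digest check that tells you whether two switches really are in the same region, as an added example (not from the original post’s figures); interface numbers are assumptions.

```text
! Added example, not from the original post. Interface numbers are assumptions.
NX-OS-SW1# show spanning-tree mst
NX-OS-SW1# show spanning-tree mst configuration
! Compare the digest with the other switches: a different digest means a
! different region, and only the CIST (instance 0) spans a region boundary.
NX-OS-SW1# show spanning-tree mst configuration digest
! Per-instance port detail and per-instance summary.
NX-OS-SW1# show spanning-tree mst 1 interface ethernet 2/2
NX-OS-SW1# show spanning-tree mst 1 detail
```

A digest mismatch is the most common reason an access switch that "is running MST" still ends up with one shared tree toward the Nexus pair: its name, revision or VLAN mapping differs by a single VLAN.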

 

Hope that the post is helpful.

Regards

Mostafa Hamza
