This chapter covers the following topics:
Port Security
When Cisco launched the Nexus product line, it introduced a new category of networking devices called data center switching. Data center switching products provide high-density, high-speed switching capacity to serve the needs of the servers (physical and virtual) in the data center. This chapter focuses on the core components of network switching and how to verify which components are working properly to isolate and troubleshoot Layer 2 forwarding issues.
The Ethernet protocol first used technologies such as Thinnet (10Base2) or Thicknet (10Base5), which connected all the network devices via the same cable. This caused problems when two devices tried to talk at the same time, because Ethernet devices use Carrier Sense Multiple Access/Collision Detect (CSMA/CD) to ensure that only one device talked at time in a collision domain. If a device detected that another device was transmitting data, it delayed transmitting packets until the cable was quiet.
As more devices were added to a cable, the less efficient the network became. All these devices were in the same collision domain (CD). Network hubs proliferated the problem because they added port density while repeating traffic. Network hubs do not have any intelligence in them to direct network traffic.
Network switches enhance scalability and stability in a network through the creation of virtual channels. Switches maintain a table that associate a host’s MAC Ethernet addresses to the port that sourced the network traffic. Instead of flooding all traffic out of every port, a switch uses the MAC address table to forward network traffic only to the destination port associated to the destination MAC address of the packet. Packets are forwarded out of all network ports for that LAN only if the destination MAC address is not known on the switch (known as unicast flooding).
Network broadcasts (MAC Address: ff:ff:ff:ff:ff:ff) cause the switch to broadcast the packet out of every LAN switch port interface. This is disruptive because it diminishes the efficiencies of a network switch to those of a hub because it causes communication between network devices to stop because of CSMA/CD. Network broadcasts do not cross Layer 3 boundaries (that is, from one subnet to another subnet). All devices that reside in the same Layer 2 (L2) segment are considered to be in the same broadcast domain.
Figure 4-1 displays PC-A’s broadcast traffic that is being advertised to all devices on that network, which include PC-B, PC-C, and R1. R1 does not forward the broadcast traffic from one broadcast domain (192.168.1.0/24) to the other broadcast domain (192.168.2.0/24).
The local MAC address table contains the list of MAC addressees and the ports that those MAC addresses learned. The MAC address table is displayed with the command show mac address-table [address mac-address]. To ensure that the switch hardware ASICS are programmed correctly, the hardware MAC address table is displayed with the command show hardware mac address-table module [dynamic] [address mac-address].
Example 4-1 displays the MAC address table on a Nexus switch. Locating the switch port the network device is attached to is the first step of troubleshooting L2 forwarding. If multiple MAC addresses appear on the same port, it indicates that a switch is connected to that port, and that connecting to the switch may be required as part of the troubleshooting processs to identify the port the network device is attached to.
Note
The terms network device and hosts are considered interchangeable in this text.
Adding a router between LAN segments helps shrink broadcast domains and provides for optimal network communication. Host placement on a LAN segment varies because of network addressing. This could lead to inefficient usage of hardware because some switch ports could go unused.
Virtual LANs (VLAN) provide a logical segmentation by creating multiple broadcast domains on the same network switch. VLANs provide higher utilization of switch ports because a port could be associated to the necessary broadcast domain, and multiple broadcast domains can reside on the same switch. Network devices in one VLAN cannot communicate with devices in a different VLAN via traditional L2 or broadcast traffic.
VLANs are defined in the Institute of Electrical and Electronics Engineers (IEEE) 802.1Q standard, which states that 32 bits are added to the packet header and are composed of the following:
Tag protocol identifier (TPID): 16-bit field set to 0x8100 to identify the packet as an 802.1Q.
Priority code point (PCP): A 3-bit field to indicate a class of service (CoS) as part of Layer 2 quality of service (QoS) between switches.
Drop Eligible Indicator (DEI): A 1-bit field that indicates if the packet can be dropped when there is bandwidth contention.
VLAN identifier (VID): A 12-bit field that specifies the VLAN associated to a network packet.
Figure 4-2 displays the VLAN packet structure.
The VLAN identifier has only 12 bits, which provide 4094 unique VLANs. NX-OS uses the following logic for VLAN identifiers:
VLAN 0 is reserved for 802.1P traffic and cannot be modified or deleted.
VLAN 1 is the default VLAN and cannot be modified or deleted.
VLANs 2 to 1005 are in the normal VLAN range and can be added, deleted, or modified as necessary.
VLANs 1006 to 3967 and 4048 to 4093 are in the extended VLAN range and can be added, deleted, or modified as necessary.
VLANs 3968 to 4047 and 4094 are considered internal VLANs and are used internally by NX-OS. These cannot be added, deleted, or modified.
VLANs 4095 is reserved by 802.1Q standards and cannot be used.
VLANs are created by using the global configuration command vlan vlan-id. A friendly name (32 characters) is associated to the VLAN by using the VLAN submode configuration command name name. The VLAN is not created until the CLI has been moved back to the global configuration context or a different VLAN identifier. Example 4-2 demonstrates the creation of VLAN 10 (Accounting), VLAN 20 (HR), and VLAN 30 (Security) on NX-1.
VLANs and their port assignment are verified with the show vlan [id vlan-id] command, as demonstrated in Example 4-3. The output is reduced to a specific VLAN by using the optional id keyword. Notice that the output is broken into three separate areas: Traditional VLANs, Remote Switched Port Analyzer (RSPAN) VLANs, and Private VLANs.
Note
Most engineers assume that a VLAN maintains a one-to-one ratio of subnet-to-VLAN. Multiple subnets can exist in the same VLAN by assigning a secondary IP address to a router’s interface or by connecting multiple routers to the same VLAN. In situations like this, both subnets are part of the same broadcast domain.
Access ports are the fundamental building block of a managed switch. An access port is assigned to only one VLAN. It carries traffic from the VLAN to the device connected to it, or from the device to other devices on the same VLAN on that switch.
NX-OS places a L2 switch port as an access port by default. The port is configured as an access port with the command switchport mode access. A specific VLAN is associated to the port with the command switchport access vlan vlan-id. If the VLAN is not specified, it defaults to VLAN 1. The 802.1Q tags are not included on packets transmitted or received on access ports.
The switchport mode access command does not appear when looking at the traditional running configuration and requires the optional all keyword, as shown in Example 4-4.
The command show interface interface-id displays the mode that the port is using. The assigned VLAN for the port is viewed with the show vlan command, as shown earlier in Example 4-2, or with show interface status. Example 4-5 demonstrates the verification of an access port and the associated VLAN. It is important to verify that both hosts must be on the same VLAN for L2 forwarding to work properly.
Trunk ports can carry multiple VLANs across them. Trunk ports are typically used when multiple VLANs need connectivity between a switch and another switch, router, or firewall. VLANs are identified by including the 802.1Q headers in the packets as the packet is transmitted across the link. The headers are examined upon the receipt of the packet, associated to the proper VLAN, and then removed.
Trunk ports must be statically defined on Nexus switches with the interface command switchport mode trunk. Example 4-6 displays Eth1/1 being converted to a trunk port.
The command show interface trunk provides a lot of valuable information into the following sections when troubleshooting connectivity between network devices:
The first section list all the interfaces that are trunk ports, status, association to a port-channel, and native VLAN.
The second section of the output displays the list of VLANs that are allowed on the trunk port. Traffic can be minimized on trunk ports to restrict VLANs to specific switches, thereby restricting broadcast traffic, too. Other use cases involve a form of load balancing between network links where select VLANs are allowed on one trunk link, and a different set of VLANs are allowed on a different trunk port.
The third section displays any ports or VLANs that are in an error disabled (Err-disabled) state. Typically, these errors are related with an incomplete virtual port channel (vPC) configuration. vPCs are explained in detail in Chapter 5, “Port Channels, Virtual Port-Channels, and FabricPath.”
The fourth section displays the VLANs that are in a forwarding state on the switch. Ports that are in blocking state are not listed under this section.
Example 4-7 demonstrates the use of the show interface trunk command.
Traffic on a trunk port’s native VLAN does not include the 802.1Q tags. The native VLAN is a port-specific configuration and is changed with the interface command switchport trunk native vlan vlan-id.
The native VLAN should match on both ports, or traffic can change VLANs. Although connectivity between hosts is feasible (assuming that they are on the different VLAN numbers), this causes confusion for most network engineers and is not a best practice.
Note
All switch control-plane traffic is advertised using VLAN 1. As part of Cisco’s security hardening guide, it is recommended to change the native VLAN to something other than VLAN 1. More specifically, it should be set to a VLAN that is not used at all to prevent VLAN hopping.
As stated earlier, VLANs can be restricted from certain trunk ports as a method of traffic engineering. This can cause problems if traffic between two hosts is expected to traverse a trunk link, and the VLAN is not allowed to traverse that trunk port. The interface command switchport trunk allowed vlan-ids specifies the VLANs that are allowed to traverse the link. Example 4-8 displays sample configuration to limit the VLANs that can cross the Eth1/1 trunk link to 1,10, 30, and 99.
Note
The full command syntax is switchport trunk allowed {vlan-ids | all | none | add vlan-ids | remove vlan-ids | except vlan-ids} provides a lot of power in a single command.
When scripting configuration changes, it is best to use the add or remove keywords because they are more prescriptive. A common mistake is using the switchport trunk allowed vlan-ids command, where only the VLAN that is being added is listed. This results in the current list being overwritten, causing traffic loss for the VLANs that were omitted.
Some network designs require segmentation between network devices. This is easily accomplished by two techniques:
Creating unique subnets for every security domain and restricting network traffic with an ACL. Using this technique can waste IP addresses when a host range falls outside of a subnet range (that is, a security zone with 65 hosts requires /25 and results in wasting 63 IP addresses; this does not take into consideration the broadcast and network addresses).
Using private VLANs.
Private VLANs (PVLAN) provide two-tier hierarchy (primary or secondary VLAN) to restrict traffic between ports from a L2 perspective. An explicit mapping between the primary VLAN and secondary VLAN is required to allow communication outside of the PVLAN. Ports are associated into three categories:
Promiscuous: Ports associated to this VLAN are a primary PVLAN (the first tier) and are allowed to communicate to all hosts. Typically, these are ports assigned to a router, firewall, or server that is providing centralized services (DHCP, DNS, and so on).
Isolated: These ports are in a secondary PVLAN (in the second tier of the hierarchy) and are allowed to communicate only with ports associated to the promiscuous PVLAN. Traffic is not transmitted between ports in the same isolated VLAN.
Community: These ports are in a secondary PVLAN and are allowed to communicate with other ports in this VLAN and ports associated to the promiscuous VLAN.
Figure 4-3 demonstrates the usage of PVLANs for a service provider. R1 is the router for every host in the 10.0.0.0/24 network segment and is connected with a promiscuous PVLAN. Host-2 and Host-3 are from different companies and should not be able to communicate with any host. They should only be able to communicate with R1.
Host-4 and Host-5 are from the same third company and need to talk with each other along with R1. Host-6 and Host-7 are from the same fourth company and need to talk with each other along with R1. All other communication is not allowed.
Table 4-1 displays the communication capability between hosts. Notice that Host-4 and Host-5 communicate with each other; but cannot communicate with Host-2, Host-3, Host-6, and Host-7.
R1 |
Host-2 |
Host-3 |
Host-4 |
Host-5 |
Host-6 |
Host-7 |
|
R1 |
N/A |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Host-2 |
✓ |
N/A |
X |
X |
X |
X |
X |
Host-3 |
✓ |
X |
N/A |
X |
X |
X |
X |
Host-4 |
✓ |
X |
X |
N/A |
✓ |
X |
X |
Host-5 |
✓ |
X |
X |
✓ |
N/A |
X |
X |
Host-6 |
✓ |
X |
X |
X |
X |
N/A |
✓ |
Host-7 |
✓ |
X |
X |
X |
X |
✓ |
N/A |
Isolated PVLANs allow communication only with promiscuous ports; thereby, only one isolated PVLAN is needed for one L3 domain. The process for deploying isolated PVLANs on a Nexus switch is as follows:
Step 1. Enable the private VLAN feature. Enable the PVLAN feature with the command feature private-vlan in the global configuration mode.
Step 2. Define the isolated PVLAN. Create the isolated PVLAN with the command vlan vlan-id. Underneath the VLAN configuration context, identify the VLAN as an isolated PVLAN with the command private-vlan isolated.
Step 3. Define the promiscuous PVLAN. Create the promiscuous PVLAN with the command vlan vlan-id. Underneath the VLAN configuration context, identify the VLAN as a promiscuous PVLAN with the command private-vlan primary.
Step 4. Associate the isolated PVLAN to the promiscuous PVLAN. Underneath the promiscuous PVLAN configuration context, associate the secondary (isolated or community) PVLANs with the command private-vlan secondary-pvlan-id. If multiple secondary PVLANs are used, delineate with the use of a comma.
Step 5. Configure the switchport(s) for the promiscuous PVLAN. Change the configuration context to the switch port for the promiscuous host with the command interface interface-id. Change the switch port mode to promiscuous PVLAN with the command switchport mode private-vlan promiscuous.
The switch port must then be associated to the promiscuous PVLAN with the command switchport access vlan promiscuous-vlan-id. A mapping between the promiscuous PVLAN and any secondary PVLANs must be performed using the command switchport private-vlan mapping promiscuous-vlan-id secondary-pvlan-vlan-id. If multiple secondary PVLANs are used, delineate with the use of a comma.
Step 6. Configure the switchport(s) for the isolated PVLAN. Change the configuration context to the switch port for the isolated host with the command interface interface-id. Change the switch port mode to the secondary PVLAN type with the command switchport mode private-vlan host.
The switch port must then be associated to the promiscuous PVLAN with the command switchport access vlan isolated-vlan-id. A mapping between the promiscuous PVLAN and the isolated PVLAN must be performed using the command switchport private-vlan mapping host-association promiscuous-vlan-id isolated-pvlan-vlan-id.
Example 4-9 displays the deployment of VLAN 20 as an isolated PVLAN on NX-1, according to Figure 4-3. VLAN 10 is the promiscuous PVLAN.
After configuring a switch for PVLANs, it is recommended to verify the configuration using the command show vlan [private-vlan]. The optional private-vlan keyword only shows the output of the PVLAN section from show vlan.
In Example 4-10, the primary VLAN correlates to the promiscuous PVLAN, the secondary VLAN correlates to the isolated PVLAN, the PVLAN type is confirmed, and all active ports are listed off to the side. The promiscuous ports are always included. If a port is missing, recheck the interface configuration because an error probably exists in the PVLAN mapping configuration.
Note
An isolated or community VLAN can be associated with only one primary VLAN.
PVLAN ports require a different port type and are set by the switchport mode private-vlan {promiscuous | host} command. This setting is verified by examining the interface using the show interface command. Example 4-11 displays the verification of the PVLAN switch port type setting.
Another technique is to verify that the isolated PVLAN host devices can reach the promiscuous host device. This is achieved with a simple ping test, as shown in Example 4-12.
A community PVLAN allows communication only with promiscuous ports and other ports in the same community PVLAN. The process for deploying community PVLANs on a Nexus switch is as follows:
Step 1. Enable the private VLAN feature. Enable the PVLAN feature with the command feature private-vlan in the global configuration mode.
Step 2. Define the community PVLAN. Create the community PVLAN with the command vlan vlan-id. Underneath the VLAN configuration context, identify the VLAN as a community PVLAN with the command private-vlan community.
Step 3. Define the promiscuous PVLAN. Create the promiscuous PVLAN with the command vlan vlan-id. Underneath the VLAN configuration context, identify the VLAN as a promiscuous PVLAN with the command private-vlan primary.
Step 4. Associate the community PVLAN to the promiscuous PVLAN. Underneath the promiscuous PVLAN configuration context, associate the secondary (isolated or community) PVLANs with the command private-vlan secondary-pvlan-id. If multiple secondary PVLANs are used, delineate with the use of a comma.
Step 5. Configure the switch port(s) for the promiscuous PVLAN. Change the configuration context to the switch port for the promiscuous host with the command interface interface-id. Change the switch port mode to promiscuous PVLAN with the command switchport mode private-vlan promiscuous.
The switch port must then be associated to the promiscuous PVLAN with the command switchport access vlan promiscuous-vlan-id. A mapping between the promiscuous PVLAN and any secondary PVLANs needs to be performed using the command switchport private-vlan mapping promiscuous-vlan-id secondary-pvlan-vlan-id. If multiple secondary PVLANs are used, delineate with the use of a comma.
Step 6. Configure the switch port(s) for the community PVLAN. Change the configuration context to the switch port for the isolated host with the command interface interface-id. Change the switch port mode to the secondary PVLAN type with the command switchport mode private-vlan host.
The switch port must then be associated to the promiscuous PVLAN with the command switchport access vlan isolated-vlan-id. A mapping between the promiscuous PVLAN and the community PVLAN needs to be performed using the command switchport private-vlan mapping host-association promiscuous-vlan-id community-pvlan-vlan-id.
Example 4-13 displays the deployment of VLAN 30 as a community PVLAN for Host-4 and Host-5 along with VLAN 40 for Host-6 and Host-7, according to Figure 4-3. VLAN 10 is the promiscuous PVLAN.
Note
VLAN 20 was a part of the promiscuous port configuration to demonstrate how isolated and community PVLANs co-exist as a continuation of the previous configuration to provide the solution shown in Figure 4-3.
Verification of community PVLANs is accomplished with the command show vlan [private-vlan]. Remember that if a port is missing in the PVLAN section, recheck the interface configuration because an error probably exists in the mapping configuration.
Example 4-14 displays all the PVLANS and associated ports. Notice how VLAN 10 is the primary VLAN for VLAN 20, 30, and 40.
Example 4-15 provides basic verification that all hosts in the isolated and community PVLANs can reach R1. All hosts are not allowed to reach any other host in the isolated PVLAN, whereas hosts in community PVLANs can only reach hosts in the same community PVLAN.
A switched virtual interface (SVI) can be configured as a promiscuous port for a PVLAN. The primary and secondary PVLAN mappings are performed as previously explained, but the VLAN interface has the command private-vlan mapping secondary-vlan-id. Example 4-16 demonstrates NX-1 adding the SVI for VLAN 10 with the IP address of 10.0.0.10/24.
The promiscuous PVLAN SVI port mapping is confirmed with the command show interface vlan promiscuous-vlan-id private-vlan mapping, as shown in Example 4-17.
Example 4-18 demonstrates the connectivity between the hosts with the promiscuous PVLAN SVI. The two promiscuous devices (NX-1 and R1) can ping each other. In addition, all the hosts (demonstrated by Host-2) ping both NX-1 and R1 without impacting the PVLAN functionality assigned to isolated or community PVLAN ports.
Some topologies require that a PVLAN span across multiple switches. In these designs, there are three possible options depending upon the capabilities of the upstream or downstream switch. These scenarios are as follows:
All switches support PVLANs: In this scenario, all the PVLANs and their primary/secondary mappings must be configured on both upstream and downstream switches. A normal 802.1Q trunk link is established between the devices. The switch with the promiscuous port is responsible for directing traffic to/from the promiscuous port. In this scenario, spanning tree maintains a separate instance for each of the PVLANs.
The upstream switch does not support PVLANs: In this scenario, the PVLANs and their primary/secondary mappings must be configured on the downstream switch. Because the upstream switch does not support PVLANs, the downstream switch must merge/separate the secondary PVLANs to the primary PVLANs so that devices on the upstream switch only need to use the primary PVLAN-ID. The upstream trunk switch port is configured with the command switchport mode private-vlan trunk promiscuous. These trunk ports are often referred to as promiscuous PVLAN trunk ports.
The downstream switch does not support PVLANs: In this scenario, the PVLANs and their primary/secondary mappings must be configured on the upstream switch. Because the downstream switch does not support PVLANs, the upstream switch must merge/separate the secondary PVLANs to the primary PVLANs so that devices on the downstream switch only need to use the secondary PVLAN-ID. The downstream trunk switch port is configured with the command switchport mode private-vlan trunk secondary. These trunk ports are often referred to as isolated PVLAN trunk ports.
Note
In all three scenarios, regular VLANs are transmitted across the trunk link.
Note
Not all Nexus platforms support the promiscuous or isolated PVLAN trunk ports. Check www.cisco.com for feature parity.
A good network design provides redundancy in devices and network links (paths). The simplest solution involves adding a second link between switches to overcome network link failure, or ensuring that a switch is connected to at least two switches in a topology.
However, these topologies cause problems when a switch has to forward broadcasts or unknown unicast flooding occurs. Network broadcasts forward in a continuous loop until the link becomes saturated and the switch is forced to drop packets. In addition, the MAC address table will be constantly changing ports as the packets make loops, therefore increasing CPU and memory consumption and probably crashing the switch.
The Spanning Tree Protocol is the protocol that builds a L2 loop-free topology in an environment by temporarily blocking traffic on specific ports. The Spanning Tree Protocol has multiple iterations:
802.1D is the original specification
Per-VLAN Spanning Tree (PVST)
Per-VLAN Spanning Tree Plus (PVST+)
802.1W Rapid Spanning Tree Protocol (RSTP)
802.1S Multiple Spanning Tree Protocol (MST)
Nexus switches operate as RSTP or MST mode only. Both of these are backward compatible with 802.1D standards.
The original version of STP comes from the IEEE 802.1D standards and provides support for ensuring a loop-free topology for one VLAN. In the Spanning Tree Protocol, every port transitions through a series of the following states:
Disabled: The port is in an administratively off position (that is, shutdown).
Blocking: The switch port is enabled, but the port is not forwarding any traffic to ensure a loop is created. The switch does not modify the MAC address table. It can only receive Bridge Protocol Data Units (BPDU) from other switches.
Listening: The switch port has transitioned from a blocking state and can now send or receive BPDUs. It cannot forward any other network traffic.
Learning: The switch port can now modify the MAC address table with any network traffic that it receives. The switch still does not forward any other network traffic besides BPDUs. The switch port transitions into this state after the forward delay has expired.
Forwarding: The switch port can forward all network traffic and can update the MAC address table as expected. This is the final state for a switch port to forward network traffic.
Broken: The switch has detected a configuration or operational problem on a port that can have major effects. The port will discard packets for as long as the problem continues to exist.
The original Spanning Tree Protocol defined the following three port types:
Designated port: A network port that receives and forwards frames to other switches. Designated ports provide connectivity to downstream devices and switches.
Root port: A network port that connects to the root switch or an upstream switch in the spanning-tree topology.
Blocking port: A network that is not forwarding traffic because of Spanning Tree Protocol.
Within the Spanning Tree Protocol are a couple key terms that must be understood:
Root bridge: The root bridge is the most important switch in the L2 topology. All ports are in a forwarding state. This switch is considered the top of the spanning-tree for all path calculations by other switches. All ports on the root bridge are categorized as designated ports.
Bridge Protocol Data Unit (BPDU): This network frame is used strictly for detecting the STP topology so that switches can identify the root bridge, root ports, designated ports, and blocking ports. The BPDU consists of the following fields: STP Type, Root Path Cost, Root Bridge Identifier, Local Bridge Identifier, Max Age, Hello Time, Forward Delay. The BPDU uses a destination MAC address of 01:80:c2:00:00:00.
Root Path Cost: The combination of the cost for a specific path toward the root switch.
Root Bridge Identifier: Combination of the root bridge system MAC, system-ID extension, and system priority of the root bridge.
Local Bridge Identifier: Combination of the advertising switch’s bridge system MAC, System ID extension, and system priority of the root bridge.
Max Age: The timer the controls the maximum length of time that passes before a bridge port saves its BPDU information. On Nexus switches, this is relevant for backward compatibility with switches using traditional 802.1D STP.
Hello Time: The time that a BPDU is advertised out of a port. The default value is 2 seconds and is configured to a value of 1 to 10 seconds with the command spanning-tree vlan vlan-id hello-time hello-time.
Forward Delay: The amount of time that a port stays in a listening and learning state. The default value is 15 seconds and can be changed to a value of 15 to 30 seconds with the command spanning-tree vlan vlan-id forward-time forward-time.
Note
A lot of STP terminology uses the term bridge, even though STP runs on switches. The term bridge and switch are interchangeable in this context.
802.1 D (the first version of Spanning Tree Protocol) created only one topology tree. For larger environments with multiple VLANs, creating different Spanning Tree Protocol topologies allowed for different VLANs to use different links. Cisco created Per-VLAN Spanning Tree (PVST) and Per-VLAN Spanning Tree Plus (PVST+) to allow for such flexibility.
PVST and PVST+ were proprietary spanning protocols. The concepts in these protocols were incorporated with other enhancements to form the IEEE 802.1W specification. The 802.1Q specification incorporated additional enhancements to provide faster convergence and is called Rapid Spanning Tree Protocol (RSTP).
RSTP defines the following port roles:
Designated port: A network port that receives and forwards frames to other switches. Designated ports provide connectivity to downstream devices and switches.
Root port: (RP) A network port that connects to the root switch or an upstream switch in the spanning-tree topology.
Alternate port: A network port that provides alternate connectivity toward the root switch via a different switch.
Backup port: A network port that provides link redundancy toward the current root switch. The backup port cannot guarantee connectivity to the root bridge in the event the upstream switch fails. A backup port exists only when multiple links connect between the same switches.
With RSTP protocol, switches exchange handshakes with other switches to transition through the following Spanning Tree Protocol states faster:
Discarding: The switch port is enabled, but the port is not forwarding any traffic to ensure a loop is created. This state combines the traditional Spanning Tree Protocol states of Disabled, Blocking, and Listening.
Learning: The switch port now modifies the MAC address table with any network traffic that it receives. The switch still does not forward any other network traffic besides BPDUs.
Forwarding: The switch port forwards all network traffic and updates the MAC address table as expected. This is the final state for a switch port to forward network traffic.
Note
A switch tries to establish an RSTP handshake with the device connected to the port. If a handshake does not occur, the other device is assumed to be non-RSTP compatible, and the port defaults to regular 802.1D behavior. This means that host devices such as computers and printers still encounter a significant transmission delay (~50 seconds) after the network link is established.
Note
RSTP is enabled by default for any L2 switch port with a basic configuration. Additional configuration can be applied to the switch to further tune RSTP.
The interface Spanning Tree Protocol cost is an essential component for root path calculation because the root path is found based upon the cumulative interface Spanning Tree Protocol cost to reach the root bridge. The interface Spanning Tree Protocol cost is associated based upon a reference value of 20 Gbps. Table 4-2 displays a list of interface speeds and the correlating interface Spanning Tree Protocol cost.
Link Speed |
Interface Spanning Tree Protocol Cost |
10 Mbps |
100 |
100 Mbps |
19 |
1 Gbps |
4 |
10 Gbps |
2 |
20 Gbps or faster |
1 |
The first step with Spanning Tree Protocol is to identify the root bridge. As a switch initializes, it assumes that it is the root bridge and uses the local bridge identifier as the root bridge identifier. It then listens to its neighbor’s BPDU and does the following:
If the neighbor’s BPDU is inferior to its own BPDU, the switch ignores that BPDU.
If the neighbor’s BPDU is preferred to its own BPDU, the switch updates its BPDUs to include the new root bridge identifier along with a new root path cost that correlates the total path cost to reach the new root bridge. This process continues until all switches in a topology have identified the root bridge switch.
Spanning Tree Protocol deems a switch more preferable if the priority in the bridge identifier is lower than other BPDUs. If the priority is the same, the switch prefers the BPDU with the lower system MAC.
Note
Generally, older switches have a lower MAC address and are considered more preferable. Configuration changes can be made for optimizing placement of the root switch in a L2 topology.
Figure 4-4 provides a simple topology to demonstrate some important spanning-tree concepts. In this topology, NX-1, NX-2, NX-3, NX-4, and NX-5 all connect to each other. The configuration on all the switches do not include any customizations for Spanning Tree Protocol, and the focus is primarily on VLAN 1, but VLANs 10, 20, and 30 exist in the topology. NX-1 has been identified as the root bridge because its system MAC address (5e00.4000.0007) is the lowest in the topology.
The root bridge is identified with the command show spanning-tree root. Example 4-19 demonstrates the command being executed on NX-1. The output includes the VLAN number, root bridge identifier, root path cost, hello time, max age time, and forwarding delay. Because NX-1 is the root bridge, all ports are designated, so the Root Port field displays This bridge is root.
The same command is run on NX-2 and NX-3 with the output displayed in Example 4-20. The Root ID field is the same as NX-1; however, the root path cost has changed to 2 because both switches must use the 10 Gbps link to reach NX-1. Eth 1/1 has been identified on both of these switches as the root port.
After the switches have identified the root bridge, they must determine their Root Port (RP). The root bridge continues to advertise BPDUs out all of its ports. The switch compares the BPDU information to identify the RP. The RP is selected using the following logic: (The next criteria is used if there is a tie.)
The interface associated to lowest path cost is more preferred.
The interface associated to the lowest system priority of the advertising switch.
The interface associated to the lowest system MAC address of the advertising switch.
When multiple links are associated to the same switch, the lowest port priority from the advertising router is preferred.
When multiple links are associated to the same switch, the lower port number from the advertising router is preferred.
The command show spanning-tree root is run on NX-4 and NX-5 with the output displayed in Example 4-21. The Root ID field is the same as NX-1 from Example 4-20; however, the root path cost has changed to 4 because both switches must traverse two 10 Gbps link to reach NX-1. Eth1/3 was identified as the RP on both switches.
Now that the root bridge and RPs are identified, all other ports are considered designated ports. However, if two switches are connected to each other on their designated ports, one of those switch ports must be set to a blocking state to prevent a forwarding loop. The logic to calculate which ports should be blocked between the two switches is the following:
The interface must not be considered as a RP.
The system priority of the local switch is compared to the system priority of the remote switch. The local port is moved to a blocking state if the remote system priority is lower than the local switch.
The system MAC address of the local switch is compared to the system priority of the remote switch. The local port is moved to a blocking state if the remote system MAC address is lower than the local switch.
Note
Step 3 is the last step of the selection process. If a switch has multiple links toward the root switch, the downstream switch always identifies the RP. All other ports will match the criteria for Step 2 or Step 3 and are placed into a blocking state.
The command show spanning-tree [vlan vlan-id] is used to provide useful information for locating a port’s Spanning Tree Protocol state. Example 4-22 displays NX-1’s Spanning Tree Protocol information for VLAN 1. The first portion of the output displays the relevant root bridge’s information, which is then followed by the local bridge’s information. The associated interface’s Spanning Tree Protocol port cost, port priority, and port type are displayed as well. All of NX-1’s ports are designated ports (Desg) because it is the root bridge.
There are three port types expected on NX-OS switches:
Point-to-Point (P2P): This port type connects with another network device (PC or RSTP switch).
P2P Peer (STP): This port type detects that it is connected to an 802.1D switch and is operating with backward compatibility.
Network P2P: This port type is specifically configured to connect with another RSTP switch and to provide bridge assurance.
Edge P2P: This port type is specifically configured to connect with another host device (PC, not a switch). Portfast is enabled on this port.
Note
If the Type field includes *TYPE_Inc –, this indicates a port configuration mismatch between the Nexus switch and the switch to which it is connected. It is either the port type, or the port mode (access versus trunk) is misconfigured.
Example 4-23 displays the Spanning Tree Protocol topology from NX-2 and NX-3. Notice that in the first root bridge section, the output provides the total root path cost and the port on the switch that is identified as the RP.
All the ports on NX-2 are in a forwarding state, but port Eth1/2 on NX-3 is in a blocking (BLK) state. Specifically, that port has been designated as an alternate port to reach the root in the event that Eth1/1 connection fails.
The reason that NX-3’s Eth1/2 port was placed into a blocking state versus NX-2’s Eth1/3 port is that NX-2’s system MAC address (5e00.4001.0007) is lower than NX-3’s system MAC address (5e00.4002.0007). This was deduced by looking at the Figure 4-4 and the system MAC addresses in the output.
All the interfaces that participate in that VLAN are listed in the output of the command show spanning-tree. This can be a daunting task for trunk ports that carry multiple VLANs. This can quickly be checked by examining the Spanning Tree Protocol state of the interface with the command show spanning-tree interface interface-id as shown in Example 4-24. If a VLAN is missing on a trunk port, check the allowed VLANs for that trunk interface, because that VLAN is probably missing from the list.
A properly designed network strategically places the root bridge on a specific switch and modifies which ports should be designated ports (that is, forwarding state) and which ports should be alternate ports (that is, discarding/blocking state). Design considerations factor in hardware platform, resiliency, and network topology.
Ideally, the root bridge is placed on a core switch, and a secondary root bridge is designated to minimize changes to the overall spanning tree. Root bridge placement is accomplished by lowering the system priority on the root bridge to the lowest value possible, the secondary root bridge to a value slightly higher than the root bridge, and ideally increasing the system priority on all other switches. This ensures a consistent placement of the root bridge. The priority is set with either of the following commands:
spanning-tree vlan vlan-id priority priority
The priority is a value between 0-61,440 in increments of 4,096.
spanning-tree vlan vlan-id root {primary | secondary}
Selecting the primary keyword sets the priority to 24,576 and the secondary keyword sets the priority to 28,672.
Note
The best way to prevent erroneous devices from taking over the root role is to set the priority to zero on the desired root bridge switch.
Example 4-25 demonstrates NX-1 being set as the root primary and NX-2 being set as the root secondary. Notice on NX-2’s output that it displays the root system priority, which is different from its system priority.
Note
Notice that the priority on NX-1 is off by one. That is because the priority in the BPDU packets is the priority plus the value of the Sys-Id-Ext (which is the VLAN number). So the priority for VLAN 1 is 24,577, and the priority for VLAN 10 is 24,586.
Root guard is a Spanning-Tree Protocol feature that prevents a configured port from becoming a root port by placing a port in ErrDisabled state if a superior BPDU is received on a configured port. Root guard prevents a downstream switch (often misconfigured or rogue) from becoming a root bridge in a topology.
Root guard is enabled on an interface-by-interface basis with the interface command spanning-tree guard root. Root guard is placed on designated ports toward other switches that should never ever become a root bridge. In the sample topology, root guard should be placed on NX-2’s Eth1/4 port and NX3-‘s Eth1/5 port. This prevents NX-4 and NX-5 from ever becoming a root bridge, but still allows for NX-2 to maintain connectivity to NX-1 via NX-3 in the event that the NX-1 ← → NX-2 link becomes incapacitated.
The Spanning Tree Protocol port cost is used for calculating the Spanning Tree Protocol tree. When a switch generates the BPDUs, the total path cost includes only its calculated metric to the root and does not include the port cost that the BPDU is advertised out of. The receiving router then adds the port cost on the interface the BPDU was received in conjunction with the value of the total path cost in the BPDU.
In Figure 4-4, NX-1 advertises its BPDUs to NX-3 with a total path cost of zero. NX-3 receives the BPDU and adds its Spanning Tree Protocol port cost of 2 to the total path cost in the BPDU (zero), resulting in a value of 2. NX-3 then advertises the BPDU toward NX-5 with a total path cost of 2, which NX-5 then adds to its ports cost of 2. NX-5 reports a cost of 4 to reach the root bridge via NX-3. The logic is confirmed in the output of Example 4-26. Notice that there is not a total path cost in NX-1’s output.
The interface path is modified to impact which ports are designated or alternate ports with the interface configuration command spanning tree [vlan vlan-id] cost cost. This is set up for all VLANs by omitting the optional vlan keyword, or for a specific VLAN.
Example 4-27 demonstrates the modification of NX-3’s port cost for Eth1/1, which ultimately impacts the Spanning Tree Protocol topology because the Eth1/2 port is no longer an alternate port, but is now a designated port. NX-2’s Eth1/3 port changed from a designated port to an alternate port.
The Spanning Tree Protocol port priority impacts which port is an alternate port when multiple links are used between switches. In Figure 4-4, there are two links between NX-4 and NX-5. The Spanning Tree Protocol port cost on Eth1/3 (which connects to NX-3) was modified to 1,234 so that one of the two links connecting to NX-4 is the RP.
Example 4-28 verifies that this change has made NX-5’s Eth1/1 the RP toward NX-4. Remember that system-Id and port cost is the same, so the next check is port priority and then followed by the port number. Both the port priority and port number are controlled by the upstream switch.
Modify the port priority on NX-4 with the command spanning-tree [vlan vlan-id] port-priority priority. The optional vlan keyword allows changing the priority on a VLAN-by-VLAN basis. Example 4-29 displays changing the port priority on NX-4’s Eth1/5 port to 64, and the impact it has on NX-5. Notice how NX5’s Eth1/4 port is now the RP.
In a Spanning-Tree Protocol topology, BPDUs traditionally flow from the root bridge toward the edge switches. Under normal operating conditions, BPDUs are not sent toward the root bridge. However, when a link becomes active or inactive, the change in topology has an impact to all the switches in the L2 topology.
The switch that detects the link status change sends a topology change notification (TCN) toward the root bridge. The root bridge creates a new TCN, which is then flooded toward all the switches in the L2 forwarding domain. Upon receipt of the root bridge’s TCN, all switches flush their MAC address table. This results in traffic being flooded out all ports while the MAC address table is rebuilt. Remember that hosts communicate using CSMA/CD, so this behavior causes a delay in communication while the switch rebuilds its MAC address table.
TCNs are generated on a VLAN basis, so the impact of TCNs directly correlate to the number of hosts in a VLAN. As the number of hosts increase, the more likely the frequency of TCN generation occurs and the more hosts that are impacted by the broadcasts. Topology changes should be checked as part of the troubleshooting process.
Topology changes are seen with the command show spanning-tree [vlan vlan-id] detail on the root bridge. In the output, examine the topology change count and time since the last change has occurred. A sudden or continuous increase in TCNs indicates a potential problem and should be investigated further.
Example 4-30 displays the output of the show spanning-tree vlan 10 detail command. Notice that the time since the last TCN was detected in and the interface that the TCN originated from is included. The next step is to locate the switch that is connected to the port causing the TCN. This is found by looking at CDP tables or your network documentation. The show spanning-tree [vlan vlan-id] detail is executed again to find the last switch in the topology to identify the problematic port.
Viewing the NX-OS event-history provides another insight to the Spanning Tree Protocol activities on a switch. The Spanning Tree Protocol event-history is displayed with the command show spanning-tree internal event-history all as demonstrated in Example 4-31.
The generation of TCN for hosts does not make sense because they generally have only one connection to the network. Restricting TCN creation to only ports that connect with other switches and network devices increases the L2 network’s stability and efficiency. The Spanning Tree Protocol portfast feature disables TCN generation for access ports.
Another benefit of the Spanning Tree Protocol portfast feature is that the access ports bypass the earlier 802.1D Spanning Tree Protocol states (learning and listening) and forward traffic immediately. This is beneficial in environments where computers use dynamic host configuration protocol (DHCP) or preboot execution environment (PXE).
The portfast feature is enabled on a specific port with the command spanning-tree port type edge, or globally on all access ports with the command spanning-tree port type edge default.
Example 4-32 demonstrates enabling portfast for NX-1’s Eth1/6 port along with its verification. Notice how the portfast ports are displayed with Edge P2P. The last section demonstrates how portfasts are enabled globally for all access ports.
In environments with thousands of VLANs, maintaining a Spanning Tree Protocol state for all the VLANs can become a burden to the switch’s processors. MST provides a blended approach by placing multiple VLANs on to a single Spanning Tree Protocol tree, called an MST instance. Traffic engineering is performed by modifying MST instance parameters versus modifying parameters on a VLAN-by-VLAN basis.
MST is configured by the following process:
Step 1. Set the Spanning Tree Protocol mode as MST. Define MST as the spanning-tree protocol with the command spanning-tree mode mst.
Step 2. Define the MST instance priority (optional). The MST instance priority is set to a MST region by one of two methods:
spanning-tree mst instance-number priority priority
The priority is a value between 0-61,440 in increments of 4,096
spanning-tree mst instance-number root {primary | secondary}
Selecting the primary keyword sets the priority to 24,576 and the secondary keyword sets the priority to 28,672
Step 3. Associate VLANs to an MST instance. By default all VLANs are associated to the MST 0 instance. The MST configuration submode must be entered with the command spanning-tree mst configuration. Then the VLANs are assigned to a different MST instance with the command instance instance-number vlan vlan-id.
Step 4. Specify the MST version number. The MST version number must match for all switches in the same MST region. The MST version number is configured with the submode configuration command revision version.
Step 5. Define the MST region name (optional). MST regions are recognized by switches that share a common name. By default, a region name is an empty string. The MST region name is set with the command name mst-region-name.
Example 4-33 demonstrates the MST configuration on NX-1. MST instance 2 contains VLAN 30, MST instance 1 contains VLANs 10 and 20, and MST instance zero contains all other VLANs.
The command show spanning-tree mst configuration provides a quick verification of the MST configuration on a switch. Example 4-34 demonstrates the output. Notice that MST instance zero contains all VLANs, except for VLANs 10, 20, and 30, regardless of whether those VLANs are configured on the switch.
The relevant spanning tree information can still be obtained with the command show spanning-tree. The primary difference is that the VLAN numbers are not shown, but the MST instance is provided instead. As well, the priority value for a switch is the MST instance plus the switch priority. Example 4-35 displays the output of this command.
A consolidated view of the MST topology table is displayed with the command show spanning-tree mst [instance-number]. The optional instance-number can be included to restrict the output to a specific instance. The command is demonstrated in Example 4-36. Notice that the VLANs are displayed next to the MST instance, simplifying any steps for troubleshooting.
The specific MST settings are viewed for a specific interface with the command show spanning-tree mst interface interface-id. Example 4-37 demonstrates the command. Notice that the output also includes additional information about optional Spanning Tree Protocol features, like BPDU Filter and BPDU Guard.
MST supports the tuning of port cost and port priority. The interface configuration command spanning-tree mst instance-number cost cost sets the interface cost. Example 4-38 demonstrates the configuration of NX-3’s Eth1/1 port being modified to a cost of 1, and verification of the interface cost before and after the change.
The interface configuration command spanning-tree mst instance-number port-priority priority sets the interface priority. Example 4-39 demonstrates the configuration of NX-4’s Eth1/5 port being modified to a priority of 64, and verification of the interface priority before and after the change.
High CPU consumption and low free-memory space are common symptoms of a L2 forwarding loop. Network packets do not decrement the Time-To-Live portion of the header as a packet is forwarded in a L2 topology. In an L2 forwarding packet, besides constantly consuming switch bandwidth, the CPU spikes as well. As the packet is received on a different interface, the switch must move the MAC address from one interface to the next. Eventually the switches in the topology crash because of exhausted CPU and memory resources.
Some common scenarios for L2 forwarding loops are the following:
Misconfigured load-balancer that transmits traffic out multiple ports with same MAC address.
Misconfigured virtual switch that bridges two physical ports. Virtual switches typically do not participate in Spanning Tree Protocol.
Use of a dumb network switch or hub by end users.
Virtual Machine migration to a different physical host. (This is not an L2 loop but does display a change of MAC address between ports.)
Fortunately, NX-OS includes a couple safeguards and protection mechanisms for L2 forwarding loops.
The most important option is to be able to identify which packets are being looped and the interfaces that they are being looped on. Nexus switches detect the change of MAC address and notify via syslog of the MAC address move. The NX-OS MAC address notification feature is enabled by default on newer software versions, but can be manually added with the global configuration command mac address-table notification mac-move.
Cisco added a protection mechanism that keeps CPU utilization from increasing during a L2 forwarding loop. When the MAC address move threshold is crossed (three times back and forth across a set of ports in a 10-second interval), the Nexus switch flushes the MAC address table and stops learning MAC addresses for a specific amount of time. Packets continue to be forwarded in a loop fashion, but the CPU does not max out, and it allows for other diagnostic commands to be executed so that the situation is remediated.
Example 4-40 displays the detection of the forwarding loop on VLAN 1 and the flushing of the MAC address table.
NX-OS provides an enhancement to this detection and places the port in a shutdown state when it detects a flapping MAC address. This functionality is enabled with the command mac address-table loop-detect port-down. Example 4-41 demonstrates the configuration of this feature, an occurrence where the feature is engaged, and how the interface is confirmed to be in a down state.
Note
Some platforms do not display the MAC notifications by default and require the following additional configuration commands:
logging level spanning-tree 6
logging level fwm 6
logging monitor 6
BPDU guard is a safety mechanism that shuts down ports configured with Spanning Tree Protocol portfast upon receipt of a BPDU. This ensures that loops cannot accidentally be created if an unauthorized switch is added to a topology.
BPDU guard is enabled globally on all Spanning Tree Protocol portfast ports with the command spanning-tree port type edge bpduguard default. BPDU guard can be enabled or disabled on a specific interface with the command spanning-tree bpduguard {enable | disable}. Example 4-42 displays the BPDU guard configuration for a specific port or globally on all access ports. Upon examination of the spanning-tree port details the by default keyword indicates that the global configuration is what applied BPDU guard to that port.
Note
BPDU guard should be configured on all host facing ports. However, do not enable BPDU guard on PVLAN promiscuous ports.
By default, ports that are put in ErrDisabled because of BPDU guard do not automatically restore themselves. The Error Recovery service can be used to reactivate ports that are shut down for a specific problem, thereby reducing administrative overhead. The Error Recovery service recovers ports shutdown from BPDU guard with the command errdisable recovery cause bpduguard. The period that the Error Recovery checks for ports is configured with the command errdisable recovery interval time-seconds.
Example 4-43 demonstrates the configuration of the Error Recovery service for BPDU guard and Error Recovery in action.
BPDU filter quite simply blocks BPDUs from being transmitted out of a port. BPDU filter can be enabled globally or on a specific interface. The behavior changes depending upon the configuration:
If BPDU filter is enabled globally with the command spanning-tree port type edge bpdufilter enable, the port sends a series of at least 10 BPDUs. If the remote port has BPDU guard on it, that generally shuts down the port as a loop prevention mechanism.
If BPDU filter is enabled on a specific interface with the command spanning-tree bpdufilter enable, the port does not send any BPDUs on an ongoing basis. However, the switch sends a series of at least 10 BPDUs when a port first becomes active. If the remote port has BPDU guard on it, that generally shuts down the port as a loop prevention mechanism.
Note
Be careful with the deployment of BPDU filter because it could cause problems. Most network designs do not require BPDU filter, and the use of BPDU filter adds an unnecessary level of complexity while introducing risk.
Example 4-44 verifies the BPDU filter was enabled globally on the Eth1/1 interface. This configuration sends the 10 BPDUs when the port first becomes active.
Network topologies that use fiber for connectivity can encounter unidirectional traffic flows because one cable transmits data from downstream to upstream switches while the other cable transmits data from upstream to downstream switches. In these scenarios, BPDUs are not able to be transmitted, so the downstream switch eventually times out the existing root port and identifies a different port as the root port. Now traffic is received on one port and forwarded out a different port, creating a forwarding loop.
There are three solutions to resolve this situation:
Spanning Tree Protocol LoopGuard
Unidirectional Link Detection
Bridge Assurance
Loop guard prevents any alternative or root ports from becoming designated ports (ports toward downstream switches) because of a loss of BPDUs on the root port. Loop guard places the original port in an ErrDisabled state while BPDUs are not being received. When BPDU transmission starts again on that interface, the port recovers and begins to transition through the Spanning Tree Protocol states again.
Loop guard is enabled globally using the command spanning-tree loopguard default, or it can be enabled on an interface basis with the interface command spanning-tree guard loop. It is important to note that loop guard should not be enabled on portfast enabled ports (directly conflicts with the root/alternate port logic) nor should it be enabled on virtual port-channel (vPC) ports.
Example 4-45 demonstrates the configuration of loop guard on NX-2’s Eth1/1 port.
Placing BPDU filter on NX-2’s Eth1/1 port that connects to the NX-1 (the root bridge) triggers loop guard. This is demonstrated in Example 4-46.
At this point in time, the port is considered in an inconsistent state. Inconsistent ports are viewed with the command show spanning-tree inconsistentports, as shown in Example 4-47. Notice how an entry exists for all the VLANs carried across the Eth1/1 port.
Unidirectional link detection (UDLD) allows for the bidirectional monitoring of fiber-optic and copper Ethernet cables. UDLD operates by transmitting UDLD packets to a neighbor device that includes the system-ID and port-ID of the interface transmitting the UDLD packet. The receiving router then repeats that information back to the originating router, which includes its system-ID and port-ID. The process continues indefinitely. If the frame is not acknowledged, the port is placed into an ErrDisabled state.
The UDLD feature must be enabled first with the command feature udld. UDLD is then enabled under the specific interface with the command udld enable. Example 4-48 demonstrates NX-1’s UDLD configuration on the link to NX-2.
UDLD must be enabled on the remote switch as well. Once configured, the status of UDLD for an interface is checked using the command show udld interface-id. Example 4-49 displays the output of UDLD status for an interface. The output contains the current state, Device-IDs (Serial Numbers), originating interface-IDs, and return interface-IDs.
After a UDLD failure, the interface state indicates that the port is down because of UDLD failure, as shown in Example 4-50.
The event-history provides relevant information for troubleshooting UDLD errors. The history is viewed with the command show udld internal event-history errors. This provides a time stamp and preliminary indication as to the cause of the problem. The history is displayed in Example 4-51.
There are two common UDLD failures, which are described in the following sections:
Empty Echo
Tx-Rx Loop
The Empty echo UDLD problem occurs in the following circumstances:
The UDLD session times out.
The remote switch does not process the UDLD packets.
The local switch does not transmit the UDLD packets.
Example 4-52 demonstrates the syslog messages that appear with a UDLD Empty Echo Detection.
This condition occurs when a UDLD frame appears to be received on the same port that it was advertised on. This means that the system-ID and port-ID in the received UDLD packet match the system-ID and port-ID on the receiving switch (that is, what was transmitted by the other switch). The Tx-Rx loop occurs in the following circumstances:
A misconfiguration or incorrect wiring in an intermediate device (optical transport)
Incorrect wiring or media problem
Example 4-53 demonstrates the syslog messages that appear with a UDLD Empty Echo Detection.
Bridge assurance overcomes some of the limitations that loop guard and UDLD are affected by. Bridge assurance works on Spanning Tree Protocol designated ports (which loop guard cannot) and overcomes issues when a port starts off in a unidirectional state. Bridge assurance makes Spanning Tree Protocol operate like a routing protocol (EIGRP/OSPF, and so on) where it requires health-check packets to occur bidirectionally.
The bridge assurance process is enabled by default, but requires that the trunk ports are explicitly configured with the command spanning-tree port type network. Example 4-54 demonstrates bridge assurance being configured on the interfaces connecting NX-1, NX-2, and NX-3 with each other.
Example 4-55 displays the Spanning Tree Protocol port type after configuring bridge assurance. Notice how the Network keyword has been added to the P2P type.
Example 4-56 demonstrates a BPDU filter being applied on NX-2’s link to NX-3. Almost instantly, bridge assurance has engaged on NX-2 and NX-3 because it cannot maintain a mutual handshake of BPDU packets.
The Spanning Tree Protocol port types now include the comment *BA_Inc*, which refers to the fact that those interfaces are now in an inconsistent port state for bridge assurance. Example 4-57 displays the new interface port types.
The command show spanning-tree inconsistentports list all the interfaces and the reasons that port is identified as inconsistent. Example 4-58 demonstrates the use of the command on NX-2. This is relevant to cross-referencing the event-history as shown earlier.
And upon removal of the BPDU filter, bridge assurance disengages and returns the port to a forwarding state, as shown in Example 4-59.
Note
Bridge assurance is the preferred method for detection of unidirectional links protection and should be used when all platforms support it.
This chapter provided a brief review of the Ethernet communication standards and the benefits that a managed switch provides to L2 topology. Troubleshooting L2 forwarding issues are composed of many components. The first step in troubleshooting L2 forwarding is to identify both the source and destination switch ports. From there it is best to follow the flowchart in Figure 4-5 for troubleshooting. Depending upon the outcome, the flowchart will redirect you back to the appropriate section in this chapter.
Fuller, Ron, David Jansen, and Matthew McPherson. NX-OS and Cisco Nexus Switching. Indianapolis: Cisco Press, 2013.
Cisco. Cisco NX-OS Software Configuration Guides, www.cisco.com.
18.118.144.12