spanning-tree port type network (Nexus)

Rupesh Kashyap · ‎01-16-2010

Hi, I have two Nexus 7000 switch named as SW-A & B. I have one 3750 series switch. I have configured PO-41 on both Nexus which is connecting with 3750 switch. My question is , Should I give command "spanning-tree port type network" in Po configuration on Nexus.

Please help as other side 3750 is not supporting this command.

interface port-channel41
description DDC-SA-C01B Po32 - L2/Trunk
switchport
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 32-62,68,999
vpc 41
spanning-tree port type network
spanning-tree guard root
storm-control broadcast level 10

Peter Paluch · ‎01-19-2010

Hello Rupesh,

Your Nexus is configured for a feature called STP Bridge Assurance. You may find additional information about it here:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/DC-3_0_IPInfra.html#wp1037337

(Scroll a little down on the page and look for Bridge Assurance)

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/SpanningEnhanced.html#wp1085663

According to the latter document:

Bridge Assurance is enabled by default and can only be disabled globally. Also, Bridge Assurance can be enabled only on spanning tree network ports that are point-to-point links. Finally, both ends of the link must have Bridge Assurance enabled. With Bridge Assurance enabled, BPDUs are sent out on all operational network ports, including alternate and backup ports, for each hello time period. If the port does not receive a BPDU for a specified period, the port moves into the blocking state and is not used in the root port calculation. Once that port receives a BPDU, it resumes the normal spanning tree transitions.

Basically, the Bridge Assurance tries to prevent switching loops by forcing the STP BPDUs to be sent from all operational ports, even those which under normal STP operation do not send out BPDUs. This makes the BPDU a true Hello mechanism, similar to Hellos in HSRP, OSPF, EIGRP or many other protocols. If a port does not receive BPDUs for a certain period, it assumes that the STP software on the peer has terminated and that the peer is not guaranteed to prevent a Layer2 loop anymore, therefore it blocks the port towards that peer.

Following this fact, both peers at the same link must run the Bridge Assurance, otherwise the feature is unusable. I have highlighted this fact in the quotation. Unfortunately, the 3750 switches do not appear to support the Bridge Assurance. According to the Cisco Feature navigator at http://cisco.com/go/fn the Bridge Assurance is supported only on certain Catalyst 6000 series.

I am afraid you will have to deactivate the Bridge Assurance on your Nexus to be able to interwork with your 3750 series switch.

Best regards,

Peter

japlank · ‎06-27-2010

Peter,

I hope by "deactivate on your Nexus" you are simply just saying change the port type to "normal".

"Bridge assurance works in conjunction with the spanning-tree port type command. The default port type for all ports in the switch is "normal" for backward compatibility with devices that do not yet support bridge assurance; therefore, even though bridge assurance is enabled globally, it is not active by default on these ports. The port must be configured to a spanning tree port type of "network" for bridge assurance to function on that port. Both ends of a point-to-point Rapid-PVST connection must have the switches enabled for bridge assurance, and have the connecting ports set to type "network" for bridge assurance to function properly. This can be accomplished on two switches running NX-OS, with bridge assurance on by default, and ports configured as type "network" as shown below."

Instead of setting the type to "network" - set it to "normal".

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/nx_7000_dc.html#wp873732

HTH,

Jason