Rebooting MX95 Triggers BPDU Guard

SOLVED
Zac123
Here to help

Rebooting MX95 Triggers BPDU Guard

I have a very strange scenario, and I am curious if anyone has experienced this or has some insight.

 

I deployed two MX95's in warm spare.  There are no other Meraki appliances (MS or otherwise) in this network.  They're connected to a Nexus switch, but on separate fabric extenders.  This is my first time connecting gear to a Nexus switch.  Each MX95 has a connected WAN (Internet 1) and LAN (LAN 9 using 10g SFP+ fibre module) port to the Nexus switch.  The WAN ports are on their own VLAN, and the LAN connections are trunks.  The LAN trunks are currently allowing only one tagged VLAN.

 

When I reboot either MX95 the LAN port on the Nexus switch goes in to a BPDUGuard errdisable state.

 

This is really confusing to me because I know that the MX appliances do not participate in STP, but they will forward BPDUs.  There aren't any links other than the two in each MX95 (one WAN and one LAN in each MX).  If there was a loop then I would expect BPDU Guard to trigger right away instead of when an MX is rebooted.  Doing a shut/no shut on the Nexus switches affected port fixes the issue until the MX is rebooted.

 

I contacted Meraki support and they don't see any issues with the MX95's.  He checked logs in the appliance before and after I reproduced the issue.  Any thoughts?

1 ACCEPTED SOLUTION
Zac123
Here to help

I have an update on the issue.  We moved the devices (WAN and LAN ports) off the fabric extenders and on to the switches that the extenders connect to, and now the issue isn't happening anymore.  I can reboot either MX without the connected switchport going in to errdisable state.

View solution in original post

3 REPLIES 3
Ryan_Miles
Meraki Employee
Meraki Employee

Do you have the LAN side disconnected now? I don't see port 9 connected on either and the MX pair appears to be in dual master scenario at the moment. Or are the Nexus ports currently down because of BPDU guard?

 

Also, have you opened a case with Cisco to look at the Nexus side? Looking through some other posts (this one for example) I see mentions of needing bdpu filter command on the FEX when switches or firewalls are connected. Does the log of the Nexus give a reason for the err-disable state?

 

Makes me wonder if during a reboot if somehow BDPUs are getting passed from the WAN to LAN on the MXs. Would need pcaps to confirm.

Thanks for the reply @Ryan_Miles.  I do have some packet captures we took from the Nexus as I rebooted one of the MX appliances.  I attached it to my Meraki support ticket if you want to take a look.  There are BPDUs in there, but I'm pretty sure those aren't from either MX and now I'm wondering about your last thought.  Maybe traffic is bridged for a moment as the MX is going down for a reboot.  BPDU Guard is triggered a few seconds after I initiate the reboot.

 

As for why port 9 was down, that was because we hadn't reset the port yet.  We did a shut/no shut to bring the port back up before doing a test 15 minutes ago.  Also, this only happens to LAN ports.  The WAN ports haven't experienced this problem.

 

We haven't opened a ticket with Cisco to have someone look at the Nexus yet.  We're going to try moving one of the LAN ports off the fabric extender to see if that helps.  Failing that, we'll open a ticket with Cisco.

Zac123
Here to help

I have an update on the issue.  We moved the devices (WAN and LAN ports) off the fabric extenders and on to the switches that the extenders connect to, and now the issue isn't happening anymore.  I can reboot either MX without the connected switchport going in to errdisable state.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels