RSTP Issue

Solved
JonP
Getting noticed

I have an odd problem with my Meraki switches. Different models, but the same behaviour.

 

We have RSTP and BPDU Guard enabled on all our switches across the estate with the RSTP root being our core stack. We have a couple of managed Cisco (non-Meraki) switches which we installed in some key areas this week, however when connecting the switches to our network, the Meraki switch shuts down the port citing an RSTP/BPDU Guard issue. The only way I can get these other Cisco switches to function correctly on the network is to turn off RSTP for this port, which I don't like to do. This occurs even when the non-Meraki switch is the only thing connected to the Meraki switchport.

 

Can anyone offer me some guidance on why Meraki would see a fellow Cisco switch as a loop?

 

Thanks all! 🙂

1 Accepted Solution
alemabrahao
Kind of a big deal

Well,

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you enable BPDU guard on Port Fast-enabled STP ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down STP ports that are in a Port Fast-operational state if any BPDU is received on those ports. In a valid configuration, Port Fast-enabled STP ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the interface in the error-disabled state.

 

I understand that in this case you should not use BPDU guard between two switches.

It would be better to use the root guard on the core switch ports that uplink with other switches.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

10 Replies
alemabrahao
Kind of a big deal

What is the bridge priority configured on your switch core:

 

Is RSTP enabled on the Cisco IOS switches? Are the ports configured as trunk or access?

 

JonP
Getting noticed

The core stack is priority 0:

 

 

The Cisco IOS devices have RSTP enabled, and the uplink is a trunk port:

 

POD-SW1#sh span
 
 
Spanning tree enabled mode: RSTP
Default port cost method:   long
Loopback guard:             Disabled
 
 
 
  Root ID    Priority:   0
             Address:    a8:46:9d:d9:1e:11
             Cost:       50000
             Port:       gi1
             Hello Time: 2 sec Max Age: 20 sec Forward Delay: 15 sec
  Bridge ID  Priority:   32768
             Address:    2c:1a:05:26:39:e8
             Hello Time: 2 sec Max Age: 20 sec Forward Delay: 15 sec
 
  Number of topology changes: 2 last change occurred: 165:24:43 ago
  Times:  hold: 1, topology change: 35, notification: 2
          hello: 2, max age: 20, forward delay: 15
 
Interfaces
  Name     State   Prio.Nbr    Cost    Sts   Role PortFast       Type
--------- -------- --------- -------- ------ ---- -------- -----------------
   gi1    enabled    128.1    20000    Frw   Root    No       P2P (RSTP)
   gi2    enabled    128.2   2000000   Dsbl  Dsbl    No            -
   gi3    enabled    128.3    20000    Frw   Desg   Yes       P2P (RSTP)
   gi4    enabled    128.4    20000    Frw   Desg   Yes       P2P (RSTP)
   gi5    enabled    128.5    20000    Frw   Desg   Yes       P2P (RSTP)
   gi6    enabled    128.6    20000    Frw   Desg   Yes       P2P (RSTP)
   gi7    enabled    128.7    200000   Frw   Desg   Yes       P2P (RSTP)
   gi8    enabled    128.8    20000    Frw   Desg   Yes       P2P (RSTP)
   Po1    enabled  128.1000   20000    Dsbl  Dsbl    No            -
   Po2    enabled  128.1001   20000    Dsbl  Dsbl    No            -
   Po3    enabled  128.1002   20000    Dsbl  Dsbl    No            -
   Po4    enabled  128.1003   20000    Dsbl  Dsbl    No            -
 
_____________________________________________________________________
 
POD-SW1#sh run int ge1
interface GigabitEthernet1
switchport mode trunk
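
As an added example (not part of any post in this thread), the following Python parses the Interfaces table from the `sh span` output above and applies the thread's rule of thumb: a port whose role shows it is hearing BPDUs from another bridge is an inter-switch link, where BPDU guard on the peer port will disable it, while PortFast edge ports are where BPDU guard belongs. The function names, the verdict strings and the "Altn"/"Back" role abbreviations are assumptions of this example.

```python
import re

# Subset of the Interfaces rows from the `sh span` output posted in the thread.
SH_SPAN = """\
   gi1    enabled    128.1    20000    Frw   Root    No       P2P (RSTP)
   gi2    enabled    128.2   2000000   Dsbl  Dsbl    No            -
   gi3    enabled    128.3    20000    Frw   Desg   Yes       P2P (RSTP)
   gi7    enabled    128.7    200000   Frw   Desg   Yes       P2P (RSTP)
   Po1    enabled  128.1000   20000    Dsbl  Dsbl    No            -
"""

ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<state>enabled|disabled)\s+(?P<prio>\d+\.\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<sts>\S+)\s+(?P<role>\S+)\s+(?P<portfast>Yes|No)"
    r"\s+(?P<type>.+?)\s*$"
)

# A port only takes these roles after receiving a superior BPDU, so the peer
# is another bridge. "Altn"/"Back" abbreviations are assumed; the thread's
# output shows only Root, Desg and Dsbl.
BRIDGE_FACING_ROLES = {"Root", "Altn", "Back"}


def parse_interfaces(text):
    """Return one dict per interface row; header and separator lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def classify(row):
    if row["sts"] == "Dsbl":
        return "down"
    if row["role"] in BRIDGE_FACING_ROLES:
        # Inter-switch link: BPDU guard on the far-end port would disable it.
        return "inter-switch: no BPDU guard on peer port"
    if row["portfast"] == "Yes":
        # Edge port: BPDUs are not expected here.
        return "edge: BPDU guard candidate"
    return "review manually"


def audit(text):
    return {r["name"]: classify(r) for r in parse_interfaces(text)}


if __name__ == "__main__":
    for port, verdict in audit(SH_SPAN).items():
        print(f"{port:5} {verdict}")
```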
 
JonP
Getting noticed

Of course! I'm dumb. When I connected the switch it was sending out BPDUs like crazy, and because we had BPDU guard enabled, the Meraki port transitioned to a disabled state. Because it is a switch and not a client device it would always send BPDUs.

 

Thank you @ww and @alemabrahao for the info.

ww
Kind of a big deal

You are running BPDU guard on trunk ports connecting to the Cisco Catalyst?

JonP
Getting noticed

They are not Catalyst switches. These are CBS-250s and 350s. BPDU guard is not enabled on those switches.

ww
Kind of a big deal

But are you running BPDU guard on the Meraki trunk port?

JonP
Getting noticed

Yes, BPDU guard was enabled on the Meraki trunk port, but I had to switch it off to get the CBS switch to work.

ww
Kind of a big deal

Yes, because switches send BPDUs. Else it will never work.

alemabrahao
Kind of a big deal

OK, but like @ww said, switches send BPDUs. Else it will never work. 🙂
