After migrating the gateway to ACI, some L2 switches change spanning-tree root randomly

josecarlos
Level 1

Hello guys,

I moved my gateway to an ACI BD, and after a week I realized that my access switches (Catalyst 2960) connected to the leaves are assuming other spanning-tree roots of the network. Could some ACI configuration be influencing this? There is a lot of packet loss on the network and STP events on ACI. I'm guessing that the problem is STP.

[Image: topology]

Accepted Solution

gmonroy
Cisco Employee

josecarlos,

There are some considerations when it comes to ACI and Spanning Tree. Whether or not BPDUs pass from one leaf to another within the same BD will depend on your configuration. Please see the following note from this guide:

A Note About Spanning Tree and VLAN Domains

Although the ACI fabric does not participate in spanning tree, it can partition a spanning tree domain based on access policy configuration. ACI does not rely on a bridge domain or its settings to determine spanning tree domains. Instead, leaf switches flood BPDUs within the same VLAN encapsulation, if a VLAN Pool is assigned to EPG domains. The VLAN pool assigned to EPG domains ultimately serves as the spanning tree domain.

Using multiple EPG domains tied to different VLAN Pools does not allow BPDUs to flood across endpoints properly, even if they are all using the same VLAN ID. The type of EPG domain (physical or Layer 2 external) does not change this behavior.

Because the ACI Fabric floods all BPDUs from all devices within a spanning-tree domain, this may trigger behaviors on external devices that are verifying BPDU info, such as the MAC address per interface. An example of a feature that activates is "spanning-tree EtherChannel misconfig guard" found on IOS devices. These features should be taken into account when utilizing ACI as a Layer 2 Tunnel.

 

In short, if you are relying on BPDUs to make it from one leaf to another and that appears to not be happening, there is a chance that the EPG tied to the VLAN in question has multiple Domains that contain the same VLAN with subsequent access policies. If that is the case, the only way to clear up that config issue is to consolidate the domains then remove/re-apply the static binding config to allow the VLAN config to be reprogrammed onto the leaves.

 

For this, it may be beneficial to contact TAC to validate the above.

 

-Gabriel
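An added illustration of the partitioning Gabriel describes (example code, not from the thread or from Cisco): it models the access-policy chain (port, AEP, domains, VLAN pool) as constructed data with hypothetical names, and reports EPGs whose encap VLAN is served by more than one VLAN pool, i.e. split into more than one spanning-tree domain.

```python
"""Find EPGs whose encap VLAN is split across more than one VLAN pool.

Added example, not from the thread or from Cisco: it models the
access-policy chain (port -> AEP -> domains -> VLAN pool) with constructed
sample data instead of querying an APIC. All names are hypothetical.
"""
from collections import defaultdict

VLAN_POOLS = {"pool-legacy": range(100, 200), "pool-dc2": range(100, 300)}
DOMAINS = {"phys-legacy": "pool-legacy", "phys-dc2": "pool-dc2"}
AEPS = {"aep-legacy": ["phys-legacy"], "aep-dc2": ["phys-dc2"]}
PORTS = {"leaf101/eth1/1": "aep-legacy", "leaf102/eth1/1": "aep-dc2",
         "leaf101/eth1/2": "aep-dc2", "leaf102/eth1/2": "aep-dc2"}
# EPG -> encap VLAN, attached domains, leaf ports with a static binding
EPGS = {
    "epg-web": {"vlan": 150, "domains": {"phys-legacy", "phys-dc2"},
                "ports": ["leaf101/eth1/1", "leaf102/eth1/1"]},
    "epg-db": {"vlan": 160, "domains": {"phys-dc2"},
               "ports": ["leaf101/eth1/2", "leaf102/eth1/2"]},
}


def pools_for_port(port, epg):
    """VLAN pools able to deploy the EPG's encap on this port: a domain on
    the port's AEP that is also attached to the EPG and contains the VLAN."""
    return {DOMAINS[d] for d in AEPS[PORTS[port]]
            if d in epg["domains"] and epg["vlan"] in VLAN_POOLS[DOMAINS[d]]}


def stp_domains(epg):
    """Group the EPG's ports by the VLAN pool supplying their encap.

    Leaves flood BPDUs only among ports whose encap comes from the same
    pool, so each group is one spanning-tree domain. A port with no usable
    pool cannot deploy the encap at all and is listed as "undeployable".
    """
    groups = defaultdict(list)
    for port in epg["ports"]:
        key = ",".join(sorted(pools_for_port(port, epg))) or "undeployable"
        groups[key].append(port)
    return dict(groups)


def partitioned_epgs(epgs=EPGS):
    """EPGs whose encap VLAN is served by more than one pool. BPDUs from
    ports in one group never reach the other, so switches behind them
    elect separate roots, which matches the symptom in the question."""
    return {name: groups for name, groups in
            ((n, stp_domains(e)) for n, e in epgs.items()) if len(groups) > 1}
```

Consolidating the EPG onto a single domain is only half the fix: the test below shows a port whose AEP no longer reaches that domain becomes undeployable, which is why the static binding has to be removed and re-applied afterwards.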