STP Behaviour in VPC

Posted on Jan 24, 2020

STP Behavior in vPC:

A vPC system is designed to avoid STP-blocked ports and hence provide a loop-free Layer 2 topology.

In a vPC system, STP provides the following functions:

  • Protects the Layer 2 network by detecting and breaking any loops before vPC is configured
  • Provides a loop-free path for non-vPC-attached devices
  • Manages loops when a vPC is added or removed

When configuring STP, it is recommended to configure the same parameters on both peer devices.

Global parameters:

  • STP mode (RPVST or MST)
  • STP region configuration for MST
  • Enable/disable state per VLAN
  • Bridge Assurance setting
  • STP Port type setting (Enable or Disable edge port type by default on all access ports)
  • Loop Guard settings (Enable or Disable loop guard by default on all ports)
  • BPDU Guard settings (Enable or Disable BPDU guard by default on all edge ports)
  • BPDU filter settings (Enable or Disable BPDU filter by default on all edge ports)

Interface settings:

  • STP Port type setting (edge, network or normal)
  • Loop Guard (enabled or disabled)
  • Root Guard (enabled or disabled)
  • BPDU Filter
  • BPDU Guard

If any of these parameters is misconfigured, a type-1 consistency error is detected; we have already learned what happens when a type-1 consistency error occurs.
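The global parameters listed above are the ones that must match on both peers. As an added example (not code from the original post), the following Python script parses constructed NX-OS-style running-config excerpts from the two peers and reports every global STP parameter that differs, which is the kind of pre-check an operator would run before a type-1 consistency error takes the vPC down. The config lines are constructed samples, and the command keywords and defaults it recognizes are assumptions for this illustration; it does not cover the per-interface settings.

```python
import re

# Defaults assumed for this example (a fresh NX-OS switch: Rapid PVST mode,
# Bridge Assurance on, the per-port "default" knobs off, all VLANs running STP).
DEFAULTS = {
    "stp mode": "rapid-pvst",
    "mst region": None,
    "bridge assurance": "enabled",
    "edge port type default": "disabled",
    "loop guard default": "disabled",
    "bpdu guard default": "disabled",
    "bpdu filter default": "disabled",
    "disabled vlans": frozenset(),
}

# Global commands that switch one of the listed knobs on when present.
FLAG_COMMANDS = {
    "spanning-tree port type edge default": "edge port type default",
    "spanning-tree loopguard default": "loop guard default",
    "spanning-tree port type edge bpduguard default": "bpdu guard default",
    "spanning-tree port type edge bpdufilter default": "bpdu filter default",
}


def expand_vlans(spec):
    """Expand a VLAN list such as '10,20-22' into the set {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_global_stp(config):
    """Extract the global type-1 STP parameters from a running-config excerpt."""
    settings = dict(DEFAULTS)
    disabled = set()
    region = {}
    in_mst_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if in_mst_block and raw.startswith(" "):
            # Indented lines under "spanning-tree mst configuration"
            m = re.match(r"(name|revision) (\S+)$", line)
            if m:
                region[m.group(1)] = m.group(2)
            continue
        in_mst_block = line == "spanning-tree mst configuration"
        if m := re.match(r"spanning-tree mode (\S+)$", line):
            settings["stp mode"] = m.group(1)
        elif line == "no spanning-tree bridge-assurance":
            settings["bridge assurance"] = "disabled"
        elif line in FLAG_COMMANDS:
            settings[FLAG_COMMANDS[line]] = "enabled"
        elif m := re.match(r"no spanning-tree vlan ([\d,-]+)$", line):
            disabled |= expand_vlans(m.group(1))
    settings["disabled vlans"] = frozenset(disabled)
    if region:
        settings["mst region"] = (region.get("name"), region.get("revision"))
    return settings


def type1_mismatches(config_a, config_b):
    """Return [(parameter, value_on_a, value_on_b)] for each parameter that differs."""
    a, b = parse_global_stp(config_a), parse_global_stp(config_b)
    return sorted((k, a[k], b[k]) for k in DEFAULTS if a[k] != b[k])


# Constructed running-config excerpts for the two vPC peers (sample data).
PEER1_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree port type edge default
spanning-tree loopguard default
spanning-tree port type edge bpduguard default
no spanning-tree vlan 100
"""

PEER2_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree port type edge default
spanning-tree port type edge bpduguard default
no spanning-tree bridge-assurance
"""

if __name__ == "__main__":
    for param, v1, v2 in type1_mismatches(PEER1_CONFIG, PEER2_CONFIG):
        print(f"type-1 mismatch: {param}: peer1={v1!r} peer2={v2!r}")
```

Run against the two constructed excerpts, the script flags three mismatches: Bridge Assurance (on versus off), the per-VLAN enable state (VLAN 100 disabled on one peer only) and the loop guard default. Anything it reports would have to be reconciled before the vPC is brought up.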

vPC and STP BPDU Flow:

Even though vPC is configured on both peer devices, STP still runs and BPDUs are still processed. In a vPC system the primary switch processes and replies to BPDUs, and it is the primary switch that sends the STP root bridge information to all switches that are part of the vPC system. Whenever a secondary-role vPC device receives a BPDU from an access switch, it proxies it to the primary vPC peer device.

The vPC member ports on both peer devices always share the same STP port state.

When configuring STP on a vPC system, the following recommendations must be taken into consideration:

  • Always define the vPC domain as the STP root for all VLANs in that domain (configure the aggregation vPC peer devices as STP root primary and STP root secondary)
  • Enforce this rule by implementing STP root guard on the vPC peer device ports connected to another L2 switch

When the user configures a port-channel as the vPC peer-link (adding the keyword “vpc peer-link”), the system automatically turns on Bridge Assurance on that link. Bridge Assurance is an STP extension that protects the L2 network from any unidirectional link event caused by a physical cable failure or an adjacent switch control plane failure.

Now let’s see how BPDU flows and role of primary and secondary vPC peer device in STP.
Let’s suppose that in the vPC system N7K1 is the primary and N7K2 is the secondary and is also the STP root. In this case BPDU processing is done as follows:

  • Primary switch: sends BPDUs on the peer-link and the vPC member ports.
  • Secondary switch (STP root): sends BPDUs on the peer-link and the non-vPC member ports.

The disadvantage in this case is that if any failure happens on the root switch, which is the secondary switch N7K2, it causes a new convergence in the network, and for a short period some traffic is interrupted.

To solve this issue we need to configure the peer-switch command under the vPC domain on both peer switches.

N7K(config-vpc-domain)# peer-switch

With this configured, both the primary and the secondary switch become the root, as they have the same bridge ID, and the following BPDU flow takes place:

  • Primary switch: sends BPDUs on the peer-link and the vPC member ports.
  • Secondary switch (STP root): sends BPDUs on the peer-link, the non-vPC member ports and the vPC member ports.

The only disadvantage is that access switches which are part of the vPC receive two copies of each BPDU; on the other hand, even if one peer switch goes down, no new STP convergence takes place.

When vPC peer-switch is activated, both vPC peer devices MUST have the same spanning tree configuration (the same Spanning Tree Protocol priority for all vPC VLANs). vPC peer-switch supports a hybrid topology, meaning that vPC-attached access devices and STP-attached access devices co-exist in the vPC domain.

The figure below represents the hybrid topology for peer-switch with spanning tree pseudo-information.

Pseudo-information was introduced to enable VLAN-based load balancing and to avoid an STP topology change when a peer device recovers after a failure or reload.

The spanning-tree pseudo-information configuration contains two sub-commands: designated priority and root priority.

Designated priority defines the STP priority for the VLAN on the bridge (i.e. the peer device) and is used to effectively load balance the different VLANs across the two peer devices.

Root priority is used only when one of the two peer devices fails and recovers. In a hybrid topology, an STP topology change occurs when a vPC peer device (say S1) recovers, because regular STP links (non-vPC) and vPC links are brought up differently. A regular STP link can be up before the vPC, and hence before the vPC peer-switch is formed. Since the vPC peer-switch is not yet formed, peer device S1 uses its local system MAC for the STP bridge ID, and if that local MAC address is better than the vPC system MAC it triggers an STP topology change, since the STP bridge priority is the same on both vPC peer devices.
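The root-election comparison behind that last sentence can be made concrete. The following Python snippet is an added example, not code from the original post: it models the STP bridge ID as the pair (priority plus VLAN system-ID extension, MAC) and elects the root exactly as BPDU comparison does, lower value wins. It then replays the recovery window in which S1 is up but the peer-switch has not formed, so S1 signs BPDUs with its local MAC while S2 still uses the vPC system MAC. The MAC addresses are constructed values, and which priority the recovering peer advertises during that window is taken as a function parameter rather than modelled from NX-OS internals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """STP bridge ID as carried in a BPDU: (priority + VLAN sysid-ext, MAC)."""
    priority: int  # configured priority, a multiple of 4096
    vlan: int      # system ID extension (the VLAN number in Rapid PVST)
    mac: str       # Cisco dotted-hex MAC address

    def key(self):
        # BPDUs compare numerically: priority field first, then MAC; lower wins.
        return (self.priority + self.vlan, int(self.mac.replace(".", ""), 16))


def elect_root(candidates):
    """Return the bridge ID that wins the root election among the candidates."""
    return min(candidates, key=BridgeId.key)


# Constructed addresses for this example (not taken from the post).
VPC_SYSTEM_MAC = "0023.04ee.be64"  # shared by both peers once peer-switch forms
S1_LOCAL_MAC = "0011.2233.4455"    # numerically lower, i.e. "better", than the vPC MAC
S2_LOCAL_MAC = "0066.7788.99aa"


def root_after_s1_recovery(vlan, s1_priority, s2_priority):
    """Root election while S1 is back up but the vPC peer-switch is not formed:
    S1 advertises its local MAC, S2 keeps advertising the vPC system MAC."""
    s1 = BridgeId(s1_priority, vlan, S1_LOCAL_MAC)
    s2 = BridgeId(s2_priority, vlan, VPC_SYSTEM_MAC)
    return elect_root({s1, s2})


def topology_change_on_recovery(vlan, s1_priority, s2_priority):
    """True when S1's recovery BPDU displaces the steady-state root for the VLAN."""
    steady_root = BridgeId(s2_priority, vlan, VPC_SYSTEM_MAC)
    return root_after_s1_recovery(vlan, s1_priority, s2_priority) != steady_root


if __name__ == "__main__":
    # Same priority on both peers (plain peer-switch): the lower local MAC wins.
    print("equal priority, root changes:", topology_change_on_recovery(2, 4096, 4096))
    # S1 advertises a worse priority for VLAN 2, as in the pseudo-information
    # example from the post: S2 stays root and nothing reconverges.
    print("worse priority on S1, root changes:", topology_change_on_recovery(2, 8192, 4096))
```

With equal priorities the comparison falls through to the MAC, and the constructed local MAC of S1 beats the vPC system MAC, so the root moves and the topology reconverges; with S1 advertising 8192 for VLAN 2 while S2 holds 4096, the priority field decides and the root does not move.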

In the figure above, S1 is the STP root for VLAN 1 and S2 is the root for VLAN 2; the corresponding configuration is as follows:

S1 configuration:

S1(config)# spanning-tree pseudo-information
S1(config-pseudo)# vlan 1 designated priority 4096
S1(config-pseudo)# vlan 2 designated priority 8192
S1(config-pseudo)# vlan 1 root priority 4096
S1(config-pseudo)# vlan 2 root priority 4096
S1(config)# vpc domain 1
S1(config-vpc-domain)# peer-switch

S2 configuration:

S2(config)# spanning-tree pseudo-information
S2(config-pseudo)# vlan 1 designated priority 8192
S2(config-pseudo)# vlan 2 designated priority 4096
S2(config-pseudo)# vlan 1 root priority 4096
S2(config-pseudo)# vlan 2 root priority 4096
S2(config)# vpc domain 1
S2(config-vpc-domain)# peer-switch

vPC and Bridge Assurance

When a unidirectional link occurs in a Layer 2 switch domain, Bridge Assurance protects against this failure and prevents the loop.

It works in such a way that if a port stops receiving BPDUs from its neighbour, Bridge Assurance moves that port to the blocking state, and as soon as the blocked port receives a BPDU again it is released from the Bridge Assurance blocking state back to the normal RSTP/PVST state.

When a switch is configured with Bridge Assurance, it sends BPDUs on all STP network-type ports, including alternate and backup ports. Bridge Assurance BPDUs are sent every 2 seconds and are processed by the supervisor CPU. When vPC is configured, however, it is not recommended to enable Bridge Assurance on the vPC.

Let’s understand this with the example given in the figure below.

S1 is the vPC primary and the STP root for all vPC VLANs, and S2, S3 and S4 are configured with Bridge Assurance on the vPC member ports and port-channels.

In the normal state, the primary switch sends and processes BPDUs. If the primary device fails, the secondary switch needs to start sending BPDUs; since the primary was also the STP root, the secondary switch now takes over the STP root role. If this process lasts too long, the uplinks on access devices S3 and S4 may go into the Bridge Assurance inconsistent state. Bridge Assurance is enabled on the vPC peer-link by default, and we should avoid enabling it on vPC member ports.
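To see why the length of that takeover window matters, here is an added example (not code from the original post) that simulates a Bridge Assurance port on an access-switch uplink. The primary sends a BPDU every 2 seconds, as stated above, until it fails; the secondary starts sending after a configurable delay. The blocking threshold of three missed hellos and the timeline values are assumptions for this illustration, not NX-OS behaviour taken from the post.

```python
from dataclasses import dataclass

HELLO_TIME = 2.0             # BA BPDUs are sent every 2 seconds (from the post)
BA_TIMEOUT = 3 * HELLO_TIME  # assumed for this example: block after three missed hellos


@dataclass
class NetworkPort:
    """A Bridge Assurance (STP 'network' type) port on an access-switch uplink."""
    name: str
    last_bpdu: float = 0.0
    state: str = "forwarding"

    def receive_bpdu(self, now):
        self.last_bpdu = now
        # A BPDU releases the port from the BA blocking state back to normal RSTP
        if self.state == "BA-inconsistent":
            self.state = "forwarding"

    def tick(self, now):
        """Evaluate the BA timer; returns the port state after the check."""
        if now - self.last_bpdu > BA_TIMEOUT:
            self.state = "BA-inconsistent"
        return self.state


def simulate_failover(takeover_delay, fail_at=10.0, horizon=30.0, step=1.0):
    """Drive one access-switch uplink through a vPC primary failure.

    The primary sends a BPDU every HELLO_TIME until fail_at; the secondary
    starts sending takeover_delay seconds later (constructed timeline).
    Returns (went_inconsistent, seconds_blocked).
    """
    port = NetworkPort("S3 uplink")
    went_inconsistent, blocked = False, 0.0
    t = 0.0
    while t <= horizon:
        primary_alive = t <= fail_at
        secondary_sending = t >= fail_at + takeover_delay
        if t % HELLO_TIME == 0 and (primary_alive or secondary_sending):
            port.receive_bpdu(t)
        if port.tick(t) == "BA-inconsistent":
            went_inconsistent = True
            blocked += step
        t += step
    return went_inconsistent, blocked


if __name__ == "__main__":
    for delay in (2, 10):
        print(f"secondary takes over after {delay}s:", simulate_failover(delay))
```

A quick takeover keeps the uplink forwarding throughout, while a takeover that outlasts the assumed timeout puts the uplink into the BA-inconsistent state until the first BPDU from the secondary arrives, which is exactly the outage the post warns about for S3 and S4.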


  • Super Duper Explanation

