Broadcast storm happens because Trunk port denies VLAN 1

Publication Date: 2013-12-26
Issue Description
The topology is shown below.

The switches communicate with each other over a layer-2 network, and their ports deny VLAN 1. All switches are configured with VLAN 10, 20 and 30 and have MSTP enabled. DIS1 is configured as the primary root of instance 1 (VLAN 10, 20) and the backup root of instance 2 (VLAN 30), and DIS2 is configured as the primary root of instance 2 and the backup root of instance 1. During ping tests within the same network segment, the ping sometimes passed and sometimes failed.
Alarm Information
When a ping test was performed on the switch, it sometimes passed and sometimes failed.

<DIS1>ping 192.168.1.10
  PING 192.168.1.10: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Reply from 192.168.1.10: bytes=56 Sequence=4 ttl=128 time=40 ms
    Request time out

  --- 192.168.1.10 ping statistics ---
    5 packet(s) transmitted
    1 packet(s) received
    80.00% packet loss
    round-trip min/avg/max = 40/40/40 ms

At the same time, the switch reports a MAC address move alarm.

<DIS1>
Aug  6 2013 10:04:53-08:00 DIS1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 10, MacAddress = 000b-09cf-dd07, Original-Port = GE0/0/1, Flapping port = GE0/0/24. Please check the network accessed to flapping port.
Handling Process
1. Examine the configuration. VLAN 1 has been denied on the trunk port. Allow VLAN 1 to pass, and then check the STP status. Afterwards, some ports on the access switch have changed to the DISCARDING state, and every MSTP instance has elected the correct root bridge.

interface GigabitEthernet0/0/24
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
port trunk allow-pass vlan 1(add)
#
<Access>dis stp b
MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/2        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/24       DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   1    GigabitEthernet0/0/2        ALTE  DISCARDING      NONE
   1    GigabitEthernet0/0/24       DESI  FORWARDING      NONE
   2    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   2    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
<Access>dis stp instance 1
-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :32768.4c1f-ccc7-fda8
MSTI RegRoot/IRPC   :0.4c1f-cc46-bbcb / 1

MSTI RootPortId     :128.1
Master Bridge       :32768.4c1f-cc46-bbcb
Cost to Master      :1
TC received         :16
TC count per hello  :0
Time since last TC  :0 days 0h:1m:2s
Number of TC        :7
<Access>dis stp instance 2
-------[MSTI 2 Global Info]-------
MSTI Bridge ID      :32768.4c1f-ccc7-fda8
MSTI RegRoot/IRPC   :0.4c1f-ccbe-e20e / 1

MSTI RootPortId     :128.2
Master Bridge       :32768.4c1f-cc46-bbcb
Cost to Master      :1
TC received         :16
TC count per hello  :0
Time since last TC  :0 days 0h:5m:39s
Number of TC        :9
2. Now perform the same ping test again on the switch. This time the ping always passes and the MAC address move no longer occurs.
<DIS1>ping 192.168.1.10
  PING 192.168.1.10: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.10: bytes=56 Sequence=1 ttl=128 time=10 ms
    Reply from 192.168.1.10: bytes=56 Sequence=2 ttl=128 time=60 ms
    Reply from 192.168.1.10: bytes=56 Sequence=3 ttl=128 time=30 ms
    Reply from 192.168.1.10: bytes=56 Sequence=4 ttl=128 time=60 ms
    Reply from 192.168.1.10: bytes=56 Sequence=5 ttl=128 time=30 ms

  --- 192.168.1.10 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/38/60 ms
Root Cause
By default, BPDU packets do not carry a VLAN ID, so in general they are transported in VLAN 1. In this case, however, the trunk port does not allow VLAN 1 to pass, which makes it impossible for the switches to compare MSTP configuration such as bridge, preference and cost. Every switch therefore treats itself as an independent MSTP domain and as the root of that domain. All ports are in the FORWARDING state, which causes a broadcast storm, MAC address moves, and abnormal ping results within the same network segment.

1. Examine the STP state of the ports. All ports are in the FORWARDING state, which is abnormal.
<Access>dis stp b
MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/24       DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/24       DESI  FORWARDING      NONE
   2    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   2    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
2. Examine the detailed MSTP information. The output shows that the switch does not receive any TC packets. The switch treats itself as the root, and all of its ports are designated ports in the FORWARDING state.
<Access>dis stp instance 1
-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :32768.4c1f-ccc7-fda8
MSTI RegRoot/IRPC   :32768.4c1f-ccc7-fda8 / 0
MSTI RootPortId     :0.0
Master Bridge       :32768.4c1f-ccc7-fda8
Cost to Master      :0
TC received         :0
TC count per hello  :0
Time since last TC  :0 days 0h:3m:36s
Number of TC        :1

<DIS1>dis stp instance 1
-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :0.4c1f-cc46-bbcb
MSTI RegRoot/IRPC   :0.4c1f-cc46-bbcb / 0
MSTI RootPortId     :0.0
MSTI Root Type      :Primary root
Master Bridge       :32768.4c1f-cc46-bbcb
Cost to Master      :0
TC received         :0
TC count per hello  :0
Time since last TC  :0 days 0h:4m:54s
Number of TC        :2

<DIS2>dis stp instance 1
-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :4096.4c1f-ccbe-e20e
MSTI RegRoot/IRPC   :4096.4c1f-ccbe-e20e / 0
MSTI RootPortId     :0.0
MSTI Root Type      :Secondary root
Master Bridge       :32768.4c1f-ccbe-e20e
Cost to Master      :0
TC received         :0
TC count per hello  :0
Time since last TC  :0 days 0h:7m:9s
Number of TC        :1
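
As an added illustration (not part of the original case and not Huawei tooling), the following Python check reads display stp instance output collected from several switches and reports any MSTI for which more than one switch names itself regional root, which is the symptom shown above. The function names and the way the outputs are gathered are assumptions; the sample text is taken from this page and trimmed to the fields the check reads.

```python
import re
from collections import defaultdict

# "display stp instance 1" output from this page before the fix (trimmed).
BEFORE_FIX = {
    "Access": """-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :32768.4c1f-ccc7-fda8
MSTI RegRoot/IRPC   :32768.4c1f-ccc7-fda8 / 0
MSTI RootPortId     :0.0
""",
    "DIS1": """-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :0.4c1f-cc46-bbcb
MSTI RegRoot/IRPC   :0.4c1f-cc46-bbcb / 0
MSTI RootPortId     :0.0
""",
    "DIS2": """-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :4096.4c1f-ccbe-e20e
MSTI RegRoot/IRPC   :4096.4c1f-ccbe-e20e / 0
MSTI RootPortId     :0.0
""",
}
# Access switch output from this page after VLAN 1 was allowed (trimmed).
ACCESS_AFTER_FIX = """-------[MSTI 1 Global Info]-------
MSTI Bridge ID      :32768.4c1f-ccc7-fda8
MSTI RegRoot/IRPC   :0.4c1f-cc46-bbcb / 1
MSTI RootPortId     :128.1
"""

BLOCK = re.compile(
    r"\[MSTI (\d+) Global Info\].*?MSTI Bridge ID\s*:(\S+).*?"
    r"MSTI RegRoot/IRPC\s*:(\S+)\s*/\s*\d+.*?MSTI RootPortId\s*:(\S+)",
    re.S)

def root_claims(outputs):
    """Map MSTI id -> switches that name their own bridge ID as regional root."""
    claims = defaultdict(list)
    for switch, text in outputs.items():
        for msti, bridge, regroot, root_port in BLOCK.findall(text):
            if bridge == regroot and root_port == "0.0":
                claims[int(msti)].append(switch)
    return dict(claims)

def split_instances(outputs):
    """MSTIs with more than one self-declared root: BPDUs are not exchanged."""
    claims = root_claims(outputs)
    return {m: sorted(s) for m, s in claims.items() if len(s) > 1}

if __name__ == "__main__":
    print(split_instances(BEFORE_FIX))
```

An empty result means each instance has at most one switch claiming the root role; any non-empty result is worth checking against the trunk allow-pass configuration.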
Suggestions
1. Allow VLAN 1 to pass on trunk ports, to avoid dropping some protocol packets. Measures are still needed to avoid the potential risks of allowing VLAN 1 to pass.
2. For STP, if VLAN 1 has to be denied on trunk ports, the set bpdu vlan command can be used to specify the VLAN ID carried by STP protocol packets. The relevant VLANs can then be allowed to pass.
