Mukesh Chanderia

vPC Changes, Spanning-Tree & Bridge Assurance

How vPC Changes Spanning-Tree

  1. Unique Bridge ID in Spanning-Tree

    • Each switch running Spanning-Tree has its own Bridge ID.

    • This ID is included in the BPDU frames the switch sends out.

    • A unique MAC address on the switch helps form the Bridge ID, ensuring every switch is unique.


  2. vPC Makes Two Switches Look Like One

    • With vPC, two switches share a system MAC to create a single Bridge ID.

    • They appear as one switch to devices connected via vPC ports.

    • Devices not on vPC ports (called orphan ports) still receive normal BPDUs with the real Bridge ID (using the switch’s actual MAC address).


  3. BPDU Handling by Primary and Secondary

    • By default, only the primary vPC switch sends BPDUs to vPC-member ports.

    • The secondary switch does not process BPDUs—it forwards any received BPDU to the primary via the peer-link.


Optimising with the peer-switch Command


  1. Both Switches Send & Process BPDUs

    • Enabling peer-switch allows both peer switches to handle BPDUs.

    • They still share the same Bridge ID (system MAC).

  2. Advantages

    • Less traffic loss during peer-link recovery (when a peer-link comes back up).

    • If a dual-active scenario occurs, both switches process BPDUs, which helps prevent loops.

    • If the primary and secondary roles swap, there is reduced BPDU loss.

  3. Configuration Requirements

    • The spanning-tree settings must be the same on both switches.

    • Example:


      vpc domain 11
        peer-switch

      spanning-tree vlan 1 priority 4096


    • You may see a log message reminding you to configure spanning-tree bridge priority properly.


Bridge Assurance


  1. Two-Way BPDU Communication

    • Normally, switches send BPDUs but don’t expect a reply.

    • Bridge Assurance changes this so that all operational ports exchange BPDUs in both directions, even in alternate or backup states.

  2. Detecting Problems

    • If a port doesn’t get a return BPDU, it goes into the BA-Inconsistent state and blocks traffic.

    • This prevents issues caused by unidirectional links or malfunctioning switches.

  3. Default on the Peer-Link

    • The peer-link ports are set as Spanning Tree network ports by default.

    • Network ports automatically enable Bridge Assurance.

    • Do not disable Bridge Assurance on the peer-link.

  4. Disabling Bridge Assurance

    • For end-device connections, you may disable Bridge Assurance on those member ports.

    • Do not disable it if connecting switch-to-switch or using back-to-back vPC.

    • Command to disable on an interface (for end devices, if needed):


      interface po 15
        no spanning-tree bridge assurance


  5. Bridge Assurance is a Spanning-Tree Feature

    • It’s not a vPC-specific feature, but it is very useful when combined with vPC.


Error Message Example


  • Blocking/Unblocking Messages

    • You may see messages like:


      %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN963
      %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN963


    • These indicate that Bridge Assurance is blocking/unblocking a port to prevent potential loops.
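
The following added example (not part of the original post) parses the two messages above from a collected switch log and reports which port/VLAN pairs are still blocked by Bridge Assurance and which have recovered after repeated blocks. The timestamps, hostname, `port-channel15`/`VLAN10` entry and the `flap_threshold` parameter are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Matches the two messages quoted above; any timestamp/hostname prefix is ignored.
BA_EVENT = re.compile(
    r"%STP-2-BRIDGE_ASSURANCE_(BLOCK|UNBLOCK): Bridge Assurance "
    r"(?:un)?blocking port (\S+) (VLAN\d+)"
)

def summarize_ba_events(lines):
    """Return (last_state, block_count), both keyed by (port, vlan)."""
    last_state = {}                 # True = currently blocked by Bridge Assurance
    block_count = defaultdict(int)  # how many times the pair was blocked
    for line in lines:
        # findall also copes with several messages run together on one line
        for kind, port, vlan in BA_EVENT.findall(line):
            key = (port, vlan)
            last_state[key] = (kind == "BLOCK")
            if kind == "BLOCK":
                block_count[key] += 1
    return last_state, dict(block_count)

def ports_needing_attention(lines, flap_threshold=2):
    """Split port/VLAN pairs into still-blocked and recovered-but-flapping."""
    last_state, counts = summarize_ba_events(lines)
    still_blocked = sorted(k for k, blocked in last_state.items() if blocked)
    flapping = sorted(
        k for k, n in counts.items()
        if n >= flap_threshold and not last_state[k]
    )
    return still_blocked, flapping

# Constructed sample log (prefix format and the second port are assumptions).
SAMPLE_LOG = [
    "2024 Jan 10 09:15:01 sw1 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN963",
    "2024 Jan 10 09:15:09 sw1 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN963",
    "2024 Jan 10 09:20:44 sw1 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel200 VLAN963",
    "2024 Jan 10 09:20:51 sw1 %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port port-channel200 VLAN963",
    "2024 Jan 10 09:31:12 sw1 %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port port-channel15 VLAN10",
]

if __name__ == "__main__":
    still_blocked, flapping = ports_needing_attention(SAMPLE_LOG)
    print("Still BA-blocked:", still_blocked)
    print("Recovered but flapping:", flapping)
```

A pair that stays in the still-blocked list is not receiving return BPDUs; a pair in the flapping list points at an intermittent link or neighbor worth checking before it blocks again.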


Summary


  • vPC makes two switches look like one by sharing a system MAC for their Bridge ID.

  • Default: Only the primary switch sends BPDUs over vPC-member ports; the secondary forwards BPDUs to the primary.

  • Peer-switch optimizes BPDU handling by letting both switches process and send BPDUs, improving resiliency.

  • Bridge Assurance helps detect unidirectional links or faulty switches by requiring a two-way BPDU exchange; it is automatically enabled on peer-link ports and should generally remain enabled except on ports directly connected to end devices.
