[c-nsp] me3600 : l2protocol forward stp on EVC

James Bensley jwbensley+cisco-nsp at gmail.com
Mon Dec 14 05:55:29 EST 2020 

On Tue, 8 Dec 2020 at 10:39, BASSAGET Cédric
<cedric.bassaget.ml at gmail.com> wrote:
>
> Hello,
>
> I need to interconnect two L2 domains. I was planning to use a me3600 for
> this :
>
> interface port-channel 1
> ...
>  service instance 1439 ethernet
>   encapsulation dot1q 1439 second-dot1q 1-4094
>   rewrite ingress tag pop 1
>   bridge-domain 1439
>  !
>  service instance 1440 ethernet
>   encapsulation dot1q 1440 second-dot1q 1-4094
>   rewrite ingress tag pop 1
>   bridge-domain 1439
>  !
>
> Works fine, hosts on same C-VLAN on both sides of bridge-domain can ping.
>
> As I need my interconnection to be STP-transparent, I tried to add
> "l2protocol forward stp" on these 2 EVCs.
>
> This resulted in side effects on my backbone, and I saw STP events on the
> other side of my port-channel (n3k switch) :
> 2020 Dec  8 06:32:37 N3K-eqx-pa3-1 %STP-2-BLOCK_PVID_LOCAL: Blocking
> port-channel1 on MST0000. Inconsistent local vlan.
>
> Question : why is the port-channel affected by l2protocol forward on an EVC
> ?
>
> I guess I'll have to remove the "second-dot1q 1-4094" to allow untagged
> trafic on EVCs, and make L2CP work correctly.
>
> Is this the right way to do ?
> Thanks for your help.
> Regards,
> Cédric

Hi Cédric,

STP frames aren't really supposed to be VLAN tagged so the STP frames
won't match your encapsulation statements; "encapsulation dot1q 1439
second-dot1q 1-4094" or "encapsulation dot1q 1440 second-dot1q 1-4094"
unless you are VLAN tagging your STP frames.

If you match untagged frames into the bridge domain that might work,
but the error you have provided is on your Nexus device:

> 2020 Dec  8 06:32:37 N3K-eqx-pa3-1 %STP-2-BLOCK_PVID_LOCAL: Blocking
> port-channel1 on MST0000. Inconsistent local vlan.

What does this mean; has the Nexus received no BPDUs so it's blocked
the port, because it was expected BPDUs? Also it looks to me like your
Nexus is running MSTP - where are the STP frames coming from on the
ME3600 side, the ME3600 itself or another device? Are you mixing STP
and MSTP, or is this because the Nexus only supports MSTP?

My two pence is that you should try to re-design this solution. I
don't know why you'd have STP frames being allowed through the
port-channel, and S-VLANs 1439 and 1440 only, but then have other
S-VLANs being bridged somewhere else. If everything that comes into
the port-channel can go to the Nexus just relax the EVC encapsulations
to capture everything. It sounds to me like the L2 topology is being
split by this ME3600, so I'd definitely try and find another design
instead.

Cheers,
James.

More information about the cisco-nsp mailing list