Spanning-Tree Path selection and cost vs. port priority

Both Spanning-Tree port priority and link cost can be used to influence path selection. To select a path to the root, Spanning-Tree compares several different values, in a fixed order.

The most important one is the total path cost. When Spanning-Tree has two paths to the root, one costing 100 and the other 1000, STP chooses the path costing 100: the lowest total cost to the root wins, and a lower cost normally means a shorter or faster path.

If two paths have the same cost, STP chooses the path advertised by the neighbour with the lowest bridge ID (priority first, then MAC address). This can be seen in the following example. I use the same topology as last time:


Spanning-Tree Uplinkfast

Uplinkfast is a legacy Cisco Spanning Tree feature that speeds up convergence after a root port failure. When the switch knows it has a backup path to the root, it moves that blocked port directly into the forwarding state, without waiting out the listening and learning stages of normal STP convergence.

Uplinkfast is designed for access switches at the outer edges of your network. When you enable Uplinkfast the switch sets its spanning-tree priority to 49152 (for every VLAN) to make itself less attractive as a root or transit switch, and it raises the path cost of all of its ports by 3000, so that paths through this switch look more expensive to its neighbours.

I’m testing this in a very simple topology. I’ve got four switches, fully meshed, but for the sake of this test I’ve disabled the crosslinks (the links between SW1 & SW4 and SW2 & SW3).
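To make the selection order and the Uplinkfast changes concrete, here is an added Python model (not code from the original post) that picks a root port the way 802.1D compares BPDUs: lowest total path cost first, then lowest sender bridge ID, then lowest sender port ID, then the lowest local port ID for parallel links between the same two switches. It also applies the two Uplinkfast changes described above (priority 49152, port costs +3000) to the switch that advertises a path, to show why an Uplinkfast switch stops being a transit path for its neighbours. The switch names, MAC addresses and costs are constructed for illustration.

```python
from dataclasses import dataclass

# Values Cisco applies when UplinkFast is enabled (see the text above).
UPLINKFAST_PRIORITY = 49152
UPLINKFAST_COST_PENALTY = 3000


def bridge_id(priority: int, mac: str) -> tuple:
    """802.1D bridge ID ordering: priority first, MAC address as tie-breaker."""
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    """Fields of a received configuration BPDU that decide the root port."""
    root_path_cost: int        # sender's own cost to the root
    sender_priority: int       # sender bridge priority (0..61440, step 4096)
    sender_mac: str            # sender bridge MAC address
    sender_port_priority: int  # sender port priority (0..240, step 16)
    sender_port_number: int    # sender port number


@dataclass(frozen=True)
class LocalPort:
    """A local port on which a BPDU was received."""
    name: str
    cost: int       # our own port cost, added to the sender's root path cost
    priority: int   # our port priority (only matters for parallel links)
    number: int
    bpdu: Bpdu


def root_port_key(port: LocalPort) -> tuple:
    """802.1D comparison order; the lowest tuple wins."""
    b = port.bpdu
    return (
        b.root_path_cost + port.cost,                    # 1. lowest total path cost
        bridge_id(b.sender_priority, b.sender_mac),      # 2. lowest sender bridge ID
        (b.sender_port_priority, b.sender_port_number),  # 3. lowest sender port ID
        (port.priority, port.number),                    # 4. lowest receiving port ID
    )


def select_root_port(ports) -> str:
    """Name of the port a non-root switch picks as its root port."""
    return min(ports, key=root_port_key).name


def advertise(priority, mac, root_path_cost, port_number, *,
              uplinkfast=False, port_priority=128) -> Bpdu:
    """BPDU a switch sends downstream. With UplinkFast the switch uses priority
    49152 and its own port costs are 3000 higher, so the cost it advertises
    (its path to the root) grows by 3000 as well (modelled here for one uplink)."""
    if uplinkfast:
        priority = UPLINKFAST_PRIORITY
        root_path_cost += UPLINKFAST_COST_PENALTY
    return Bpdu(root_path_cost, priority, mac, port_priority, port_number)


def example_cost_wins() -> str:
    """Two paths to the root with total cost 100 and 1000: the cheaper one wins."""
    root = dict(priority=4096, mac="0000.0000.0000", root_path_cost=0)
    ports = [
        LocalPort("Gi0/1", cost=100, priority=128, number=1, bpdu=advertise(**root, port_number=1)),
        LocalPort("Gi0/2", cost=1000, priority=128, number=2, bpdu=advertise(**root, port_number=2)),
    ]
    return select_root_port(ports)


def example_tie_and_uplinkfast(sw1_uplinkfast: bool) -> str:
    """SW3 hears the root via SW1 and via SW2 at equal cost and equal priority, so
    the lower MAC (SW1) wins the tie. Once SW1 runs UplinkFast it loses on cost
    (+3000) and on bridge ID (49152), and SW3 prefers the path via SW2."""
    via_sw1 = advertise(32768, "0000.0000.0001", root_path_cost=19, port_number=2,
                        uplinkfast=sw1_uplinkfast)
    via_sw2 = advertise(32768, "0000.0000.0002", root_path_cost=19, port_number=2)
    ports = [
        LocalPort("Gi0/1", cost=19, priority=128, number=1, bpdu=via_sw1),
        LocalPort("Gi0/2", cost=19, priority=128, number=2, bpdu=via_sw2),
    ]
    return select_root_port(ports)


if __name__ == "__main__":
    print("cost 100 vs 1000        ->", example_cost_wins())
    print("tie, no UplinkFast      ->", example_tie_and_uplinkfast(False))
    print("tie, SW1 runs UplinkFast->", example_tie_and_uplinkfast(True))
```

The comparison is expressed as a tuple so the order of the tie-breakers is visible; a real bridge packs the same fields into 16-bit bridge and port ID integers, which sort identically.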


Spanning-tree portfast

So I’m labbing up on some tech, and one of the labs concerned itself with portfast. Portfast is a legacy spanning-tree improvement made by Cisco that has found its way into Rapid Spanning Tree and MST alike as edge ports. However, in Cisco IOS the portfast term can still be found.

Portfast lets a port skip the listening and learning phases and go directly to forwarding, so the port becomes operational much faster than without portfast. However, this shorter time to productivity isn’t even its biggest advantage. A port configured for portfast doesn’t generate Topology Change Notifications (TCNs) when it goes up or down. Without portfast every host reboot or cable pull triggers a TCN, which makes all switches in the tree age out their CAM (MAC address) tables faster (or, with RSTP, flush them instantly). In a big network avoiding that is a huge advantage.

Portfast introductions aside: like I said, I was labbing up on portfast. The lab manual said “configure port G0/0 as a portfast port” and “configure port G0/0 as a trunk port”. Normally I would configure this with the interface command:

 spanning-tree portfast trunk

Within my lab this worked as well; however, I saw the following when using the question mark:

SW1(config-if)#spanning-tree portfast ?
  disable  Disable portfast for this interface
  edge     Enable portfast edge on the interface
  network  Enable portfast network on the interface

The command spanning-tree portfast trunk doesn’t exist according to the context-sensitive help. The command does work though, as can be verified:

SW1#sh spanning-tree interface g 0/0 portfast 
VLAN0001            disabled
VLAN0002            disabled
VLAN0005            disabled
VLAN0007            disabled
SW1(config-if)#spanning portfast trunk
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

SW1#sh spanning-tree interface g 0/0 portfast 
VLAN0001            enabled
VLAN0002            enabled
VLAN0005            enabled
VLAN0007            enabled

However, according to the context-sensitive help the actual command should be:

spanning-tree portfast edge trunk

This is in line with the ‘new’ terminology introduced in Rapid Spanning Tree, where a portfast port is an edge port: a port that is expected to face a single end host and never to see a BPDU. That is also what the warning above is about; if an edge port does receive a BPDU it loses its edge status and falls back to normal spanning-tree behaviour. Don’t confuse the above command with:

spanning-tree portfast network

This makes the port a network port, meant for links towards other switches rather than hosts, and it enables bridge assurance on the port if bridge assurance is configured globally. Bridge assurance is a topic for another post.

Cisco ACI and Nutanix Foundation Discovery

Nutanix uses IPv6 multicast for its Foundation discovery. On a flat L2 network this is no problem. However, when attempting to do this on ACI you need to enable a specific setting for this to work.

Nutanix itself doesn’t know which setting to enable; if you ask them they only give you instructions for enabling the IPv6 multicast settings on a ‘normal’ Cisco network. For those using ACI this is useless, and I can also imagine that when working on a production network you don’t want to try out several settings one by one.

For us it worked by enabling an ND (IPv6 Neighbor Discovery) policy on the Bridge Domain. For this you need to know which VLAN is configured on the Nutanix node itself, so that you pick the bridge domain that VLAN maps to.

This setting can be found by going to Networks, Bridge Domains and then selecting the correct bridge domain. Here you can go to L3 networking; at the bottom of this page you’ll find the ND policy option. Select the default policy, submit, and discovery should work.

There might be other solutions for this. Please share them if you know them.

Cisco ACI upgrade from 1.2 to 1.3

So last week I attempted an upgrade of our ACI environment from version 1.2 to version 1.3. I know 2.0 is already available, but it does not offer anything we need at this point, and the upgrade to 1.3 was done because of an annoying bug.

A minor upgrade shouldn’t be a big issue, but apparently it was.

We started the upgrade normally. We uploaded the new software and started the APIC upgrade. Easy. Just follow the upgrade instructions and you’ll be fine. The APICs all install the new software and reboot when required. ACI is even smart enough to wait for a rebooting controller to come back online and pass all the health checks. You can’t do anything wrong.


At least, that’s what we thought. After installing the new version we couldn’t reach the APICs over HTTPS anymore. After some troubleshooting we had the following information:

  • Ping doesn’t work
  • SSH does work
  • HTTP(S) doesn’t work

We started looking further. A colleague of mine tried to access the APIC from a server in the same network as the APICs (we use the out-of-band addresses on the APIC). That worked. We were baffled. Because of this behaviour we knew it had to be a policy on the APIC itself. Fortunately, using the server in the same subnet as the APIC we had HTTPS access to ACI again, which made it possible to troubleshoot. However, since we’re both fairly new at this and weren’t the guys who implemented the network, we didn’t know where to look.

Fortunately the supplier did know where to look and helped us fix the problem. It was indeed a policy. I’ll come back to this topic in a bit.


Unfortunately this issue was my own fault. It is documented in the release notes for version 1.2(2), which I only glanced over when preparing for the change. The actual text from Cisco is:

When upgrading to the 1.2(2) release, a non-default out-of-band contract applied to the out-of-band node management endpoint group can cause unexpected connectivity issues to the APICs. This is because prior to the 1.2(2) release, the default out-of-band contract that was associated with the out-of-band endpoint group would allow all default port access from any address. In 1.2(2), when a contract is provided on the out-of-band node management endpoint group, the default APIC out-of-band contract source address changes from any source address to only the local subnet that is configured on the out-of-band node management address. Thus, if an incorrectly configured out-of-band contract is present that had no impact in 1.2(1) and prior releases, upgrading to the 1.2(2) release can cause a loss of access to the APICs from the non-local subnets.

These release notes can be found here.

For all of you preparing to upgrade from 1.2(1) to a higher version, please remember this one, as it will bite you.

To check whether you will run into this, go to Tenants > mgmt > Node Management EPGs > Out of Band EPG – default.

Here you can see whether the default contract is used. In our case a non-default contract was specified. You can look up this contract at: Tenants > mgmt > Out of Band Contracts > Name of your contract

You need to permit HTTPS (TCP/443) in this contract to be able to reach the APIC GUI and API. Note also the second half of the release note: as soon as a non-default contract is provided, the permitted source addresses shrink to the APICs’ own out-of-band subnet, which is exactly why access from a server in the same subnet kept working while access from everywhere else failed. Do this check before the upgrade, while you still have access.
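To turn that check into something you can run against exported data, here is an added Python example (not from the post and not Cisco’s own tooling). It walks the APIC’s JSON object tree for the out-of-band node management EPG, finds the provided out-of-band contract, and reports whether that contract’s filters permit TCP/443. The JSON is constructed to mimic the situation in the post and is not captured from a real fabric; the class and attribute names (mgmtOoB, mgmtRsOoBProv, tnVzOOBBrCPName, vzOOBBrCP, vzSubj, vzRsSubjFiltAtt, tnVzFilterName, vzEntry) are from my recollection of the APIC object model and should be verified with Visore on your own APIC before you rely on this.

```python
import json

# Constructed sample responses in the APIC REST API shape: {"imdata": [{class: {"attributes": {...}}}]}.
# Not captured from a real fabric. Class/attribute names are assumptions from memory of the
# APIC object model; confirm them in Visore (https://<apic>/visore.html) on your own fabric.

# GET /api/node/mo/uni/tn-mgmt/mgmtp-default/oob-default.json?query-target=subtree
OOB_EPG = json.dumps({"imdata": [
    {"mgmtOoB": {"attributes": {"dn": "uni/tn-mgmt/mgmtp-default/oob-default", "name": "default"}}},
    # A non-default out-of-band contract is provided on the EPG: the situation in the post.
    {"mgmtRsOoBProv": {"attributes": {"tnVzOOBBrCPName": "oob-mgmt"}}},
]})

# GET /api/node/mo/uni/tn-mgmt/oobbrc-oob-mgmt.json?query-target=subtree, before the fix:
# the contract's only subject references a filter that permits SSH alone.
OOB_CONTRACT_BEFORE = json.dumps({"imdata": [
    {"vzOOBBrCP": {"attributes": {"dn": "uni/tn-mgmt/oobbrc-oob-mgmt", "name": "oob-mgmt"}}},
    {"vzSubj": {"attributes": {"name": "mgmt-access"}}},
    {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "ssh-only"}}},
]})

# The same contract after a filter permitting TCP/443 was added to the subject.
OOB_CONTRACT_AFTER = json.dumps({"imdata": [
    {"vzOOBBrCP": {"attributes": {"dn": "uni/tn-mgmt/oobbrc-oob-mgmt", "name": "oob-mgmt"}}},
    {"vzSubj": {"attributes": {"name": "mgmt-access"}}},
    {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "ssh-only"}}},
    {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "https-only"}}},
]})

# GET /api/node/class/vzEntry.json, trimmed to tenant mgmt. APIC writes well-known ports by
# name ("https", "ssh") and other ports numerically; "unspecified" means any.
FILTER_ENTRIES = json.dumps({"imdata": [
    {"vzEntry": {"attributes": {"dn": "uni/tn-mgmt/flt-ssh-only/e-ssh", "etherT": "ip",
                                "prot": "tcp", "dFromPort": "ssh", "dToPort": "ssh"}}},
    {"vzEntry": {"attributes": {"dn": "uni/tn-mgmt/flt-https-only/e-https", "etherT": "ip",
                                "prot": "tcp", "dFromPort": "https", "dToPort": "https"}}},
]})

WELL_KNOWN_PORTS = {"http": 80, "https": 443, "ssh": 22, "dns": 53, "smtp": 25,
                    "ftpData": 20, "pop3": 110, "rtsp": 554}


def attributes(imdata_json: str, cls: str):
    """Yield the attribute dict of every object of class `cls` in an APIC response."""
    for mo in json.loads(imdata_json)["imdata"]:
        if cls in mo:
            yield mo[cls]["attributes"]


def provided_oob_contracts(epg_json: str) -> list:
    """Names of the out-of-band contracts the OOB node management EPG provides."""
    return [a["tnVzOOBBrCPName"] for a in attributes(epg_json, "mgmtRsOoBProv")]


def filters_in_contract(contract_json: str) -> set:
    """Filter names referenced by the subjects of an out-of-band contract."""
    return {a["tnVzFilterName"] for a in attributes(contract_json, "vzRsSubjFiltAtt")}


def port_number(value: str):
    """Resolve an APIC port field to an int, or None for 'unspecified' (any port)."""
    if value in ("", "unspecified"):
        return None
    return WELL_KNOWN_PORTS.get(value, int(value) if value.isdigit() else None)


def entry_permits_tcp(entry: dict, port: int) -> bool:
    """True if one filter entry matches TCP traffic to destination `port`."""
    if entry.get("etherT", "unspecified") not in ("ip", "unspecified"):
        return False
    if entry.get("prot", "unspecified") not in ("tcp", "unspecified"):
        return False
    lo = port_number(entry.get("dFromPort", "unspecified"))
    hi = port_number(entry.get("dToPort", "unspecified"))
    if lo is None and hi is None:
        return True  # destination port unspecified: any port matches
    lo = lo if lo is not None else hi
    hi = hi if hi is not None else lo
    return lo <= port <= hi


def filters_permit_tcp(entries_json: str, filter_names: set, port: int) -> bool:
    """True if any entry of any of the named filters permits TCP to `port`."""
    for e in attributes(entries_json, "vzEntry"):
        # The filter name sits in the entry DN: uni/tn-<tenant>/flt-<filter>/e-<entry>
        flt = e["dn"].split("/flt-", 1)[1].split("/", 1)[0]
        if flt in filter_names and entry_permits_tcp(e, port):
            return True
    return False


def oob_https_reachable(epg_json: str, contract_json: str, entries_json: str) -> bool:
    """The pre-upgrade check from the post: either the OOB EPG still uses the default
    contract, or the non-default contract it provides permits TCP/443 to the APICs."""
    contracts = provided_oob_contracts(epg_json)
    if not contracts or contracts == ["default"]:
        return True
    return filters_permit_tcp(entries_json, filters_in_contract(contract_json), 443)


if __name__ == "__main__":
    print("before fix:", oob_https_reachable(OOB_EPG, OOB_CONTRACT_BEFORE, FILTER_ENTRIES))
    print("after fix: ", oob_https_reachable(OOB_EPG, OOB_CONTRACT_AFTER, FILTER_ENTRIES))
```

Against a live fabric you would replace the constants with the responses of the GETs named in the comments (after authenticating to /api/aaaLogin.json) and run this before the upgrade, not after, since afterwards the only place you may still have HTTPS access from is the APICs’ own out-of-band subnet.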

Unfortunately I can’t post any screenshots here, as the referenced environment is a production environment which I’m not allowed to show, but if you have any questions or need clarification, please let me know.
