Strange behavoir of PVST

Question

Network Diagram

: The spanning-tree root for vlan 1050(192.168.50.0) is Core2

: The spanning-tree root for vlan 1020(192.168.20.0) is Core1

I was trying to add some redundancy to my network and added the links from switch 1 -> switch2, and switch2 -> switch3. I noticed by using SPANs and a packet sniffer that traffic being originated in the 192.168.50.0/24 network and heading to the 192.168.20.0/24 network was both traversing the trunk to Core2 AND the trunk to switch 2, even though the link to switch2 was in BLKing state. When I shutdown the interface between switch1 and switch2, I noticed that the traffic would go out switch1 into Core2, then out of Core2 -> switch3 -> switch2 then back to Core2. (Even though the link from switch3 to switch2 was in BLKing state. The traffic eventually makes it over to Core1 and gets delivered but I am confused.

I thought that when an interface was in blocking state that it wouldn't transmit any traffic??? Also why would any of this traffic hit switch2 or switch3 with a much better path to core2?

More info is required: Which one is routing between the vlans? Are all trunks carrying all vlan's ? Are you using per-vlan spanning-tree or not ? — Tonny, Jan 19 '12 at 21:54
@ Shane Core1 and Core2 have SVIs to do the inter VLAN routing. — btk_, Jan 19 '12 at 22:42
@ Tony Yes all trunk are carrying all vlans, yes all switches are configured for PVST. — btk_, Jan 19 '12 at 22:43

score 0 · Answer 1 · answered Jan 19 '12 at 22:11

There's a couple of things about spanning tree that might help to clear some of your confusion:

All ports on the root bridge must always be in forwarding mode.
Links are not blocked; ports are. A link that's blocked has the port on one of the ends in blocking mode, but traffic can still get sent by the other end.

So, in your first scenario, you've got a packet being sent out a link that's supposed to be blocked. It's flooding because the destination MAC hasn't been learned on any port, but it'll flood out of every forwarding port; on the little switches it's indefinite which side will block, but forwarding a flooded frame out a link that's blocked on the other side is expected and normal. If you clarify which switch is forwarding the traffic, and where the destination of the frame should be (what's doing the routing?), then I should be able to clarify further.

In your second scenario, the entire thing is feasible except for the traffic being sent back to core 2.. if switch 2 is blocking on its link to switch 3, then a flooded frame would traverse the network in exactly that fashion - except switch 2 would get its copy directly from the core, and the copy that ingressed from switch 3 would be discarded.

Feel free to ask any clarifying questions, or let me know if I've gotten any assumptions wrong - it might be useful if you update your diagram to show which ports are in blocking state on each vlan, and clarify the expected and observed sources and destinations of the traffic.

Well to start with the first question, on the link between switch1 and switch2, switch1s port is in BLK and switch2s side is Desg. Core2 is the root bridge so the link from switch1->Core2 is root. The traffic is being originated on switch1 some of the traffic is going out the link to Core2, but some of the traffic is going out to switch2. Switch1 also has the MAC address of core2s SVI in the mac address table and it's pointed to the link to core2. Why wouldn't the traffic just go directly to Core2??, and why being that switch1s port is in BLK state on it's side does it still forward traffic? — btk_, Jan 19 '12 at 23:02
Gotcha - if switch 1's port is in block mode, nothing should egress that port. Can you explain how you're determining that it is being sent out that port? — Shane Madden, Jan 19 '12 at 23:04
I have configured: monitor session1 source interface fas0/2; monitor session 1 destination interface fas0/48, and I have Linux with tcpdump attached to fas0/48. — btk_, Jan 20 '12 at 03:30

Strange behavoir of PVST

1 Answers1