Question

5 Nutanix Nodes with two Cisco Nexus 9K cores Networking Best Practice

  • 11 December 2020

I am connecting 5 Nutanix Nodes to two Cisco Nexus 9K cores.

The MGMT ports are connected to TOR FEX then 1-10 Gig Fibre to Core1 and 1-10 Gig Fibre to Core2 from each node. All 10 are VPC ports in trunk mode, switchport trunk native vlan # with spanning-tree port type edge trunk.

My question is, I found a Nutanix article #000002455 for Cisco Nexus Recommended Practices and they state you should add to the configuration spanning-tree bpduguard enable and spanning-tree bpdufilter enable.

Cisco says they don't recommend these spanning-tree settings.

Who is right?


2 replies

Hi ScooterHanson,

 

When choosing to follow vendor best practices and recommendations it is important to keep in mind the reasoning behind them, I think.

What a BPDU guard is for basically is isolating the environment from the port that has received a BPDU frame while it should not have.

BPDU filter ignores the BPDU frames received on the port.

Cisco:

BPDU Guard prevents a port from receiving BPDUs. If the port still receives a BPDU, it is put in the error-disabled state as a protective measure.

Caution Be careful when using this command. You should use this command only with interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data-packet loop and disrupt the switch and network operation.

Nutanix KB-2455:

consider enabling BPDU Filter and Guard either globally, or on a per-interface basis.
This ensures the mitigation of spanning tree issues on a per-host basis.
A potential issue would be an administrator or a user bringing up a virtual router or similar workload inside a VM, and injecting BPDUs into the network from a host interface.

Enabling BPDU guard on the ports facing Nutanix cluster seems like a reasonable thing to do to me.

What’s your take on it? Which part of it confuses you?

Thank you for your reply. My confusion was that Cisco did not recommend using the spanning-tree settings and Nutanix did.

In the end I went with Nutanix's recommendation and added both guard and filter on each port (per-host).
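
An added example, not part of the thread or of either vendor's documentation: a small Python audit that reads interface configuration and reports which edge trunk (host-facing) ports carry BPDU guard, BPDU filter, both, or neither. The sample configuration and interface names are constructed, and only per-interface settings are checked, not global defaults.

```python
import re

# Constructed sample of NX-OS style interface configuration (not from the thread).
SAMPLE_CONFIG = """\
interface Ethernet1/1
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
interface Ethernet1/2
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
interface Ethernet1/3
  switchport mode trunk
  spanning-tree port type edge trunk
interface Ethernet1/49
  switchport mode trunk
  spanning-tree port type network
"""

def parse_interfaces(config):
    """Return {interface name: [normalized config lines under it]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None and line.startswith((" ", "\t")):
            current.append(" ".join(line.split()))
    return interfaces

def audit_edge_ports(config):
    """Classify each edge trunk port by its per-interface BPDU settings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "spanning-tree port type edge trunk" not in lines:
            continue  # uplinks and other non-edge ports are out of scope
        guard = "spanning-tree bpduguard enable" in lines
        bpdu_filter = "spanning-tree bpdufilter enable" in lines
        if guard and bpdu_filter:
            report[name] = "guard+filter"  # confirm on your platform which one takes effect
        elif guard:
            report[name] = "guard-only"    # a received BPDU error-disables the port
        elif bpdu_filter:
            report[name] = "filter-only"   # received BPDUs are ignored, port stays up
        else:
            report[name] = "unprotected"   # no per-interface setting; global default not checked
    return report
```

Running `audit_edge_ports` against a saved copy of the running configuration gives a per-port view to compare with whichever vendor recommendation was chosen.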
