问题

5个Nutanix节点,两个思科Nexus 9K核网络最佳实践

  • 2020年12月11日
  • 2回答
  • 519的浏览量
年代

我将5个Nutanix节点连接到两个思科Nexus 9K核心。

MGMT接口连接到TOR FEX,每个节点1- 10g光纤连接到Core1, 1- 10g光纤连接到Core2。所有10个端口都是trunk模式的VPC端口,switchport trunk native vlan # with spanning-tree port type edge trunk。

我的问题是,我发现了一篇Nutanix的文章#000002455的Cisco Nexus推荐实践,他们说你应该添加到配置生成树bpduguard enable和生成树bpdufilter enable。

思科表示,他们不推荐这些生成树设置。

谁是正确的?

I am connecting 5 Nutanix Nodes\u00a0to two Cisco Nexus 9K cores.<\/p>

The MGMT ports are\u00a0connected to TOR FEX then\u00a01-10 Gig\u00a0Fibre to Core1 and 1-10 Gig\u00a0Fibre to Core2 from each node. All 10 are VPC ports in trunk mode, switchport trunk native vlan #\u00a0with\u00a0spanning-tree port type edge trunk.<\/p>

My question is, I found a Nutanix article #000002455 for Cisco Nexus Recommended Pratices\u00a0and they state you should add to the configuration spanning-tree bpduguaard enable and spanning-tree bpdufilter enable.<\/p>

Cisco says they dont recommend these spanning-tree settings.<\/p>

Who is right?<\/p>","quoteUsername":"ScooterHanson","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

2回答

Alona
排名
Userlevel 6
徽章 +5

嗨ScooterHanson,

我认为,当选择遵循供应商的最佳实践和建议时,重要的是要记住它们背后的原因。

BPDU保护的作用基本上是将环境与接收了不应该接收的BPDU帧的端口隔离开来。

BPDU filter忽略端口收到的BPDU帧。

思科:

BPDU保护功能用于阻止端口接收BPDU报文。如果端口仍然收到BPDU报文,则作为一种保护措施,将端口置于error-disabled状态。

谨慎使用该命令时请谨慎。你应该只在连接到端站的接口上使用这个命令;否则,一个偶然的拓扑循环可能会导致数据包循环,从而中断交换机和网络的运行。

Nutanixkb - 2455

考虑在全局或每个接口上启用BDPU Filter和Guard。
这确保了在每台主机的基础上减轻生成树问题。
潜在的问题可能是管理员或用户在虚拟机中使用虚拟路由器或类似的工作负载,并从主机接口将BDPUs注入网络。

在面向Nutanix集群的端口上启用BPDU保护对我来说似乎是一件合理的事情。

你对此有什么看法?哪一部分让你感到困惑?

Hi ScooterHanson,<\/p>

\u00a0<\/p>

When choosing to follow vendor best practices and recommendations it is important to keep in mind the reasoning behind them, I think.<\/p>

What a BPDU guard is for basically is isolating the environment from the port that has received a BPDU frame while it should not have.<\/p>

BPDU filter ignores the BPDU frames received on the port.<\/p>

Cisco:<\/p>

BPDU Guard prevents a port from receiving BPDUs. If the port still receives a BPDU, it is put in the error-disabled state as a protective measure.<\/p>

Caution <\/strong>Be careful when using this command. You should use this command only with interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data-packet loop and disrupt the switch and network operation.<\/p><\/blockquote>

Nutanix KB-2455<\/a>:<\/p>

consider enabling BDPU Filter and Guard either globally, or on a per-interface basis.
This ensure the mitigation of spanning tree issues on a per-host basis.
A potential issue would be an administrator or a user bringing up a virtual router or similar workload inside a VM, and injecting BDPUs into the network from a host interface.<\/p><\/blockquote>

Enabling BPDU guard on the ports facing Nutanix cluster seems like a reasonable thing to do to me.<\/p>

What\u2019s your take on it? Which part of it confuses you?<\/p>","quoteUsername":"Alona","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

年代

谢谢你的回复,我的困惑是Cisco不推荐使用生成树设置,而Nutanix推荐了。

最后,我采用了Nutanix的建议,在每个端口(每个主机)上都添加了守卫和过滤器。

Thank you for your reply, my confusion was Cisco did not recommend using the spanning-tree settings and Nutanix did.<\/p>

In the end I went with Nutanix\u2019s recommendation and added both guard and filter on each port (per-host)<\/p>","quoteUsername":"ScooterHanson","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

回复


Baidu