I think tcnguard is broken...

phil-denton · ‎2023-01-16

core switch-------distribution switch--------access switch

I have a M4300-12X12F stack running 12.0.15.4 firmware as a fiber distribution switch. One of the downstream switches connected to this switch is sending a lot of TCNs so in order to stabilize the environment, I decided to enable tcnguard on the distribution side of the LAG connected to that access switch. Unfortunately, I'm still receiving TCNs on the distribution switch. Did I miss something here? Does tcnguard not block incoming TCNs? Or does it just keep the receiving switch from forwarding those TCNs any further once received?

Here's the output from the fiber switch:

(M4300-12X12F) #show running-config interface lag 1

!Current Configuration:
!
interface lag 1
port-channel load-balance 6
spanning-tree tcnguard
switchport mode trunk
exit

(M4300-12X12F) #show logging buffered | include lag

<13> Jan 16 22:45:43 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82605 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:45:42 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82602 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:45:02 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82562 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:45:01 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82559 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:43:36 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82421 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:43:35 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82419 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:43:02 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82365 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:43:01 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82362 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:38:54 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82105 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:38:53 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82103 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:38:13 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82057 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:38:12 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 82055 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:36:27 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 81889 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:36:26 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 81886 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:35:52 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 81848 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1
<13> Jan 16 22:35:51 FiberSwitchStack-1 TRAPMGR[dot1s_task]: traputil.c(795) 81846 %% Spanning Tree Topology Change Received: MSTID: 0 lag 1

(M4300-12X12F) #

On the core switch, the TCN received notifications stopped but I still see topology changes anyway. What am I missing here? Please help!

<189> Jan 16 16:52:33 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77373 %% Spanning Tree Topology Change: VLAN 13, Unit: 1
<189> Jan 16 16:52:33 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77372 %% Spanning Tree Topology Change: VLAN 2, Unit: 1
<189> Jan 16 16:51:13 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77371 %% Spanning Tree Topology Change: VLAN 14, Unit: 1
<189> Jan 16 16:51:13 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77370 %% Spanning Tree Topology Change: VLAN 13, Unit: 1
<189> Jan 16 16:51:13 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77369 %% Spanning Tree Topology Change: VLAN 2, Unit: 1
<189> Jan 16 16:50:32 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77368 %% Spanning Tree Topology Change: VLAN 14, Unit: 1
<189> Jan 16 16:50:32 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77367 %% Spanning Tree Topology Change: VLAN 13, Unit: 1
<189> Jan 16 16:50:32 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77366 %% Spanning Tree Topology Change: VLAN 2, Unit: 1
<189> Jan 16 16:45:22 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77364 %% Spanning Tree Topology Change: VLAN 14, Unit: 1
<189> Jan 16 16:45:22 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77363 %% Spanning Tree Topology Change: VLAN 13, Unit: 1
<189> Jan 16 16:45:22 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77362 %% Spanning Tree Topology Change: VLAN 2, Unit: 1
<189> Jan 16 16:44:25 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77361 %% Spanning Tree Topology Change: VLAN 14, Unit: 1
<189> Jan 16 16:44:25 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77360 %% Spanning Tree Topology Change: VLAN 13, Unit: 1
<189> Jan 16 16:44:25 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77359 %% Spanning Tree Topology Change: VLAN 2, Unit: 1
!*******************************This is when I enabled tcnguard on the downstream switch
<189> Jan 16 16:43:46 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77358 %% Spanning Tree Topology Change Received: VLAN ID: 1 Gi1/0/21
<189> Jan 16 16:43:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77357 %% Spanning Tree Topology Change: VLAN 1, Unit: 1
<189> Jan 16 16:43:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77356 %% Spanning Tree Topology Change Received: VLAN ID: 1 Gi1/0/21
<189> Jan 16 16:43:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77355 %% Spanning Tree Topology Change: VLAN 14, Unit: 1
<189> Jan 16 16:43:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77354 %% Spanning Tree Topology Change: VLAN 13, Unit: 1
<189> Jan 16 16:43:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77353 %% Spanning Tree Topology Change: VLAN 2, Unit: 1
<189> Jan 16 16:38:45 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77352 %% Spanning Tree Topology Change Received: VLAN ID: 1 Gi1/0/21
<189> Jan 16 16:38:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77351 %% Spanning Tree Topology Change: VLAN 14, Unit: 1
<189> Jan 16 16:38:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77350 %% Spanning Tree Topology Change: VLAN 1, Unit: 1
<189> Jan 16 16:38:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77349 %% Spanning Tree Topology Change Received: VLAN ID: 1 Gi1/0/21
<189> Jan 16 16:38:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77348 %% Spanning Tree Topology Change: VLAN 13, Unit: 1
<189> Jan 16 16:38:44 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77347 %% Spanning Tree Topology Change: VLAN 2, Unit: 1
<189> Jan 16 16:38:11 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77346 %% Spanning Tree Topology Change Received: VLAN ID: 1 Gi1/0/21
<189> Jan 16 16:38:09 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77345 %% Spanning Tree Topology Change Received: VLAN ID: 1 Gi1/0/21
<189> Jan 16 16:37:38 core-switch TRAPMGR[dot1s_task]: traputil.c(777) 77344 %% Spanning Tree Topology Change Received: VLAN ID: 1 Gi1/0/21

You can see above that the explicit notifications of TCN received on G1/0/21 stopped right after I enabled tcnguard on the distribution switch, but it looks like the topology is changing anyway (and there's no other log message indicating a source/cause). Any ideas? I'm old at networking but new to Netgear so I appreciate any insights you can provide!