I am kind of confused by your configuration.  If the Cisco side is configured 
as an LACP trunk, then the Juniper side also needs to be configured as LACP 
trunks.  Spanning-tree would be getting confused because the Cisco is treating 
the LACP trunk as a single interface for purposes of spanning-tree (which 
should be configured at the port-channel level), while Juniper is considering 
them to all be individual ports and would be sending BPDUs over each individual 
interface.  The Cisco is correctly error disabling the port because it detects 
individual port BPDUs and determines that the channel is misconfigured.  Or am 
I missing something in your config completely?

If you are configuring ports other than the connected ports as trunks then your 
case makes sense.  One thing that might cause you an issue is the VLAN access of 
the LACP trunk.  If one side has a VLAN access list and the other side does 
not, you might get a spanning tree error when you configure a port on a new 
VLAN.  Essentially you have a "trunk all" on one side and a new VLAN is showing 
up on a trunk that is not allowed on the other side.  It would also help to see 
your spanning tree configuration (i.e. are both sides running the same spanning 
tree mode?).  The clue here is that the event triggers even though the port is 
not up yet.  If you configure a new port on a VLAN that is not currently up, 
the VLAN will come up on all trunks that are allowed to have all VLANs 
immediately.

Steven Naslund
Chicago IL

>-----Original Message-----
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Joseph Jenkins
>Sent: Thursday, April 05, 2018 3:58 PM
>To: nanog@nanog.org
>Subject: Juniper Config Commit causes Cisco Etherchannels to go into 
>err-disable state
>
>I have cases open with both Cisco and Juniper on this, but wanted to see if 
>anyone else had seen an issue like this because support has no idea.
>
>I have a Juniper QFX 5100 Core running in Virtual Chassis mode with 4 
>switches. I have 4 separate stacks of Cisco 3750 switches with 2x1GB uplinks 
>bound into 4 different LACP trunks. I have had it happen twice now where I 
>apply a trunk port config (not an LACP trunk) to a port that isn't a part of 
>any of the LACP trunks and it causes all 4 of the Etherchannels on the Cisco 
>stacked switches to go into an err-disable state with these
>messages:
>
>Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on 
>Gi1/0/48, putting Gi1/0/48 in err-disable state
>
>Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on 
>Po17, putting Gi1/0/48 in err-disable state
>
>Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on 
>Po17, putting Po17 in err-disable state
>
>Mar 14 07:11:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
>GigabitEthernet1/0/48, changed state to down
>
>Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on 
>Gi2/0/48, putting Gi2/0/48 in err-disable state (CA-TOR-1-7-2)
>
>Mar 14 07:11:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
>GigabitEthernet2/0/48, changed state to down
>
>Mar 14 07:11:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
>Port-channel17, changed state to down
>
>Here is the config I am applying to the port that has caused this issue to 
>happen twice now:
>
>set interfaces ge-0/0/67 description "Firewall Port"
>set interfaces ge-0/0/67 unit 0 family ethernet-switching interface-mode trunk
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 9-10
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 29
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 31-32
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 43
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 50-51
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 56
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 58
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 66
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 68
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 90
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 143
>set interfaces ge-0/0/67 unit 0 family ethernet-switching vlan members 170
>
>The issue happens within a couple of minutes of committing the config on the 
>Juniper side, there are no cables plugged into port 0/0/67 so technically 
>there shouldn't be any BPDUs sent out since there isn't a port change.
>
>Juniper Support wants me to turn on trace option and then run through a bunch 
>of scenarios, the issue is that testing this takes down my network.
>
>Just wanted to put it out there to see if anyone else had run into a situation 
>similar to this.
>
>TIA
>
>Joe
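
An added example, not part of either message: a small Python parser for the `%PM-4-ERR_DISABLE` lines quoted in the thread, grouping err-disabled interfaces by cause so that a bundle and its member ports going down in the same second is easy to spot. The log lines are the ones from the thread, unwrapped onto one line each; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines from the quoted message, unwrapped (one syslog message per line).
SAMPLE_LOG = """\
Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on Gi1/0/48, putting Gi1/0/48 in err-disable state
Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on Po17, putting Gi1/0/48 in err-disable state
Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on Po17, putting Po17 in err-disable state
Mar 14 07:11:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/48, changed state to down
Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected on Gi2/0/48, putting Gi2/0/48 in err-disable state (CA-TOR-1-7-2)
Mar 14 07:11:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/48, changed state to down
Mar 14 07:11:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel17, changed state to down
"""

# Matches only the err-disable messages; the cause may carry a "(STP)" suffix.
ERR_DISABLE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %PM-4-ERR_DISABLE: "
    r"(?P<cause>\S+(?: \(\w+\))?) error detected on (?P<seen_on>[^,\s]+), "
    r"putting (?P<disabled>\S+) in err-disable state"
)


def parse_err_disable(log_text):
    """Return one dict per ERR_DISABLE line; all other messages are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ERR_DISABLE.match(line.strip()))]


def summarize(events):
    """Per cause: disabled bundles (Po*), disabled physical ports, timestamps."""
    out = defaultdict(lambda: {"bundles": set(), "ports": set(), "timestamps": set()})
    for e in events:
        entry = out[e["cause"]]
        kind = "bundles" if e["disabled"].startswith("Po") else "ports"
        entry[kind].add(e["disabled"])
        entry["timestamps"].add(e["ts"])
    return {cause: {k: sorted(v) for k, v in entry.items()}
            for cause, entry in out.items()}


if __name__ == "__main__":
    for cause, info in summarize(parse_err_disable(SAMPLE_LOG)).items():
        print(cause, info)
```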
