How to disable Nexus 2K BPDU Guard on a single port

Hi,

How can I disable the BPDU guard on a single port of a Nexus 2K (2248TP-E)?

Currently the port is configured as spanning-tree port type edge.

When I try to set the port type to normal, it also does not take, showing "ERROR: Command not supported on fex port".

I also tried the disable command, but no luck:

spanning-tree bpduguard disable
ERROR: Command not supported on FEX interfaces. BPDUGuard is enabled by default for FEX interfaces



mojafri (Cisco Employee)

Hi Muhammed,

Have a look at the link below:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus2000/sw/configuration/guide/rel_521/Configuring_the_Cisco_Nexus_2000_Series_Fabric_Extender_rel_5_2_chapter1.html#con_1046083

**All Fabric Extender host interfaces run as spanning tree edge ports with BPDU Guard enabled and cannot be configured as Spanning Tree network ports.**

Please rate if you find it helpful.

Regards,

MJ

Thank you for the information, but I am looking for a solution on the Nexus 2K box itself, which I could not find yet. The only solution I found is that I have to move this legacy device's connectivity from the 2K to some other switch.

Andrea Testino (Cisco Employee)

Hi there,

You cannot disable BPDUGuard on a FEX HIF; however, you can enable BPDUFilter on the interface, and that way when you receive a BPDU from a connected switch, it is filtered and thus cannot trigger BPDUGuard.

Do understand the risk this poses, as you're essentially disabling STP on this port and would have to guarantee a loop-free network on the connecting switch in some fashion.

Fabric Extenders are intended for host-facing interfaces -- they were not built for switches to be connected to them, and their buffers are not necessarily deep, so do keep performance in mind as well.

Nexus# conf t
Nexus(config)# int e101/1/24
Nexus(config-if)# spanning-tree bpdufilter enable
Nexus(config-if)# end
Nexus# show run int e101/1/24

!Command: show running-config interface Ethernet101/1/24
!Time: Fri Oct 19 15:40:24 2018

version 7.3(3)N1(1)

interface Ethernet101/1/24
  switchport access vlan 111
  spanning-tree bpdufilter enable <<<

Thank you,

- Andrea, CCIE #56739 R&S
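A defender-side follow-up to the workaround above, written as an added example (not code from the thread or from Cisco): audit a saved NX-OS running-config for FEX host interfaces that carry `spanning-tree bpdufilter enable`, since those are exactly the ports on which STP has effectively been switched off and which need a documented loop-free justification. It assumes FEX HIFs are named Ethernet<fex-id>/1/<port> with fex-id in 100..199, and runs on a constructed sample config modelled on the `show run int` output in the answer.

```python
# Added audit script, not code from the thread or from Cisco: flag FEX host
# interfaces (HIFs) whose running-config enables BPDU Filter, i.e. ports where
# STP is effectively off because BPDU Guard cannot be disabled on a FEX HIF.
# Assumption: HIFs are named Ethernet<fex-id>/1/<port> with fex-id 100..199;
# SAMPLE_CONFIG below is constructed, modelled on the thread's show run output.
import re

SAMPLE_CONFIG = """\
interface Ethernet1/5
  switchport mode trunk
  spanning-tree port type network

interface Ethernet101/1/24
  switchport access vlan 111
  spanning-tree bpdufilter enable

interface Ethernet101/1/25
  switchport access vlan 111
  spanning-tree port type edge

interface Ethernet102/1/3
  switchport mode trunk
  spanning-tree bpdufilter enable
"""

IFACE_RE = re.compile(r"^interface (Ethernet\d+/\d+/\d+)\s*$")  # three-part names only

def parse_interfaces(config_text):
    """Return {name: [sub-commands]} for each three-part Ethernet stanza."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith("  "):
            stanzas[current].append(line.strip())
        else:
            current = None  # blank line or a non-matching stanza ends the block
    return stanzas

def audit_bpdufilter(config_text):
    """Sorted FEX HIFs carrying 'spanning-tree bpdufilter enable'."""
    hits = []
    for name, cmds in parse_interfaces(config_text).items():
        fex_id = int(name[len("Ethernet"):].split("/")[0])
        if 100 <= fex_id <= 199 and "spanning-tree bpdufilter enable" in cmds:
            hits.append(name)
    return sorted(hits)
```

Feed it the output of `show running-config` captured from the parent switch; each reported port is one where a loop on the attached device can no longer be stopped by the FEX.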

Please add this to the Nexus Configuration Guides, because they all now say the following after NX-OS 5.2 or 7.x:

You can configure BPDU Guard at the interface level. When configured at the interface level, BPDU Guard shuts the port down as soon as the port receives a BPDU, regardless of the port type configuration. When you configure BPDU Guard globally, it is effective only on operational spanning-tree edge ports. In a valid configuration, LAN edge interfaces do not receive BPDUs. A BPDU that is received by an edge LAN interface signals an invalid configuration, such as the connection of an unauthorized host or switch. BPDU Guard, when enabled globally, shuts down all spanning tree edge ports when they receive a BPDU.

Which we all now know to be wrong! I just had to try to configure this just to be sure that the Cisco docs were wrong.

There used to be a note about it not working on a FEX, but not any more.

Hi Andrea,

I just came across this thread as I'm having the same issue.

I'm trying to connect a Fortigate 60F firewall management port into a FEX port on a Cisco N2K to set up management connectivity through our ACI mini fabric.

Each time I connect and configure the port in APIC, it puts the port into 'bpdu-guard-err-disable'.

This Fortigate is fresh out of the box and operating in NAT (layer 3) mode and isn't sending any BPDUs towards the FEX, so I'm confused as to why this is happening.

Hope you can help,

George

Hi @dontsellmydata,

Since you are asking about ACI, you should open a new thread here: https://community.cisco.com/t5/application-centric/bd-p/12206936-discussions-aci

Stay safe,

Sergiu

Sergiu,

It's not *just* an ACI problem.

I have FEXs attached to Cisco Nexus 9336c-fx2 switches running NX-OS 9.3.5. I have both 2232PPs and 2232TMs with vPC port channels to the 9336 cores.

Some of the FEXs have their ports defined as regular edge switches; and; of course; those work as one would expect. But some of the FEX ports on both the PPs and the TMs are *trunked*; that is, they connect to other switches downstream. All those ports have bpdufilter enabled; and *MOST* of them never report encountering a BPDU... ...though some of them *did* before I enabled bpdufilter. However; one or two of them *DO* even after bpdufilter was enabled; and; of course; those ports get disabled; then re-enabled; then disabled again via recovery timeout. And what's even more interesting is that not all of them have any *other* further downstream connected switches.

If the downstream switches are Cisco's; I've found that disabling bpduguard and enabling bpdufilter on the uplink port (if possible) between the downstream switches and the FEX does sometimes solve the issue; but some other vendors' switches don't really give one as much control.

So it's possible these other folks are having the same issues I've encountered. And Cisco needs to find out why and fix it. Either that; or they need to "fix" the FEX code to allow bpduguard to be disabled on FEX interfaces. Because it's certainly not working the way it's supposed to.

I actually had a case open with Cisco; one of the issues in it was this exact one. They never really did solve *WHY* bpdufilter didn't filter *all* BPDU packets; or why some packets didn't trip bpdufilter but did trip bpduguard (they couldn't reproduce the issue in their own lab; though I also don't think they managed to create the exact same hardware setup). One would think the tests in *both* cases would be the same; maybe even call the same routine to do the test.

Very helpful to someone plugging in a switch to a FEX for the first time...thanks!

Sergiu.Daniluk (VIP Alumni)

Hi @Orlando_Native,

I am a bit confused. So your FEX is running NX-OS? Can you be more detailed about the topology you have?

Also, maybe something you should keep in mind: FEXs were not designed to be used to connect other switches/routers on the. Some arguments to support this are the buffer size and the fact that only a very limited set of protocols runs locally on FEXs. FEX is good for server connectivity and pretty much that's all.

About the """they need to "fix" the FEX code to allow bpduguard to be disabled on FEX interfaces. Because it's certainly not working the way it's supposed to.""" - it's actually working as it was designed to work. Since it is not expected to receive STP BPDUs from a server, BPDU guard shouldn't be disabled.

Stay safe,

Sergiu

Sergiu,

Sorry this is soooo late. For some odd reason I missed the notification of your reply.

ALL 2xxx versions of FEX hardware get their operating firmware via download from the parent switch, which is NX-OS based in my case. So; yes; one *could* say they run NX-OS firmware.

Basically; as I noted further up in this thread; I have 2 9336 fx2 switches as a vPC pair; with breakout interfaces down to the FEXs from each switch in the pair. The FEXs themselves in some cases have servers connected to them; and in others; switches. Downstream switches are connected via trunk ports; and downstream servers are connected via access ports.

Now; the issue I encountered originally was that *some* FEX ports with downstream switches attached would go disabled because of received BPDUs. Which is; I agree; *normal* behavior for a FEX port. But as Andrea noted above; you can enable BPDUFILTER even on a FEX port - which should trap and strip out BPDU packets *BEFORE* the BPDUGUARD code detects them. And; yes; that's risky unless you're very; VERY sure of your network topology. Which in my case I happen to be.

What I was actually *seeing*; though; was that even with BPDUfilter enabled; on a few FEX ports with downstream switches connected, BPDUguard would still "trip"; even though the filtering shouldn't have allowed a BPDU packet to pass. In other words; for a FEX interface - and I never saw this on direct switch-switch connections - apparently there must be some sort of BPDU packet that's NOT RECOGNIZED by BPDUfilter; but *IS* by BPDUguard. *THAT'S* why I said there's an issue with FEXs that needed to be fixed.

Perhaps it's because some "malformed" packet for some reason is *interpreted* by BPDUguard as being a BPDU but not by BPDUfilter; but even so; the checks to determine whether a packet is a BPDU packet *SHOULD* be the same for both spanning-tree settings - the default; unchangeable BPDUguard one and the user-configurable BPDUfilter one.