Having PortFast enabled on a port that is connected to a device generating Bridge Protocol Data Units (BPDUs) causes the port to go into errdisable status when BPDU Guard is enabled on the switch.
BPDU Guard is one of several features that protect STP from different types of problems or attacks; which of these features is appropriate depends on whether a port is a trunk or an access port.
BPDU Guard puts an interface configured for STP PortFast into the err-disable state upon receipt of a BPDU. The interface is disabled as a preventive step to avoid a potential bridging loop, and the feature as a whole protects the Spanning Tree domain from external influence. BPDU Guard is disabled by default but is recommended for all ports on which PortFast has been enabled, because it prevents false topology information from being injected into the Spanning Tree domain through ports on which the normal STP safeguards have been bypassed.
When a port has only a host device connected to it, we enable PortFast. This speeds up port initialization by putting the port into the forwarding state straight away, eliminating the 30 seconds of delay (the Listening and Learning states, 15 seconds each by default) that the port would otherwise go through. Because the host is a workstation, it sends no BPDUs, so skipping these STP states on such a port is not an issue. Note that PortFast does not actually switch STP off on the port: the port still sends BPDUs, and without BPDU Guard a received BPDU simply makes the port lose its PortFast status and go through the normal STP states.
If we removed the end host from this port and connected a switch instead, the new switch would start generating BPDUs and could take over as the Root Bridge for the network, or it could create a loop in our network if it has another link into another part of the network.
So what BPDU Guard provides is a secure response to invalid configurations or unauthorised switches on our network, because the administrator must manually re-enable the err-disabled interface after fixing the invalid configuration or removing the unauthorised switch from the network. The one exception is when errdisable recovery has been configured for the bpduguard cause: the port is then re-enabled automatically after the recovery interval and, if the rogue device is still attached, simply trips again.
A port may be in errdisable status due to BPDU guard.
The errdisable status indicates that the port was automatically disabled by the switch operating system software because of an error condition encountered on the port.
To determine if a port is in errdisable status on Catalyst OS, issue the show port command. For example, to check the status on port 3/2, issue the show port 3/2 command. This is a sample command output:
The switch sends a message to the console describing why the port is disabled when it puts a port in the errdisable state. If syslog is configured, the message is available on the syslog server as well.
Another way to determine the reason for the errdisable status is to issue the show errdisable-timeout command. This command is available in Catalyst OS (CatOS) 5.4(1) or later. This is a sample command output:
If a switch with BPDU Guard enabled sees a BPDU arrive on a port that has PortFast enabled, it puts the port in errdisable status and prints a message similar to one of these on the console:
%SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling 3/2. (CatOS)
%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state. (Cisco IOS system software)
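The two console messages above are also what a syslog collector receives, so they are the natural place to hook a detection. As an added example that is not part of the original page, the following Python extracts BPDU Guard errdisable events from both the CatOS and the IOS message formats, and flags ports that trip repeatedly, which is what a rogue switch looks like once errdisable recovery is enabled. The syslog lines, host names and interface names are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample syslog lines (not output from the original page). The first two
# reproduce the CatOS and IOS message formats quoted above; the others are unrelated
# noise, a different errdisable cause, and repeated trips of the same port such as
# errdisable recovery produces while the offending switch is still attached.
SAMPLE_LOG = """\
Mar  1 10:02:11 catos-sw %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling 3/2.
Mar  1 10:02:12 ios-sw %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state.
Mar  1 10:02:13 ios-sw %LINK-3-UPDOWN: Interface GigabitEthernet4/2, changed state to up
Mar  1 10:02:14 ios-sw2 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state.
Mar  1 10:07:13 ios-sw %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state.
Mar  1 10:12:14 ios-sw %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state.
"""


@dataclass(frozen=True)
class ErrdisableEvent:
    host: str
    port: str
    reason: str     # errdisable cause: "bpduguard", "psecure-violation", ...
    platform: str   # "catos" or "ios"
    raw: str


# CatOS only reports BPDU Guard trips this way; the port is the token after "Disabling",
# with the trailing period stripped.
_CATOS_RE = re.compile(
    r"%SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port\. "
    r"Disabling (?P<port>[^\s.]+)"
)
# IOS logs every errdisable cause through the same message; the mnemonic is
# %PM-4-ERR_DISABLE on most platforms and %PM-SP-4-ERR_DISABLE when the supervisor logs it.
_IOS_RE = re.compile(
    r"%PM(?:-SP)?-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>[^\s,]+), "
    r"putting \S+ in err-disable state"
)


def _host_of(line: str) -> str:
    """The syslog hostname is the last token before the '%MNEMONIC' part."""
    head = line.split("%", 1)[0].split()
    return head[-1] if head else "?"


def parse_errdisable(log: str) -> List[ErrdisableEvent]:
    """Return every errdisable event in the log, in log order."""
    events: List[ErrdisableEvent] = []
    for line in log.splitlines():
        m = _CATOS_RE.search(line)
        if m:
            events.append(ErrdisableEvent(_host_of(line), m["port"], "bpduguard", "catos", line))
            continue
        m = _IOS_RE.search(line)
        if m:
            events.append(ErrdisableEvent(_host_of(line), m["port"], m["reason"], "ios", line))
    return events


def bpduguard_ports(log: str) -> List[str]:
    """'host:port' for each port err-disabled by BPDU Guard, one entry per trip."""
    return [f"{e.host}:{e.port}" for e in parse_errdisable(log) if e.reason == "bpduguard"]


def repeat_offenders(log: str, threshold: int = 2) -> List[str]:
    """Ports tripped by BPDU Guard at least `threshold` times: a device that keeps sending
    BPDUs is still plugged in and errdisable recovery is just re-enabling the port."""
    counts = Counter(bpduguard_ports(log))
    return sorted((p for p, n in counts.items() if n >= threshold),
                  key=lambda p: (-counts[p], p))


if __name__ == "__main__":
    for ev in parse_errdisable(SAMPLE_LOG):
        print(f"{ev.platform:5} {ev.host:9} {ev.port:6} {ev.reason}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

In a real collector the per-trip list would be fed into an alert with the host and port, and the repeat-offender list is the one worth paging on: a single trip is usually someone plugging a hub or a second switch under a desk, while a port that keeps tripping across recovery intervals means nobody has removed the device yet.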
If BPDU guard is the reason for the errdisable status, check these settings:
Verify that the port using portfast is connected to an end station, not to a device that generates Spanning-Tree Protocol (STP) BPDU packets such as switches, bridges, or routers doing bridging.
If the port is connected to an STP device that is generating BPDU packets, disable PortFast on that port. The CatOS command to disable PortFast on port 3/2 is set spantree portfast 3/2 disable; on Cisco IOS the equivalent is no spanning-tree portfast under the interface.
Once the cause of the errdisable status has been found and corrected, re-enable the port by issuing the set port enable command. For example, to re-enable port 3/2, issue the set port enable 3/2 command. On Cisco IOS, issue shutdown followed by no shutdown on the interface.
If the set port enable command is issued without the cause of the errdisable status being corrected, the BPDUs keep arriving and the port eventually goes back to the errdisable status.
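The page's commands are CatOS. As an added example in Cisco IOS syntax (not taken from the original page), here is the same edge-port setup with the weak and the hardened configuration side by side, followed by the global alternative, optional automatic recovery, and the commands used to verify and to manually clear the errdisable state. The interface name and VLAN number are assumed for the example.

```cisco
! Weak: PortFast without BPDU Guard. A BPDU arriving here only revokes PortFast;
! a rogue switch can still win the Root Bridge election or close a loop.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Hardened: the same edge port with BPDU Guard, so a BPDU err-disables it.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global alternative: PortFast and BPDU Guard on every non-trunking port at once.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: bring bpduguard-disabled ports back after 300 seconds. Without this
! the port stays down until an administrator clears it by hand.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (exec mode).
show spanning-tree summary
show interfaces status err-disabled
show errdisable recovery
!
! Manual recovery once the offending device is gone (config mode).
interface GigabitEthernet1/0/10
 shutdown
 no shutdown
```

The global form is what most campus deployments use, because a per-interface omission is exactly the port an unauthorised switch ends up on; the per-interface commands still override it where a port genuinely needs different behaviour.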