spanning-tree bpdu guard

espmolina
Level 1

I am running 12.2(25)SEE on a Cat 3550 and I need to enable BPDU Guard on the access ports. My question is: do I need to enable PortFast to make bpduguard work?

I have the following on my switch:

!
interface FastEthernet0/9
 switchport access vlan 813
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
end

But for some reason, when I connect another switch on this port, it goes to forwarding:

cgda-3550-icpe-3#show spanning-tree int fa0/9 detail
 Port 9 (FastEthernet0/9) of VLAN0813 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.9.
   Designated root has priority 33581, address 000d.ed60.2280
   Designated bridge has priority 33581, address 000d.ed60.2280
   Designated port id is 128.9, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 2823, received 0
cgda-3550-icpe-3#

Any help will be appreciated.

Tks.

4 Replies

eofelt
Level 1

BPDU Guard is globally enabled on (some) Cisco switches and is in effect on any port configured with the port fast option.

IOS(config)#spanning-tree portfast bpduguard

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

Yes, but I want to enable it specifically on some ports but not on others. My problem is that the port is supposed to go err-disabled once it receives BPDUs on the port. But for some reason the port goes forwarding even when BPDUs appear on the port. Could be a bug, but I just want to make sure that I am not missing anything.

Hi,

You can enable bpduguard individually on a port with the command 'spanning-tree bpduguard enable' under the interface. If the port receives any BPDU then it would put the port in err-disabled state. The admin has to shut and no shut to reenable the port.

The output below is from a 3550 switch.

SW1-3550#show int f0/11 status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/11                       connected    1          a-full  a-100 10/100BaseTX

SW1-3550#show run int f0/11
Building configuration...

Current configuration : 69 bytes
!
interface FastEthernet0/11
 switchport mode dynamic desirable
end

SW1-3550#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW1-3550(config)#int f0/11
SW1-3550(config-if)#spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree

SW1-3550(config-if)#spanning-tree bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface

SW1-3550(config-if)#spanning-tree bpduguard enable
SW1-3550(config-if)#^Z
SW1-3550#sh
6d19h: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/11 with
BPDU Guard enabled. Disabling port.
6d19h: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/11, putting Fa0/11 in
err-disable stateow run in
6d19h: %SYS-5-CONFIG_I: Configured from console by console
6d19h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed
state to downt f0/11
6d19h: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to down
Building configuration...

Current configuration : 101 bytes
!
interface FastEthernet0/11
 switchport mode dynamic desirable
 spanning-tree bpduguard enable
end

SW1-3550#show int f0/11 status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/11                       err-disabled 1          auto    auto  10/100BaseTX

HTH

Sundar

bbaltas
Level 1

From what I can see, your config looks correct. The output from show spanning-tree shows that the port has not received any BPDU packets. Remember, BPDU guard takes the port into an err-disable mode if it receives BPDU packets; it does not prevent BPDU packets from being transmitted.
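
The replies above distinguish the interface-level "spanning-tree bpduguard enable" (which took effect on Fa0/11 without PortFast) from the global form that covers PortFast ports. The following is an added example, not code from any poster in this thread, that resolves the configured BPDU guard state per interface from a saved running-config. The sample configuration is constructed, the function names are hypothetical, the global command is matched with or without the "default" keyword, and only configured (not operational) state is evaluated.

```python
import re

# Constructed sample running-config (not taken from the switches in the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/9
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/10
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree bpduguard enable
!
interface FastEthernet0/12
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface FastEthernet0/13
 switchport mode access
"""

def audit_bpduguard(config):
    """Return {interface: (guarded, reason)} from running-config text."""
    # Global form: guard applies only to ports that also have PortFast.
    # 'default' is optional so the spelling quoted in the thread also matches.
    global_guard = bool(re.search(
        r"^spanning-tree portfast bpduguard( default)?\s*$", config, re.M))
    result = {}
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        cmds = {line.strip() for line in m.group(2).splitlines()}
        if "spanning-tree bpduguard disable" in cmds:    # overrides the global
            result[m.group(1)] = (False, "disabled on interface")
        elif "spanning-tree bpduguard enable" in cmds:   # PortFast not needed
            result[m.group(1)] = (True, "interface command")
        elif global_guard and "spanning-tree portfast" in cmds:
            result[m.group(1)] = (True, "global default via portfast")
        else:
            result[m.group(1)] = (False, "not configured")
    return result

def unguarded(config):
    """Interfaces with no configured BPDU guard, in config order."""
    return [name for name, (ok, _) in audit_bpduguard(config).items() if not ok]

if __name__ == "__main__":
    for name, (ok, why) in audit_bpduguard(SAMPLE_CONFIG).items():
        print(f"{name:20} {'guarded' if ok else 'UNGUARDED':10} {why}")
```

A port reported as guarded still forwards until a BPDU actually arrives, which matches the "received 0" counter in the original poster's output.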