
VLAN Issue for Beginner

mstory222
Level 1

I have an old Cisco 2950 with our ISP connected to port 46 with the following config:

interface FastEthernet0/46
 switchport access vlan 2
 switchport mode access
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable

 

Somehow they are able to see VLAN1 and that switch's IP address. The port disables itself with a solid amber light and this error in the logs:

 

00:46:22: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/46 with BPDU Guard enabled. Disabling port.
00:46:22: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/46, putting Fa0/46 in err-disable state

 

Am I missing a command to isolate that vlan on port 46? This vlan passes through a trunk on port 48 to a subinterface on our router.
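Added example, not part of the original thread: a small Python parser that correlates the two syslog messages quoted above per port and flags ports that BPDU Guard has err-disabled more than once. The regular expressions assume the message wording shown in the post; the sample lines after the first two, and all function names, are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are the messages from the post (line wrap repaired);
# the remaining three are constructed for this example.
SAMPLE_LOG = """\
00:46:22: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/46 with BPDU Guard enabled. Disabling port.
00:46:22: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/46, putting Fa0/46 in err-disable state
00:51:22: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/46 with BPDU Guard enabled. Disabling port.
00:51:22: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/46, putting Fa0/46 in err-disable state
00:51:30: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

# Patterns follow the message text exactly as it appears in the post.
GUARD = re.compile(r"^(\S+): %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) ")
ERRDIS = re.compile(r"^(\S+): %PM-4-ERR_DISABLE: bpduguard error detected on ([^,\s]+),")
ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}


def short_name(port):
    """Map 'FastEthernet0/46' to 'Fa0/46' so both message types share one key."""
    for long_form, short_form in ABBREV.items():
        if port.startswith(long_form):
            return short_form + port[len(long_form):]
    return port


def bpduguard_events(log_text):
    """Return {port: {'bpdu_seen': [timestamps], 'err_disabled': [timestamps]}}."""
    events = defaultdict(lambda: {"bpdu_seen": [], "err_disabled": []})
    for line in log_text.splitlines():
        for pattern, key in ((GUARD, "bpdu_seen"), (ERRDIS, "err_disabled")):
            match = pattern.match(line)
            if match:
                events[short_name(match.group(2))][key].append(match.group(1))
    return dict(events)


def repeat_trips(events):
    """Ports err-disabled more than once: the neighbour is still sending BPDUs."""
    return {p: len(e["err_disabled"]) for p, e in events.items() if len(e["err_disabled"]) > 1}


if __name__ == "__main__":
    found = bpduguard_events(SAMPLE_LOG)
    for port, seen in sorted(found.items()):
        print(port, seen)
    print("repeat trips:", repeat_trips(found))
```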


Hello,

 

the BPDUs are coming from whatever is connected to FastEthernet0/46. What kind of ISP connection is this?

Seb Rupik
VIP Alumni

Try the following:

!
int fa0/46
  no spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
!

The ISP router is sending you BPDU packets which is causing your switch to put the switchport into an err-disabled state. Using the bpdufilter will get round this issue. You should want to drop these BPDUs as you do not manage the ISP router and do not want it to affect your STP topology.

 

Providing the ISP is sending untagged frames, they will be associated with VLAN2 on the switch and be allowed to be forwarded up your trunk link on Gi0/48.

 

cheers,

Seb.

 

 

I did disable portfast and bpduguard. The port was still solid amber for almost an hour and then the connection magically came up. We have the scan interval set to the default 300 second refresh. I don't know what changed, maybe our ISP's equipment takes longer to reset. The connection is up so I'm happy. Thanks everyone for the replies.

Hi @mstory222

Change to resolved and rate as useful.

Thank you.

Hello,

 

disabling spanning tree portfast might not be a good idea. I don't know what you are getting from your ISP through that link, but services such as DHCP may not work properly. 

That might be the reason the link took about an hour to come up...

Hello @mstory222

 

As per the log, you have a port with BPDU guard enabled and this port is receiving BPDUs from the remote device.

The remote device shouldn't be a switch, or you need to disable BPDU guard and config the port accordingly for a switch.

 

 

-If I helped you somehow, please, rate it as useful.-

Hello
Can you explain what you mean by this?

By the way, I agree with Georg, enabling bpdufilter wouldn't be a good idea unless you are positive you don't need stp, as this feature has the same effect as not having stp.

 


@mstory222 wrote:

Somehow they are able to see VLAN1 and that switch's IP address. The port disables itself with a solid amber light and this error in the logs:


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul