06-11-2019 06:01 AM
[Question]
Is it supported to configure BPDU Guard globally on Fabric Edges in an SDA environment?
(Customer is looking to configure BPDU Guard using the Template Editor feature provided by DNA-C.)
Version info: DNA-C 1.2.10.4, Fabric Edges 16.9.3 (Cat9300)
[Background]
Our customer is concerned that if someone connects multiple L2 switches to Fabric Edges, creating a loop topology, the loop would cause a network outage. They have confirmed that BPDU Guard config on Fabric Edges alleviates the loop issue caused by miscabling.
(As the network operations team does not know what end users would do to the network, they are concerned about this.)
[Other Information]
In the DNAC 1.2.5 release notes, the following is stated:
Using the template-based configuration, approved SDA configurations can be manually pushed through template configuration via Cisco DNA Center. The following configurations are supported:
Switch Hardening: CoPP, SSH ACL, Line VTY, BPDU Guard, Root Guard
06-11-2019 06:46 AM
akinugas,
If your customer uses the "Closed Authentication" template for the ports, then if a user attaches a switch it would not authenticate and the port would not pass any traffic.
As we do not have Layer 2 between Fabric Edges, there would be no Layer 2 loops anywhere. There could be a loop within a Fabric Edge I suppose, but that would be only if multiple switches were connected to the same Fabric Edge node and if they were authenticated into the same VLAN.
All that said, the customer can use Template Editor to push out a BPDU Guard configuration if they wish.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking Group
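A check that can be run after a BPDU Guard template has been pushed, as an added example that is not part of the original thread or Cisco's own tooling: it reads a saved running-config and lists the access ports where a received BPDU would still not err-disable the port. It assumes standard IOS-XE behaviour, where the global `bpduguard default` command only covers ports that are in PortFast (edge) mode; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface TenGigabitEthernet1/1/1
 no switchport
"""

def has(lines, pattern):
    """True if any config line matches the pattern in full."""
    return any(re.fullmatch(pattern, l) for l in lines)

def unprotected_access_ports(text):
    """Return access ports that are not covered by BPDU Guard."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        elif line.strip() not in ("", "!"):
            cur = None
            glob.append(line.strip())
    # Both the older and the "edge" keyword forms of the global commands are accepted.
    g_guard = has(glob, r"spanning-tree portfast (edge )?bpduguard default")
    g_fast = has(glob, r"spanning-tree portfast (edge )?default")
    exposed = []
    for name, lines in ifaces.items():
        fast = has(lines, r"spanning-tree portfast( edge)?") or (
            g_fast and not has(lines, r"spanning-tree portfast disable"))
        guarded = has(lines, r"spanning-tree bpduguard enable") or (
            g_guard and fast and not has(lines, r"spanning-tree bpduguard disable"))
        if "switchport mode access" in lines and not guarded:
            exposed.append(name)
    return exposed
```

On the sample, port 1/0/2 is reported because it is not a PortFast port, and 1/0/4 because the interface-level `disable` overrides the global default.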
06-11-2019 07:01 AM
Thank you for your prompt response, Scott.