BPDU guard on SDA Fabric Edges

akinugas (Cisco Employee)

[Question]

Is it supported to configure bpdu guard globally on Fabric Edges in a SDA environment? 

(Customer is looking to configure bpdu guard using Template Editor feature provided by DNA-C)

Version info: DNA-C 1.2.10.4, Fabric Edges 16.9.3 (Cat9300)

[Background]

Our customer is concerned that if someone connects multiple L2 switches to the Fabric Edges, creating a loop topology, it would cause a network outage due to the loop. They have confirmed that a BPDU Guard config on the Fabric Edges alleviates the loop issue caused by mis-cabling.

(As the network operations team does not know what end users might do to the network, they are concerned about this.)

[Other Information]

In the DNAC 1.2.5 release notes, the following is stated:

Using the template-based configuration, approved SDA configurations can be manually pushed through template configuration via Cisco DNA Center. The following configurations are supported:

• Switch Hardening: CoPP, SSH ACL, Line VTY, BPDU Guard, Root Guard

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-2/rn_release_1_2_5/b_dnac_release_notes_1_2_5.html

Accepted Solution

Scott Hodgdon (Cisco Employee)

akinugas,

If your customer uses the "Closed Authentication" template for the ports, then if a user attaches a switch it would not authenticate and the port would not pass any traffic.

As we do not have Layer 2 between Fabric Edges, there would be no Layer 2 loops anywhere. There could be a loop within a Fabric Edge I suppose, but that would be only if multiple switches were connected to the same Fabric Edge node and if they were authenticated into the same VLAN.

All that said, the customer can use Template Editor to push out a BPDU Guard configuration if they wish.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group


Thank you for your prompt response, Scott.

Hi Scott, I know this is an old post, but it is related. Since BPDU Guard is now deployed by Catalyst Center when selected for a fabric in the Authentication Template, is there a way to disable it for a single access interface? I am concerned that using a CLI template to do it may be undone automatically by Catalyst Center later.

jedolphi (Cisco Employee)

Hi Hendrik, possible solutions:

1. It can be disabled within the closed auth template specifically; I'm not sure if your single port is intended to use the closed auth template? I guess probably not.

2. Set the single port to trunk, and set the native VLAN and allowed VLAN to 10 (or whatever VLAN you wanted on the port)

There is also some roadmap to solve this in a better way, but it's too far out for me to discuss timelines. Please consider "Make a wish" and also passing any feedback on to your Cisco sales team.

Are either of options 1) or 2) automated with the CatC UI, or at least are there API calls that can be leveraged?

Option 1 is automated by CatC, I assume there is a public API. Option 2 would require setting the port to trunk (there should be an API for that), and then a template for native/allowed VLAN. We do have UI and API coming for trunk+native+allowed through SDA automation; for timelines, best to talk to your sales team.

I would appreciate it if you could show me the flag where we can disable BPDU Guard on the access port in the Port Assignment workflow. Thank you.

Hi Andy, it's for the whole closed auth template:

[Screenshot: jedolphi_0-1741190085077.png]

Hi Andy, BPDU Guard is off by default on SDA Edge Node trunk ports, are you asking for a means of turning it on? If yes then template is only option today. Please do make a wish and explain the use case if you think it's something that should be automated.

Hi Jerome, thank you for the response.

Wrt option 1: I am using the closed auth template but changing it in the template would disable it on all closed ports in the fabric as far as I know.

Wrt option 2: I lose 802.1x with this option.

What I ended up doing is using a template referencing a system variable to select interfaces while provisioning on which the command to disable BPDU Guard will be run. This works of course but my concern is whether Catalyst Center would overwrite this in the future.

Unfortunately, I can't predict what a future CatC version might do, especially if someone goes into the SDA host onboarding UI and changes the port configuration. Ideally this use case would be solved through a formal SDA automation feature, please do "make a wish" in the CatC UI.

Yes, disabling BPDU Guard in the closed auth template will impact all closed auth ports. The counterargument is that if endpoints are being authenticated then it's safe to disable BPDU Guard since all the endpoints are "known", but of course that's a generalisation that might not fit all customers.
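As an added illustration (not code from the thread, from Catalyst Center or from Cisco), a small audit that parses a constructed Cat9300 running-config excerpt and reports the effective BPDU Guard state per interface, so that the exception ports set through a CLI template can be re-checked for drift after each re-provision. The interface names and config lines are constructed; the rules modelled are IOS-XE's per-interface `spanning-tree bpduguard enable|disable` overriding the global `spanning-tree portfast bpduguard default`, which only takes effect on PortFast (edge) ports.

```python
import re
# Constructed sample Cat9300 running-config (not from the thread): global default on,
# Gi1/0/2 carries the per-interface 'disable' override, Gi1/0/3 is the trunk variant.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk native vlan 10
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from an IOS-style config."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any global line closes the stanza
    return stanzas

def effective_bpduguard(config):
    """Map interface -> True if BPDU Guard is active: an explicit per-interface
    enable/disable wins; otherwise the global default covers only PortFast ports."""
    global_guard = re.search(r"^spanning-tree portfast(?: edge)? bpduguard default$", config, re.M)
    state = {}
    for name, lines in parse_interfaces(config).items():
        explicit = [l for l in lines if l.startswith("spanning-tree bpduguard ")]
        portfast = [l for l in lines if l.startswith("spanning-tree portfast")]
        if explicit:
            state[name] = explicit[-1].endswith("enable")  # last statement wins
        else:
            state[name] = bool(global_guard) and bool(portfast) and not any(l.endswith("disable") for l in portfast)
    return state

def guard_drift(config, expected_disabled):
    # Ports meant to stay unguarded (e.g. set by a CLI template) that are guarded again after a re-provision.
    return sorted(i for i in expected_disabled if effective_bpduguard(config).get(i))
```

Run `guard_drift` against a fresh `show running-config` after every provisioning event; a non-empty list means Catalyst Center (or an operator) has removed the per-port override.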