Solved: Re: bpdu guard and spanning tree

jkay18041 · ‎11-06-2018

Hello, I've got 3 Cisco 3750E stacks and would like to turn on bpdu guard on the access interfaces. We are running rstp and I've set one port to port-fast and bpduguard. However when I plugged in an HP switch (set to factory defaults) and a cheap linksys switch the port never went into error mode. I then turned spanning tree on the default vlan using the HP switch and it kicked the port off. Do most switches not send bpdu guard packets by default?

Also if I turn bpduguard on does it automatically turn port-fast on as well or do I need to have it enabled also if I want port-fast?

Thank you

Reza Sharifi · ‎11-06-2018

Correct. It should only affect the access ports, so no one can plug in a switch to an access port on the network. Not much you can do about hubs, as they don't send or receive bpdus. You can use port security on access ports and limit the numbers to 1 or 2 MACs (if phones connect to PCs) so no one can plug in a hub and connect multiple PC/laptops to it.

HTH

View solution in original post

Reza Sharifi · ‎11-06-2018

If you issue this command globally, it will enable both features for you globally.

spanning-tree portfast bpduguard default

HTH

jkay18041 · ‎11-06-2018

My only fear is that if I do this it will mess up my LACP links between switches. If I enable it globally does it only enable it on Access ports?

Thank you for the help

Reza Sharifi · ‎11-06-2018

bpdu gurad will be apply to access ports only.

It should not affect the trunk ports or Portchannel configured between switches.

HTH

jkay18041 · ‎11-06-2018

So as long as the port is set to switchport mode trunk it won't change it? Even if a native vlan is set on that port?

Reza Sharifi · ‎11-06-2018

Correct. It should only affect the access ports, so no one can plug in a switch to an access port on the network. Not much you can do about hubs, as they don't send or receive bpdus. You can use port security on access ports and limit the numbers to 1 or 2 MACs (if phones connect to PCs) so no one can plug in a hub and connect multiple PC/laptops to it.

HTH

mkazam001 · ‎11-06-2018

if you want more control, you could do this manually using:

interface range *

spanning-tree portfast

spanning-tree bpduguard enable

both commands are configured & removed separately

regards, mk

please rate if helpful :)

paul driver · ‎11-06-2018

Hello

@jkay18041 wrote:

Hello, I've got 3 Cisco 3750E stacks and would like to turn on bpdu guard on the access interfaces. We are running rstp and I've set one port to port-fast and bpduguard. However when I plugged in an HP switch (set to factory defaults) and a cheap linksys switch the port never went into error mode. I then turned spanning tree on the default vlan using the HP switch and it kicked the port off. Do most switches not send bpdu guard packets by default?

Also if I turn bpduguard on does it automatically turn port-fast on as well or do I need to have it enabled also if I want port-fast?

Thank you

No it doesn't. automatically turn PF on

If you enable bpduguard on the interface you DONT need to have portfast enabled before.

If you enable bpduguard globally and NOT on the specific interface then you need either to have port fast enabled globally or on the interface beforehand.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

jkay18041 · ‎11-06-2018

So i turned on "spanning-tree portfast bpduguard default" and it doesn't seem to work. If i enabled it on a specific port it does.

Any suggestions?

Alex Pfeil · ‎11-06-2018

Do you have spanning-tree portfast default?

That command should enable bpdu guard on any port that is an access port with spanning-tree portfast enabled on the port.

Please check helpful posts if this is helpful.