Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
877
Views
5
Helpful
3
Replies

BPDU Guard not guarding

jnesbitt1
Level 1
Level 1

‎05-12-2015 03:01 PM - edited ‎03-07-2019 11:59 PM

A quick rundown on the problem. I had a user plug a switch into another switch configured with BPDU guard and the port shut down. They plugged their switch into another port also configured with BPDU guard and it let the switch connect. A little baffled by this I loaded my switches configuration into my lab to troubleshoot. Sure enough I was able to plug another cisco switch into a BPDU guard enabled port and link came right up. To make sure the ports were configured correctly with Portfast and BPDU guard wiped the config and issued the following commands:

 

All the ports are configured as regular switchports.

 

Switch(config)#spanning-tree portfast bpduguard default

Switch(config)#int range gi1/0/1 - 24

Switch(config-if-range)#no spanning-tree portfast disable

 

With this, I plugged another cisco switch into this one and the links came right up. However, when I unplugged the cable and plugged it right back into the same port BPDU guard shut the port down like it should. Why is BPDU guard even allowing connections from another switch to come up? Doesn't this defeat the purpose of BPDU guard? Once I got a port to shut down I plugged the cable over to another port and got link; I unplugged and plugged back in and BPDU shut the port down. I have done this on two different switches now just to eliminate hardware and have also upgraded to a more recent iOS. Can someone please help me figure this out? Thanks in advanced.


 

Labels:
0 Helpful
3 Replies 3

Leo Laohoo
Hall of Fame
Hall of Fame

‎05-12-2015 03:42 PM

Can you try this:  sh run | i errdisable recovery cause bpduguard

jnesbitt1
Level 1
Level 1
In response to Leo Laohoo

‎05-12-2015 03:47 PM

I gave that a try but nothing comes up.

0 Helpful

Rolf Fischer
Level 9
Level 9
In response to jnesbitt1

‎05-12-2015 11:14 PM

BPDU Guard will always detect a Rapid-STP switch due to the initial proposal/agreement sequence.

However, when the other switch runs the original (non-rapid) spanning-tree protocol, it depends on which switch sends the first BPDU.

There is a 50% probability that your switch sends its first BPDU sooner than the other switch. If that BPDU also reports the better Root-ID, the other switch knows instantly that this BPDU is superior and doesn't send any BPDUs on that link, so BPDU Guard won't be triggered.

I wouldn't say it doesn't guard in such scenarios because it nevertheless prevents that third-party switches actively participate in your spanning-tree. You can combine it with port-security in order to limit the number of endsystems allowed on your edgeports.

HTH

Rolf
 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card