BPDU Guard without ERR-Disable

danielpurton (Level 1)

Hi Everyone,

I recently had an instance in one of my networks where a user plugged in a home router to our network. The router then started handing out incorrect IP addresses to clients.

I know I can use DHCP Snooping or BPDU guard to stop this happening again and we do have BPDU Guard running at other sites successfully. The problem has always been if we enable it in a new production network we might disable ports that have legitimate devices on the other end. For example someone is using a small switch to share a port between a PC and a printer.

Is there a way of turning on BPDU guard but without it putting ports into an Err-Disabled mode and just alerting in the logs instead?

Regards, Daniel

8 Replies

InayathUlla Sharieff (Cisco Employee)

I have never done this hence not sure if you can achieve this.

HTH

Hello

My understanding is I don't think you can.
Do you have bpduguard running at a global or interface level?

If you know where these devices are attached then I suppose you could negate portfast on the port (only if bpduguard is set at a global level).

If you have it set on an interface level, bpduguard doesn't require portfast, so then you can either negate this also or apply Bpdufilter.

Bpdufilter at a global level turns off STP portfast. At an interface level, I would advise against this, as it ignores BPDUs altogether and can cause network loops.

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

So the main reason I would like to use BPDU guard without an ERR-Disable reaction would be to discover where these devices are in the network. Is there some other method of finding ports with BPDU packets?

By default all ports would be sending the BPDU as you would have STP enabled.

Now it's up to us how we want to filter/use a protection mechanism:

e.g. BPDU guard, BPDU filter, Port-Fast etc.

But there is no way you can, without configuring the above concepts, just get only the message out of the switches; that means you are compromising your network?

What if someone comes by mistake and connects a rogue switch and you don't have any protection mechanism on your box? That would bring down the complete network, right?

HTH

Leo Laohoo (Hall of Fame)

> Is there a way of turning on BPDU guard but without it putting ports into an Err-Disabled mode and just alerting in the logs instead?

Yes and no.  Whatever the case may be, I wouldn't recommend it.

 

NOTE:  BPDU Guard is every network operator's BEST FRIEND.  BPDU Guard is not to be treated like a "hassle" or a PIA.  BPDU Guard is there to ensure no one plugs a switch into your network that can potentially cause an STP loop.  

 

If your switch is a Catalyst 3K (and higher), you can craft an EEM which involves sending an e-mail when BPDU Guard gets invoked.  EEM is NOT supported in Cat 2K switches.  

 

Now, there's a setting to "recover" a port which has been put into "error-disable".  If you don't know what you're doing, then I'd recommend you stay away from this setting.  I've seen, first hand, how this command "errdisable recovery" has brought a network to its knees and crashed a brand-spanking new Catalyst 6807-X chassis.

Hi Leo,

Thanks for your input in the discussion. However, I think you are misunderstanding why I am asking this question.

I WANT to enable BPDU guard on this network, I know it's not a PIA and I am well aware of what it does and why it would be implemented.

The reason I am asking this question is because I need to transition from a network that doesn't have BPDU guard enabled to one that does. If I turn the feature on it will start disabling ports on switches and stop people's workflow until it is resolved. The reason people have unidentified switches plugged into the network might be legitimate, but the way they got around their problem wasn't the best.

My goal is to find out where these rogue switches are, find out why they are there. Find an alternative way to connect these devices to the network by either purchasing new switches or running more cabling.  This network does not have any onsite IT and therefore all this needs to be figured out remotely.

So the crux of the problem is: how to find STP devices that are plugged into my switches.

 

Thoughts?

> The reason I am asking this question is because I need to transition from a network that doesn't have BPDU guard enabled to one that does. If I turn the feature on it will start disabling ports on switches and stop people's workflow until it is resolved. The reason people have unidentified switches plugged into the network might be legitimate, but the way they got around their problem wasn't the best.

My recommendation is to enable BPDU Guard on an interface-level rather than globally.  If you've switches in copper and/or fibre optic ports, don't you use 802.1q Trunking?  If you do, then BPDU Guard doesn't need to be enabled, right?

> My goal is to find out where these rogue switches are, find out why they are there.

BPDU Guard on access ports will shut down the interface to switches but not to hubs.  :)

 

If your switches support EEM, whenever BPDU Guard gets triggered you'll get an email.   

Hello

For layer-one devices you can apply some port security:

! Access port: allow one MAC; a second MAC (e.g. a PC plus a printer
! behind an unmanaged switch or hub) trips the violation and logs it.
interface x/x
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging type inactivity
 switchport port-security aging time 10
 switchport port-security violation shutdown
!
! Global: let the switch bring the port back after the recovery timer
! instead of waiting for someone to do it by hand.
errdisable recovery cause psecure-violation

res

Paul

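Leo's EEM suggestion and Paul's port-security configuration both end up as syslog messages, so the remote discovery Daniel is after (which switch, which port, how often, which MACs) can be done by collecting those messages centrally and reducing them to a per-port inventory. The script below is an added example, not code from this thread or from Cisco. It assumes the switches send syslog to a collector (or that the EEM e-mails are dumped into a text file), and the sample lines in `SAMPLE_SYSLOG`, the hostnames `sw-floor1`/`sw-floor2` and the function names `parse_syslog`, `build_inventory` and `format_report` are all constructed for the example; the message formats follow the IOS `SPANTREE-2-BLOCK_BPDUGUARD` and `PORT_SECURITY-2-PSECURE_VIOLATION` messages.

```python
import re

# Constructed sample syslog export (not from the thread). The two
# message types we care about are BPDU Guard blocking a port (a switch
# is downstream) and a port-security violation (more MACs than allowed,
# i.e. a hub or unmanaged switch). Other messages are present to show
# that they are ignored.
SAMPLE_SYSLOG = """\
<187>Mar 12 09:14:02 sw-floor1 1023: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.
<188>Mar 12 09:14:02 sw-floor1 1024: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
<187>Mar 12 09:20:44 sw-floor2 2210: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
<187>Mar 12 09:21:01 sw-floor2 2211: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4466 on port GigabitEthernet1/0/7.
<189>Mar 12 09:30:00 sw-floor1 1030: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
<187>Mar 12 11:02:15 sw-floor1 1101: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.
"""

# IOS syslog envelope: optional <PRI>, timestamp, hostname, optional
# sequence number, then %FACILITY-SEVERITY-MNEMONIC: message text.
LINE_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?:\d+: )?%(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+): (?P<text>.*)$"
)
BPDUGUARD_RE = re.compile(r"Received BPDU on port (?P<port>\S+) with BPDU Guard")
PSECURE_RE = re.compile(
    r"caused by MAC address (?P<mac>[0-9a-fA-F.]+) on port (?P<port>[^\s.]+)"
)


def parse_syslog(text):
    """Return a list of events (dicts) for the two indicative messages."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IOS syslog line we understand
        mnemonic, body = m["mnemonic"], m["text"]
        base = {"ts": m["ts"], "host": m["host"], "mac": None}
        if mnemonic == "SPANTREE-2-BLOCK_BPDUGUARD":
            pm = BPDUGUARD_RE.search(body)
            if pm:
                events.append({**base, "port": pm["port"], "kind": "bpdu_guard"})
        elif mnemonic == "PORT_SECURITY-2-PSECURE_VIOLATION":
            pm = PSECURE_RE.search(body)
            if pm:
                events.append({**base, "port": pm["port"], "kind": "port_security",
                               "mac": pm["mac"]})
    return events


def build_inventory(events):
    """Fold events into one record per (switch, port).

    Assumes the export is in chronological order, as syslog normally is,
    so first/last seen can be taken from event order.
    """
    inventory = {}
    for e in events:
        rec = inventory.setdefault((e["host"], e["port"]), {
            "kinds": set(), "count": 0, "macs": set(),
            "first_seen": e["ts"], "last_seen": e["ts"],
        })
        rec["kinds"].add(e["kind"])
        rec["count"] += 1
        rec["last_seen"] = e["ts"]
        if e["mac"]:
            rec["macs"].add(e["mac"])
    return inventory


def format_report(inventory):
    """One line per port, noisiest first, so the worst offenders are visited first."""
    lines = []
    ordered = sorted(inventory.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    for (host, port), rec in ordered:
        kinds = "+".join(sorted(rec["kinds"]))
        macs = f", macs={sorted(rec['macs'])}" if rec["macs"] else ""
        lines.append(f"{host} {port}: {kinds} x{rec['count']} "
                     f"(first {rec['first_seen']}, last {rec['last_seen']}{macs})")
    return lines


if __name__ == "__main__":
    for line in format_report(build_inventory(parse_syslog(SAMPLE_SYSLOG))):
        print(line)
```

Run against a real export, the report is the list of ports to investigate (or to move from `violation shutdown` to a less disruptive setting once the legitimate cases are known); the `PM-4-ERR_DISABLE` and `LINK-3-UPDOWN` lines are deliberately skipped because they carry no information the two primary messages don't already give.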