cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1125
Views
0
Helpful
8
Replies

bpduguard Question

sampusarkar
Level 1
Level 1

Hello :

I have one customer who has created a

physical loop on a Cat4506 switch with

bpduguard enabled on access ports but he

sees STP loop .

Same loop was given to Cat3560 sw but the moment the physical loop given the port goies to error disable state .

So my customer wants to know is there any

limitation on bpdu which is causing a STP loop on Cat4506sw ?

Regards

Arjun

8 Replies 8

dario.didio
Level 4
Level 4

Hi,

BPDUGuard will only work on portfast enabled ports.

Verify that portfast was configured.

HTH,

Dario

Hello :

BPDU guard has configured globally .

We ahve the following config .

interface FastEthernet2/1

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x control-direction in

dot1x timeout tx-period 1

dot1x max-reauth-req 1

dot1x guest-vlan 993

macro description nomab | mab | nomab | mab

spanning-tree portfast

I don't understand your question

Francois Tallet
Level 7
Level 7

Arjun,

Loops are not prevented by bpduguard. They are prevented by STP. Do you have any sort of BPDU filtering enabled on your ports? That would be a reason why STP could fail. Also, if you connect together ports with portfast enabled, you might get a temporary loop. The problem with a loop, even temporary, is that it can generate a very high traffic rate. If for some reason, some of this traffic is hitting the CPU (arp or other control frame), it might prevent STP from operating by creating a sort of DOS.

Both platform you mention have the same software base, so they should eventually behave roughly the same wrt STP.

Regards,

Francois

Hello Francois :

Thanks for the info . But on Cat3560 sw

when we do the physical loop it doesn't

craete any issue . The port becomes error disable state . Only we observe this behaviour on Cat4506 sw .

Regards

Arjun

I do receive he following logs in Cat4k switch ;

Sep 25 08:36:37.590: dot1x assert failure: old->pae_type != DOT1X_PAE_MAX: ../switch/dot1x/dot1x_switch_core.c: 254

Sep 25 08:36:37.590: -Traceback= 102A9C74 102CFFB4 1139E090 102B8240 102B0EBC 10A37C14 10A36D24 106B0FA0 106B125C 10A37C14 10A36D24 10A64684 105F0580 105E7730

Sep 25 08:36:37.602: dot1x assert failure: old->pae_type != DOT1X_PAE_MAX: ../switch/dot1x/dot1x_switch_core.c: 254

Sep 25 08:36:37.602: -Traceback= 102A9C74 102CFFB4 1139E090 102B8424 102B0CD8 10A37C14 10A36D24 106B0FA0 106B125C 10A37C14 10A36D24 10A64684 105F0580 105E7730

Sep 25 08:36:43: %SYS-5-CONFIG_I: Configured from console by vty0 (146.103.1.13)

Are you sure the port on the 3560 was errordisabled by BPDUguard, and not Loopguard? Those are two completely different features.

As one poster already stated, BPDUguard does not prevent spanning-tree loops, BPDUguard will place a port into errordisable state if and ONLY if it recieves a BPDU, just because you have a loop doesn't mean that you recieved a BPDU.

Look in the output of "show log" on the 3560, I'm betting the loop was detected by loopguard and not BPDUguard.

HTH,

Craig

Dear Craig :

I agree with you . But the thing is that

on Cat3560 customer doesn't have bpdu guard configured . Infact it is disabled . Also no loopguard was configured . In test environment if they

give physical loop ports go into error disbale state .

Regards

Arjun