I have one customer who has created a physical loop on a Cat4506 switch with bpduguard enabled on access ports, but he sees an STP loop.
The same loop was given to a Cat3560 switch, but the moment the physical loop is given, the port goes to error-disable state.
So my customer wants to know: is there any limitation on BPDU which is causing an STP loop on the Cat4506 switch?
BPDU guard has been configured globally.
We have the following config.
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x control-direction in
dot1x timeout tx-period 1
dot1x max-reauth-req 1
dot1x guest-vlan 993
macro description nomab | mab | nomab | mab
Loops are not prevented by bpduguard. They are prevented by STP. Do you have any sort of BPDU filtering enabled on your ports? That would be a reason why STP could fail. Also, if you connect together ports with portfast enabled, you might get a temporary loop. The problem with a loop, even temporary, is that it can generate a very high traffic rate. If for some reason, some of this traffic is hitting the CPU (ARP or other control frame), it might prevent STP from operating by creating a sort of DoS.
Both platforms you mention have the same software base, so they should eventually behave roughly the same wrt STP.
Hello Francois:
Thanks for the info. But on the Cat3560 switch, when we do the physical loop it doesn't create any issue. The port goes into error-disable state. We only observe this behaviour on the Cat4506 switch.
I do receive the following logs on the Cat4k switch:
Sep 25 08:36:37.590: dot1x assert failure: old->pae_type != DOT1X_PAE_MAX: ../switch/dot1x/dot1x_switch_core.c: 254
Sep 25 08:36:37.590: -Traceback= 102A9C74 102CFFB4 1139E090 102B8240 102B0EBC 10A37C14 10A36D24 106B0FA0 106B125C 10A37C14 10A36D24 10A64684 105F0580 105E7730
Sep 25 08:36:37.602: dot1x assert failure: old->pae_type != DOT1X_PAE_MAX: ../switch/dot1x/dot1x_switch_core.c: 254
Sep 25 08:36:37.602: -Traceback= 102A9C74 102CFFB4 1139E090 102B8424 102B0CD8 10A37C14 10A36D24 106B0FA0 106B125C 10A37C14 10A36D24 10A64684 105F0580 105E7730
Sep 25 08:36:43: %SYS-5-CONFIG_I: Configured from console by vty0 (184.108.40.206)
Are you sure the port on the 3560 was errordisabled by BPDUguard, and not Loopguard? Those are two completely different features.
As one poster already stated, BPDUguard does not prevent spanning-tree loops. BPDUguard will place a port into errordisable state if and ONLY if it receives a BPDU; just because you have a loop doesn't mean that you received a BPDU.
Look in the output of "show log" on the 3560, I'm betting the loop was detected by loopguard and not BPDUguard.
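Added example, not part of any post in this thread: a short Python script that scans saved "show log" output for %PM-4-ERR_DISABLE lines and reports which feature put each port into err-disable. The sample log lines are constructed, and the message shape ("<cause> error detected on <port>, putting <port> in err-disable state") is an assumption to check against your own switch output.

```python
import re
from collections import defaultdict

# Constructed sample of "show log" output (not taken from the thread).
SAMPLE_LOG = """\
Sep 25 08:40:01.100: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.
Sep 25 08:40:01.104: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
Sep 25 08:41:12.220: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/7.
Sep 25 08:41:12.224: %PM-4-ERR_DISABLE: loopback error detected on Fa0/7, putting Fa0/7 in err-disable state
Sep 25 08:42:30.000: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
"""

# The err-disable message names the feature that shut the port as its first word.
ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"
)


def errdisable_causes(log_text):
    """Return {port: [cause, ...]} for every err-disable event, in log order."""
    causes = defaultdict(list)
    for line in log_text.splitlines():
        match = ERR_DISABLE.search(line)
        if match:
            causes[match.group("port")].append(match.group("cause"))
    return dict(causes)


def ports_disabled_by(log_text, cause):
    """Return the sorted list of ports that were err-disabled by `cause`."""
    return sorted(
        port for port, seen in errdisable_causes(log_text).items() if cause in seen
    )


if __name__ == "__main__":
    for port, seen in errdisable_causes(SAMPLE_LOG).items():
        print(f"{port}: err-disabled by {', '.join(seen)}")
```
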
Dear Craig:
I agree with you. But the thing is that on the Cat3560 the customer doesn't have bpdu guard configured. In fact it is disabled. Also no loopguard was configured. In the test environment, if they give a physical loop, the ports go into error-disable state.