Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5874
Views
0
Helpful
2
Replies

Cisco AP and BPDU-guard setting on the switch port

mrombouts
Level 1
Level 1

‎11-06-2014 03:40 AM - edited ‎03-07-2019 09:24 PM

Hi everyone,

I have looked on different forums and it's quite confusing. So if someone could clarify, then thanks in advance.

Situation:

Cisco AP connected to switch, port in trunk mode.

Config of port on switch:

interface FastEthernet0/37
 description AP1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 303
 switchport trunk allowed vlan 1,303,313,353
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 60.00
 storm-control multicast level 60.00
 storm-control action shutdown
 storm-control action trap
 spanning-tree bpduguard enable
end

This is a config not set by myself and what is bothering me most is the last line. "spanning-tree bpduguard enable". This setting puts another AP in "err-disable" mode (not this one).

Logfile switch:

286229: Nov  6 10:59:39.288 CET: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 1
286233: Nov  6 11:01:45.872 CET: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.
286234: Nov  6 11:01:45.872 CET: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
286235: Nov  6 11:01:46.896 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
286236: Nov  6 11:01:47.894 CET: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

So I disabled "spanning-tree bpduguard". Problem solved. BUT, didn't I disabled an important anti-loop rule here? Although the network is still running fine. And the other AP's have this enabled, but aren't going into "err disable".

This is a trunk port, maybe this rule is more applied on access ports?

Regards,

Max

 

Labels:
0 Helpful
2 Replies 2

John Blakley
VIP Alumni
VIP Alumni

‎11-06-2014 03:54 AM

I never enable bpdu guard on AP switchports. Primarily because our business relies heavily on APs and I don't want something accidentally connecting to it that could start sending bpdus in some way. That being said, is there another AP that's in bridge mode or is this AP in bridge that could be receiving a bpdu from the other switchport? That's the only thing off the top of my head that could cause this.

Yes, I also avoid putting bpdu guard on trunks unless I know it's a port for a host and a phone.

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

mrombouts
Level 1
Level 1
In response to John Blakley

‎11-06-2014 06:53 AM

Thank you for your reply John.

The AP's are connected to a controller. In that particular environment they are in Flexconnect.

I understand the way you configured it in your network. It's obvious if your business relies on the AP's.

I intend to get rid of that config line on all trunk ports connected to an AP. For pc's and phones I keep:

 spanning-tree portfast
 spanning-tree bpduguard enable

Kr,

Max

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card