Connecting a router to an interface that has BPDUguard enabled

paranengmoose
Level 1

Hi this is a really silly question, but please advise me as I am confused.

I know BPDU is used for spanning-tree, which is layer2.

What happens when I connect a router to a BPDUguard-enabled interface of a switch?

Will it err-disable the port or can I just use it with no problem?

As far as I know, a router doesn't participate in spanning-tree or send any BPDUs, so switches will not consider it a malicious device.

If my assumption is correct, what technology on layer 2 other than port-security can prevent a layer-3 device from connecting to it, and vice versa?

I would really appreciate any comment.

Thanks.

1 Accepted Solution

Accepted Solutions

Carlos Villagran
Cisco Employee

Hi!

No, the router will not trigger the BPDUguard feature in your switch, since routers do NOT send BPDUs.

To avoid a layer 3 connection to your switch and prevent attacks or other undesirable network behaviors from your access ports, you can use DAI (Dynamic ARP Inspection), which validates ARP replies by comparing them with a local trusted internal database; thus a host will not answer ARPs with MAC addresses other than those specified in the internal database.

Please refer to the next link for configuration and detailed explanation of DAI:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

Hope it helps, best regards!

JC


2 Replies

acampbell
VIP Alumni

Hi,

You are correct.

Just make sure that the router is not running bridging like BVI or has an Ethernet switch card connecting back to your switch network, etc.

If it is, you will need to make adjustments like loopguard instead, etc.

Regards

Alex

Regards, Alex. Please rate useful posts.
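A constructed Catalyst configuration, added here and not taken from either reply, that puts the two answers together: BPDU guard on the router's access port with err-disable recovery, and DAI on the VLAN backed by a static ARP ACL acting as the "internal database". The interface names, VLAN 10, and the router's IP address and MAC are assumptions.

```cisco
! Constructed example; interface names, VLAN 10, 10.10.10.1 and
! 0000.0c12.3456 are assumed values, not from the thread.
!
! --- Access ports: PortFast + BPDU guard. A router that does not bridge
! sends no BPDUs, so the port stays up. A router running a BVI or an
! EtherSwitch module can send BPDUs and would put the port in err-disabled,
! so recovery is enabled with a 5-minute timer.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 description Router LAN interface (no bridging configured on the router)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! If the router does bridge (BVI/EtherSwitch), remove bpduguard from its
! port and use loop guard there instead, as the second reply suggests:
!   spanning-tree guard loop
!
! --- DAI on VLAN 10. With no DHCP snooping bindings for the router, the
! "internal database" is a static ARP ACL that pins its IP to its MAC;
! ARP replies claiming 10.10.10.1 from any other MAC are dropped and logged.
arp access-list ROUTER-BINDINGS
 permit ip host 10.10.10.1 mac host 0000.0c12.3456
!
ip arp inspection vlan 10
ip arp inspection filter ROUTER-BINDINGS vlan 10 static
!
! Known-good uplinks are trusted so their ARP traffic is not inspected;
! the router's access port stays untrusted and is checked against the ACL.
interface GigabitEthernet1/0/48
 description Uplink to distribution
 ip arp inspection trust
!
! --- Verification
! show spanning-tree interface GigabitEthernet1/0/1 detail  (expect "Bpdu guard is enabled")
! show interfaces status err-disabled                       (any port tripped by a BPDU)
! show ip arp inspection vlan 10                            (ACL match and inspection state)
! show ip arp inspection statistics vlan 10                 (forwarded/dropped ARP counters)
```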