06-27-2018 03:52 AM - edited 03-08-2019 03:29 PM
Hi,
As per the Security audit, for securing STP, the BPDU Guard command needs to be configured on the Nexus 7k VDC instance. I am attaching the show interface brief command output. Please advise if there is any negative impact of configuring the BPDU command in this scenario.
I believe BPDU will shut down only the EDGE ports which receive BPDU.
Please advise.
06-27-2018 06:20 AM - edited 06-27-2018 06:21 AM
Correct, it should be configured on your access interfaces, and if a BPDU is detected (i.e. a switch running STP is connected), the interface will shut down.
It should be used in conjunction with portfast.
Martin
06-27-2018 06:23 AM
Hi
BPDU Guard should be enabled under access ports only, not under trunk interfaces.
06-28-2018 12:40 AM
Thanks Martin and Julio for the valuable input.
I need to have the BPDU Guard configured on Nexus 7k switch.
################Nexus7k############
   |        |        |        |
Eth1/14  Eth1/15  Eth1/16  Eth2/15
   |        |        |        |
###############3750Sw#############
I have the 3750 network switch, which is connected to the Nexus 7k using the interfaces below in access port mode. Please advise: can we enable BPDU Guard on the Nexus 7k, and what is the impact on the access ports below?
interface Ethernet1/14
  description Versace MPLS - Colt MPLS to Milan Italy
  switchport
  switchport access vlan 903
  no shutdown
interface Ethernet1/15
  switchport
  switchport access vlan 1004
  no shutdown
interface Ethernet1/16
  switchport
  switchport access vlan 136
  no shutdown
interface Ethernet2/15
  switchport
  switchport access vlan 1004
  no shutdown
Thanks & Regards
Sreeraj
06-28-2018 02:03 AM
You should use a trunk interface to uplink the switches, which will allow multiplexing of the VLANs.
If you enable it as it is now, those interfaces will shut down on the 7K.
The definition of an access port is an interface that connects to an end device, such as a PC, printer, etc., and as such it would not receive BPDUs, which is why BPDU Guard is configured on these interfaces.
Martin
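Added example (not part of the thread and not Cisco tooling): a pre-change check that reads interface stanzas like the ones posted above and reports which ports BPDU Guard would err-disable. The switch-facing port list and the Ethernet3/1 edge port are assumptions made for the example; `spanning-tree port type edge` is the NX-OS form of PortFast.

```python
import re

# Constructed sample: the four access ports from the question (port -> VLAN),
# rendered as config stanzas, plus a hypothetical host-facing edge port.
UPLINKS = {"Ethernet1/14": 903, "Ethernet1/15": 1004,
           "Ethernet1/16": 136, "Ethernet2/15": 1004}
SAMPLE_CONFIG = "".join(
    f"interface {port}\n  switchport\n  switchport access vlan {vlan}\n  no shutdown\n"
    for port, vlan in UPLINKS.items()
) + ("interface Ethernet3/1\n  switchport\n  switchport access vlan 136\n"
     "  spanning-tree port type edge\n  no shutdown\n")

# Assumption: the operator supplies the ports whose neighbor is a switch
# (for example from CDP/LLDP neighbor output); here, the links to the 3750.
SWITCH_FACING = set(UPLINKS)


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from a running-config excerpt."""
    stanzas, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = stanzas.setdefault(match.group(1), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return stanzas


def bpduguard_impact(config, switch_facing):
    """Classify each port by what enabling BPDU Guard on it would do."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            report[name] = "skip: trunk port"
        elif name in switch_facing:
            report[name] = "err-disable: neighbor switch sends BPDUs"
        elif "spanning-tree port type edge" in cmds:
            report[name] = "ok: edge port"
        else:
            report[name] = "review: access port not set as edge"
    return report


if __name__ == "__main__":
    for port, verdict in bpduguard_impact(SAMPLE_CONFIG, SWITCH_FACING).items():
        print(f"{port:<14} {verdict}")
```

Run against the sample, the four links to the 3750 are reported as err-disable and only the edge port is reported as safe.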
06-28-2018 02:06 AM
Thanks a ton, Martin. Yeah, the same was in my mind, but I was looking for an expert's input. Thanks again.
06-28-2018 02:17 AM
No problem. In addition, you should add redundancy/aggregation by using two uplinks; these can then be placed into an EtherChannel.
This is another discussion though and something that can be worked on later.
Martin
06-28-2018 02:48 AM
OK, all the mentioned interfaces going to the 3750 switch are for various other network services (on different VLANs) exiting out of the L2 3750 switch, and they cannot be bundled.