Solved: Effect of applying BPDU guard command

sreeraj.murali · ‎06-27-2018

Hi,

As per the Security audit, for securing STP, BPDU Guard command needs to configured on the Nexus 7k vdc instance. I am attaching the show interface brief command output. Please advice, If there is any negative impact of configuring BPDU command on this scenario.

I believe, BPDU will shutdown only the EDGE ports, which recieves BPDU.

Please advise.

Martin Carr · ‎06-28-2018

You should use a trunk interface to uplink the switches, which will allow multiplexing of the VLAN's.

If you enable it as it is now, those interfaces will shutdown on the 7K.

The definition of an access port is an interface that connects to an end-device, such as a PC, printer etc and as such it would not receive BPDU's, which is why BPDUGuard is configured on these interfaces.

Martin

View solution in original post

Martin Carr · ‎06-27-2018

Correct, it should be configured on your access interfaces and if a BPDU is detected (i.e. a switch running STP) is connected, the interface will shutdown.

It should be used in conjunction with portfast.

Martin

Julio E. Moisa · ‎06-27-2018

Hi

BPDU Guard should be enabled under access ports only, not under trunk interfaces.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

sreeraj.murali · ‎06-28-2018

Thanks Martin and Julio for the valuable input.

I need to have the BPDU Guard configured on Nexus 7k switch.

################Nexus7k############

| | | |

Eth1/14 Eth1/15 Eth 1/16 Eth 2/15

| | | |

###############3750Sw#############

I have the 3750 network switch which is connected using the below interface on access port mode to Nexus 7k. Please advice, can we enable BPDU Guard on Nexus 7k and what is the impact on below access ports.

interface Ethernet1/14
description Versace MPLS - Colt MPLS to Milan Italy
switchport
switchport access vlan 903
no shutdown

interface Ethernet1/15
switchport
switchport access vlan 1004
no shutdown

interface Ethernet1/16
switchport
switchport access vlan 136
no shutdown

interface Ethernet2/15
switchport
switchport access vlan 1004
no shutdown

Thanks & Regards

Sreeraj

Martin Carr · ‎06-28-2018

You should use a trunk interface to uplink the switches, which will allow multiplexing of the VLAN's.

If you enable it as it is now, those interfaces will shutdown on the 7K.

The definition of an access port is an interface that connects to an end-device, such as a PC, printer etc and as such it would not receive BPDU's, which is why BPDUGuard is configured on these interfaces.

Martin

sreeraj.murali · ‎06-28-2018

Thanks a ton Martin. Yea, same was in my mind, but i was looking for an expertise input. Thanks again.

Martin Carr · ‎06-28-2018

No problem, in addition you should add redundancy/aggregation by using two uplinks, these can then be placed into an Etherchannel.

This is another discussion though and something that can be worked on later.

Martin

sreeraj.murali · ‎06-28-2018

Ok, All the mentioned interface going to 3750 switch are for various other Network Services (on different vlan) exiting out of the L2 3750 switch and it cannot be bundled.