01-18-2010 04:41 AM - edited 03-06-2019 09:20 AM
Dear Experts,
We are using one 3550 and 8 2950 switches in my ISP.
Can I enable BPDU guard and BPDU filter on the uplink port and also on all access ports when PortFast is not enabled?
All access interfaces are working on the same VLAN.
Thanks in advance,
Vaib...
Accepted Solutions
01-20-2010 07:15 AM
Hi Vaib,
To optimize your spanning-tree config, you should statically make the 3550 the root bridge for VLAN 2, and make one of the other 2950 switches the secondary root, no matter what VTP mode is used.
Please rate helpful posts
Mohamed
01-18-2010 05:09 AM
I think if you enable root guard on all your links connected to your customers, you avoid having a customer switch become a root switch and cause a big problem.
This feature will put the interface in error-disable if it receives an inferior BPDU (a better root from that interface connected to the customer).
BPDU filter will only filter out the BPDUs but will not disable the interface when it receives a BPDU.

01-18-2010 06:29 AM
Hi Vaibhav,
BPDU Filtering configured on the interface level will COMPLETELY stop sending/receiving BPDUs, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.
BPDU Guard on the other hand will alert you to that mistake/mayhem and will shut down the port instead of letting the loop shut down your network.
BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received.
The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.
So what I suggest is that you configure root guard if you feel any threat at the access layer switches that somebody will plug a switch into those ports.
Hope that clears up your query!!
Regards
Ganesh.H
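The three behaviours described in the post above (interface-level BPDU filter, BPDU guard, root guard), as an added example that is not part of the original thread: a short Python audit that reads IOS interface stanzas and reports which protection each port carries. The sample config is constructed for illustration, and the function names `parse_interfaces` and `audit` are hypothetical.

```python
# Constructed sample config (not the attachment from this thread), using the
# interface commands discussed in the posts.
SAMPLE = """\
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/3
 spanning-tree guard root
interface FastEthernet0/5
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface FastEthernet0/6
 switchport mode access
"""

def parse_interfaces(config):
    """Map each interface name to the set of its spanning-tree sub-commands."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ports[current] = set()
        elif current and line[:1].isspace():
            cmd = " ".join(line.split()).lower()
            if cmd.startswith("spanning-tree "):
                ports[current].add(cmd[len("spanning-tree "):])
        elif line.strip() and not line[:1].isspace():
            current = None  # "!" or a global command ends the stanza
    return ports

def audit(config):
    """Return {interface: finding} describing the STP protection on each port."""
    findings = {}
    for name, stp in parse_interfaces(config).items():
        if "bpdufilter enable" in stp:
            # Interface-level filter wins over guard: BPDUs never reach STP.
            findings[name] = "bpdufilter: no BPDUs sent or received, a loop here goes undetected"
        elif "bpduguard enable" in stp:
            findings[name] = "bpduguard: port is shut down if a BPDU arrives"
        elif "guard root" in stp:
            findings[name] = "root guard: superior BPDUs move the port to root-inconsistent"
        else:
            findings[name] = "unprotected: no BPDU guard, BPDU filter or root guard"
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE).items():
        print(f"{port}: {finding}")
```

Run against a saved `show running-config`, the ports reported as `bpdufilter` are the ones where a cabling loop will not be seen by spanning tree.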
01-19-2010 12:11 AM
Dear experts,
Thanks to both of you. Should I configure spanning-tree root guard on all access ports when PortFast is disabled?
Please check my template below, to be configured on all access ports on the Cisco 3550 and also the 2950. If any changes are needed, please suggest them.
interface FastEthernet0/4
 description *** ADCOM (Paradyne) Fiber-2 ***
 switchport access vlan 2
 switchport mode access
 switchport protected
 switchport block multicast
 switchport block unicast
 no ip address
 no cdp enable
 ip access-group Virus-Block in
 storm-control broadcast level 10.00
 mac access-group Block-Invalid-Frames in
 spanning-tree portfast disable
 spanning-tree guard root
Thanks in advance,

01-19-2010 12:31 AM
Hi Vaibhav,
Root guard will place this interface in the root-inconsistent or blocked state to prevent the customer switch from becoming the root switch or from being in the path to the root.
Uplinkfast is incompatible with RootGuard, so you must disable it on your access switches. Use the no spanning-tree uplinkfast configuration command to do so.
Apply root guard to both switches on the links that connect to your second access switch with the spanning-tree guard root interface command.
DS1(config)#int fast 0/27
DS1(config-if)#spanning-tree guard root
Hope that clears up your query!!
Regards
Ganesh.H
01-19-2010 12:30 AM
Vaib,
Normally root guard is configured on the uplink ports connected to a different switch.
Could you let us know what is connected to your access ports and the uplink ports, and whether all of these devices are intra-domain switches or inter-domain switches connected to different enterprises? I may suggest a different configuration.
HTH
Mohamed
01-20-2010 01:18 AM
Dear Mohamed,
Please find attached my HQ switch config for the Cisco 3550.
Brief details:
Cisco 3550, 48 ports
Ports 1 and 2 are uplinks from the billing authentication server.
Ports 3 and 4 are connected to Cisco 2950 switches at different locations.
Ports 5 to 48 are connected to DSLAMs that connect different locations.
Ports 5 to 48 (more than 50 users connect on each port through an IP DSLAM).
We are facing a huge issue when a loop occurs at all the locations.
Thanks in advance,
Vaib...
01-20-2010 02:18 AM
Hi,
Brief details:
Cisco 3550, 48 ports
Ports 1 and 2 are uplinks from the billing authentication server.
Ports 3 and 4 are connected to Cisco 2950 switches at different locations.
Ports 5 to 48 are connected to DSLAMs that connect different locations.
Ports 5 to 48 (more than 50 users connect on each port through an IP DSLAM).
We are facing a huge issue when a loop occurs at all the locations.
-----------------------------------------------------------------------------------------------------------
1- Ports 1 and 2 should be configured with (spanning-tree portfast and bpduguard enabled).
2- Ports 3 and 4 should be configured with (spanning-tree guard root); however, on the Cisco 2950 switches, make sure all access ports to the DSLAM are configured with portfast bpdu filter.
3- Ports 5 to 48 should be configured with spanning-tree bpdu filter and spanning-tree portfast.
Note:
Make sure you properly set your spanning tree root bridge for the active VLANs to be the 3550.
Again, make sure all access ports on the 2950 switches are configured with spanning tree BPDU filter and portfast.
With the above config, loops should be prevented on the network.
HTH
Mohamed
01-20-2010 05:43 AM
Dear Mohamed,
Please check my config templates below for both switches, the Cisco 3550 and 2950, as per your suggestion. Please let me know if any changes are needed.
On the Cisco 3550:
On interface ports 1 & 2 (which are connected to the billing authentication server as uplinks)
 spanning-tree portfast
 spanning-tree bpduguard enable
On interfaces 3 & 4 (which are connected to the Cisco 2950)
 spanning-tree guard root
On interfaces 5 to 48 (which are connected to IP DSLAMs with more than 50 users on each interface)
 spanning-tree portfast
 spanning-tree bpdufilter enable
On the Cisco 2950:
On interface 1 (which is connected to the Cisco 3550)
 spanning-tree guard root
On interfaces 2 to 24 (which are connected to IP DSLAMs with more than 50 users connected on each interface)
 spanning-tree portfast
 spanning-tree bpdufilter enable
But I don't understand what you told me:
Note:
"Make sure you properly set your spanning tree root bridge for the active VLANs to be the 3550.
Again, make sure all access ports on the 2950 switches are configured with spanning tree BPDU filter and portfast."
Please clarify it.
Please check my config templates above and suggest any changes needed.
Thanks in advance,
Vaib...
01-20-2010 06:28 AM
Hi Vaib,
Yes, your config template should be fine.
What I meant by "make sure" is to set the 3550 switch as your primary root bridge for the active VLANs by configuring the below on the 3550:
Assuming you are running PVST+,
spanning-tree vlan 2,3 root primary
spanning-tree vlan 2,3 priority 0
On the 2950, you should configure the access ports toward the DSLAM as follows:
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree vlan 2,3 root secondary
HTH
Mohamed
01-20-2010 07:03 AM
Dear Mohamed,
Thanks man, great support.
On the Cisco 3550, all ports including ports 1 and 2 are in the same VLAN 2 only, and on the Cisco 2950 all ports are also in access VLAN 2.
VTP mode is transparent on all 3550 and 2950 switches as well.
So what is the config?
On the Cisco 3550:
Assuming you are running PVST+,
spanning-tree vlan 2 root primary
spanning-tree vlan 2 priority 0
On the Cisco 2950:
spanning-tree vlan 2 root secondary
Please advise: should I configure it like the above on both the 2950 and 3550 switches?
Thanks in advance,
Vaib...
01-20-2010 07:15 AM
Hi Vaib,
To optimize your spanning-tree config, you should statically make the 3550 the root bridge for VLAN 2, and make one of the other 2950 switches the secondary root, no matter what VTP mode is used.
Please rate helpful posts
Mohamed
01-20-2010 07:25 AM
Dear Mohamed,
So my final config in global mode for both switches is as under:
On the Cisco 3550:
spanning-tree mode pvst
spanning-tree vlan 2 root primary
spanning-tree vlan 2 priority 0
On the Cisco 2950:
spanning-tree mode pvst
spanning-tree vlan 2 root secondary
Is that right?
Thanks in advance,
Vaib...
01-20-2010 07:31 AM
Hi Vaib,
Yes, that's correct.
HTH
Mohamed
01-20-2010 07:38 AM
Dear Mohamed,
OK, now I will try to do this within a couple of days, then let you know what happened.
Thanks, great support!!!
Cheers!!!
Vaib...
