cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1690
Views
0
Helpful
3
Replies
Highlighted
Beginner

spanning-tree bpduguard enable

Hello,

 

I am studying for CCNP switching. I am trying to apply the spanning-tree guard loop in my virtual lab. I set the port of the root instance 1 switch Gi0/2 as  spanning-tree bpduguard enable. I have connected to that port another switch setting a lower priority and I can correctly see the log of the root switch instance 1 port set to err-desable state, but why I can not see that port as inconsistent when I type the command: shoe spanning-tree inconsistent ports?

The ppt attached display the topology and some show commands of the root switch and the other switch which is trying to become the root (CiscoIOSvL215.2.4055-1).

 

Thank you

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Participant

Re: spanning-tree bpduguard enable

@giacomo12 greetings,

you can apply root guard, on the root trunking interface, and when it will receive a bpdu with a lower priority, this message appears after root guard blocks a port:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state

 

Please note, that BPDU filter filters BPDUs in both directions. BPDU filter will prevent inbound and outbound BPDU but will remove portfast state on a port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can cause spanning-tree loops.

On the other hand, BPDU Guard keeps an eye open for any BPDU’s entering the interfaces that are enabled this feature. The port will disable as soon as the first BPDU is received, by shutting the port down (err-disabling it)

 

The only devices which can reliably create and transmit BPDU’s are switches. Our main aim to have a predictable topology and not allow other switches outside our control onto our network. According to the features, the Best Practices to enable BPDU Guard only on access ports (to end user devices) so that any end user devices on these ports that have BPDU Guard enabled are not able to influence the Spanning-tree topology, while BPDU filter could considerate as a disable-STP-on-port feature.

 

I hope it's helpful!

Please, don't forget to rate all helpful responses and mark solutions!

Bst Rgds,

Andrew Khalil

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

Re: spanning-tree bpduguard enable

Hi Giacomo

For the scenario you are aiming for (STP causing a port to go to Loop Inconsistent state - Listen) you should be using the BPDUFilter feature instead.
Whenever a port that was previously under "blocking" state stops receiving superior BPDUs from the other end after the MaxAge timer, LoopGuard will consider that this port might be experiencing unidirectional traffic and the port will move into the Inconsistent state. By using BPDUGuard, the port you want to simulate as unidirectional is physically shut by the err-disabled cause (as it is receiving BPDUs from other STP P2P links), for STP purposes, the port in both ends are now considered disabled-state.

BPDUGuard will cause incoming BPDUs to trigger an err-disable cause, but it will still allow a port to send BPDUs each 2 seconds
Portfast will bypass the Forwarding Delay timers as long as there is no BPDU received on the interface, but it will send BPDUs
BPDUFilter will virtually disable both incoming and outgoing BPDUs, being a feasible choice to simulate an unidirectional scenario for loopguard.

Highlighted
Beginner

Re: spanning-tree bpduguard enable

Hello,

 

Thank you for the answer

 

I tried to use BPDUFilter:

 

Root_instance_1#show run int Gi0/2
Building configuration...

Current configuration : 137 bytes
!
interface GigabitEthernet0/2
 media-type rj45
 negotiation auto
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
end

 

but still not getting the Gi0/2 of the Root_instance_1 as inconsistent port:

 

Root_instance_1#show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------

Number of inconsistent ports (segments) in the system : 0

Root_instance_1#

 

 

However, if I use BPDUguard , the Gi0/2 of Root_instance_1 goes in err-desable

 

Highlighted
Participant

Re: spanning-tree bpduguard enable

@giacomo12 greetings,

you can apply root guard, on the root trunking interface, and when it will receive a bpdu with a lower priority, this message appears after root guard blocks a port:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state

 

Please note, that BPDU filter filters BPDUs in both directions. BPDU filter will prevent inbound and outbound BPDU but will remove portfast state on a port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can cause spanning-tree loops.

On the other hand, BPDU Guard keeps an eye open for any BPDU’s entering the interfaces that are enabled this feature. The port will disable as soon as the first BPDU is received, by shutting the port down (err-disabling it)

 

The only devices which can reliably create and transmit BPDU’s are switches. Our main aim to have a predictable topology and not allow other switches outside our control onto our network. According to the features, the Best Practices to enable BPDU Guard only on access ports (to end user devices) so that any end user devices on these ports that have BPDU Guard enabled are not able to influence the Spanning-tree topology, while BPDU filter could considerate as a disable-STP-on-port feature.

 

I hope it's helpful!

Please, don't forget to rate all helpful responses and mark solutions!

Bst Rgds,

Andrew Khalil

View solution in original post

Content for Community-Ad