Spanning-tree

Jorrie
Level 1

Hello! I would like to ask for assistance. I'm having trouble understanding the command "spanning-tree portfast bpduguard default": whenever I issue this command in global config mode, it automatically disables the port that I manually configured as a trunk.

 

 

Here is the running-config of the switch that I'm working on in Packet Tracer:

version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname L2Switch1
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10-12
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10-12
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet2/1
 switchport trunk allowed vlan 10-12
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet3/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet4/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet5/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet6/1
 switchport access vlan 11
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet7/1
 switchport access vlan 11
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet8/1
 switchport access vlan 12
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet9/1
 switchport access vlan 12
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 no ip address
!
interface Vlan11
 no ip address
!
interface Vlan12
 no ip address
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end

2 Accepted Solutions: the replies from Giuseppe Larosa and Peter Paluch below.

6 Replies

Giuseppe Larosa
Hall of Fame

Hello @Jorrie ,

>> spanning-tree portfast bpduguard default

 

All ports configured for STP PortFast will also have STP BPDU Guard enabled.

When BPDU Guard is enabled and an STP BPDU is received on the port, the reaction can be to put the port in error-disable or to remove STP PortFast.

If you want to configure a trunk to another switch, you should first disable spanning-tree portfast and spanning-tree bpduguard on the specific interface.

 

 

Hope to help

Giuseppe

 

Hi @Giuseppe Larosa. Based on how I understand PortFast, it must satisfy a specific requirement, which is to put a port into access mode (or, safe to say, a non-trunking port) before configuring it in global config mode or per interface to make it work. Then you can enable BPDU Guard either through global config or per interface. Now, BPDU Guard as I understand it is a security feature (I don't know if it's Cisco proprietary or not) that prevents a rogue device that acts as a switch from accessing the network. It also helps prevent unintentional loops in a Layer 2 network by shutting down the port, since PortFast bypasses the listening and learning states.

Martin L
VIP

 

This could be a Packet Tracer fault, aka a bug. Try it using a different switch. It should only disable access ports when PortFast is enabled on them, as bpduguard is a protection command for L2 loops.

 

 

Regards, ML
**Please Rate All Helpful Responses **

Hi @Martin L, thanks for the advice. I haven't tried it yet so far, but I have doubts, since this is not the first time I have encountered this problem.

Peter Paluch
Cisco Employee

Hi Jorrie,

I agree with Giuseppe and Martin, but let me elaborate. Bear with me, it's going to be a little lengthy - but it's necessary.

The first thing to agree on is: How can a switchport become a PortFast-enabled port? There are only these possibilities:

  1. The port is an access port, and it has been explicitly configured with spanning-tree portfast or spanning-tree portfast trunk
  2. The port is a trunk, and it has been explicitly configured with spanning-tree portfast trunk
  3. The port is an access port, and on the global config level, the spanning-tree portfast default command has been configured

This is the IOS and IOS-XE behavior - no exceptions. Notice that a trunk port can only become a PortFast-enabled port if you go directly to its configuration and configure spanning-tree portfast trunk command there. This is the only way for a trunk to be treated as a PortFast port; no other way exists.

The second thing to agree on is: After enabling the BPDU Guard on the global config level using the spanning-tree portfast bpduguard default, this BPDU Guard applies to all ports that are PortFast-enabled. It does not matter how they became PortFast-enabled - which one of the 3 methods above caused the port to be considered as being PortFast. As long as the port is a PortFast port, the BPDU Guard configured on the global level will apply to it.

And this is what Giuseppe and Martin pointed to: Your configuration has PortFast enabled on the global level (meaning it applies to all access ports only), and BPDU Guard enabled on the global level (which applies to all PortFast-enabled ports but in your config, only access ports will become PortFast ports so in the end, your BPDU Guard should also only apply to access ports). None of your trunks is configured with the spanning-tree portfast trunk command. So the BPDU Guard should not have been active on any of your trunks.

If it is, it's the Packet Tracer deviating from the vanilla IOS/IOS-XE behavior, and it is a bug. As plain as that.

To the proprietary nature of BPDU Guard - strictly speaking, it is proprietary, but it does not involve any special protocol changes. The functionality of the BPDU Guard is entirely local: After receiving a BPDU on a BPDU Guard-protected port, shut it down. There's nothing special or "incompatible" about it as far as the protocol itself is concerned.

Just like Martin suggested, it would be best to test your configuration on something that runs real IOS/IOS-XE - perhaps a real switch, or VIRL/CML2 PE virtual topologies.

Feel welcome to ask further!

Best regards,
Peter
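The rules Peter lays out (and the per-interface overrides Giuseppe refers to) are small enough to encode and run against a config, which makes a handy audit of which ports would actually err-disable on a received BPDU. The script below is an added example, not code from this thread or from Cisco; it implements the stated IOS/IOS-XE behaviour. The sample config is constructed: two ports are taken from the posted running-config, and the interfaces GigabitEthernet3/1 and FastEthernet10/1 through FastEthernet12/1 are hypothetical, added only to exercise `spanning-tree portfast trunk`, `spanning-tree portfast disable` and `spanning-tree bpduguard enable|disable`. It assumes a port without `switchport mode trunk` is an access port (dynamic trunking modes are not modelled) and parses only the classic `portfast` keywords.

```python
"""Audit PortFast and BPDU Guard status per port from an IOS-style config.

Added example (not from the thread). Rules encoded, as stated in the replies:
  - access port: PortFast if 'spanning-tree portfast' / 'portfast trunk' is set
    on it, or if 'spanning-tree portfast default' is set globally;
  - trunk: PortFast only with an explicit 'spanning-tree portfast trunk';
  - 'spanning-tree portfast bpduguard default' protects every PortFast port,
    however it became one; 'spanning-tree bpduguard enable|disable' on the
    interface overrides the global default.
Assumption: no 'switchport mode trunk' means access port; dynamic modes ignored.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: two ports from the posted config plus hypothetical
# interfaces (Gi3/1, Fa10/1-12/1) carrying per-interface overrides.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10-12
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet3/1
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet3/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
!
interface FastEthernet10/1
 switchport mode access
 spanning-tree portfast disable
!
interface FastEthernet11/1
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet12/1
 switchport mode trunk
 spanning-tree bpduguard enable
!
"""


@dataclass
class Port:
    name: str
    trunk: bool = False
    portfast_cmd: Optional[str] = None   # "portfast", "portfast trunk", "portfast disable"
    bpduguard_cmd: Optional[str] = None  # "enable" or "disable"


@dataclass
class Verdict:
    name: str
    trunk: bool
    portfast: bool
    reason: str
    bpduguard: bool


def parse(config: str) -> Tuple[Dict[str, bool], List[Port]]:
    """Collect the two global STP defaults and the relevant per-interface lines."""
    globals_ = {"portfast_default": False, "bpduguard_default": False}
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports.append(cur)
            continue
        if not raw.startswith(" "):
            cur = None  # IOS indents interface sub-commands; unindented = global
        if cur is None:
            if line == "spanning-tree portfast default":
                globals_["portfast_default"] = True
            elif line == "spanning-tree portfast bpduguard default":
                globals_["bpduguard_default"] = True
        elif line == "switchport mode trunk":
            cur.trunk = True
        elif line in ("spanning-tree portfast", "spanning-tree portfast trunk",
                      "spanning-tree portfast disable"):
            cur.portfast_cmd = line[len("spanning-tree "):]
        elif line in ("spanning-tree bpduguard enable", "spanning-tree bpduguard disable"):
            cur.bpduguard_cmd = line.rsplit(None, 1)[1]
    return globals_, ports


def evaluate(globals_: Dict[str, bool], port: Port) -> Verdict:
    """Decide PortFast status first, then the effective BPDU Guard status."""
    if port.portfast_cmd == "portfast disable":
        pf, why = False, "PortFast disabled on the interface"
    elif port.portfast_cmd == "portfast trunk":
        pf, why = True, "explicit 'spanning-tree portfast trunk'"
    elif port.portfast_cmd == "portfast":
        pf = not port.trunk  # plain 'portfast' only takes effect on non-trunking ports
        why = ("explicit 'spanning-tree portfast'" if pf
               else "'spanning-tree portfast' has no effect on a trunk")
    elif globals_["portfast_default"] and not port.trunk:
        pf, why = True, "global 'spanning-tree portfast default' (access port)"
    else:
        pf, why = False, "no PortFast configured"
    if port.bpduguard_cmd is not None:   # per-interface setting wins
        bg = port.bpduguard_cmd == "enable"
    else:                                # global default follows PortFast status
        bg = pf and globals_["bpduguard_default"]
    return Verdict(port.name, port.trunk, pf, why, bg)


def audit(config: str) -> Dict[str, Verdict]:
    g, ports = parse(config)
    return {p.name: evaluate(g, p) for p in ports}


def errdisable_candidates(config: str) -> List[str]:
    """Ports that would be err-disabled if a BPDU arrived on them."""
    return sorted(n for n, v in audit(config).items() if v.bpduguard)


if __name__ == "__main__":
    for v in audit(SAMPLE_CONFIG).values():
        kind = "trunk " if v.trunk else "access"
        print(f"{v.name:<20} {kind} portfast={v.portfast!s:<5} "
              f"bpduguard={v.bpduguard!s:<5} ({v.reason})")
    print("would err-disable on BPDU:", errdisable_candidates(SAMPLE_CONFIG))
```

Fed the full posted running-config, the script reports none of the GigabitEthernet trunks as BPDU Guard-protected, which is exactly why the replies treat the trunk going down as Packet Tracer deviating from IOS. On a real switch the same two facts can be checked with `show spanning-tree summary` (the "Portfast Default" and "PortFast BPDU Guard Default" lines) and `show spanning-tree interface <name> portfast`, and a port already shut by BPDU Guard shows up in `show interfaces status err-disabled`.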

 

Jorrie
Level 1

Hello everyone sorry for being late replying to this topic.

 

Thank you everyone for helping to solve the problem. God bless and have a great day.  

 
