Switch BPDU Question

CiscoIPMAN
Level 1

I have a question about BPDUs on switch ports. I have 2 switches connected together, switch 1 and switch 2:

Switch 1 port G0/2 ---> Switch 2 port G0/1

I understand BPDUs get sent between two switches in trunk mode, and this is to prevent loops. But for testing I have the following configuration:

Switch 1

interface GigabitEthernet0/2
 description to iosvl2-2
 switchport mode access
 logging event trunk-status
 media-type rj45
 no negotiation auto
 spanning-tree portfast edge

Switch 2

interface GigabitEthernet0/1
 description to iosvl2-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 logging event trunk-status
 media-type rj45
 negotiation auto
 spanning-tree bpduguard enable

This is the error for switch 2:

*May 13 15:50:47.728: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/1 with BPDU Guard enabled. Disabling port.
*May 13 15:50:47.729: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
*May 13 15:50:47.733: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 1
*May 13 15:50:48.234: %DTP-5-NONTRUNKPORTON: Port Gi0/1 has become non-trunk
*May 13 15:50:48.730: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down

So my question is: if switch 1 is in access mode and not trunk mode, why is switch 1 sending BPDUs? BPDU is configured at the edge port. Is it because switch 2 is not sending any BPDU packet back to switch 1? So I looked at the Cisco documentation and I see this:

To prevent loops from occurring in a network, the PortFast mode is supported only on nontrunking access ports because these ports typically do not transmit or receive BPDUs. The most secure implementation of PortFast is to enable it only on ports that connect end stations to switches. Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur because BPDUs are still being transmitted and received on those ports.

PortFast BPDU guard prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When you enable BPDU guard on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists. BPDU guard provides a secure response to invalid configurations because the administrator must manually put the interface back in service.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html#wp1046787

Any help clearing this up would be appreciated!
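As an added example (not part of the thread), a small parser for the syslog lines above: it correlates the %SPANTREE-2-BLOCK_BPDUGUARD hit with the %PM-4-ERR_DISABLE line that follows it, labels the trunk case as a misconfiguration rather than a rogue switch, and lists the manual shut / no shut recovery mentioned at the end of the thread. The trunk_ports argument and the classification labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample input: the syslog lines switch 2 logged in the post above, copied verbatim.
SAMPLE_LOG = """\
*May 13 15:50:47.728: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/1 with BPDU Guard enabled. Disabling port.
*May 13 15:50:47.729: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
*May 13 15:50:47.733: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 1
*May 13 15:50:48.234: %DTP-5-NONTRUNKPORTON: Port Gi0/1 has become non-trunk
*May 13 15:50:48.730: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
"""

TS = r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
BLOCK_RE = re.compile(TS + r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled")
ERRDIS_RE = re.compile(TS + r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>[^,\s]+),")

@dataclass
class PortEvent:
    port: str
    first_seen: str
    bpdu_received: bool = False
    err_disabled: bool = False
    cause: Optional[str] = None

def parse_bpduguard_events(log_text: str) -> Dict[str, PortEvent]:
    """Correlate each BPDU Guard hit with the err-disable that follows it, per port."""
    events: Dict[str, PortEvent] = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            events.setdefault(m["port"], PortEvent(m["port"], m["ts"])).bpdu_received = True
            continue
        m = ERRDIS_RE.match(line)
        if m:
            ev = events.setdefault(m["port"], PortEvent(m["port"], m["ts"]))
            ev.err_disabled, ev.cause = True, m["cause"]
    return events

def classify(ev: PortEvent, trunk_ports: Set[str]) -> str:
    """Example labels: on a trunk the hit is the thread's misconfiguration; on a host-facing access port a switch appeared where only an end station should be."""
    if not ev.err_disabled:
        return "bpdu-seen-not-disabled"
    if ev.port in trunk_ports:
        return "misconfig-bpduguard-on-trunk"
    return "unexpected-switch-on-access-port"

def recovery_commands(port: str) -> List[str]:
    """Manual recovery as described at the end of the thread: shut / no shut on the port."""
    return [f"interface {port}", "shutdown", "no shutdown"]
```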


Julio E. Moisa
VIP Alumni

Hi

Switch 1 will be sending BPDUs to switch 2; that is the reason why BPDU Guard is configured on the access ports only, otherwise the access switch will be receiving and sending BPDUs. BPDU is basically the language between switches; please check this link:

http://www.rogerperkin.co.uk/cisco/switching/spanning-tree-portfast/

Imagine a rogue switch is connected to an end-user port (switchport mode access) on a company switch: it could create a change in the STP topology and generate serious problems, because they are exchanging BPDUs. Remember, BPDU Guard will be configured on access ports only.

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hello,

"So my question is if switch 1 is in access mode and not trunk mode why is switch 1 sending BPDU"

A port sends BPDUs even if it is an access port and PortFast is enabled.

When you enable PortFast, the port skips the spanning-tree listening and learning states and goes directly to forwarding.

An access port drops received packets carrying an 802.1Q tag other than the access VLAN. For example, it drops packets tagged 20 if it is in VLAN 10.

Neither of these configurations prevents ports from sending BPDUs. You need to enable BPDU filter under the interface to prevent ports from sending BPDUs. BPDU filter is not recommended.

Masoud
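To give a concrete picture of what a port sends regardless of access or trunk mode, here is an added decoder for the IEEE 802.1D Configuration BPDU body; it is not from the thread or from the poster's capture, and the sample frame bytes and MAC address are constructed.

```python
import struct
from dataclasses import dataclass

# Constructed sample (not from the poster's capture): a classic STP Configuration
# BPDU as a switch with default priority 32768 in VLAN 1 would originate on its
# port 2 while it believes it is the root. The MAC address is made up.
SAMPLE_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"         # protocol id 0, version 0 (STP), type 0 (config), flags
    "8001" "001a2b3c4d5e"         # root id: priority 32768 + extended system id (VLAN) 1, MAC
    "00000000"                    # root path cost
    "8001" "001a2b3c4d5e"         # sender bridge id (same as root)
    "8002"                        # port id: priority 128, port number 2
    "0000" "1400" "0200" "0f00"   # message age, max age 20 s, hello 2 s, forward delay 15 s
)

@dataclass
class BridgeId:
    priority: int       # upper 4 bits of the first two bytes, steps of 4096
    system_id_ext: int  # lower 12 bits: the VLAN under PVST+/MSTP
    mac: str

def parse_bridge_id(raw: bytes) -> BridgeId:
    word = struct.unpack("!H", raw[:2])[0]
    return BridgeId(word & 0xF000, word & 0x0FFF, ":".join(f"{b:02x}" for b in raw[2:8]))

def parse_config_bpdu(payload: bytes) -> dict:
    """Decode the body of an 802.1D Configuration BPDU (or the common 35-byte
    prefix of an RST BPDU). Timers are carried in 1/256 s units."""
    if len(payload) < 35:
        raise ValueError("BPDU too short")
    proto, version, btype, flags = struct.unpack("!HBBB", payload[:5])
    if proto != 0 or btype not in (0x00, 0x02):
        raise ValueError("not a Configuration/RST BPDU")
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!5H", payload[25:35])
    return {
        "version": version, "type": btype, "flags": flags,
        "root": parse_bridge_id(payload[5:13]),
        "root_path_cost": struct.unpack("!I", payload[13:17])[0],
        "bridge": parse_bridge_id(payload[17:25]),
        "port_priority": (port_id >> 12) * 16, "port_number": port_id & 0x0FFF,  # 802.1t split
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    }

def claims_root(bpdu: dict) -> bool:
    """True when the sender advertises itself as root, as a lone switch does."""
    return bpdu["root"] == bpdu["bridge"] and bpdu["root_path_cost"] == 0
```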

Yes Julio, I totally agree with you... But what if this access switch port is connected to ESXi? Then it is advisable to use the PortFast feature to release the learning/listening time and go to the forwarding state directly. But when it is connected to ESXi it has to pass many VLANs through it, which forces us to make the port work as a trunk, so a trunk port with the PortFast feature and BPDU Guard to prevent false switches from being connected to our access switch.

CiscoIPMAN
Level 1

I ran a Wireshark capture on switch 1 and it does look like DTP packets are being sent. Not sure why that is happening. I attached a txt file; not sure why I can't upload a pcap, but just open it in Wireshark to look.

Hi

A switch connected to another switch will start to exchange BPDUs. If you have a port configured with BPDU Guard, it will stop receiving BPDUs and be put into the err-disable state. No more BPDUs will be received on that port until you enable it again.


Thanks Julio. So regardless of the switch port mode (access or trunk), the switch will send BPDUs, which is what I saw in my Wireshark capture. So BPDU Guard goes only on an access port connected to a host?

Hi, that is correct. 

Never configure BPDU Guard on trunk ports, because it will disable the ports and no communication will work.

Also, PortFast over a trunk can generate problems.

So Portfast and BPDU Guard must be configured on access ports only.

:-)


Hello, 

But this doesn't answer the question "how to re-enable ports that have been put down for this reason", please?

Never mind, found it.

You need to perform a shut / no shut on the interface that is down.