Switchport Spanning Tree Loop Prevention - Cisco 2960

danny9797
Level 1

Hello gurus,

We recently experienced a network outage when two PC LAN ports were connected to one another. For example, the network ports gi1/0/2 and gi1/0/3 were directly connected to each other, and this action brought the network down.

On both switchports, the following is configured:


interface GigabitEthernet1/0/x
 description Access
 switchport access vlan xx
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable

What ideal configuration is recommended and should be used to prevent such an outage in the future and what could have prevented the outage from happening in the first place?

Thank you!


7 Replies

Hi Danny,

Since you have spanning-tree bpdufilter enable configured on this interface, it ignores all BPDUs received and also does not send BPDUs out. Effectively you are disabling STP on this port. That's the reason why, when you had a physical loop, the switch did not detect it and created a network-down situation.

So either you could remove that line of configuration, or you could enable it under global configuration mode:

spanning-tree portfast bpdufilter default

When configured globally, all portfast-enabled ports stop sending and receiving BPDUs, but if a BPDU is received on a port, it gets out of the portfast state and normally participates in the spanning-tree calculations. This should help you in future.

Hope this helps,

Madhu


*** Please rate useful posts***


Much appreciated for all of the responses.

So if I configure the below globally and leave the bpdufilter on each interface, will BPDU guard still kick in if STP detects a loop?

spanning-tree portfast bpdufilter default

If so, configuring this globally may be more beneficial. Is there any benefit with having filter configured globally and filter + guard configured on the interfaces?

Hello Danny,

There is basically no benefit in it. As Peter said, you could go ahead and remove BPDU filter entirely. You already have BPDU guard configured, so for any miscabling like what you experienced, BPDU guard will take care of it.


Regards,

Madhu.

I decided to yank the filter. Is it advisable to keep portfast configured with bpduguard enabled on the switchports?


Is it advisable to keep portfast configured with bpduguard enabled on the switchports?

For ports connected to clients etc., yes, you should keep it there.

Jon

Hello

If you have bpduguard enabled, then remove bpdufilter altogether, as it doesn't make any sense having one to protect against rogue BPDUs and the other to basically ignore them.


res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Peter Paluch
Cisco Employee

Hi Danny,

Both Madhu and Paul have correctly identified the cause of your problems. I would just like to add that the BPDU Filter feature is intended for special scenarios, such as creating multiple independent STP domains in a single network, but is not intended to be used as a security measure in enterprise environments. In my opinion, you should remove the BPDU Filter entirely and forget about it - there is no value for you in having it activated.

Best regards,
Peter
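As an added illustration (not code from the thread or from Cisco), a small Python audit that reads a running-config excerpt and flags the port combinations discussed above: BPDU filter present (which also makes BPDU guard useless), and portfast without BPDU guard. The config text is constructed for the example; the function names are the example's own.

```python
from typing import Dict, List
# Constructed 'show running-config' excerpt (not from the thread): gi1/0/2 mirrors the
# poster's port, gi1/0/3 is the fixed version, gi1/0/4 lacks guard, gi1/0/24 is an uplink.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to its indented command lines."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line closes the stanza
    return interfaces

def audit_stp(config: str) -> Dict[str, List[str]]:
    """Flag the BPDU filter/guard combinations discussed in the thread, per interface."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        has_filter = "spanning-tree bpdufilter enable" in cmds
        has_guard = "spanning-tree bpduguard enable" in cmds
        has_portfast = any(c.startswith("spanning-tree portfast") for c in cmds)
        issues = []
        if has_filter:  # inbound BPDUs dropped: a patch-cable loop is never detected
            issues.append("bpdufilter enable: remove it" + (", bpduguard cannot fire" if has_guard else ""))
        if has_portfast and not has_guard:
            issues.append("portfast without bpduguard: add 'spanning-tree bpduguard enable'")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit_stp(SAMPLE_CONFIG)` reports only gi1/0/2 and gi1/0/4; the cleaned-up access port and the trunk uplink produce no findings.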
