07-30-2015 12:19 PM - edited 03-08-2019 01:11 AM
Hello gurus,
We recently experienced a network outage when two PC LAN ports were connected to one another. For example, the network ports gi1/0/2 and gi1/0/3 were directly connected to each other and this action brought the network down.
On both switchports, the following is configured:
interface GigabitEthernet1/0/x
 description Access
 switchport access vlan xx
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
What ideal configuration is recommended and should be used to prevent such an outage in the future and what could have prevented the outage from happening in the first place?
Thank you!
07-30-2015 12:36 PM
Hi Danny,
Since you have spanning-tree bpdufilter enable configured on this interface, it ignores all BPDUs received and it also doesn't send BPDUs out. Effectively you are disabling STP on this port. That's the reason that, when you had a physical loop, the switch did not detect it and the network went down.
So either you could remove that line of configuration, or you could enable it under global mode:
spanning-tree portfast bpdufilter default
When configured globally, all portfast-enabled ports stop sending and receiving BPDUs, but if a BPDU is received on the port, it leaves the portfast state and participates normally in the spanning tree calculations. This should help you in the future.
Hope this helps,
Madhu
07-30-2015 04:49 PM
Much appreciated for all of the responses.
So if I configure the below globally and leave the bpdufilter on each interface, the bpdu guard will still kick in if STP detects a loop?
spanning-tree portfast bpdufilter default
If so, configuring this globally may be more beneficial. Is there any benefit with having filter configured globally and filter + guard configured on the interfaces?
07-30-2015 09:05 PM
Hello Danny,
There is basically no benefit in it. As Peter said, you could go ahead and remove bpdu filter entirely. You already have bpdu guard configured, so any miscabling like what you experienced will be taken care of by bpdu guard.
Regards,
Madhu.
08-05-2015 06:00 AM
I decided to yank filter. Is it advisable to keep portfast configured with bpduguard enabled on the switchports?
08-05-2015 06:11 AM
Is it advisable to keep portfast configured with bpduguard enabled on the switchports?
For ports connected to clients etc., yes, you should keep it there.
Jon
07-30-2015 01:12 PM
Hello
If you have bpduguard enabled, then remove bpdufilter altogether, as it doesn't make any sense having one to protect against rogue BPDUs and the other to basically ignore them.
res
Paul
07-30-2015 04:29 PM
Hi Danny,
Both Madhu and Paul have correctly identified the cause of your problems. I would like just to add that the BPDU Filter feature is intended for special scenarios such as creating multiple independent STP domains in a single network, but is not intended to be used as a security measure in enterprise environment. In my opinion, you should remove the BPDU Filter entirely and forget about it - there is no value for you in having it activated.
Best regards,
Peter
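An added example, not code from any poster in this thread: a small Python audit that scans IOS-style configuration text for the per-interface combination discussed above, where `spanning-tree bpdufilter enable` drops BPDUs so `spanning-tree bpduguard enable` never sees one. The sample config is constructed (VLAN numbers and the extra ports are made up), the function names are hypothetical, and the check assumes only per-interface commands matter; global defaults are not evaluated.

```python
import re

# Constructed sample: first stanza mirrors the thread; VLANs and other ports are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 description Access
 switchport access vlan 10
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport access vlan 20
 spanning-tree portfast
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_stp_edge(config):
    """Flag edge-port STP settings that leave a cabling loop undetected."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        issues = []
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("bpdufilter: BPDUs dropped, loop undetected")
        if ("spanning-tree portfast" in cmds
                and "spanning-tree bpduguard enable" not in cmds):
            issues.append("portfast without bpduguard")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit_stp_edge()` on a saved running-config flags every port that still carries the filter, which is useful for confirming the cleanup reached all access ports.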