Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
795
Views
15
Helpful
7
Replies

use of portfast and BPDU guard

knaik99
Level 1
Level 1

‎11-15-2022 11:47 PM

Can we enable portfast and BPDU guard on switch port where AP is connected?

Can we enable port security also on switch port where AP is connected?

7 Replies 7

Arshad Safrulla
VIP Alumni
VIP Alumni

‎11-16-2022 12:19 AM - edited ‎11-16-2022 12:21 AM

Definitely you can enable port fast in the AP connecting ports, irrespective whether the port is configured as trunk or access. Please find the below.

  • if the AP is in Flex and port is configured as trunk - spanning-tree portfast trunk
  • If the AP is in Local mode and port is configured as access - spanning-tree portfast 

You can enable bpduguard on the access ports connecting to the Local mode APs, however I don't recommend enabling bpduguard in the AP connecting trunk ports. (APs doesn't usually send BPDUs)

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

MHM Cisco World
VIP
VIP

‎11-16-2022 12:26 AM

Can we enable portfast and BPDU guard on switch port where AP is connected? Yes you can 

Can we enable port security also on switch port where AP is connected? NO you can not because of the Wireless client if roaming then the port is showdown since the mac address (mac of wireless client ) is learn from two or more port. 

Rich R
VIP
VIP

‎11-16-2022 09:00 AM

We actually use portfast with this as our standard:
spanning-tree bpdufilter enable
spanning-tree bpduguard disable

This ever since we had some trouble with AP ports and bpduguard some years back and TAC recommended using bpdufilter instead.  You don't want to shut the port - just drop all BPDUs.

@Arshad Safrulla "(APs doesn't usually send BPDUs)" - correct - except they apparently sometimes do (buggy software?) and that causes havoc ...

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

knaik99
Level 1
Level 1
In response to Rich R

‎11-16-2022 09:37 AM

BPDU-Guard error-disables the port and BPDU Filter can not shut down the port but drops the BPDU received i.e. Not receiving BPDU coming ,right?

 

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to knaik99

‎11-16-2022 10:17 AM

May I ask what is the goal behind enabling these features? I have never enabled these features for AP connecting ports in most of my deployments till today. I Don't recommend enabling bpdu guard or bpdu filter on any AP connecting ports. It is not recommended by Cisco as well.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Rich R
VIP
VIP
In response to Arshad Safrulla

‎11-16-2022 10:26 AM

@Arshad Safrulla I don't know what the history was but I inherited some switchports with bpduguard enabled - probably a security directive or something - which caused problems (obviously) when APs sent BPDU's on startup.  TAC recommended the bpdufilter config instead.  We've used it since without any problems.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

Rich R
VIP
VIP

‎11-16-2022 10:16 AM - edited ‎11-16-2022 10:28 AM

BPDU-Guard error-disables the port and BPDU Filter can not shut down the port but drops the BPDU received i.e. Not receiving BPDU coming ,right?

Exactly

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card