BPDU guard feature

Apr 13th, 2007


I am trying to use the BPDU guard feature but I am not able to make it work. I am configuring one switch port with portfast (even in trunking mode), and I am enabling the bpduguard feature. After this, I am connecting another switch to this port, which has STP enabled and thus is sending BPDUs every 2 s (I have already tested it with a sniffer), and as far as I know, the port on the first switch should enter the errdisable state, but no way.

Can anyone help me?

Thanks in advance.

Francois Tallet Fri, 04/13/2007 - 07:09

Are you configuring bpduguard globally or on the interface? I have the feeling that you configured it globally, which may explain why it fails (I'll detail this later if this is the case). Try configuring it locally on the port, or do a shut/no shut of the interface first.



jorolas Fri, 04/13/2007 - 09:32

Hi Francois,

I was doing it on a per-port basis, not globally. The problem was the shut/no shut. Thanks a lot.

Anyway, can you tell me why doing it globally doesn't work?

Thanks in advance,



Francois Tallet Fri, 04/13/2007 - 10:43

Weird. The shut/no shut trick should only have had an impact if you had enabled the feature globally.

It is generally desirable to enable bpduguard on "edge" ports, ports that are connected to devices not participating in the bridging operation. The global bpduguard configuration just assumes that all the ports that have portfast operational are edge ports, and the feature is applied to them. That's supposed to be a simple way of applying bpduguard to all your edge ports in one configuration command.

However, portfast has an operational state. If a port receives a bpdu, it is not to be considered an edge port any more (someone is talking stp on this port) and thus the operational portfast flag is cleared. So in (what I think was) your case, it is possible that you configured bpduguard after the port had already received a bpdu. That means that the operational portfast bit was clear on your port, and that bpduguard would not apply to it. By doing shut/no shut, you are setting the operational portfast bit again, and then receiving a bpdu would trigger bpduguard (before it has a chance to clear the operational flag of portfast). I'm not sure all this is clear, let me know ;-)

On the other hand, the per port configuration of bpduguard is not dependent on portfast. As soon as you enable it, receiving a bpdu should bring down the port.
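
Added example, not part of the thread and not Cisco code: a small audit that reads a running-config and reports, per interface, whether BPDU guard is set on the port itself (independent of portfast) or is only inherited from the global default (applied only while portfast is operational, as described above). The sample config is constructed, `audit_bpduguard` is a hypothetical name, and the script assumes portfast is configured at interface level (it ignores a global `spanning-tree portfast default`).

```python
import re
# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def audit_bpduguard(config):
    """Map each interface to 'per-port', 'global' or 'none'."""
    global_default = False
    ports, current = {}, None          # interface name -> its sub-commands
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None             # back at global configuration level
            if line.strip() == "spanning-tree portfast bpduguard default":
                global_default = True
    result = {}
    for name, cmds in ports.items():
        portfast = any(c in ("spanning-tree portfast",
                             "spanning-tree portfast trunk") for c in cmds)
        if "spanning-tree bpduguard enable" in cmds:
            result[name] = "per-port"  # independent of portfast state
        elif "spanning-tree bpduguard disable" in cmds:
            result[name] = "none"      # explicit opt-out overrides the global default
        elif global_default and portfast:
            result[name] = "global"    # only while operational portfast is set
        else:
            result[name] = "none"
    return result

if __name__ == "__main__":
    print(audit_bpduguard(SAMPLE_CONFIG))
```

Ports reported as `global` are the ones where the ordering issue from the thread can apply; their operational portfast state can be checked on the switch with `show spanning-tree interface <port> portfast`.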



jorolas Sat, 04/14/2007 - 00:03

Ok, understood. Weird but it is working ;-)

Thanks a lot for your help.



