BPDU Guard and Rapid Spanning Tree go err-disable on redundant link

Aug 24th, 2007

Can anyone explain the problem below to me:

We have four switches (2xC6506-Sup1a and 2xC4506-Sup4) in a square with Rapid Spanning Tree. One link is blocked, as expected. The unexpected thing is that BPDU guard now puts these interfaces into the err-disabled state. Currently we have disabled BPDU guard on these ports, so it works normally.


But we have other C4506-Sup2p switches in a triangle behind both C6506s, and there the blocked link works with BPDU guard.

Until now I haven't found an explanation. Has anyone already had a similar experience?


avmabe Fri, 08/24/2007 - 05:27

I am not clear why you are using (or attempting to use) BPDU guard. You /want/ BPDUs to be transmitted across those interfaces.


I would recommend properly setting your root and secondary root bridges as the 6506s (based on your description), and if you really are concerned about protecting root, run root guard, not BPDU guard.

agugger Fri, 08/24/2007 - 06:51

Hello

This is done; the 6500s are configured as root and backup root bridge.

But to make the configuration as common as possible on all switches, we decided to use the "spanning-tree portfast bpduguard default" command, because the 6506 switches have a mixed use of server and uplink ports. The network is too small to use the classic Cisco access, distribution, core design. Around the 7 main switches are about 60 access layer 2 switches, mostly 2950 and 2960. I studied a few documents, but I found no principal reason why this should not work.


avmabe Fri, 08/24/2007 - 06:57

You should not run bpduguard on the links that connect the cisco switches.


You can run bpduguard on server connected ports.

agugger Fri, 08/24/2007 - 07:18

Hello

I have now disabled BPDU guard on those ports, as you can see in the example below:


interface GigabitEthernet3/1
 description Link SW_FN2 2/4 (1610)
 switchport access vlan 20
 switchport mode access
 spanning-tree bpduguard disable


But back to the "spanning-tree portfast bpduguard default" command, maybe I understand it wrong.

There, uplinks should be properly detected and handled appropriately. The active links are all working.

Only the redundant link, blocked by spanning tree, causes problems. Seen from the defined root bridges, it is correctly blocked.

I found that the interface handles this configuration as an access port, so we have to disable BPDU guard manually on these ports.


lamav Fri, 08/24/2007 - 08:11

Gugger:


Let's start from scratch. As a CCIE, I am sure you know that BPDUGUARD should be configured on ports that you do NOT wish to have participate in the STP convergence/root election process.


In other words, an access port, to which you would only have a user PC or a server connected, is not going to pose a threat of creating a redundant inter-switch connection and a possible layer 2 loop. Therefore, BPDUs do not need to be sent to such a port. It does not need to participate in STP convergence.


So, you can configure that access port for portfast, thereby by-passing the STP port states and going directly to the forwarding state. If you also configure BPDUGUARD, it will shut down an access port configured for portfast IF it receives a BPDU by mistake. In other words, if some fool plugs a switch into an access port with portfast on it. In that case the switch says,


"Hey, wait a minute. You configured this port for portfast because you promised me that nothing but a PC or server would be connected to it, but here you go breaking your promise and you, instead, connected this switch, which may now create a redundant link and an L2 loop. So, I am going to shut that port down until its identity crisis is over."


A redundant inter-switch connection CAN be a threat, so you DO want a port like that to go through all the STP states and participate in the STP convergence process because it may have to be placed in a blocking state to prevent it from becoming part of an L2 loop. Therefore, you must NOT configure such a port with portfast or BPDUGUARD.


HTH, and I hope it makes sense to you...



Francois Tallet Fri, 08/24/2007 - 08:54

Did you also enable spanning-tree portfast default? Spanning-tree portfast bpduguard default (as its name is trying to say ;-) is only applied to portfast ports. As I don't see portfast explicitly configured on your g3/1, I guess that you enabled it globally.

The global commands are a way of applying a feature to the majority of the ports in one shot. But the flip side of the coin is that, of course, you need to disable the feature explicitly on the minority of ports that don't need it. On the uplinks, you should explicitly disable portfast. Of course, I'm also assuming that you agree that using portfast or bpduguard is not a good idea on a redundant link.

Regards,

Francois
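As an added example (not from the thread, and not Cisco's code), the Python below applies the resolution rules Francois describes to a constructed running-config: it parses the global and per-interface spanning-tree commands, works out which ports are operationally portfast and therefore covered by "spanning-tree portfast bpduguard default", and lists inter-switch ports (recognised by a "Link"/"Uplink" description keyword, an assumption) that BPDU guard would err-disable on the first BPDU. It also models the standard IOS rule, not spelled out in the thread, that "spanning-tree portfast default" skips trunk ports.

```python
# Constructed running-config (not from the thread): global defaults on, uplink g3/1 plain access.
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet3/1
 description Link SW_FN2 2/4 (1610)
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet3/2
 description Link SW_FN3 2/4
 switchport mode access
 spanning-tree portfast disable
 spanning-tree bpduguard disable
interface GigabitEthernet3/11
 description Uplink to core
 switchport mode trunk
"""

def parse_config(text):
    """Split IOS config text into global commands and {interface: [sub-commands]}."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = ifaces[line.split(None, 1)[1]] = []
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        elif line.strip() and not line.startswith("!"):  # '!' separators carry nothing
            glob.append(line.strip())
    return glob, ifaces

def effective_stp_state(glob, lines):
    """(portfast, bpduguard) as the port really runs them: global 'portfast default' reaches
    non-trunk ports unless overridden, 'bpduguard default' only portfast ports, per-port wins."""
    portfast = ("spanning-tree portfast disable" not in lines and
                (any(l.startswith("spanning-tree portfast") for l in lines)
                 or ("spanning-tree portfast default" in glob
                     and "switchport mode trunk" not in lines)))
    bpduguard = ("spanning-tree bpduguard disable" not in lines and
                 ("spanning-tree bpduguard enable" in lines
                  or (portfast and "spanning-tree portfast bpduguard default" in glob)))
    return portfast, bpduguard

def uplinks_at_risk(text, words=("link", "uplink")):
    """Inter-switch ports (by description keyword, an assumption) BPDU guard would err-disable."""
    glob, ifaces = parse_config(text)
    return [name for name, lines in ifaces.items()
            if any(w in l.lower() for l in lines if l.startswith("description ") for w in words)
            and effective_stp_state(glob, lines)[1]]
```

uplinks_at_risk(SAMPLE_CONFIG) returns ['GigabitEthernet3/1'], the only inter-switch port with nothing overriding the global defaults; g3/2 is saved by its explicit per-port disables and the trunk port never inherits portfast default in the first place.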

agugger Fri, 08/24/2007 - 23:33

So the handling is absolutely clear; I don't understand any more why I didn't see this from the beginning. The ports run as uplinks for this single VLAN and only this, without any of the additional services of a normal trunk. As you mentioned, I have to disable both portfast and BPDU guard. Thanks to all who helped to open my eyes.

Andy Gugger

