BPDU guard issue

Unanswered Question
Sep 17th, 2007

Cat 5000, running with an older release. If I turn on BPDU guard, I can't get out to the network. My network team forced us to make this change. Currently it's off.

Pls. help

Francois Tallet Mon, 09/17/2007 - 13:00

BPDU guard is not a feature that you can enable on any port. It only makes sense on ports that will never be connected to another switch. You should push back on an administrative decision to enable the feature everywhere, as it looks like that is what you are facing. Just see on the CatOS console which ports BPDU guard put in errdisable state to convince yourself, and the others ;-)
fbp008_igw Mon, 09/17/2007 - 13:16

Thx for comment.

I have two VLANs on this Cat 5000 and each VLAN has 20-some connections. Currently, we have turned BPDU guard off on these two VLANs. He (Netadmin, corp level) is installing new gear and he doesn't want me to continue with this practice. If I turn this on on my VLAN then I can't reach his gateway, which provides my further corp connection. Any suggestions...

Francois Tallet Mon, 09/17/2007 - 15:31

BPDU guard is in fact applied per-port. On some versions of CatOS (yours is probably one of them), the command was applied to all the ports configured for portfast.

Portfast should only be configured on ports that are not connecting to other bridges. It seems that this is not the case in your setup. Go to the CatOS console and identify the ports that were shut down by BPDU guard (you cannot resolve this by staying at the level of "I cannot reach my gateway anymore" ;-). Those ports must have portfast disabled.
fbp008_igw Tue, 09/18/2007 - 07:23

What software version do I have to have in my SP module for the Cat 5000? For Sup 1, 2, 3.

Francois Tallet Tue, 09/18/2007 - 08:29

Simply upgrading your Cat5k will not change anything. There is no dumb way out, you really have to understand what is happening ;-)
Nathan Spitzer Tue, 09/18/2007 - 04:30

First, your network team is actually getting you to do a Very Good Thing. BPDUGuard prevents idiot users from hooking up cheap hubs and switches unbeknownst to you and causing spanning tree loops. It allows you to maintain control over your network and provides proactive punishment to your users. If they do something bad they have to call you and meekly admit what they did, at which time you wave your favorite LART at them before re-enabling the port. After a couple of times they will stop doing it. Been there, done that.

If enabling BPDUGuard caused so many problems, you ALREADY have something broken that needs to be fixed. BPDUGuard did not break you, you were already broken, you just did not know it.

The other posters are right, if you have portfast enabled on ports connecting switches, hubs, or bridges you are doing a Very Bad Thing that can cause all kinds of spanning-tree issues. I believe that if you universally enable BPDUGuard (I recommend it) it is turned on on all portfast trunks. By default a port disabled by BPDUGuard stays disabled until you fix it (forcing the user to own up) but you can have a timer that re-enables the port after some time.

See http://www.cisco.com/warp/public/473/65.html for more information.

In short, this is something you should embrace.
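The thread's two explanations (Francois: on older CatOS the feature applies to every portfast port, so bridge-facing ports with portfast will be errdisabled; Nathan: enabling it everywhere exposes existing misconfiguration) can be turned into a pre-flight audit. This is an added example, not code from the thread or from Cisco; the port inventory and its column layout are constructed for the example and are not real CatOS output.

```python
"""Pre-flight audit before enabling BPDU guard on a switch where the feature
is applied to every portfast-enabled port (as described for older CatOS).

A portfast port that has already received STP BPDUs has a bridge behind it
(switch, hub with a switch, or the corp gateway). Enabling BPDU guard would
errdisable exactly those ports, so they must have portfast removed first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    portfast: bool
    bpdu_seen: bool  # STP BPDUs received on this port, i.e. a bridge is behind it


def parse_inventory(text: str) -> list[Port]:
    """Parse a constructed 'port portfast bpdu' whitespace table (yes/no)."""
    ports = []
    for line in text.strip().splitlines():
        name, pf, bpdu = line.split()
        ports.append(Port(name, pf.lower() == "yes", bpdu.lower() == "yes"))
    return ports


def would_errdisable(ports: list[Port], guard_all_portfast: bool = True) -> list[Port]:
    """Ports BPDU guard would put into errdisable once enabled.

    With guard_all_portfast=True (the CatOS behaviour from the thread) every
    portfast port is guarded, so any portfast port that sees BPDUs is hit.
    """
    if not guard_all_portfast:
        return []
    return [p for p in ports if p.portfast and p.bpdu_seen]


def remediation(ports: list[Port]) -> dict[str, str]:
    """Map each at-risk port to the fix from the thread: remove portfast on
    bridge-facing ports so BPDU guard is never applied to them."""
    return {p.name: "disable portfast (bridge-facing port)" for p in would_errdisable(ports)}


# Constructed sample: two user ports, one uplink to the corp gateway switch,
# and one port that already lacks portfast.
SAMPLE_INVENTORY = """
3/1   yes  no
3/2   yes  no
3/24  yes  yes
4/1   no   yes
"""
```

Run the audit on the real inventory before flipping the feature on; an empty result means enabling BPDU guard will not take down any uplink.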