11-21-2007 07:02 AM - edited 03-05-2019 07:33 PM
I have my ports configured like this.
router - L2 3750G switch - 6506 (port allocated to FWSM Module)
3750G config
int g1/0/1
desc "Router"
switchport mode access
switchport access vlan 5
spanning-tree portfast
spanning-tree bpduguard enable
int g1/0/2
desc "to 6506 FWSM"
switchport mode access
switchport access vlan 5
spanning-tree portfast
spanning-tree bpduguard enable
6506
int g1/1
switchport
switchport mode access
switchport access vlan 5
spanning-tree portfast
spanning-tree bpduguard enable
I enable
firewall multiple-vlan-interfaces
firewall module 5 vlan-group 1
firewall vlan-group 1 5
My problem is that int g1/0/2 keeps receiving bpdu's and goes into errdisable because of bpduguard. My only fix to this is to enable "spanning-tree bpdufilter enable". Is this the proper way of fixing the problem?
The FWSM is in routed mode.
11-21-2007 08:09 AM
It's behaving as designed.
bpduguard protects the switchport from unauthorized 'switch' connections on enabled switchports.
On switchports dedicated for uplinks, bpduguard must be disabled.
bpdufilter removes the portfast feature once it receives a bpdu from its link partner.
What exactly are you trying to accomplish here with the bpdu commands?
11-21-2007 08:44 AM
Well I want to make sure my L2 3750G switch connects the router and 6506 (fwsm) module properly.
I don't want to connect directly into the 6506 from the router because I will use multiple routers sharing a vlan on the 3750g.
Basically, the router interfaces and FWSM outside interface will connect to vlan 5 on the 3750G.
Attached is the picture to clarify what I am doing. I just want to make sure I am properly connected.
11-21-2007 11:47 AM
Just connect them.
Since you've decided to implement portfast on the interfaces, I do recommend enabling bpdufilter as you did in the example you posted.
You can enable bpduguard in the remaining switchports that aren't connected to switches. This will prevent anyone from connecting an unauthorized switch.
11-21-2007 02:23 PM
Ok I will, how does a switch decide to send bpdu's to a given port?
I mean if I have a server connected to a port with portfast and bpduguard enabled I never have problems.
I understand how spanning tree works, but how does a switch know to send bpdu to a port? Is it just listening on that stp multicast address?
11-22-2007 12:34 AM
A switch will always send BPDUs unless you stop them with a bpdufilter, or if you like living dangerously and disable Spanning Tree altogether. Even on an access port. Personally, I never filter the BPDUs, except as an absolute last resort.
I prefer to leave bpduguard enabled on all ports except the ones that I know are going to be receiving legitimate BPDUs. That is, I enable it globally, and then explicitly disable it on those connected to other spanning-tree switches, or to dumb switches or hubs that have spanning-tree switches attached to them.
Kevin Dorrell
Luxembourg
11-22-2007 08:36 AM
Kevin,
The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs, when BPDUFilter is enabled.
If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.
11-22-2007 08:38 AM
At link-up, the switchport will always send BPDU. If the link partner does not reply, the switch assumes its link partner is not a switch so it stops sending BPDUs.
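The thread's three features (portfast, bpduguard, bpdufilter) each react differently when a BPDU arrives on an access port. The script below is an added example, not code from any poster in the thread: it parses a constructed IOS-style config modelled on the snippets above, predicts what each port does on receiving a BPDU, and audits the config the way Kevin describes (guard on edge ports, no guard on ports that legitimately see BPDUs). The set of switch-facing ports passed to the audit is an operator-supplied assumption, not something inferred from descriptions, and the precedence of interface-level bpdufilter over bpduguard is how the model orders the checks.

```python
"""Model of how an IOS access port reacts to a received BPDU under
portfast / bpduguard / bpdufilter, plus a small config audit.
Added example; the config text is constructed, not a real running-config."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample config modelled on the thread's snippets (not the poster's full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Router
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description to 6506 FWSM
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description to 6506 FWSM (bpdufilter variant)
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/4
 description server
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
!
"""


@dataclass
class Port:
    name: str
    description: str = ""
    portfast: bool = False
    bpduguard: bool = False
    bpdufilter: bool = False


def parse_interfaces(config: str) -> dict[str, Port]:
    """Parse 'interface ...' blocks and the three spanning-tree knobs used in the thread."""
    ports: dict[str, Port] = {}
    current: Port | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports[current.name] = current
        elif current is None or line == "!":
            continue
        elif line.startswith("description "):
            current.description = line.split(None, 1)[1]
        elif line == "spanning-tree portfast":
            current.portfast = True
        elif line == "spanning-tree bpduguard enable":
            current.bpduguard = True
        elif line == "spanning-tree bpdufilter enable":
            current.bpdufilter = True
    return ports


def on_bpdu_received(port: Port) -> str:
    """Outcome when a BPDU arrives on the port.
    Modelled order: interface-level bpdufilter discards the BPDU first,
    bpduguard errdisables the port, a plain portfast port just drops its
    portfast operational status and runs normal STP."""
    if port.bpdufilter:
        return "ignored"        # BPDU dropped; port stays up and keeps portfast
    if port.bpduguard:
        return "errdisable"     # the behaviour seen on g1/0/2 in the thread
    if port.portfast:
        return "portfast-lost"  # falls back to listening/learning/forwarding
    return "normal"


def audit(ports: dict[str, Port], switch_facing: set[str]) -> list[tuple[str, str]]:
    """Flag guard on ports that legitimately receive BPDUs (they will errdisable)
    and edge ports that lack guard (an unauthorized switch would be accepted).
    'switch_facing' is supplied by the operator; it is not guessed from descriptions."""
    findings = []
    for name, port in ports.items():
        if name in switch_facing and on_bpdu_received(port) == "errdisable":
            findings.append((name, "guard-on-uplink"))
        if name not in switch_facing and not port.bpduguard:
            findings.append((name, "no-guard-on-edge"))
    return findings


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for p in parsed.values():
        print(f"{p.name:24} {p.description:36} on BPDU -> {on_bpdu_received(p)}")
    for finding in audit(parsed, {"GigabitEthernet1/0/2", "GigabitEthernet1/0/3"}):
        print("finding:", *finding)
```

Run against the sample, the audit reports g1/0/2 (guard on a port that will see the 6506's BPDUs) and g1/0/4 (a server port with portfast but no guard), while g1/0/1 and the bpdufilter variant on g1/0/3 are clean; that matches the thread's conclusion that the errdisable is by design and the fix is either filter on that one port or guard everywhere else.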