BPDUs on port connecting fwsm

cisconoobie · ‎11-21-2007

I have my ports configured like this.

router - L2 3750G switch - 6506 (port allocated to FWSM Module)

3750G config

int g1/0/1

desc "Router"

switchport mode access

switchport access vlan 5

spanning-tree portfast

spanning-tree bpduguard enable

int g1/0/2

desc "to 6506 FWSM"

switchport mode access

switchport access vlan 5

spanning-tree portfast

spanning-tree bpduguard enable

6506

int g1/1

switchport

switchport mode access

switchport access vlan 5

spanning-tree portfast

spanning-tree bpduguard enable

I enable

firewall multiple-vlan-interfaces

firewall module 5 vlan-group 1

firewall vlan-group 1 5

My problem is that int g1/0/2 keeps receiving bpdu's and goes into errdisable because of bpduguard. My only fix to this is to enable "spanning-treee bpdufilter enable". Is this the proper way fixing the problem?

The FWSM is in routed mode.

Edison Ortiz · ‎11-21-2007

It's behaving as designed.

bpduguard protects the switchport from unauthorized 'switch' connections on enabled switchports.

On switchports dedicated for uplinks, bpduguard must be disabled.

bpdufilter removes the portfast feature once it receives a bpdu from its link partner.

What exactly are you trying to accomplish here with the bdpu commands ?

cisconoobie · ‎11-21-2007

Well I want to make sure my L2 3750G switch connects the router and 6506 (fwsm) module properly.

I dont want to connect directly into the 6506 from the router because I will use multiple routers sharing a vlan on the 3750g.

Basically, the router interfaces and FWSM outside interface will connect to vlan 5 on the 3750G.

Attached is the picture to clarify whatI am doing. I just want to make sure I am properly connected.

Edison Ortiz · ‎11-21-2007

Just connect them.

Since you've decided to implement portfast on the interfaces, I do recommend enabling bdpufilter as you did in the example you posted.

You can enable bdpuguard in the remaining switchports that aren't connected to switches. This will prevent anyone from connecting an unauthorized switch.

cisconoobie · ‎11-21-2007

Ok I will, how does a switch decide to send bpdu's to a given port?

I mean if I have a server conencted to a port with portfast and bpduguard enabled I never have problems.

I understand how spanning tree works, but how does a switch know to send bpdu to a port? Is it just listening on that stp multicast address?

Kevin Dorrell · ‎11-22-2007

A switch will always send BPDUs unless you stop them with a bdpufilter, or if you like living dangerously and disable Spanning Tree altogether. Even on an access port. Personally, I never filter the BPDUs, except as an absolute last resort.

I prefer to leave bpduguard enabled on all ports except the ones that I know are going to be receiving legitimate BPDUs. That is, I enable it globally, and then explicitly disable it on those connected to other spanning-tree switches, or to dumb switches or hubs that have spanning-tree switches attached to them.

Kevin Dorrell

Luxembourg

Edison Ortiz · ‎11-22-2007

Kevin,

The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs, when BPDUFilter is enabled.

If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Edison Ortiz · ‎11-22-2007

At link-up, the switchport will always send BPDU. If the link partner does not reply, the switch assumes its link partner is not a switch so it stops sending BPDUs.