catos bpdu guard

Unanswered Question
May 7th, 2008

How do you configure BPDU guard on CatOS ? It looks to be set up in our switches right but it works for one switch and not the other.

In the one switch this line is enabled:


set spantree global-default bpdu-guard enable

and under the module it says bpdu-guard default as well.

In the other switch this line is enabled:


set spantree global-default bpdu-guard disable

but under the modules it says


set spantree bpdu-guard 2/1-48 enable

Does the global one mean anything? It doesnt seem to matter since in the second example it is disabled globally and enabled on the module and it works.

For the first example should I set the on under the module to "bpdu-guard enable" instead of "bpdu-guard default"?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Francois Tallet Wed, 05/07/2008 - 10:53

I'm extrapolating from IOS (that I'm familiar with). The global-default is different. When you enable bpdu-guard with global default, the bpdu-guard feature will apply to any port that is operationally portfast enabled. The idea is that port operationally portfast enable are edge ports (connecting to hosts). The global-default command is a simple way of enabling bpdu-guard on all the edge ports (where it matters the most).

The per-port command is different and is not dependent on the portfast configuration. If you enable bpdu-guard on a port with this CLI... well, bpdu-guard will be effective on this port.



MZydorczyk2 Thu, 05/08/2008 - 05:13

So if I entered the command:

"set spantree global-default bpdu-guard enable"

would it automatically put the statement:

"set spantree portfast bpdu-guard default"

under the modules?

Or do I need to put the second statement in myself, or not at all?

Francois Tallet Thu, 05/08/2008 - 07:59

I missed this subtle difference earlier and might have not answered your question exactly...

-a- set spantree global-default bpdu-guard enable

-b- set spantree portfast bpdu-guard default

I think that -a- and -b- are two formats for the same command (again, I don't have much CatOS memories;-). The oldest is probably -b-, as I guess that -a- was introduced with some other global-default commands.

In the CatOS showing -a- in its configuration, you should still be able to enter -b- and it's going to be interpreted as -a-.

In the latest versions (whether it's CatOS or IOS), this global configuration command now has a per-interface configuration that does not depend on portfast.



MZydorczyk2 Fri, 05/09/2008 - 08:03

This is the statements in the config...


#spantree global defaults

set spantree global-default portfast disable

set spantree global-default loop-guard disable


set spantree global-default bpdu-guard enable

set spantree global-default bpdu-filter disable


set spantree portfast 2/48 disable

set spantree portfast 2/1-47 enable

set spantree bpdu-filter 2/1-48 default

set spantree bpdu-guard 2/1-48 default

This is before I enabled portfast on all the ports and enabled bpdu-guard on all the ports.

But the ports are still not operating like portfast nor do they disable the port when I plug a test switch into one of the ports.

MZydorczyk2 Fri, 05/09/2008 - 08:14

Along with my problem above this one...on the IOS switch I am working with I entered the command:

"spanning-tree portfast bpduguard"

I read that this command would enable bpduguard on all interfaces configured as portfast but it doesnt disable when I test.

Francois Tallet Fri, 05/09/2008 - 15:10

With the config you have above, portfast is enabled on 2/1-47

bpduguard is enabled globally. Those port should run bpduguard. A subtle thing thought... as I mentioned earlier, the global bpduguard command applies to port that are *operationally* running portfast. If the port receives a bpdu, portfast gets disabled on it. So if you received a bpdu on a port before you configured global bpduguard, the feature will not be activated on this port. Flapping the link should fix the issue.

If bpduguard does not kick in after that (check that the test bridge you are inserting is actually sending bpdus btw), then I don't know what's happening;-)

Again, I'm just trying to answer a CatOS question by extrapolating IOS behavior...



MZydorczyk2 Mon, 05/12/2008 - 07:01

The thing is, I believe I've enabled bpdu-guard gloablly AND specificly on the ports. and also enabled portfast specificly on the ports. When I went to test it tho, I believe 2 of the 3 modules shut down the port when they recieved bpdu's but the other didnt. But also, none of them were in portfast. The 2 of the 3 shutdown the port before the LED even went green. If it was portfasting it would go green then be shutdown I thought (at least this is what I've seen on another switch).

Francois Tallet Mon, 05/12/2008 - 07:37

If you configure bpduguard explicitly on a port (which was not the case in the config you posted), then its portfast status is irrelevant: the feature is then enabled on the port.

Also, be careful that it's not because you are connecting a bridge running STP that it is going to send a single bpdu. Even if it's a race condition, it's possible that the bridge you are connecting is receiving a superior bpdu as soon as the link comes up and stays silent.



MZydorczyk2 Mon, 05/12/2008 - 07:55

Yes, good point. Is there any other way I can test it with the bridge I'm using to shut down the switch port if it really is getting a superior bpdu?

Francois Tallet Mon, 05/12/2008 - 07:58

bpdu guard will kick in regardless of whether the bpdu received is inferior or superior. It's just that you need to make sure that the switch you connect cannot be silent. Do your test with a bridge having a very low priority (0 should do it;-)



MZydorczyk2 Mon, 05/12/2008 - 08:30

For IOS these config lines should be fine for just enabling the guard on one port right?

int fast 3/4

spanning-tree bpduguard enable

(already set as portfast)

Francois Tallet Mon, 05/12/2008 - 08:33

yep (this, I'm sure;-)

And this again irrespective of portfast configuration.



MZydorczyk2 Mon, 05/12/2008 - 08:58

Also, did you say there was a global command for enabling bpdu-guard on all previously configured portfast ports?

I found this command:

spanning-tree portfast bpduguard

I did try this command and it was supposedly accepted but when I just tried a port I didnt specificly set bpdu-guard on, it never disabled the port.?


This Discussion