05-07-2008 07:41 AM - edited 03-05-2019 10:48 PM
How do you configure BPDU guard on CatOS ? It looks to be set up in our switches right but it works for one switch and not the other.
In the one switch this line is enabled:
Code:
set spantree global-default bpdu-guard enable
and under the module it says bpdu-guard default as well.
In the other switch this line is enabled:
Code:
set spantree global-default bpdu-guard disable
but under the modules it says
Code:
set spantree bpdu-guard 2/1-48 enable
Does the global one mean anything? It doesnt seem to matter since in the second example it is disabled globally and enabled on the module and it works.
For the first example should I set the on under the module to "bpdu-guard enable" instead of "bpdu-guard default"?
05-07-2008 08:08 AM
What CAT OS Version is on each ?
05-07-2008 08:09 AM
version 8.6
05-07-2008 10:53 AM
I'm extrapolating from IOS (that I'm familiar with). The global-default is different. When you enable bpdu-guard with global default, the bpdu-guard feature will apply to any port that is operationally portfast enabled. The idea is that port operationally portfast enable are edge ports (connecting to hosts). The global-default command is a simple way of enabling bpdu-guard on all the edge ports (where it matters the most).
The per-port command is different and is not dependent on the portfast configuration. If you enable bpdu-guard on a port with this CLI... well, bpdu-guard will be effective on this port.
HTH,
Francois
05-08-2008 05:13 AM
So if I entered the command:
"set spantree global-default bpdu-guard enable"
would it automatically put the statement:
"set spantree portfast bpdu-guard default"
under the modules?
Or do I need to put the second statement in myself, or not at all?
05-08-2008 07:59 AM
I missed this subtle difference earlier and might have not answered your question exactly...
-a- set spantree global-default bpdu-guard enable
-b- set spantree portfast bpdu-guard default
I think that -a- and -b- are two formats for the same command (again, I don't have much CatOS memories;-). The oldest is probably -b-, as I guess that -a- was introduced with some other global-default commands.
In the CatOS showing -a- in its configuration, you should still be able to enter -b- and it's going to be interpreted as -a-.
In the latest versions (whether it's CatOS or IOS), this global configuration command now has a per-interface configuration that does not depend on portfast.
Regards,
Francois
05-09-2008 08:03 AM
This is the statements in the config...
#spantree
#spantree global defaults
set spantree global-default portfast disable
set spantree global-default loop-guard disable
#portfast
set spantree global-default bpdu-guard enable
set spantree global-default bpdu-filter disable
#Module2
set spantree portfast 2/48 disable
set spantree portfast 2/1-47 enable
set spantree bpdu-filter 2/1-48 default
set spantree bpdu-guard 2/1-48 default
This is before I enabled portfast on all the ports and enabled bpdu-guard on all the ports.
But the ports are still not operating like portfast nor do they disable the port when I plug a test switch into one of the ports.
05-09-2008 08:14 AM
Along with my problem above this one...on the IOS switch I am working with I entered the command:
"spanning-tree portfast bpduguard"
I read that this command would enable bpduguard on all interfaces configured as portfast but it doesnt disable when I test.
05-09-2008 03:10 PM
With the config you have above, portfast is enabled on 2/1-47
bpduguard is enabled globally. Those port should run bpduguard. A subtle thing thought... as I mentioned earlier, the global bpduguard command applies to port that are *operationally* running portfast. If the port receives a bpdu, portfast gets disabled on it. So if you received a bpdu on a port before you configured global bpduguard, the feature will not be activated on this port. Flapping the link should fix the issue.
If bpduguard does not kick in after that (check that the test bridge you are inserting is actually sending bpdus btw), then I don't know what's happening;-)
Again, I'm just trying to answer a CatOS question by extrapolating IOS behavior...
Regards,
Francois
05-12-2008 07:01 AM
The thing is, I believe I've enabled bpdu-guard gloablly AND specificly on the ports. and also enabled portfast specificly on the ports. When I went to test it tho, I believe 2 of the 3 modules shut down the port when they recieved bpdu's but the other didnt. But also, none of them were in portfast. The 2 of the 3 shutdown the port before the LED even went green. If it was portfasting it would go green then be shutdown I thought (at least this is what I've seen on another switch).
05-12-2008 07:37 AM
If you configure bpduguard explicitly on a port (which was not the case in the config you posted), then its portfast status is irrelevant: the feature is then enabled on the port.
Also, be careful that it's not because you are connecting a bridge running STP that it is going to send a single bpdu. Even if it's a race condition, it's possible that the bridge you are connecting is receiving a superior bpdu as soon as the link comes up and stays silent.
Regards,
Francois
05-12-2008 07:55 AM
Yes, good point. Is there any other way I can test it with the bridge I'm using to shut down the switch port if it really is getting a superior bpdu?
05-12-2008 07:58 AM
bpdu guard will kick in regardless of whether the bpdu received is inferior or superior. It's just that you need to make sure that the switch you connect cannot be silent. Do your test with a bridge having a very low priority (0 should do it;-)
Regards,
Francois
05-12-2008 08:30 AM
For IOS these config lines should be fine for just enabling the guard on one port right?
int fast 3/4
spanning-tree bpduguard enable
(already set as portfast)
05-12-2008 08:33 AM
yep (this, I'm sure;-)
And this again irrespective of portfast configuration.
Regards,
Francois
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide