cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2484
Views
0
Helpful
15
Replies

catos bpdu guard

MZydorczyk2
Level 1
Level 1

How do you configure BPDU guard on CatOS ? It looks to be set up in our switches right but it works for one switch and not the other.

In the one switch this line is enabled:

Code:

set spantree global-default bpdu-guard enable

and under the module it says bpdu-guard default as well.

In the other switch this line is enabled:

Code:

set spantree global-default bpdu-guard disable

but under the modules it says

Code:

set spantree bpdu-guard 2/1-48 enable

Does the global one mean anything? It doesnt seem to matter since in the second example it is disabled globally and enabled on the module and it works.

For the first example should I set the on under the module to "bpdu-guard enable" instead of "bpdu-guard default"?

15 Replies 15

murphymd
Level 1
Level 1

What CAT OS Version is on each ?

version 8.6

Francois Tallet
Level 7
Level 7

I'm extrapolating from IOS (that I'm familiar with). The global-default is different. When you enable bpdu-guard with global default, the bpdu-guard feature will apply to any port that is operationally portfast enabled. The idea is that port operationally portfast enable are edge ports (connecting to hosts). The global-default command is a simple way of enabling bpdu-guard on all the edge ports (where it matters the most).

The per-port command is different and is not dependent on the portfast configuration. If you enable bpdu-guard on a port with this CLI... well, bpdu-guard will be effective on this port.

HTH,

Francois

So if I entered the command:

"set spantree global-default bpdu-guard enable"

would it automatically put the statement:

"set spantree portfast bpdu-guard default"

under the modules?

Or do I need to put the second statement in myself, or not at all?

I missed this subtle difference earlier and might have not answered your question exactly...

-a- set spantree global-default bpdu-guard enable

-b- set spantree portfast bpdu-guard default

I think that -a- and -b- are two formats for the same command (again, I don't have much CatOS memories;-). The oldest is probably -b-, as I guess that -a- was introduced with some other global-default commands.

In the CatOS showing -a- in its configuration, you should still be able to enter -b- and it's going to be interpreted as -a-.

In the latest versions (whether it's CatOS or IOS), this global configuration command now has a per-interface configuration that does not depend on portfast.

Regards,

Francois

This is the statements in the config...

#spantree

#spantree global defaults

set spantree global-default portfast disable

set spantree global-default loop-guard disable

#portfast

set spantree global-default bpdu-guard enable

set spantree global-default bpdu-filter disable

#Module2

set spantree portfast 2/48 disable

set spantree portfast 2/1-47 enable

set spantree bpdu-filter 2/1-48 default

set spantree bpdu-guard 2/1-48 default

This is before I enabled portfast on all the ports and enabled bpdu-guard on all the ports.

But the ports are still not operating like portfast nor do they disable the port when I plug a test switch into one of the ports.

Along with my problem above this one...on the IOS switch I am working with I entered the command:

"spanning-tree portfast bpduguard"

I read that this command would enable bpduguard on all interfaces configured as portfast but it doesnt disable when I test.

With the config you have above, portfast is enabled on 2/1-47

bpduguard is enabled globally. Those port should run bpduguard. A subtle thing thought... as I mentioned earlier, the global bpduguard command applies to port that are *operationally* running portfast. If the port receives a bpdu, portfast gets disabled on it. So if you received a bpdu on a port before you configured global bpduguard, the feature will not be activated on this port. Flapping the link should fix the issue.

If bpduguard does not kick in after that (check that the test bridge you are inserting is actually sending bpdus btw), then I don't know what's happening;-)

Again, I'm just trying to answer a CatOS question by extrapolating IOS behavior...

Regards,

Francois

The thing is, I believe I've enabled bpdu-guard gloablly AND specificly on the ports. and also enabled portfast specificly on the ports. When I went to test it tho, I believe 2 of the 3 modules shut down the port when they recieved bpdu's but the other didnt. But also, none of them were in portfast. The 2 of the 3 shutdown the port before the LED even went green. If it was portfasting it would go green then be shutdown I thought (at least this is what I've seen on another switch).

If you configure bpduguard explicitly on a port (which was not the case in the config you posted), then its portfast status is irrelevant: the feature is then enabled on the port.

Also, be careful that it's not because you are connecting a bridge running STP that it is going to send a single bpdu. Even if it's a race condition, it's possible that the bridge you are connecting is receiving a superior bpdu as soon as the link comes up and stays silent.

Regards,

Francois

Yes, good point. Is there any other way I can test it with the bridge I'm using to shut down the switch port if it really is getting a superior bpdu?

bpdu guard will kick in regardless of whether the bpdu received is inferior or superior. It's just that you need to make sure that the switch you connect cannot be silent. Do your test with a bridge having a very low priority (0 should do it;-)

Regards,

Francois

For IOS these config lines should be fine for just enabling the guard on one port right?

int fast 3/4

spanning-tree bpduguard enable

(already set as portfast)

yep (this, I'm sure;-)

And this again irrespective of portfast configuration.

Regards,

Francois

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: